Tag: Digital Forensics
-
Apple TV 4K Keychain and Full File System Acquisition
Mobile forensics is not limited to phones and tablets. Many types of other gadgets, including IoT devices, contain tons of valuable data. Such devices include smart watches, media players, routers, smart home devices, and so on. In this article, we will cover the extraction of an Apple TV 4K, one of the most popular digital media players.
We already covered Apple TV forensics in the past; check out the following articles:
There are generally two methods to access data stored in an Apple TV: logical acquisition (media files with their metadata, diagnostics logs), and full file system extraction. The latter used to require a jailbreak (see above), which is limited to certain versions of tvOS. We now have full checkm8 support for all models up to and including the Apple TV 4K, which means that the version of tvOS no longer matters. Only the latest Apple TV HDR is not vulnerable.
The problem
Everything was relatively simple up to and including the Apple TV 4. The 4K version, however, has two problems:
- No USB port
- Difficult to enter DFU
The first problem has been resolved, as a hidden port was discovered under the Ethernet (RJ45) socket. A special connector is now available, the GoldenEye (or Foxlink X892), which is available for around 40€. With this adapter, you can connect your Apple TV 4K using a standard lightning cable and perform logical acquisition (the good news is that the Apple TV cannot be locked with a passcode).
The second problem is more serious. In order to run the checkm8 exploit, the device must be in DFU mode. The Apple TV 4 and older models can be placed into DFU using the remote control with a special combination of buttons. This is not the case for the Apple TV 4K.
One way to place the 4K model into DFU uses a special breakout cable (available at around $70), but the installation is difficult and requires some soldering skills.
The solution
Fortunately, there is an easier way, revealed by @matteyeux about two years ago. Apart from the GoldenEye cable, you will also need the DCSD cable; we covered it in The Mysterious Apple DCSD Cable Demystified. The adapter is readily available at around 20€.
So here is how to place the AppleTV 4K into DFU:
- Disconnect Apple TV 4K from the power source
- Connect the DCSD cable to the computer’s USB port
- Connect the GoldenEye adapter to the DCSD cable (using Lightning)
- Connect the GoldenEye to the Apple TV 4K
- Connect the Apple TV 4K to the power source
And there we go: the Apple TV 4K automatically boots into DFU!
You can now install the checkra1n jailbreak if your Apple TV runs tvOS 14 or older, or use the latest Elcomsoft iOS Forensic Toolkit 8.0 beta to perform a forensically sound keychain and file system extraction. As easy as that.
The acquisition steps are basically the same as for iPhones and iPads. Boot our custom ramdisk (you will have to download a proper firmware image using the link provided in our software):
And then pull the keychain (lightning fast) and the file system (at an impressive ~2.5 GB per minute).
Conclusion
Elcomsoft iOS Forensic Toolkit remains the only software capable of performing a forensically sound keychain and file system extraction from the majority of Apple TV models including the second and third generations, Apple TV HD and Apple TV 4K. If you are working in the field, do not miss the opportunity to get valuable data from this part of Apple ecosystem!
By Vladimir Katalov at 2022-07-20 09:55:17 Source ElcomSoft blog:
-
Building an Efficient Password Recovery Workstation: Power Savings and Waste Heat Management
This article continues the series of publications aimed to help experts specify and build economical and power-efficient workstations for password recovery workloads. Electricity costs, long-term reliability and warranty coverage must be considered when building a password recovery workstation. In this article we will review the most common cooling solutions found in today’s GPUs, and compare consumer-grade video cards with their much lesser known professional counterparts.
Is mining expertise relevant?
At a glance, cryptocurrency mining may look like a workload similar enough to password recovery, tempting experts to learn from miners’ experience when building a password recovery rig. In reality, this approach isn’t the best for multiple reasons. Mining farms are built for profit; ideally, a quick profit. They are commonly built in an open housing from available components that are rarely designed to withstand this type of workload. Power consumption and power efficiency are often disregarded, while long-term reliability is not a concern once a given video card has made enough crypto-cash.
While mining-farm-like systems can be and are used by forensic experts, they are commonly considered stop-gap solutions, even if they end up being used for many months or years. Workstations built for the needs of digital forensics have different priorities, with energy efficiency, overall stability, long-term reliability and warranty coverage at the top of the list.
GPU cooling solutions
A typical modern video card is cooled with a large heatsink and one or several fans. The design of the cooling solution determines where the hot air goes. Depending on the working environment and workload type the different types of cooling solutions have advantages over the rest of the pack.
Most consumer video cards employ a so-called ‘open-air’ solution. In this design, the fans blow air onto the heatsink, while hot air escapes through the sides of the heatsink. The warm air lands on the motherboard and in the computer’s case. If more than a single video card is installed, this solution works best in open cases or benches.
(source: cgdirector.com)
A slightly different heatsink design places fins in parallel to the video card, thus blowing some hot air away from the computer case through the PCIe slot cover, while the rest of the air is still thrown into the case.
If you are using an open case, the direction of the fins does not matter much. This solution provides better cooling if you are using several video cards in a closed case.
NVIDIA developed a hybrid solution in the 3000 series of its Founders Edition cards. Warm air is partly blown out of the case, and partly driven to the computer’s CPU fan and removed via the computer’s system fan.
Inside, this cooling system looks as follows:
While this is a very good design from the point of view of a typical gamer, and generally works fine if only one or two boards are installed in a closed case, this solution is still not designed to work in workstations or rack cases where multiple video cards are installed side by side. For this purpose, NVIDIA built a different type of cooling solution.
(Source: igor’sLAB)
The idea behind this kind of cooling is shown on the following slide (source):
In First look at the “internals” of a single-slot Nvidia RTX A4000 graphics card the thermal solution is disassembled:
These cards are designed to run in rack servers.
If you want to learn more about the various cooling solutions found in today’s video cards, check out the following articles from cgdirector.com:
To learn more about the differences between consumer-grade and pro-level boards, check out this article:
In these articles, Alex Glawion explains the differences between open-air and blower fan designs:
Blower-style cooling solutions are naturally designed to be used in rack cases:
The “Pro” boards
Many gaming boards are optimized for squeezing out the last frame per second in action games at the expense of stability, excess power consumption, and long-term reliability. Board partners overclock the GPU chips and increase the available power envelope to achieve higher performance. The extended power envelope delivers limited returns, as demonstrated by Igor’sLAB in Cool flagship instead of fusion reactor: the GeForce RTX 3090 Ti turns the efficiency list upside down with a 300-watt throttle.
Consumer video cards are often factory-overclocked and operated at higher power limits and core voltages, which increases power consumption out of proportion to the performance gain. A password recovery workload may take days or weeks to finish, making power consumption and waste heat management a challenge. In addition to wasting energy unnecessarily, consumer boards are not guaranteed for constant workloads, and may have a decreased lifespan and/or experience stability problems in the long term.
These issues are addressed in NVIDIA’s professional-level GPUs, which differ from their consumer counterparts in several meaningful ways.
Let’s compare two boards: an NVIDIA RTX 3070 Ti Founders Edition and NVIDIA A4000, a professional board based on the same chip.
                              NVIDIA RTX 3070 Ti     NVIDIA A4000
CUDA cores                    6144                   6144
VRAM                          8 GB GDDR6X            16 GB GDDR6 ECC
Memory interface              256 bit                256 bit
Single-precision performance  21.7 TFLOPS            19.2 TFLOPS
Cooling solution              Hybrid/open air        Blower
MSRP                          $599                   $999
Total board power             290 W                  140 W
As you can see, the professional board delivers nearly identical performance to its consumer counterpart, while doing it at less than half the power. At a price of 25 cents per kWh, in 24×7 workloads the professional board can save around $328 a year. With electricity prices quickly growing, this can lead to even more significant savings in the future.
Are professional boards worth the investment?
Alex Glawion says: “You would expect the additional cost for pro GPUs to also mean considerably higher performance over consumer cards, but this is seldom the case, with consumer GPUs holding up and even leading in several video editing, 3D rendering, and CAD workloads. Instead, what pro GPUs offer are certified hardware, optimized drivers, and extensive support, making them more of an investment for those with deep pockets who seek higher reliability or a specific feature exclusive to these GPUs.”
For extended workloads such as password recovery, reliability and longevity of a video card do matter, especially considering the current 3-year upgrade cycle between major GPU releases. In addition, consider the differences in power consumption. A professional board sips half the power of its gaming counterpart, making it a much greener solution while being more economical in the long run.
Conclusion
Depending on the type of workload, your budget, and your working environment, you may opt for a set of professional video cards in a server rack, or a number of consumer boards installed into an open bench, or end up with something in between. When building a workstation for crunching passwords, consider the different ‘grades’ of video boards, the different cooling solutions, and the way you’ll be cooling the entire computer.
By Oleg Afonin at 2022-07-15 11:26:09 Source ElcomSoft blog:
-
Building an Efficient Password Recovery Workstation: NVIDIA RTX Passwords-per-Watt Benchmarks
This article opens the series of publications aimed to help experts specify and build effective and power-efficient workstations for brute-forcing passwords. Power consumption and power efficiency are two crucial parameters that are often overlooked in favor of sheer speed. When building a workstation with 24×7 workload, absolute performance numbers become arguably less important compared to performance per watt. We measured the speed and power consumption of seven video cards ranging from the NVIDIA Quadro T600 to NVIDIA RTX 3070 Ti and calculated their efficiency ratings.
GPU acceleration and power efficiency
The use of video cards for brute-forcing passwords is nothing new. This year alone, we posted GPU Acceleration On The Cheap: Using Affordable Video Cards to Break Passwords Faster followed by GPU Acceleration: Attacking Passwords with NVIDIA RTX Series Boards, the latter discussing the price/performance rating of the latest generations of GPU chips. Today, we are about to make a different rating, comparing video cards by their performance relative to power consumption. Interestingly, the results are non-linear and deviate significantly from the price/performance rating.
Why are some GPUs more power-hungry than others? There are multiple factors affecting the performance and power consumption of a given chip. The GPU architecture and manufacturing process are obvious, as is the number of Compute Units installed (or activated) in a given model. The more Compute Units a GPU has, the faster it works, and the more power it consumes.
Another factor contributing to the card’s performance is the frequency, which strongly affects the power consumption and power efficiency of the card. The increase in the number of Compute Units results in linear growth of power consumption, while the growth of the card’s frequency increases the card’s power consumption with diminishing returns. For example, an NVIDIA RTX 3090 Ti with its stock TDP of 480 W is only 13% faster than the same card limited to 300 W (a 1.6 times difference) as discovered by igor’sLAB: Cool flagship instead of fusion reactor: the GeForce RTX 3090 Ti turns the efficiency list upside down with a 300-watt throttle and beats the Radeons.
GPU efficiency benchmarks
With multiple tests for every NVIDIA model, do we need yet another benchmark? We believe so. Our tests use NVIDIA’s compute units exclusively, placing a different type of load on the GPU compared to the typical FPS benchmarks. In addition to previously tested models, we are adding an NVIDIA RTX 3070 Ti Founders Edition. This chip is widely criticized for its high power consumption relative to performance. With its TDP of 290 W, reviewers call it an “Inefficient side-grade with high power consumption”. Let us see if this board is as inefficient as the others say.
The following boards participate in today’s benchmark, sorted by TDP:
All the boards except the RTX 2070 were tested on the same system based on Intel’s Alder Lake i9-12900K CPU, while the RTX 2070 was tested in a workstation based on the Intel Core i5-8500 CPU. Note that GPU-accelerated attacks put little load onto the CPU (approximately 3 to 6 per cent utilization per CPU core), which makes such tests CPU-agnostic.
Benchmarks
Using Elcomsoft Distributed Password Recovery as a benchmark, we’ve seen the following results. The benchmarks demonstrate an almost linear growth of performance depending on the video card – with one exception.
This is the exception: the RTX 2070 benchmarked higher than expected in the SHA-256 test. Since the other tests were consistent, and since we had to use a different workstation to benchmark this card, we’d recommend taking this result with a grain of salt.
The power efficiency rating
Our power efficiency charts are based on each board’s advertised TDP. We based the “performance” part on the WinZip/AES-256 benchmark using the latest and highly optimized version of Elcomsoft Distributed Password Recovery. While not perfect, this method allowed us to do a fair comparison.
The following chart shows the performance of each GPU relative to its power consumption (the “passwords per watt” rating is based on the WinZip/AES-256 benchmark alone):
The same chart sorted by efficiency (least efficient models on top):
Frankly, the results were quite unexpected. The slowest tested video card, the Quadro T600 model from NVIDIA’s professional range, has also become the most efficient, demonstrating the highest performance per watt. Is this due to the optimizations of the installed GPU or are professional cards targeting power efficiency by design? We don’t have enough data, but some reports suggest so. You can check out Igor’sLAB review of the NVIDIA A5000 server board to see if there is any truth in this speculation.
Interestingly, the NVIDIA RTX 3070 Ti, which is the fastest unit among the tested boards, is not quite an “inefficient outsider with high power consumption.” High power consumption? Quite so. Outsider? Not really: in our tasks, the card outperforms the NVIDIA RTX 3060 and 3050 models in terms of power efficiency, and is not far off the NVIDIA RTX 3060 Ti.
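The “passwords per watt” rating described above, together with the annual energy-cost comparison from the earlier RTX 3070 Ti vs. A4000 table, as an added example that is not ElcomSoft’s code. It uses the figures quoted on the page (single-precision TFLOPS stands in for the benchmark speed, and the 3090 Ti throttle data is expressed as a relative index); the `Board` class and function names are this example’s own.

```python
# Added example (not ElcomSoft's code): the "passwords per watt" rating and the
# annual energy-cost comparison from the articles above, computed from the
# figures quoted on the page.
from dataclasses import dataclass

HOURS_PER_YEAR = 24 * 365          # 24x7 workload, as in the article
PRICE_PER_KWH = 0.25               # $0.25 per kWh, the page's assumption


@dataclass(frozen=True)
class Board:
    name: str
    performance: float   # throughput figure (passwords/s, TFLOPS, or a relative index)
    watts: float         # advertised TDP / total board power


def efficiency(board: Board) -> float:
    """Performance per watt: the page's 'passwords per watt' rating."""
    return board.performance / board.watts


def annual_energy_cost(watts: float, price_per_kwh: float = PRICE_PER_KWH,
                       hours: float = HOURS_PER_YEAR) -> float:
    """Cost of running a constant load of `watts` for `hours` at `price_per_kwh`."""
    return watts * hours / 1000.0 * price_per_kwh


def annual_savings(a: Board, b: Board, price_per_kwh: float = PRICE_PER_KWH) -> float:
    """How much cheaper per year it is to run `b` instead of `a` (same workload)."""
    return annual_energy_cost(a.watts, price_per_kwh) - annual_energy_cost(b.watts, price_per_kwh)


def rank_by_efficiency(boards):
    """Least efficient first, matching the article's second chart ordering."""
    return sorted(boards, key=efficiency)


# Figures from the page's comparison table. Single-precision TFLOPS is used as
# the performance proxy here; the article's real rating uses the WinZip/AES-256
# benchmark speed, which is not given on the page.
RTX_3070_TI = Board("NVIDIA RTX 3070 Ti", 21.7, 290)
A4000 = Board("NVIDIA A4000", 19.2, 140)

# igor'sLAB figure quoted on the page: the 3090 Ti at its stock 480 W is 13%
# faster than the same card throttled to 300 W. Relative index, 300 W = 1.0.
RTX_3090_TI_STOCK = Board("RTX 3090 Ti @ 480 W", 1.13, 480)
RTX_3090_TI_300W = Board("RTX 3090 Ti @ 300 W", 1.00, 300)


def throttle_efficiency_gain() -> float:
    """Per-watt efficiency of the throttled 3090 Ti relative to stock."""
    return efficiency(RTX_3090_TI_300W) / efficiency(RTX_3090_TI_STOCK)


if __name__ == "__main__":
    print(f"A4000 instead of 3070 Ti saves ${annual_savings(RTX_3070_TI, A4000):.2f} per year")
    for b in rank_by_efficiency([RTX_3070_TI, A4000]):
        print(f"{b.name:22s} {efficiency(b):.4f} TFLOPS/W")
    print(f"3090 Ti throttled to 300 W is {throttle_efficiency_gain():.2f}x more efficient per watt")
```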
To be continued
This publication is the first in the series of articles about the power consumption, heat dissipation and energy-efficiency of forensic workstations doing password recovery. Today’s article covers the power efficiency of today’s video cards relative to their performance. In subsequent articles we’ll talk about the waste heat, GPU cooling solutions, and the differences between consumer and server boards.
By Oleg Afonin at 2022-07-08 18:01:43 Source ElcomSoft blog:
-
Keychain: the Gold Mine of Apple Mobile Devices
Keychain is an essential part of iOS and macOS that securely stores the most critical data: passwords of all kinds, encryption keys, certificates, credit card numbers, and more. Extracting and decrypting the keychain, when possible, is a must in mobile forensics. We seriously improved this part in the latest build of iOS Forensic Toolkit.
There are several methods of keychain extraction; we reviewed them in Extracting and Decrypting iOS Keychain: Physical, Logical and Cloud Options Explored. The different methods will return different results. When analyzing an encrypted backup with logical acquisition, you never get all the items. Excluded are the encryption keys for some secure messengers such as Signal and Wickr, and many other bits and pieces. Keychain obtained with our extraction agent is always complete, and contains all those keys, as well as some extremely useful data such as the local backup password, which can be used to unlock older backups containing the data already removed from the device itself.
TL;DR
- iOS keychain contains valuable evidence
- Low-level extraction decrypts all keychain items
- New release: iOS Forensic Toolkit now supports keychain extraction on all supported devices running iOS 15.1.1 and older (previously up to and including iOS 14.4.1)
- In older releases, experts had to unlock the device with screen lock passcode during keychain extraction (and even then, some keychain items could be missing). New release: no need to unlock, all keychain items reliably decrypted.
- M1-based iPad Pro now supported.
- Keychain extraction walkthrough (with screenshots)
What is it all about
The ultimate goal of a forensic expert is extracting as much data from the device as possible. Logical acquisition is the simplest to use and the most compatible method that supports all devices and all versions of iOS (see Logical Acquisition: Not as Simple as It Sounds), but as we recently explained in Full File System and Keychain Acquisition: What, When, and How, a different approach may yield a significantly better return.
For devices up to and including the iPhone X (as well as many iPods and iPads, most Apple TV models, and Apple Watch S3), we have an excellent, forensically sound extraction method based on a bootloader exploit. However, for devices based on Apple’s A12 and newer SoC, this method is not applicable, and the only solution to extract the full file system and keychain is to use our unique agent-based method delivering about the same result.
The extraction agent uses kernel-level exploits, and so has limitations on which versions of iOS are supported. At the time of this writing, the agent supports iOS 15.1.1 and older versions. File system extraction is relatively simple (once we have a proper exploit), while the keychain has additional protection layers and is harder to decrypt. Because of that, we only supported keychain extraction on iOS 14.4.1 and older. This is changing with the updated version of Elcomsoft iOS Forensic Toolkit released today. The new build closes the gap in iOS version support and allows keychain decryption for all versions of iOS for which file system extraction is supported. This means that full file system extraction and keychain decryption are both available for all versions of iOS up to and including iOS 15.1.1, for all devices up to and including the iPhone 13 Pro Max.
Besides, there is one notable improvement in keychain extraction. In earlier versions, you had to enter the device passcode (sometimes even twice) during the process, or use Touch ID or Face ID on the phone. Regardless, from time to time some keychain records would not be extracted. With this update, we made the process completely flawless: there is no need to do anything on the phone, and the full keychain is always decrypted.
Last but not least, we have added full file system and keychain extraction for the latest model of iPad Pro (5th gen) based on the M1 SoC. The iPad was released over a year ago with iOS 14.5.1 onboard; we currently support all iOS 14 versions (up to 14.8.1), as well as iOS 15.0 to 15.1 (the same range as for the iPhones).
Keychain extraction with iOS Forensic Toolkit
Installing the Toolkit
For EIFT 7.x, just follow the standard installation procedure. The Windows version will guide you through the whole process and install the Elcomsoft iOS Forensic Toolkit icon in Start menu. For the macOS version, mount the DMG installation image and copy the product icon into Applications.
For EIFT 8.0 beta, installation requires some manual work. Once the proper DMG image is mounted (there are two: one for macOS Big Sur and Monterey, supporting both Intel and M1-based Macs; and the other one for macOS High Sierra, Mojave and Catalina), first copy the EIFT folder to the desktop (or any other folder of your choice). Then, remove the quarantine flag from that folder by running the following command from the console:
xattr -r -d com.apple.quarantine
Now cd to that folder and launch EIFT:
./EIFT_cmd
Agent installation
Connect the device to the computer with a Lightning cable or USB Type-C for select iPad models, and establish the trust relationship first.
In EIFT v7, the agent can be installed by choosing the [1] command from the menu; in EIFT v8, run the following command:
./EIFT_cmd agent install
You will then be prompted for an Apple ID and password, and might be requested to pass two-factor authentication.
Important: do not use the device owner’s Apple ID. For more details on accounts and limitations, please refer to iOS Low-Level Acquisition: How to Sideload the Extraction Agent. Regular and developer accounts can be used on Windows and macOS.
Note: agent installation may fail if the date and time on the device are incorrect.
Once the agent is installed, you should see the Acquisition app icon on the device’s home screen.
Usage
On the device, launch the extraction agent by tapping its icon:
In EIFT v7, run menu item [2] (keychain extraction); you will be prompted for the output path of the keychain file. In EIFT v8, run the following command:
./EIFT_cmd agent keychain -o
The extraction agent will use known exploits to obtain the required level of privileges, then read and decrypt keychain items and save them into an XML file for further analysis. You can analyze the extracted records with Elcomsoft Phone Breaker or review them manually. Please note that the output file name (to save the keychain) must be unique; if the file already exists, extraction will fail.
The exploiting stage may take up to a minute for some versions of iOS, although usually it is much faster. Saving the decrypted keychain is lightning fast.
Sometimes keychain extraction does not work on the first run: you either get “All exploits failed” on the device screen (in that case, just reboot the device and try again; there is no need to reinstall the agent, just launch it and run the acquisition again), or the device simply reboots. Some of the exploits we use require 3-5 tries.
You can now extract the full file system as well (in the form of a .tar archive), as described in the user’s manual – and finally, remove the agent from the device (note: some traces are always left).
Compatibility
You can extract the file system and decrypt the keychain via checkm8 or the extraction agent from the following devices:
- iPhone 5s, iPhone 6, iPhone 6s, iPhone SE (1st gen), iPhone 7, iPhone 8, iPhone X: all iOS versions they can run
- iPhone Xr/Xs, iPhone 11, iPhone 12, iPhone SE (2nd gen), iPhone 13: up to and including iOS 15.1.1
iPhone SE (3rd gen, 2022) is not on the list as it was released with iOS 15.4 onboard. We also have not listed other devices (such as iPod Touch, all iPad models including Mini/Air/Pro, Apple Watch and Apple TV); basically, the support is the same as for the iPhones according to the SoC they are based on.
And here is another representation for your convenience:
The asterisk means that we do support this model, but the device passcode needs to be removed in advance (iOS 14 and iOS 15 only). We are working on removing this limitation for the iPhone 7. Please also note that agent acquisition is not available for Apple TV (checkm8 works though).
We are working hard on supporting newer versions of iOS, including iOS 15.2 and up. Stay tuned!
Conclusion
Keychain extraction is often missed in the mobile device forensics process. Always extract the keychain when and if you are able to; it provides a lot of extra evidence compared to the file system alone.
By Vladimir Katalov at 2022-07-07 09:55:26 Source ElcomSoft blog:
-
iCloud backups: the Dark Territory
The Apple ecosystem includes a comprehensive backup system covering both local and cloud backups, plus data synchronization with end-to-end encryption for some categories. Today we’ll discuss iCloud backups, particularly targeting issues that are not covered in the official documentation.
Apple describes backups of both types in Backup methods for iPhone, iPad and iPod touch; some information specific to iCloud backups is published in How to back up your iPhone, iPad, and iPod touch with iCloud. Let’s start with basic information, and then proceed with some technical data and tips & tricks.
User experience
iCloud backups are enabled by default, along with the many synchronization options. Please note:
- Almost the same risks are imposed by iCloud synchronization, which is silently enabled by default.
- Everyone should have a recovery plan for lost or broken devices. Remember, your data can be either unique or valuable: if you don’t have a backup, you don’t value that data at all.
Another issue is that Apple only provides 5 GB of iCloud storage for free, and that’s definitely not enough to keep a full device backup. Once you are over your free cloud quota, further backups cannot be created. Since iOS 15, however, Apple offers an iCloud+ plan with lots of benefits, including 50 GB of cloud storage at a very fair price.
iCloud backups, when enabled, are created automatically when all of the following conditions are met:
- The device is connected to a power source, and
- The device is connected to Wi-Fi network, and
- The screen is locked.
The backups are created once a day, usually around 2 AM. Creating the initial (full) backup takes some time, while subsequent (differential) backups are created much faster as they are incremental, and only the changes are being uploaded.
In the past, Apple used to keep three backup snapshots regardless of the user’s iCloud plan. There was no setting to adjust the number of snapshots. These days, only two most recent snapshots are stored.
A fresh iCloud backup can be created manually by tapping the Back Up Now command in the Settings app. In this mode, the phone does not need to be connected to a power source, yet a Wi-Fi connection is still required. iOS 16 adds the ability to create backups using your mobile plan.
There are a few other things worth mentioning. Apple only provides some very basic backup management. By logging in to an iCloud account (or accessing backups from any logged-in device), you can only see the list of backups including device name and last backup date and size. You can also delete individual backups by device. No other options are available. You can restore a new device from almost any backup (the iOS version on the device being restored should be the same or newer than the OS version of the original device). Note that you can only restore from a cloud (or local) backup during the initial device setup (for new devices or devices after a factory reset).
What’s inside
There is almost no documentation on iCloud backups content. In What does iCloud back up? Apple says:
Here’s what iCloud Backup includes
- App data
- Apple Watch backups
- Device settings
- Home screen and app organization
- iMessage, text (SMS), and MMS messages
- Photos and videos on your iPhone, iPad, and iPod touch
- Purchase history from Apple services, like your music, movies, TV shows, apps, and books
- Ringtones
- Visual Voicemail password (requires the SIM card that was in use during backup)
The other one mentions something slightly different:
iCloud backups include nearly all data and settings stored on your device. iCloud backups don’t include:
- Data that’s already stored in iCloud, like Contacts, Calendars, Notes, iCloud Photos, iMessages, Voice Memos, text (SMS) and multimedia (MMS) messages, and Health data
- Data stored in other cloud services, like Gmail and Exchange mail
- Apple Mail data
- Apple Pay information and settings
- Face ID or Touch ID settings
- iCloud Music Library and App Store content
I would say that iCloud backups contain about the same set of data as local (iTunes-style) backups without a password, yet there is a notable difference:
Your iPhone, iPad, and iPod touch backups only include information and settings stored on your device. They do not include information already stored in iCloud such as Contacts, Calendars, Bookmarks, Notes, Reminders, Voice Memos, Messages in iCloud, iCloud Photos, and shared photos. Some information is not included in an iCloud backup but can be added to iCloud and shared across multiple devices like Mail, Health data, call history, and files you store in iCloud Drive.
So, local backups do contain all of the above, but iCloud backups miss at least media files, messages and voice memos if the user enables iCloud sync; see Set up and use iCloud Photos and Use Messages in iCloud. Software such as Elcomsoft Phone Breaker allows downloading this data directly from iCloud. Just note that messages and voice memos use “end-to-end encryption” (see iCloud security overview); in order to decrypt them, you need the passcode of one of the trusted devices in addition to the user’s iCloud credentials.
Also, iCloud backups do not include call logs, Safari browsing history and Health data; this data is synced directly through iCloud (call logs appear to sync directly across devices; they may be the only category that cannot be extracted from the cloud, even if you have all credentials including the second authentication factor and the passcode, and even the trusted device itself).
Finally, the keychain. The keychain is included in iCloud backups; it can be downloaded along with the rest of the data; however, you’ll be unable to decrypt it, as it is encrypted with a device-specific key that cannot be extracted even from the device itself. However, the keychain can also be synchronized through iCloud; see Set up iCloud Keychain for more details. iCloud Keychain also uses end-to-end encryption, yet Elcomsoft Phone Breaker can download and decrypt it.
The technical side
iCloud has a very complex structure; I’d say it is not just a cloud service but an ecosystem. All the files are stored in third-party datacenters all over the world. Some servers are hosted by Google, Amazon, Microsoft, and others; Apple’s own infrastructure is also there, but the company does not have a lot of physical servers. The data is split into chunks of variable size, and every chunk is encrypted using its own key. The keys are exclusively stored on Apple-owned servers.
As this topic is slightly outside of scope of this article, please watch our presentations to get more details on iCloud internals (protocols, encryption etc.):
Acquisition
Since Apple does not provide the ability to download a cloud backup, you will have to resort to third-party tools such as Elcomsoft Phone Breaker to obtain a copy of the data without restoring it onto a new Apple device (and attempting to extract the data from that device afterwards). We were the first to implement this feature almost 9 years ago (the news came out in August 2013).
At that time, iCloud security was much lower than it is now. For example, there was no two-factor authentication for backups; also, we have discovered a way to access backups without an Apple ID and password by using an authentication token that can be easily extracted from a Windows or macOS desktop logged into the same iCloud account.
Since then, Apple learned their lessons, and current iCloud backups are more difficult to download and to decrypt.
The (not so) fun side
Quite a few Apple users never enable iCloud backups because of privacy and security concerns. These are valid concerns. There were several cases related to iCloud hacks; here are just a few:
And that’s not only about stealing someone’s credentials and downloading iCloud data using third-party software. Apple, under certain circumstances, hands the data to law enforcement officials; see Examining a Leaked Criminal Warrant for Apple iCloud Data in a High Profile Case (part one, part two) for example.
Conclusion
Let me speculate about the future. I believe Apple will eventually get rid of local (iTunes-style) backups entirely, leaving iCloud backups as the only option. This may or may not coincide with the removal of the Lightning port from iPhones. Whether you are using iCloud backups or not, educate yourself about the security risks:
By Vladimir Katalov at 2022-07-05 10:00:18 Source ElcomSoft blog:
-
Full File System and Keychain Acquisition: What, When, and How
We often write about full file system acquisition, yet we rarely explain what it is, when you can do it, and which methods you can use. We decided to clarify low-level extraction of Apple mobile devices (iPhones and iPads, and some other IoT devices such as Apple TVs and Apple Watches).
What
Data acquisition is the first and most important step in mobile forensics. Multiple extraction methods exist, but you rarely have a choice: often, only one or two will be available for a given device in a given condition.
These methods extract different types and amounts of data. Full file system extraction is exactly what it says on the tin: you get every bit of data from the device except unallocated space, right from the root folder and including all application data, temporary files, logs, system files (which is important if you suspect a malware infection), detailed location history etc.
How does it compare to other methods? The difference is huge. The simplest (and almost always available) method is logical extraction. Logical acquisition is the most compatible and the easiest to use (yet not as simple as it sounds), but it returns the least amount of data; it cannot extract the file system, but it still returns a copy of the keychain if you do it right.
While logical extraction is 100% compatible regardless of the device model and version of iOS (or iPadOS, watchOS, tvOS), it returns a limited set of data. Most common categories such as contacts, calls, notes, media files are there, but that’s really far from what you can actually get with full file system extraction. A lot of data is simply missing with logical extraction.
Also, the keychain. Remember the “do it right” part? With logical extraction, you can sometimes decrypt the keychain, but not every record. Some records including encryption keys and authentication tokens are only available with full file system extraction.
Also, do not forget that logical extraction of Apple TV and Apple Watch is very limited: there are no backup services there, and all you can get is media files and some logs. With full file system extraction, you get everything.
When
The answer is probably obvious, but we still want to say it: do full file system extraction whenever you can (subject to device model and iOS version compatibility).
If you only need such things as the call log or notes, you can get by without a copy of the file system; attempting one would only waste your time without adding any value. If, however, you require as much evidence as possible, extracted in the cleanest possible way, get the whole file system if you can.
Unfortunately, many modern devices running up-to-date versions of iOS are incompatible with low-level extraction methods. In that case, you will be limited to logical acquisition – but there are plenty of tips and tricks to it.
How
You need low-level extraction to access the file system. Low-level extraction comes in many flavors. The hardware-bound checkm8 extraction is the cleanest of the pack, while the software-based extraction agent works on any hardware that runs a compatible version of iOS. Agent-based acquisition is second best to checkm8, delivering robust file system extraction for all Apple devices running a compatible version of iOS. Agent-based extraction comes as close to being forensically sound as possible, only installing a lightweight app and not altering any user data.
What makes a certain iOS version ‘compatible’ with the agent? The extraction agent obtains the required level of privileges by exploiting one of the known vulnerabilities in iOS kernel. To do this, the app packs a number of kernel-level exploits and uses one or another to escape its sandbox and access the file system. Such exploits require time and effort to find and to implement, while Apple actively patches known vulnerabilities in iOS updates. This is why the latest versions of iOS are generally immune to exploits developed for earlier builds (although we know of several exceptions).
How do these methods compare? Checkm8 extraction is based on a hardcoded bootloader exploit available on Apple’s legacy models. The acquisition agent gains the required level of privileges by exploiting vulnerabilities in iOS (thus being software-bound). Both return almost the same set of data, but have their own pros and cons. Here they are:
checkm8
+ works with all iOS versions
+ does not care about MDM
+ forensically sound
– does not work with modern devices
– you may need to remove the passcode (and so lose some data)
agent
+ works with all devices up to iPhone 13 Pro Max and even the M1-based 5th gen iPad Pro
+ no need to remove the passcode
– not exactly forensically sound, makes some changes to the system
– limited compatibility with iOS versions
– MDM may prevent the method from working
– requires an Apple Developer account to use
Conclusion
Make a copy of the file system and extract the keychain if you can, and you will not be disappointed. Do not expect a “one click” solution there, though; low-level extraction is always tricky no matter which method you use. But it is worth it.
By Vladimir Katalov at 2022-06-28 10:00:30 Source ElcomSoft blog:
-
GPU Acceleration: Attacking Passwords with NVIDIA RTX Series Boards
Today’s data protection methods utilize many thousands (sometimes millions) of hash iterations to strengthen password protection, slowing down attacks to a crawl. Consumer-grade video cards are commonly used for GPU acceleration. How do these video cards compare, and what about the price-performance ratio? We tested five reasonably priced NVIDIA boards ranging from the lowly GTX 1650 to the RTX 3060 Ti.
Why use a video card instead of a high-end multi-core CPU? A single NVIDIA RTX 3090 board can break passwords up to 600 times faster than a 12th-generation Intel Core i9-12900K, while costing twice as much as Intel’s high-end CPU. Not everyone can afford a 3090, and not everyone needs it. Mid-range video cards can deliver respectable performance at a fraction of the flagship’s price.
Until today, the GPU market was extremely overheated. High-performance video cards were almost entirely consumed by crypto miners, skyrocketing the prices of all but the lowest-performing models. We attempted addressing the issue with heterogeneous GPU acceleration, a technology allowing the use of multiple video cards of different makes and models in the same computer. The technology (built into Elcomsoft Distributed Password Recovery) allows utilizing existing hardware in mix-and-match scenarios and postponing the upgrade.
Next, we looked around to find what was still available. We found a number of reasonably priced low-end video cards that could not be economically used for crypto-mining. We even toyed with the idea of using integrated GPUs built into many modern processors with some interesting results.
Today, GPU prices are in free fall. The highly anticipated NVIDIA Ada Lovelace and GeForce RTX 40-Series cards are around the corner, which lowers the demand on existing stock. Intel is about to enter the game with Xe-based Intel Arc Alchemist discrete GPUs, while AMD is refreshing its GPU range while teasing .
This time we tested the following five boards:
- NVIDIA GTX 1650
- NVIDIA RTX 3050
- NVIDIA RTX 3060
- NVIDIA RTX 2070
- NVIDIA RTX 3060 Ti
All the boards except the RTX 2070 were tested on the same system based on Intel’s Alder Lake i9-12900K CPU, while the RTX 2070 was tested in a workstation based on the Intel Core i5-8500 CPU. Note that GPU-accelerated attacks put little load onto the CPU (approximately 3 to 6 per cent utilization per CPU core), which makes such tests CPU-agnostic.
Benchmarks
The benchmarks demonstrate an almost linear growth of performance depending on the video card – with one exception.
This is the exception: the RTX 2070 benchmarked higher than expected in the SHA-256 test. Since the other tests were consistent, and since we had to use a different workstation to benchmark this card, we’d recommend taking this result with a grain of salt.
Price/performance ratio
Our price/performance charts are based on today’s mid-market prices in Germany. We based the “performance” part on the WinZip/AES-256 benchmark using the latest and highly optimized version of Elcomsoft Distributed Password Recovery. While not perfect, this method allowed us to do a more-or-less fair price/performance comparison.
Normalized price/performance assumes the p/p of a CPU-only attack as a “1”
| Model | Passwords/sec | Price, EUR | Price/performance |
|---|---|---|---|
| GTX 1650 | 1440000 | 186 | 1.00 |
| RTX 3050 | 1860000 | 297 | 0.81 |
| RTX 3060 | 2650000 | 377 | 0.91 |
| RTX 2070 | 3200000 | 478 | 0.86 |
| RTX 3060 Ti | 3440000 | 549 | 0.81 |

The numbers from the benchmarks and this table allow us to draw a simple conclusion: with NVIDIA, you get what you pay for. The NVIDIA RTX 3060 Ti is naturally the fastest and the GTX 1650 the slowest model, with linear scalability in between. There are no significant deviations in price/performance that would make a certain model stand out, except that we don’t recommend buying past-generation video cards today unless you can source them below market prices. The GTX 1650 only ‘wins’ in the price/performance listing because of the very low cost of such an old model. If you can source a certain model above or below these listed prices, your price/performance ratio will be different.
By Oleg Afonin at 2022-06-24 13:07:41 Source ElcomSoft blog:
-
Logical Acquisition: Not as Simple as It Sounds
Speaking of mobile devices, especially Apple’s, “logical acquisition” is probably the most misused term. Are you sure you know what it is and how to properly use it, especially if you are working in mobile forensics? Let us shed some light on it.
Introduction
You have probably seen charts depicting and comparing the various acquisition methods for mobile devices, sometimes starting with “chip-off” (or even “micro-read”) and going all the way to manual extraction.
Logical acquisition is the simplest, most reliable, and most compatible method, supporting 99% of Apple mobile devices. If you follow our blog, you should know that this method does not return the maximum amount of data compared to other methods. But due to its compatibility and simplicity, it remains the most popular extraction method. There are a few tricks to learn that will help you make use of it in the most effective way.
What does it mean?
Speaking of Apple mobile devices (iPhone, iPad) and some gadgets (Apple Watch, Apple TV), “logical” is almost always a synonym for “backup”, but there are caveats.
First, neither Apple TV nor Apple Watch devices make full backups; only iPhones and iPads do.
Second, logical acquisition is not just about backups, but also includes media files available via AFC (Apple File Conduit) protocol, as well as diagnostics logs and shared files. Let’s elaborate.
Media files
Media files such as photos, videos and music are stored in a slightly different way than most other files. Even if a backup is password-protected, these files can be easily extracted. It’s not just the files, but also the metadata stored in special system databases; the metadata includes information on how these files were edited, what albums they belong to, objects and people recognized using built-in engines, thumbnails, EXIF data (including geolocation and timestamps), and more. Sometimes you can even get some information on deleted files, but this is outside the scope of this article.
Diagnostics logs
Do not underestimate device logs! They can be easily extracted using proper software (such as Elcomsoft iOS Forensic Toolkit), and they contain lots of timeline data.
Shared files
Some applications (such as Microsoft Office, some password managers etc.) allow sharing their data across the system; it is not sandboxed but accessible from the outside. Like with media files, you can get access to this data even if the backup is password-protected (again, using proper software).
Connecting and pairing the device
You may encounter the first obstacle right from the get-go. Connecting the device to the computer may not immediately establish a connection over the USB (Lightning) cable due to USB restrictions. We have an article on USB restricted mode that may help you work around this limitation. Note that simply unlocking the device with a passcode or biometrics turns off the restriction and re-enables USB connectivity.
Accessing any data on the device beyond basic information requires pairing the device to the computer, which requires entering the correct passcode on the device itself. There is currently no practical way around it as lockdown files are extremely short-lived.
Password-protected backups
Old backups (both local and cloud) may be everything you have access to. The backups have a value of their own, often containing evidence that was later deleted in the device itself.
A backup may have a password set, and this is a problem. As we explained, the backup password is a property of the device, and once it is set, you cannot just create another backup without a password. It does not matter which computer you connect the device to; all backups will be created with the same password, and there is no way to change it unless you know it – with a caveat.
Starting with iOS 10.2, you can run a brute-force attack on iTunes backups, albeit very slowly (just several passwords per second on a CPU, and a couple hundred p/s on a modern video card); even a relatively short password cannot be cracked in a reasonable time.
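The reason a backup password survives even a GPU attack is the one the GPU benchmarking post earlier on this page also makes: the key derivation repeats a hash many thousands of times, so every guess is expensive. The following cost model is an added example for this page, not ElcomSoft's code, and it does not reproduce the real iTunes backup or WinZip key-derivation schemes. PBKDF2-HMAC-SHA256, the 100,000-iteration count, the verifier construction and the 200 guesses/second figure are assumptions; the WinZip/AES-256 rates are the ones quoted in the benchmark table on this page.

```python
"""Cost model for password-protected containers that stretch the password with PBKDF2.

Added example for this page; it is not ElcomSoft's code and does not reproduce the
real iTunes backup or WinZip key-derivation schemes. Iteration count, salt handling
and the sample keyspaces are constructed assumptions chosen to show why a high
iteration count turns an otherwise fast GPU attack into a slow one.
"""
import hashlib
import hmac
import os
import time

KEY_LEN = 32                  # bytes of derived key material
DEFAULT_ITERATIONS = 100_000  # assumption; real formats pick their own counts

# Throughput figures: the two WinZip/AES-256 rates are quoted on this page; the
# backup rate is an assumed 200 guesses/s standing in for the "couple hundred p/s"
# the article cites for iOS 10.2+ backups on a modern GPU.
RATES_PER_SECOND = {
    "GTX 1650 (WinZip/AES-256)": 1_440_000,
    "RTX 3060 Ti (WinZip/AES-256)": 3_440_000,
    "iOS 10.2+ backup, GPU (assumed 200/s)": 200,
}


def derive_key(password: str, salt: bytes, iterations: int = DEFAULT_ITERATIONS) -> bytes:
    """Stretch the password: every guess must repeat the HMAC `iterations` times."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, KEY_LEN)


def protect(password: str, iterations: int = DEFAULT_ITERATIONS) -> dict:
    """What a container stores: salt, iteration count and a verifier derived from the key."""
    salt = os.urandom(16)
    key = derive_key(password, salt, iterations)
    verifier = hmac.new(key, b"password-verifier", "sha256").digest()
    return {"salt": salt, "iterations": iterations, "verifier": verifier}


def check_password(candidate: str, record: dict) -> bool:
    """Verify a candidate; the comparison is constant-time, the KDF cost is the point."""
    key = derive_key(candidate, record["salt"], record["iterations"])
    tag = hmac.new(key, b"password-verifier", "sha256").digest()
    return hmac.compare_digest(tag, record["verifier"])


def measure_rate(record: dict, guesses: int = 3) -> float:
    """Guesses per second one CPU core achieves against this record."""
    start = time.perf_counter()
    for i in range(guesses):
        check_password(f"not-the-password-{i}", record)
    return guesses / (time.perf_counter() - start)


def seconds_to_exhaust(alphabet_size: int, length: int, rate_per_second: float) -> float:
    """Worst-case time to try every password of `length` symbols at the given rate."""
    return alphabet_size ** length / rate_per_second


def hours_to_exhaust(alphabet_size: int, length: int, rate_per_second: float) -> float:
    """Same worst case expressed in hours."""
    return seconds_to_exhaust(alphabet_size, length, rate_per_second) / 3600


if __name__ == "__main__":
    record = protect("correct horse battery staple")
    print("verify:", check_password("correct horse battery staple", record))
    print(f"one CPU core here: {measure_rate(record):.1f} guesses/s "
          f"at {record['iterations']} iterations")
    for name, rate in RATES_PER_SECOND.items():
        hours = hours_to_exhaust(26, 8, rate)  # 8 lowercase letters: 26**8 candidates
        print(f"{name}: 26^8 keyspace exhausted in {hours:,.0f} h "
              f"({hours / 8760:,.1f} years)")
```

At the WinZip/AES-256 rates from the table, eight lowercase letters fall in well under a day; at a couple hundred guesses per second, the same keyspace takes decades, which is the practical meaning of "cannot be cracked in a reasonable time". The verifier construction also shows why the legitimate owner pays the KDF cost only once per unlock while an attacker pays it for every guess.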
Starting with iOS 11, Apple introduced a way to remove the backup password by resetting device settings (you’ll need to enter the device passcode to do that). Sounds simple? It is, but this operation has some negative consequences, as the device passcode is also reset:
- Some user’s data is deleted (e.g. Apple Wallet transaction history)
- Microsoft Exchange mail (downloaded to the device)
- The data of some applications that require the passcode to be set
- Some keychain items are deleted
- iCloud tokens are deleted
- Login data for some applications and online services (including some messengers for example) is lost
The last item probably needs some explanation. If the device is logged in to iCloud and has a passcode set (and you know that passcode), in most cases you can change the iCloud password without knowing the old one. That gives you full access to all iCloud data: the files stored on iCloud Drive, iCloud backups, and iCloud synced data (including “end-to-end encrypted” data). But once you reset device settings (and so the device passcode), this opportunity is lost.
Somewhat counterintuitively, if the backup password is not set, you should set it yourself. Password-protected backups contain a lot more data compared to unencrypted ones. This includes the device keychain, Health data, call logs, Safari browsing history, and more.
There is one more thing: sometimes you may be unable to reset device settings. At least two things may block the reset:
- MDM (Mobile Device Management) profile
- Screen Time password
The Screen Time passcode is always four digits, yet it is hard to crack: after several unsuccessful attempts, iOS enforces a one-hour delay before you can enter another passcode. In the worst case it takes 10,000 hours, and this process cannot be accelerated.
The keychain
iOS keychain keeps user passwords and system authentication data such as keys and tokens. The keychain is included in both encrypted and unencrypted backups. However, if the backup is produced without a password, the keychain in that backup will be encrypted with a device-specific hardware key that is not accessible with logical acquisition. If you set a known backup password, you’ll be able to extract many keychain items.
Note that you cannot access some keys and tokens via logical acquisition regardless of the password. Also note that low-level extraction methods allow extracting the entire keychain as well as the original backup password.
iCloud backups
iCloud backups contain almost the same set of data as local (‘iTunes’) backups. Apple does not provide any way to download them; one can only restore them onto a new device. However, we have a tool for that: Elcomsoft Phone Breaker. Downloading an iCloud backup requires the user’s Apple ID and password plus access to the second authentication factor (trusted device or SIM card). See above for how to reset the password.
Apart from the backups, there is usually a lot of synced data stored in iCloud (including so-called “end-to-end encrypted” data), as well as files and documents. With proper credentials (device passcode or macOS system password), you can access all of it.
This, however, is not usually called “logical acquisition” but fits into the “cloud acquisition” category.
Conclusion
We wrote about it many times but wanted to say it again: carefully learn how acquisition methods work, and do not blindly trust any forensic tool regardless of who it comes from. There are no simple ways in mobile forensics, and even the best software won’t do the job for you with a push of a button.
By Vladimir Katalov at 2022-06-23 10:34:55 Source ElcomSoft blog:
-
checkm8 Extraction: the iPads, iPods, and TVs
The ninth beta of iOS Forensic Toolkit 8.0 for Mac introduces forensically sound, checkm8-based extraction of sixteen iPad, iPod Touch and Apple TV models. The low-level extraction solution is now available for all iPad and all iPod Touch models susceptible to the checkm8 exploit.
checkm8 is applicable to all devices with the bootloader vulnerability, yet there are technical differences when it comes to implementing the exploit on the various devices. In this update we are targeting non-iPhone devices, spending effort to support the many iPads equipped with the corresponding SoCs. While other vendors have been offering their own implementations of checkm8 extraction for quite a while, we found their solutions to lack in device/iOS version coverage and to miss the “forensically sound” mark.
Typically, the service life of an iPad is several times as long as that of an iPhone of the same generation. This is reflected in the number of supported battery charge cycles. While Apple claims that a typical iPhone battery is designed to retain up to 80% of its original capacity at 500 complete charge cycles, an iPad battery is designed to retain similar capacity at 1000 complete charge cycles. In other words, despite their age, many of these tablets are still actively used – and can now be extracted.
In addition to extended service life, iPads are real workhorses compared to the iPhone. They are actively used in companies and as BYOD. Unlike iPhones, which are designated as media consumption devices, iPads (especially the Pro lineup) are made for creative tasks, which results in a lot of highly valuable potential evidence.
Compatibility
The newly added iPad models include the full-size iPad 5, 6, and 7, the iPad Mini 2, 3, and 4, the iPad Air 1 and 2, and the iPad Pro 1 and 2 (9.7” and 12.9” models respectively). In addition, iPod Touch 6 and 7 are also supported. This is in addition to previously supported iPad and iPod Touch models. Currently, our checkm8 extraction solution supports all iPad and all iPod Touch models having the bootloader vulnerability with no exceptions.
All versions of iOS up to and including iOS 15.5 are supported. Here is the full list of supported iPad models:
Technical notes
For most devices the exploit can be applied directly. However, there are several requirements when it comes to some other devices.
The Apple TV 4K does not have a USB port anymore. Connecting it to the computer requires additional hardware and some soldering skills.
For iPad 6/7 and iPad Pro 2 devices running iOS 14 or 15, the passcode must be removed prior to the extraction. Follow this guide to disable the passcode: How to Remove The iPhone Passcode You Cannot Remove
Will I need the Pico board?
In the seventh beta, we introduced a hardware/software solution to help place the iPhone 4s into PwnedDFU. The solution requires a Raspberry Pi Pico board with custom firmware. You won’t need the Pico board to work with most iPad and iPod Touch models except those based on the same USB controller as the iPhone 4s.
Please refer to the following table for devices requiring the Raspberry Pi Pico board to utilize our checkm8 extraction solution:
Conclusion
It is difficult to overestimate the importance of checkm8 for mobile forensic specialists. Our solution is the only one on the market supporting forensically sound checkm8 extraction for all Apple devices with the bootloader vulnerability, including all compatible iPhone, iPad, and iPod Touch models, as well as the Apple TV and Apple Watch devices.
By Oleg Afonin at 2022-06-21 10:55:00 Source ElcomSoft blog:
-
Filling the Gaps: iOS 14 Full File System Extracted
iOS Forensic Toolkit 7.40 brings gapless low-level extraction support for several iOS versions up to and including iOS 15.1 (15.1.1 on some devices), adding compatibility with previously unsupported versions of iOS 14.
What’s it all about
Low-level extraction is commonly used by forensic specialists to obtain digital evidence not otherwise accessible via the lighter and simpler logical acquisition process. Elcomsoft pioneered agent-based low-level extraction, utilizing a lightweight app for accessing the file system and establishing a communication channel between the expert’s computer and the device being extracted. Once sideloaded onto the device, the extraction agent applies an exploit to obtain superuser privileges and gain low-level access to the file system.
Prior to this update, iOS Forensic Toolkit could perform low-level extraction of most iPhone models running iOS 9 through iOS 14.8, iOS 15-15.1, and iOS 15.1.1 on select platforms. For the A14 platform specifically, the extraction agent supported only iOS 14.0-14.3 and 15.0-15.1, leaving the rest of the iOS 14 range missing. This made for a rather fragmented support matrix. In this release, we closed the two remaining gaps, once again offering truly gapless file system extraction for all supported platforms. With this update, we made it possible to perform full file system extraction of iOS 9.0 through 15.1 for all iPhone and iPad models that can run these versions of iOS, and iOS 15.1.1 on some models.
Benefits of agent-based extraction
There are several extraction methods of varying complexity and compatibility. Logical acquisition is the most compatible and the easiest to use, yet it returns the least amount of data. Low-level extraction delivers tangible extras such as location data, comprehensive device usage stats, and all sandboxed app data, including communication histories in the most secure messaging apps.
Low-level extraction comes in multiple flavors, checkm8 being the cleanest and jailbreaks being the most obtrusive of the pack. Agent-based acquisition is second best to checkm8, delivering robust file system extraction for all Apple devices running a compatible version of iOS. Agent-based extraction comes as close to being forensically sound as possible, only installing a lightweight app and not altering any user data.
What makes a certain iOS version ‘compatible’ with the agent? The extraction agent obtains the required level of privileges by exploiting one of the known vulnerabilities in iOS kernel. To do this, the app packs a number of kernel-level exploits and uses one or another to escape its sandbox and access the file system. Such exploits require time and effort to find and to implement, while Apple actively patches known vulnerabilities in iOS updates. This is why the latest versions of iOS are generally immune to exploits developed for earlier builds (although we know of several exceptions).
iOS 14.8.1
In earlier versions of iOS Forensic Toolkit, we supported iOS versions up to and including iOS 14.8. We also supported iOS 15.0-15.1 on all compatible devices, and iOS 15.1.1 on some platforms. iOS 14.8.1 was notably missing from the list due to the lack of a proper exploit.
For other iOS versions including iOS 15, the extraction agent relied on kernel exploits that are publicly available. The situation is different with iOS 14.8.1, which does not have a public exploit. For this iOS build we incorporated a new, unpublished exploit, making our extraction agent the first tool of its kind to support this version of iOS.
iOS 14.4-14.8.1 (Apple A14)
Prior to this release, we supported iOS 15.0-15.1 on all platforms, and iOS 15.1.1 on some devices. Notably, on Apple A14 Bionic devices the entire range of iOS 14.4-14.8.1 was not supported. iOS Forensic Toolkit 7.40 brings iOS 14.4-14.8.1 support to A14 devices, now offering gapless coverage of all compatible devices and all versions of iOS ranging from iOS 9.0 through 15.1.1.
Using the extraction agent
You’ll need a supported iPhone or iPad device running a compatible version of iOS. Please refer to the following picture for the matrix of supported device models and iOS versions:
Using an Apple ID registered in Apple’s Developer Program is strongly recommended for installing the agent, as it alleviates the need to open Internet access on the device. A workaround is available to Mac users. Comprehensive instructions on How to Sideload the Extraction Agent are available in our blog.
Steps to extract the file system and decrypt the keychain
To extract the file system and decrypt the keychain from an iOS device without a jailbreak, follow these steps.
- Connect the iPhone to your computer. Pair the device (establish trusted relationship) by confirming the prompt on the iPhone and entering the screen lock passcode.
- Launch iOS Forensic Toolkit 7.40 or newer.
- On the computer, sideload the extraction agent by using the corresponding command in iOS Forensic Toolkit.
- On the iPhone, launch the extraction agent by tapping its icon.
  Windows: developer account required. Use an app-specific password.
  macOS: developer account not required but strongly recommended.
- If supported, extract the keychain. Extract the file system image (full file system or data partition). We recommend extracting the data partition only; the full image may be useful, e.g. to check the system partition for persistent malware.
- On the iPhone, uninstall the extraction agent in a regular way.
- You may now disconnect the iPhone and start analyzing the data.
By Oleg Afonin at 2022-06-09 10:55:31 Source ElcomSoft blog: