WJN Cybersecurity Company

Tag: Digital Forensics

Digital Forensics

  • Apple iCloud Acquisition: A Lifeline for Forensic Experts

    Apple iCloud Acquisition: A Lifeline for Forensic Experts

    Acquiring data from locked, broken, or inaccessible devices poses significant challenges. However, valuable information can often still be retrieved by obtaining the data from iCloud, including data that was deleted from the device long ago with no chance of local recovery. In this article, we will explore the classic acquisition methods available for iOS devices and focus on the crucial role of Apple iCloud in forensic investigations.

    Classic Acquisition Methods

    For iOS devices, low-level extraction is the most effective method: it returns the full file system image and decrypts the keychain, which holds important data like passwords and encryption keys. Low-level extraction remains the only way to access encrypted conversations in secure instant messengers (e.g. Signal). However, low-level extraction is only available for older devices or versions of iOS, and support for newer iOS releases always lags behind. The rapid succession of updates and patches makes data extraction a continuous challenge for forensic experts.

    In cases where unsupported iOS versions are encountered, advanced logical extraction becomes the only viable option. While it allows the extraction of device backups, some system logs, media files and metadata, it may not retrieve critical data like email messages or conversation histories from popular instant messaging apps.

    No device – no data?

    In some situations, accessing data directly from the device may not be possible or may not return all the desired information, even if the device is unlocked. This is particularly relevant when dealing with deleted data. When the device is factory reset, or data is deleted from it, the data may seem irretrievable. Because modern versions of iOS encrypt every file with its own per-file key, and that key is gone once the file is deleted, deleted files remain completely inaccessible even if low-level access to device storage is granted.

    Certain scenarios render the device inaccessible for data extraction. Physical damage to the device, such as water damage or hardware failure, can pose significant challenges. Additionally, a device that has undergone a factory reset or has been wiped clean may hinder data retrieval efforts.

    In such cases, cloud extraction provides a viable solution.

    The Role of iCloud in Data Acquisition

    Apple iCloud, being a centralized cloud storage and synchronization system for Apple devices, holds a wealth of information, including backups, synchronized data, and a large amount of sensitive information protected with end-to-end encryption.

    iCloud backups, introduced in 2011, store system and application data similar to passwordless local backups. However, synchronized data, like photos from iCloud Photos, may not be present in these backups; these and many other types of data can be retrieved from iCloud by accessing synchronized data.

    Accessing iCloud backups typically requires restoring onto a physical Apple device. This is the only way officially supported by Apple; there are no backup management tools and no official way to download iCloud backups from Apple servers. Accessing synchronized data is somewhat easier as some categories can be accessed by setting up iCloud on a Mac or using iCloud for Windows. Still there exists no way to download iCloud backups with official Apple software.

    Getting iCloud Data: The Legal Way

    To obtain iCloud data legally, forensic experts can request the data from Apple directly. This process involves specific steps and documentation, which can vary depending on the jurisdiction and legal requirements. Additionally, they may need to obtain proper consent or court orders, depending on the circumstances.

    Requests to Apple must follow a defined pathway: Apple publishes separate guidelines for U.S. and non-U.S. law enforcement officials.

    The printable request form is available here:

    The following general resources are available:

    While the legal pathway ensures that the data is obtained with proper authorization, reinforcing the credibility of the evidence in any legal proceedings, the process may be lengthy and highly complicated.

    Alternative Approach to iCloud Data Extraction

    Elcomsoft Phone Breaker is a forensic tool that revolutionized iCloud backup extraction by eliminating the need for using authentic Apple hardware to restore iCloud data to. With this tool, experts can download iCloud backups created with devices running all versions of iOS up to and including iOS 16.x, access all types of synchronized data, and even decrypt end-to-end encrypted data (more on that later). Synchronized data encompass various types of information, such as calendars, contacts, notes, and more, which are synchronized by Apple apps across different devices linked to the user’s iCloud account.

    To download iCloud backups and synchronized data using Elcomsoft Phone Breaker, the following requirements must be met:

    1. The user’s Apple ID and password.
    2. A one-time code for two-factor authentication, if enabled on the user’s account.

    We published a comprehensive guideline on iCloud extraction:

    End-to-End Encrypted Data

    End-to-end encryption is used as an additional protection layer to safeguard some of the most sensitive information against unauthorized access, even if an intruder knows the login and password to the user’s cloud account. Technically, end-to-end encrypted records belong to synchronized data. Data protected with end-to-end encryption requires an additional secret to unlock the encryption key; that key can be unlocked with the screen lock passcode (iOS) or the macOS account password of one of the trusted devices. End-to-end encrypted categories include iCloud Keychain (authentication data and passwords), Health, Safari browsing history, iMessages, and several others.

    Downloading end-to-end encrypted data requires all of the following:

    • The user’s Apple ID and password
    • One-time code for two-factor authentication (a must; end-to-end encryption is not available for accounts without two-factor authentication)
    • Screen lock passcode or system password of a trusted Apple device with the same Apple ID

    Apple itself states that it cannot provide this encrypted information when serving legal requests. Our software can retrieve end-to-end encrypted data, but it requires the passcode or password of one of the trusted devices associated with the iCloud account. This capability makes Elcomsoft Phone Breaker the only tool on the market capable of extracting end-to-end encrypted data.

    Advanced Data Protection for iCloud

    Advanced Data Protection for iCloud is an optional setting that provides Apple’s highest level of cloud data security. When enabled, it offers end-to-end encryption for the majority of the user’s iCloud data, including iCloud backups, photos, notes, and more. This advanced encryption ensures that no one, not even Apple, can access end-to-end encrypted data, making it highly secure, even in the event of a cloud data breach. As forensic experts, it’s important to be aware of this data protection feature, as it means that data stored in iCloud accounts with this feature enabled may not be accessible using either the legal pathway or conventional forensic tools, including our software. While our software excels in extracting a wide range of iCloud data, Advanced Data Protection poses unique challenges due to its advanced protection measures.

    Legal Considerations

    When it comes to forensic investigations for legal proceedings, complexities arise. While ongoing investigations have clearer guidelines, presenting evidence in court requires meticulous adherence to legal standards and potential challenges from opposing parties. Therefore, forensic experts must be educated in legal procedures and practices to ensure the integrity of their findings.

    Conclusion

    iCloud acquisition is a valuable resource for forensic experts facing challenges in acquiring data from locked, broken, missing, or wiped devices. While classic acquisition methods provide access to certain data, iCloud extraction opens up new possibilities for retrieving crucial information, even including end-to-end encrypted data. However, forensic experts must be aware of the legal complexities and always ensure compliance with the law to uphold the integrity of their investigations.

    By Oleg Afonin at 2023-07-25 16:00:44 Source ElcomSoft blog:
    Apple iCloud Acquisition: A Lifeline for Forensic Experts

  • iOS Device Acquisition: Installing the Extraction Agent

    iOS Device Acquisition: Installing the Extraction Agent

    Acquiring data from Apple devices, specifically those not susceptible to bootloader exploits (A12 Bionic chips and newer), requires the use of agent-based extraction. This method allows forensic experts to obtain the complete file system from the device, maximizing the amount of data and evidence they can gather using the iOS Forensic Toolkit. In this article, we will discuss some nuances of agent-based iOS device acquisition.

    Please note: for technical reasons, support for iOS 9 through 11 was removed from recent versions of the extraction agent. From now on, the earliest version of iOS supported by the extraction agent is iOS 12. For this reason, if you need to extract a device running an earlier version of iOS than iOS 12, you’ll have to use iOS Forensic Toolkit 8.23 or 7.81.

    How does it work?

    Technically speaking, agent-based extraction involves gaining extended (usually root) privileges and bypassing the device’s sandbox restrictions. This grants access to every folder on the device, allowing experts to read all of its files as well as the keychain. However, this process is far from simple. Apple iOS employs multiple layers of protection, making it challenging to breach. Mere kernel read/write access is insufficient; several exploits (a chain of exploits) are necessary to achieve the desired outcome.

    The first step in the process is to install our app, known as the Agent, onto the target iPhone. However, this task presents a considerable challenge. But first let’s briefly explore the concept of sideloading.

    What is sideloading?

    Sideloading refers to the installation of apps on a device through methods other than the official App Store. This involves using tools like Apple’s own Xcode or a third-party app, or using an unofficial signing service (mostly relying on leaked enterprise certificates) directly on the device. To sideload an app on devices running iOS 16, users must enable Developer Mode in the device settings beforehand. Older versions of iOS do not require a special mode to sideload. Generally, Apple does not support sideloading, except for internal app testing and development using the official SDK. Official sideloading support might be coming to iOS 17 in conformance with the EU’s Digital Markets Act, yet at this time we don’t know much about it.

    After sideloading the app onto the device using a non-developer account, one must navigate to Settings > General > Device Management and trust the developer certificate associated with the sideloaded app. The certificate will be validated through ppq.apple.com. This additional step is required for the device to recognize the app and allow it to run. It requires allowing the device to connect to an Apple server, which in turn has certain forensic consequences. There are several ways to solve this issue, one of which is using an Apple account enrolled into the Developer Program, and another using a software or hardware firewall to restrict device connectivity.

    The importance of Apple ID

    If the device is not jailbroken (we can safely assume it is not), sideloading the agent requires an Apple ID. No alternative methods exist. Whether you possess an Apple Developer account or not determines the approach you can take, and this distinction is crucial. Non-developers can sideload apps onto iOS devices only from macOS, but it necessitates bringing the device online, which poses certain risks (explained below).

    Apple Developer accounts

    An older Apple Developer account is ideal for our purposes. With this type of account, sideloading the agent, or any other app, is straightforward. Note that on iOS 15 and 16 sideloaded apps need additional online verification during the first run, processed through humb.apple.com, and presently no workaround exists for this limitation. However, if the account was registered prior to June 6, 2021, there is no requirement to bring the device online when launching the app for the first time.

    For those using a corporate developer account rather than a personal one, keep in mind that Developer privileges alone are insufficient to sideload apps; App Manager privileges are also necessary.

    An Apple Developer account allows you to sideload an app on up to 100 devices of each type (iPhone and iPad, in our case) per year. Nevertheless, there is a catch. After the tenth device, a delay of up to 72 hours occurs before adding a new device to the account and permitting app sideloading. The reasoning behind this limitation remains unknown, and it is highly unlikely that it is an anti-forensic measure.

    Regular accounts

    Regular, non-developer accounts can also be utilized for sideloading the agent (macOS only). However, it is important to have a trusted device connected to the account. Nonetheless, this is not the only obstacle. The main challenge lies in the requirement to verify the app’s certificate online from the device. The risks associated with allowing the device to access the internet are evident: it may actively sync and may be subject to remote lock/wipe commands.

    Signing an app using a non-developer account also has a limitation: a maximum of three devices per week. Of course, you can create a new Apple ID, but remember to have a trusted device associated with it.

    A brief note on firewalls

    What should you do if the agent’s certificate needs verification or if the agent attempts to connect to the internet during its initial run? Solutions do exist:

    Both approaches work: a software firewall on the host computer, or a hardware firewall placed between the device and the network. The hardware-based solution is more robust, but requires additional hardware (Raspberry Pi or Orange Pi), adapters and cables. However, it is essential to note that these solutions are not foolproof, as Apple may modify the app verification process at any time.

    Conclusion

    If you possess an Apple Developer account created before June 2021, congratulations! You have an easier path ahead. Otherwise, paid accounts may not be worth the investment (unless you’re using Windows) since you will still need to bring the device online. However, rest assured, we have a solution to address this hurdle.

    By Vladimir Katalov at 2023-07-21 12:34:53 Source ElcomSoft blog:
    iOS Device Acquisition: Installing the Extraction Agent

  • iOS Forensic Toolkit Tips & Tricks

    iOS Forensic Toolkit Tips & Tricks

    For forensic experts dealing with mobile devices, having a reliable and efficient forensic solution is crucial. Elcomsoft iOS Forensic Toolkit is an all-in-one software that aids in extracting data from iOS devices, yet it is still far away from being a one-button solution that many experts keep dreaming of. In this article, we will walk you through the preparation and installation steps, list additional hardware environments, and provide instructions on how to use the toolkit safely and effectively.

    Installation Steps

    The software is available in Windows and macOS editions, and there are two major releases available: v7 and v8. However, please note that v8 is exclusively designed for macOS, with a Linux version coming soon. To obtain the software, visit the official Elcomsoft website and follow the instructions provided when purchasing the license. You will need a registration code (the one starting with “IOFT-“) to download the software; you can always get the latest version here. Here’s what you’ll find on the website:

    Elcomsoft iOS Forensic Toolkit v.7

    • Windows Edition
    • macOS X Edition

    Elcomsoft iOS Forensic Toolkit v.8

    • macOS Big Sur, Monterey and Ventura (Intel and Apple Silicon)
    • macOS High Sierra, Mojave, Catalina (Intel only)

    Version 7 offers a slightly simpler user interface with a text-based menu displaying available commands for data extraction. On the other hand, Version 8 is more advanced and feature-rich. Elcomsoft plans to release v8 for Windows and Linux platforms soon, leading to the retirement of v7.

    To install Version 7, simply run the installer and provide the installation password. If you’re using a Mac, you might encounter a warning message on the first run; in such cases, just confirm the warning.

    To install Version 8, mount the .dmg file (select the appropriate platform) and enter the password. Then, copy the folder named EIFTx.y (where x.y denotes the version number) to a folder on your local computer, such as the desktop folder. The next step involves opening the Terminal and removing the ‘quarantine’ flag from the entire program folder. Use the following command:

    xattr -r -d com.apple.quarantine {path to the EIFT folder}

    For example:

    xattr -r -d com.apple.quarantine /Users/JohnDoe/Desktop/EIFT8.31

    A Word on Compatibility with Older Versions of iOS

    Please note: for technical reasons, we had to remove support for iOS 9 through 11 from recent versions of the extraction agent. From now on, the earliest version of iOS supported by the extraction agent is iOS 12. For this reason, if you need to extract a device running an earlier version of iOS than iOS 12, you’ll have to use iOS Forensic Toolkit 8.23 or 7.81.

    Using Elcomsoft iOS Forensic Toolkit v8

    Once the installation is complete, navigate to the EIFT folder using the Terminal. For example:

    cd /Users/JohnDoe/Desktop/EIFT8.31

    Elcomsoft iOS Forensic Toolkit v8 provides a command-line interface (CLI). To utilize it, follow this format:

    ./EIFT_cmd {command}

    For instance, to gather information about the connected iPhone, use the following command:

    ./EIFT_cmd info

    Running the program without any parameters will display the complete list of commands and their respective options. For detailed instructions, consult the product manual, which provides comprehensive descriptions of each command.

    Important note: Ensure that the USB dongle remains inserted throughout your work with the program. Do not remove it during the data acquisition process.

    Additional Hardware Requirements and Working Environment Considerations

    In addition to the software, you will require some additional hardware components to effectively use Elcomsoft iOS Forensic Toolkit. While having a computer (preferably a Mac) is essential, there are other cables, adapters, and extras that may be needed. We will soon release a comprehensive list of these devices. Even if you don’t need them immediately, it’s advisable to be prepared.

    It is ideal to work in an isolated room, preferably a Faraday tent. Using a Faraday bag alone may not be sufficient, as you will need to connect the device to the computer and utilize its screen during the forensic process.

    Using a USB Hub

    To connect the iPhone to a Mac, even if it has a physical USB Type A port, please connect the device to the available USB Type C/Thunderbolt port through a Type C USB hub (with Type A ports), or a USB Type C to Type A adapter. This is particularly important for the latest version of EIFT. Please do not use USB Type C to Lightning cables; instead, use the Type A to Lightning cable plugged into the Type A port of a USB hub or USB Type C to Type A adapter to ensure proper connection and compatibility.

    Device Preparation

    Before beginning the forensic process, it’s important to ensure that the device you are working with is adequately charged. We recommend a minimum charge of 20%, although having 50% or more is preferred. This recommendation applies unless you are working with an Apple TV or Apple HomePod connected to a power supply.

    It is crucial to have the correct date and time set on the device, as this plays a significant role in the agent acquisition method.

    If you plan to use the extraction method based on a bootloader exploit, make sure you are familiar with the appropriate buttons needed to put the device into Recovery mode and DFU (Device Firmware Update) mode. Typically, these buttons include Power, Home, and Volume Down. For certain acquisitions, the touch screen should also be functional, e.g. to enter a passcode.

    Regardless of the acquisition method you choose, it is vital to keep the device in Airplane mode. In addition to that, we strongly recommend manually checking (and disabling, if necessary) the individual wireless toggles for Wi-Fi and Bluetooth, as these may not be automatically disabled when the device is placed in Airplane mode. This serves two purposes:

    • Preventing the device from syncing: By disabling syncing, you minimize changes that could occur on the device during the forensic process.
    • Preventing remote lock/wipe: If the device has FindMy enabled, keeping it in Airplane mode ensures that it won’t be remotely locked or wiped.

    Please note that for some specific scenarios, such as iPhone 8, iPhone 8 Plus, or iPhone X running iOS 14 or 15 and utilizing the checkm8 exploit, you may need to reset the device settings. Once you do, the wireless isolation mode is automatically disabled after reboot, and it’s important to ensure that the iPhone does not accidentally connect to a cellular network (if a SIM card or e-SIM is inserted) or a known/open Wi-Fi access point.

    Choosing the Right Acquisition Method

    When using Elcomsoft iOS Forensic Toolkit, it’s important to select the appropriate acquisition method for the given device. We provide detailed information on this topic in our resource titled “Approaching iOS Extractions: Choosing the Right Acquisition Method.” It is crucial to gather as much information as possible about the device and plan the acquisition accordingly. In some cases, multiple methods may be applicable, and selecting the correct order is essential. Making the wrong choices at this stage can result in negative consequences, such as unnecessary changes to the device, the loss of irreplaceable data, or missing critical evidence.

    While we won’t describe all the methods and commands in detail within this article, our product manual provides comprehensive coverage. However, we would like to highlight some important issues that may arise during the process. Please pay close attention to the information presented here, as it complements the documentation.

    For example, if the device is vulnerable to a bootloader exploit, it is advisable to use this method first to maintain the forensic integrity of the process.

    Extended Logical Acquisition

    Logical acquisition is the simplest and most universal method that works for all Apple devices. However, it returns a limited set of data. Extended logical acquisition includes:

    • Full device information
    • iTunes-style backup *
    • Media files and metadata
    • Shared app files
    • Crash and diagnostics logs

    * There are important nuances to consider in this method. For instance, backups contain the maximum amount of data if they are password-protected. However, breaking an unknown backup password is virtually impossible: backups made by iOS 10.2 and newer derive the key with ten million PBKDF2 iterations, so even GPU-accelerated attacks run at only a handful of passwords per second. On the other hand, sometimes the backup password can be extracted from the Windows or macOS computer the device was connected to.

    If a backup password is set and you are unable to break or reset it, the other parts of logical acquisition will still work. You can at least obtain media files (including valuable metadata) and logs, which can help build a timeline of device usage. It’s worth noting that logs are often underestimated in their significance. Remember to generate the logs as needed (refer to the manual for instructions). Additionally, we provide resources that offer more information on logs and how to interpret them (see the provided links).

    1. GitHub – cheeky4n6monkey/iOS_sysdiagnose_forensic_scripts
    2. Checkra1n Era – Ep 6 – Quick triaging
    3. Sysdiagnose in iOS 16: a first look from a Digital Forensics perspective
    4. iOS Crash Dump Analysis, Second Edition
    5. Sysdiag -who? | WithSecure™ Labs
    6. More useful information gleaned from sysdiagnose – The Eclectic Light Company

    It’s important to mention that backups can be obtained for iPhone, iPad, and iPod Touch devices. However, for Apple TV, Apple Watch, and Apple HomePod, you can obtain media files, logs, and other similar data. Occasionally, it is possible to access the full file system of these devices as well.

    Full File System & Keychain Acquisition: Using Bootloader Exploit

    Using the bootloader exploit for full file system and keychain acquisition provides forensic experts with a powerful method for extracting data. By carefully following the instructions for entering DFU mode, booting the device, and understanding the limitations and variations across different iOS versions and device models, one can unlock valuable evidence and ensure a robust forensic investigation process.

    DFU Mode

    Entering DFU (Device Firmware Update) mode can be a bit tricky, especially for those who are new to the process. Different models require different key combinations, and timing is crucial. It may take a few attempts before successfully entering DFU mode, as the device might simply reboot otherwise.

    We recommend entering Recovery mode first, followed by DFU mode. The reason behind this is simple: Recovery mode is easier to enter and rarely fails. Once in Recovery mode, the toolkit clears the device’s autoboot flag so that a failed DFU attempt drops the device back into Recovery mode instead of booting iOS, keeping the process forensically sound.

    Note that iPhone 8, iPhone 8 Plus, and iPhone X (and newer models) can be put into DFU mode automatically. You can find instructions on automating DFU mode using a Raspberry Pi Pico here: Automating DFU Mode with Raspberry Pi Pico. On the other hand, if some buttons on the device don’t work, you may need to disassemble the device and use the test points. Refer to the article “How to Put an iOS Device with Broken Buttons in DFU Mode” for detailed instructions.

    For more information on Recovery and DFU modes, you can explore the following articles on our blog:

    Booting the Device

    Our approach to bootloader-based acquisition differs from other vendors. We detect the iOS (or iPadOS, WatchOS, tvOS) version installed on the device and provide automatic links for you to download and use the corresponding version. This ensures maximum compatibility across all devices and iOS versions. We patch the bootloader on-the-fly during the process.

    However, there may be instances where the exact iOS build version cannot be detected. In such cases, we offer several best matches for you to choose from. If the process fails with the selected version, you can try using another one.

    Restoring the Device to its Original State

    Once your work with the device is complete, and it is time to return it to its owner in its original condition, it is important to reset the autoboot mode flag that is set automatically by iOS Forensic Toolkit to prevent accidental reboots into the main OS. This will ensure that the device can boot into iOS. Enter the following command in the Terminal or command line interface:

    ./EIFT_cmd tools autobootTrue

    Note: the device will undergo an automatic reboot to complete the process.

    By following this step, you can ensure that the device is returned to the owner without any modifications made during the checkm8 analysis.

    Legacy Devices

    Older devices without the Secure Enclave and with HFS file systems follow a different acquisition path compared to iPhone 5s and newer models. You can find detailed information in “Perfect HFS Acquisition“. Certain models can be unlocked by breaking the device’s passcode (with some limitations), while for others, it is possible to extract the full file system regardless of the passcode set.

    Limitations

    Devices powered by the Apple A11 SoC (iPhone 8, iPhone 8 Plus, and iPhone X) are technically compatible with the bootloader exploit. However, for iOS 14 and 15, you will need to remove the passcode first. There are a couple of issues with this:

    • It is not always possible to remove the passcode
    • Removing the passcode results in some data loss, breaking the forensically sound process

    For iOS 16, the situation is even more challenging. Extraction never works if the passcode has been set on the device since the device was set up, so even removing it won’t help. Please note that this limitation applies only to A11-based iPhones. When dealing with iPads running iOS 16, you may need to remove the passcode, but it’s worth trying with the passcode first, as it often works.

    Full File System & Keychain Acquisition: Using the Agent

    Agent acquisition is the only available method used to obtain the full file system and keychain from devices based on A12 or newer SoC (System on a Chip). While it offers great potential in theory, practical use can sometimes be challenging.

    To begin, you need to sideload the agent onto the device, which has become a challenge. Apple has implemented measures to prevent app installations from sources other than the App Store. However, it is still possible to sideload apps, especially with an account registered in the Apple Developer Program. Regular accounts can also work, but there may be additional hurdles to overcome.

    The main challenge arises when the app, particularly our extraction agent, requires online verification. This can be problematic due to the need for device isolation and the associated risks of enabling online access to the device. To address this, you may need to set up a software or hardware firewall to control the verification process. It’s worth noting that even with a developer account, there are limitations. For example, only the first 10 devices (out of a total allowance of 100) are added in real-time, while for subsequent devices you may need to wait up to 3 days for the device to be “connected” and allow the agent to run. Additionally, iOS 16 requires enabling a special developer mode on the device (after agent installation).

    In terms of version compatibility, agent-based acquisition is not as versatile as bootloader-based methods. While some zero-day exploits exist, it is unlikely that we will be able to work with the latest iOS versions. At the time of writing, our tool covers iOS 12 to 16.4. Note that support for iOS 9 to 11 was available previously but had to be removed due to technical reasons. However, if you urgently require support for those older versions, you can still use an older version of our product.

    A Note about A11 Bionic

    There is something specific about the A11 SoC that sets it apart from other chips (A12 Bionic and newer). It is comparatively less vulnerable, and fewer exploits are available for it. Consequently, in some cases, we can only obtain a partial file system using the agent, and the keychain may not be accessible.
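    The rules spread across “Choosing the Right Acquisition Method”, “Limitations”, the agent section and the A11 note above are easy to get wrong under time pressure, so here they are encoded as a small triage function. This is an added example, not code from the article or from iOS Forensic Toolkit. It assumes the A-series generation as an integer (A11 Bionic is 11), takes the agent’s “iOS 12 to 16.4” coverage as an inclusive range of the 16.4.x branch (hard-coded, and certain to drift with future toolkit releases), and uses A7 as the first Secure Enclave chip and A11 as the last chip vulnerable to the bootloader exploit; the method names are labels of this example only.

```python
from dataclasses import dataclass, field
from typing import List, Tuple

# Assumed constants, taken from the article at its time of writing.
AGENT_MIN = (12,)              # earliest iOS the current agent supports
AGENT_MAX_EXCL = (16, 5)       # "iOS 12 to 16.4", assumed to include 16.4.x
LAST_CHECKM8_SOC = 11          # A12 Bionic and newer are not bootloader-exploitable
FIRST_SEP_SOC = 7              # A7 (iPhone 5s) introduced the Secure Enclave


def parse_version(text: str) -> Tuple[int, ...]:
    """'16.4.1' -> (16, 4, 1); tuple comparison then orders versions correctly."""
    return tuple(int(part) for part in text.split("."))


@dataclass
class Device:
    soc: int                        # A-series generation, e.g. 11 for A11 Bionic
    ios: str                        # installed iOS version string
    is_ipad: bool = False
    passcode_set: bool = True
    passcode_ever_set: bool = True  # set at any point since initial setup


@dataclass
class Plan:
    methods: List[str] = field(default_factory=list)   # in the order to attempt
    warnings: List[str] = field(default_factory=list)


def triage(d: Device) -> Plan:
    plan = Plan()
    v = parse_version(d.ios)

    # 1. Bootloader exploit first whenever the SoC allows it: it leaves the
    #    installed OS untouched and yields the full file system and keychain.
    if d.soc < FIRST_SEP_SOC:
        plan.methods.append("bootloader exploit, legacy HFS path (no Secure Enclave)")
    elif d.soc < LAST_CHECKM8_SOC:
        plan.methods.append("bootloader exploit")
    elif d.soc == LAST_CHECKM8_SOC:
        # A11 restrictions depend on the iOS branch and on passcode history.
        if v >= (16,):
            if d.is_ipad:
                plan.methods.append("bootloader exploit (iPad: try with the passcode in place first)")
            elif d.passcode_ever_set:
                plan.warnings.append("A11 iPhone on iOS 16 with a passcode ever set: bootloader extraction does not work")
            else:
                plan.methods.append("bootloader exploit")
        elif v >= (14,) and d.passcode_set:
            plan.methods.append("bootloader exploit after removing the passcode")
            plan.warnings.append("passcode removal may fail and causes some data loss (not forensically sound)")
        else:
            plan.methods.append("bootloader exploit")

    # 2. Agent: the only full-file-system route for A12 and newer, within a
    #    limited iOS window; needs sideloading and strict network isolation.
    if AGENT_MIN <= v < AGENT_MAX_EXCL:
        note = "agent-based extraction (sideload with Apple ID, keep device isolated)"
        if d.soc == LAST_CHECKM8_SOC:
            note += "; on A11 expect a partial file system and possibly no keychain"
        plan.methods.append(note)
    elif v < AGENT_MIN:
        plan.warnings.append("iOS below 12: current agent unsupported, use iOS Forensic Toolkit 8.23 or 7.81")
    else:
        plan.warnings.append(f"iOS {d.ios} is newer than the agent's supported range")

    # 3. Extended logical always works and is the fallback for everything else.
    plan.methods.append("extended logical (backup, media, shared files, logs)")
    return plan


if __name__ == "__main__":
    for dev in (Device(soc=12, ios="16.4"),
                Device(soc=11, ios="16.4"),
                Device(soc=11, ios="15.7"),
                Device(soc=6, ios="10.3.3")):
        plan = triage(dev)
        print(f"A{dev.soc} / iOS {dev.ios}: {' -> '.join(plan.methods)}")
        for w in plan.warnings:
            print("  !", w)
```

    The ordering is the point: whenever the bootloader exploit is available it comes first, the agent is appended only inside its supported window, and extended logical acquisition is always the last resort rather than the first reflex.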

    Troubleshooting

    No software is completely free of bugs, and it’s impossible for us to test every model/iOS combination thoroughly, despite our extensive testing with over 70 combinations and ongoing efforts to expand coverage. In version 8 of the toolkit, the logs are stored in the following folder:

    ~/Elcomsoft/EIFT/logs

    If something goes wrong during the process, kernel panic logs can be incredibly helpful. You can find these files, named panic-full-{timestamp}.ips, on the device itself under:

    Settings | Privacy & Security | Analytics & Improvements | Analytics Data

    From there, you can use AirDrop or other methods to transfer the logs from the device to your Mac (or another iPhone, for example).

    However, before delving into advanced troubleshooting steps, sometimes a simple reboot of your Mac and retrying the process can resolve minor issues.

    Using the DCSD Adapter for Advanced Troubleshooting

    In some cases, when utilizing an acquisition method based on the bootloader exploit, the logs mentioned earlier may not be sufficient to detect and resolve issues that may arise. To overcome such challenges, we highly recommend obtaining the DCSD adapter. This adapter is specifically designed for serial debugging purposes, allowing you to capture the traffic between the host and the device. It creates its own log, providing valuable insights when working with specific devices and iOS combinations that may encounter difficulties.

    While we sincerely hope that you will never need to use the DCSD adapter, we strongly advise acquiring one as a precautionary measure. Its availability can prove invaluable in resolving complex issues during the forensic process. For detailed instructions on how to utilize the DCSD adapter effectively, please refer to the product manual, which provides comprehensive guidance.

    By having the DCSD adapter at your disposal, you can enhance your troubleshooting capabilities and ensure a more robust and thorough analysis when using iOS Forensic Toolkit.

    Conclusion

    Elcomsoft iOS Forensic Toolkit offers forensic experts a powerful solution for extracting data from iOS devices. By following the installation instructions, considering additional hardware requirements, preparing the device appropriately, and selecting the right acquisition method, forensic experts can maximize their efficiency and accuracy in obtaining crucial evidence. Whether utilizing the logical acquisition method, the bootloader exploit, or the agent-based approach, each method has its considerations and limitations, which were outlined in this article. By understanding the nuances and troubleshooting techniques provided, forensic experts can navigate the complexities of mobile forensic analysis, ensuring a robust and effective investigative process.

    By Vladimir Katalov at 2023-07-17 15:59:33 Source ElcomSoft blog:
    iOS Forensic Toolkit Tips & Tricks

  • Accelerating Computer Forensics: Elcomsoft System Recovery and the Low-Hanging Fruit Strategy

    Accelerating Computer Forensics: Elcomsoft System Recovery and the Low-Hanging Fruit Strategy

    In the world of digital investigations, the sheer volume of data and the challenge of identifying valuable evidence can be overwhelming. Often, investigators find themselves faced with the need for optimization — the ability to quickly and seamlessly identify what is valuable and requires further examination. We aim to fulfill this need by introducing a new forensic toolkit in Elcomsoft System Recovery, a powerful bootable tool designed to speed up investigations, quickly identify and collect digital evidence right on the spot.

    The challenge of overburdened labs

    Experts are overwhelmed with analyzing vast numbers of computers and volumes of data, which can lead to significant backlogs. Statistics show that numerous computers and disks lie dormant for months, not only leading to wasted time and effort but placing roadblocks in the way of criminal investigations. To address this issue, we have developed a streamlined approach, revolutionizing the way investigations are conducted.

    Our approach

    To help experts streamline investigations, we created Elcomsoft System Recovery, a portable field analysis tool for computer forensics. Built as a forensically sound computer analysis tool, Elcomsoft System Recovery enables experts to make real-time decisions on the spot. Key benefits of Elcomsoft System Recovery include:

    1. Unparalleled compatibility: By utilizing the licensed Windows PE environment, Elcomsoft System Recovery ensures exceptional compatibility across various systems and hardware configurations. This compatibility enables investigators to access digital evidence on nearly every Windows device in existence.
    2. User-friendly experience: The tool runs off a ready-to-use bootable disk, simplifying the analysis and making it almost a one-click solution. Investigators can seamlessly navigate the interface, harnessing its power with ease and efficiency.
    3. Breaking through password barriers: Elcomsoft System Recovery’s core functionality revolves around gaining access to crucial data without knowing the user’s Windows account password. This unique feature empowers investigators, enabling them to uncover vital evidence that may have otherwise remained inaccessible.
    4. Quick access to essential data: In a matter of minutes, Elcomsoft System Recovery efficiently retrieves the most critical and valuable information. From passwords to important documents, the tool uncovers a wide array of artifacts, providing investigators with a solid foundation for decision-making.
    5. Identifying potential leads: Upon discovering potentially significant findings, Elcomsoft System Recovery allows investigators to create forensic disk images for further analysis. These images serve as a starting point for deeper exploration, facilitating a thorough examination of potential leads.
    6. Saving time and resources: By speeding up the identification and extraction of essential evidence, Elcomsoft System Recovery significantly reduces the strain on experts. This optimization frees up valuable time and resources, enabling investigators to focus on high-priority cases and complex analyses.

    The “low-hanging fruit” strategy

    Law enforcement professionals conducting digital investigations often rely on a concept borrowed from orchard work: the “low-hanging fruit” principle. Imagine strolling through an orchard; the fruit within easy reach can be effortlessly picked as you walk by. However, if you want to reach the fruit higher up, you’ll need to drag over a ladder, spending additional time and effort.

    When it comes to digital investigations, the low-hanging fruit principle suggests that investigators should first target the most accessible and crucial pieces of evidence. These can include items like passwords, readily available documents, encryption keys, or logs of user activity. By swiftly and efficiently obtaining this information, investigators can establish a solid starting point for further analysis.

    Applying the low-hanging fruit principle not only saves time but also allows investigators to make significant progress early on, effectively reducing or even eliminating potential backlog. By quickly gathering the most essential evidence, they can assess the situation, identify potential leads, and determine the next steps of the investigation. This strategic approach is particularly valuable when faced with limited resources or time constraints.

    We designed Elcomsoft System Recovery around the “low-hanging fruit” strategy, allowing investigators to quickly gather the most critical and easily accessible evidence along with keys to encrypted disks and vaults. Since Elcomsoft System Recovery operates as a bootable disk, investigators can extract crucial data and make informed decisions on further actions on the spot. Based on the collected data, investigators can determine whether it is necessary to create a disk image and transport it to the laboratory for further in-depth analysis. This streamlined approach saves time and resources, ensuring that investigations can progress swiftly and accurately in both the field and the laboratory.

    It is important to emphasize that Elcomsoft System Recovery goes beyond merely extracting a number of easily accessible forensic artifacts. It aims to provide comprehensive insights into user activity, both online and offline. The tool retrieves passwords, critical documents, and even provides visibility into the applications and files accessed by the user. While the exact list of data collected is extensive and continually expanding, rest assured that Elcomsoft System Recovery strives to quickly retrieve the maximum amount of relevant information on the spot.

    Conclusion

    By focusing on the most accessible and critical evidence, investigators can make swift progress and establish a strong foundation for their investigation. It is essential to balance this approach with the willingness to explore deeper, more complex areas when necessary. This strategic combination ensures a thorough and successful investigation.

    By Oleg Afonin at 2023-07-14 10:59:50 Source ElcomSoft blog:
    Accelerating Computer Forensics: Elcomsoft System Recovery and the Low-Hanging Fruit Strategy

  • iOS Device Acquisition: Installing the Extraction Agent

    Pushing the Boundaries: Low-Level Extraction of iOS 16.4 with Keychain Decryption

    When it comes to iOS data acquisition, Elcomsoft iOS Forensic Toolkit stands head and shoulders above the competition. With its cutting-edge features and unmatched capabilities, the Toolkit has become the go-to software for forensic investigations on iOS devices. The recent update expanded the capabilities of the tool’s low-level extraction agent, adding keychain decryption support on Apple’s newest devices running iOS 16.0 through 16.4.

    Low-Level Extraction: File System Image and Keychain

    iOS Forensic Toolkit is an all-in-one solution for iOS data acquisition. The low-level extraction agent, in particular, sets the tool apart from the competition. While we have already established ourselves as pioneers in checkm8 extractions and extended support to Apple TV, Apple Watch, and HomePod devices in addition to the full range of iPhone and iPad devices, our dedication to innovation continues. We were among the first to implement low-level extraction support for the range of iPad models based on the Apple M1 and M2 chips, ensuring compatibility across a wide range of Apple devices.

    The previously posted update gave our tool the ability to extract the full file system image from supported devices (which include all iPhones from the Xs/Xr up to the iPhone 14/14 Pro range, and iPads up to M1/M2), yet we had not included support for the keychain at the time. While low-level file system extraction is impressive on its own, the ability to decrypt and access the keychain opens up a wealth of opportunities for forensic investigators. We are proud to introduce full keychain decryption support for the same range of devices, at the same time expanding the range of supported OS versions.

    The keychain stores crucial encryption keys required to unlock protected messaging applications like Signal. The keychain safeguards users’ online account passwords, granting investigators access to vital information that can shed light on their digital activities.

    The current support matrix looks as follows:

    iOS 16.4 Support and Beyond

    Our company remains at the forefront of iOS forensic tools, constantly evolving to meet the demands of the ever-changing landscape. While the latest updates to iOS Forensic Toolkit introduced support for iOS 16.4, further enhancing its capabilities, we are committed to staying ahead of the curve, and our development team is diligently working on supporting subsequent iOS versions, including iOS 16.4.1 and 16.5. With each update, we ensure that forensic professionals have the tools they need to extract and analyze data from the latest iOS devices.

    Please note: for technical reasons, we had to remove support for iOS 9 through 11 from recent versions of the extraction agent. From now on, the earliest version of iOS supported by the extraction agent is iOS 12. For this reason, if you need to extract a device running an earlier version of iOS than iOS 12, you’ll have to use iOS Forensic Toolkit 8.23 or 7.81.

    Conclusion

    Elcomsoft iOS Forensic Toolkit continues to be the unrivaled leader in iOS data acquisition. With its powerful extraction agent, support for iPhone models up to and including the latest iPhone 14/14 Pro range and iPad models based on M1 and M2 chips, and the ability to decrypt keychains, EIFT empowers forensic investigators with comprehensive access to valuable information. The recent addition of iOS 16.4 support, alongside the ongoing commitment to support upcoming versions, solidifies EIFT’s position as the most advanced iOS acquisition software on the market. We are working diligently to unlock new possibilities in your forensic investigations.

    By Oleg Afonin at 2023-07-10 10:59:23 Source ElcomSoft blog:
    Pushing the Boundaries: Low-Level Extraction of iOS 16.4 with Keychain Decryption

  • Low-level Extraction for iOS 16 with iPhone 14/14 Pro Support

    Low-level Extraction for iOS 16 with iPhone 14/14 Pro Support

    A while ago, we introduced an innovative mechanism that enabled access to parts of the file system for latest-generation Apple devices. The process we called “partial extraction” relied on a weak exploit that, at the time, did not allow a full sandbox escape. We’ve been working to improve the process, slowly lifting the “partial” tag from iOS 15 devices. Today, we are introducing a new, enhanced low-level extraction mechanism that enables full file system extraction for iOS 16 through 16.3.1 on all devices based on Apple A12 Bionic and newer chips.

    TL;DR

    The previously announced partial file system extraction mechanism that, at the time, allowed low-level access to third-party app data for devices running iOS 16.0 through 16.1.2, has been refined. The enhanced process now delivers full unrestricted file system extraction (currently without a keychain) for a set of devices with iOS/iPadOS 16.0 through 16.3.1. iPhone Xs/Xr and newer devices are supported, including the iPhone 14 and 14 Pro range as well as iPad models based on the latest M1 and M2 chips.

    Still no keychain (but coming soon)

    We pushed this release as forensic experts do have a backlog of Apple devices with iOS 16.3.1 and older. The new extraction process enables low-level access to the file system, which includes access to sandboxed app data, system databases and other information available in the file system. We are working on bringing full keychain decryption support, which is scheduled for one of the upcoming releases. We are also working on iOS 16.4 support.

    The updated compatibility matrix:

    Before: partial file system extraction for iOS 16.0-16.1.2

    iOS Forensic Toolkit comes with a custom low-level extraction agent. Technically, the extraction agent is an app that, when installed on an iOS device, attempts privilege escalation by attempting to exploit one or more vulnerabilities in the operating system. For the most part, the exploits used in the extraction agent are kernel-level exploits allowing full sandbox escape with low-level access to the file system and keychain records.

    For a long time, no usable exploit was available for any version of iOS 16. When one was finally discovered, it turned out to be a weak exploit that was not quite up to the task of enabling full access to the file system, let alone decrypting the keychain. When we initially used that exploit, we were unable to fully escape the sandbox, as some protective mechanisms were still in place. As a result, we were only able to offer access to parts of the file system, mostly the data of third-party apps. Obviously, that approach left many kinds of data out, so we continued our research, which led us to today’s release.

    Now: full file system extraction for iOS 16.0-16.3.1

    We are proud to release an update to iOS Forensic Toolkit with full file system extraction support for iOS/iPadOS 16.0 through 16.3.1. We’ve been able to fully escape the sandbox and gain access to previously inaccessible types of data, which includes the full file system. Currently, we do not support keychain decryption for these versions of iOS, but an update is coming soon.

    The list of supported devices includes:

    • A12: iPhone Xr, iPhone Xs, iPhone Xs Max
    • A13: iPhone 11, iPhone 11 Pro, iPhone 11 Pro Max, iPhone SE (2nd gen)
    • A14: iPhone 12, iPhone 12 Mini, iPhone 12 Pro, iPhone 12 Pro Max
    • A15: iPhone 13, iPhone 13 Mini, iPhone 13 Pro, iPhone 13 Pro Max, iPhone SE (3rd gen), iPhone 14, iPhone 14 Plus
    • A16: iPhone 14 Pro, iPhone 14 Pro Max
    • All corresponding iPad models including iPad Air 5 and iPad Pro 5 (Apple M1), iPad Pro 6 (Apple M2)

    Coming soon: keychain decryption and iOS 16.4 support

    Certain data remains inaccessible without the complete chain of exploits. Secure messaging platforms, in particular, often necessitate specific keychain information for successful extraction. We are working hard to improve the extraction agent with additional features and expanded supported OS range. The next planned update will include iOS 16.4 support and keychain decryption for the entire iOS 16.0 – 16.4 range. Stay tuned!

    Escalating complexity in iOS forensics

    In an era defined by rapid technological advancements, the battle between digital security and forensic experts who seek legal access to incriminating evidence grows increasingly complex. The interplay between exploit chains, extended development timelines, and lagging support for iOS updates from vendors of forensic software poses significant challenges for both security experts and forensic specialists.

    Data extraction stands as a primary stage of any forensic investigation. The success of subsequent analysis and evidence collection hinges on the effectiveness of this initial step. Therefore, it is crucial to employ reliable and comprehensive data extraction techniques.

    With the advent of newer devices, starting from the iPhone 12, traditional methods for passcode recovery have become increasingly ineffective, even in high-end forensic tools. As a result, investigators must explore alternative, non-technical methods to obtain passcode information to enable access to the data. Device security measures have become increasingly complex, incorporating multiple layers of defense. Exploit chains required for bypassing these protections have grown longer, making the task of gaining access to secure devices more challenging than ever before.

    There is often a significant time gap between the release of iOS versions and the availability of corresponding data extraction support from forensic tools. This delay can extend several months, impacting investigations. For example, iOS 16.3.1 supported in this release of iOS Forensic Toolkit was released on February 13th, while version 16.4 was released on March 27th. In addition to the delays in version releases, subsequent updates and patches quickly follow major iOS versions. For instance, while we are currently finalizing support for iOS 16.4, the already patched versions of iOS 16.4.1, 16.4.1a, 16.5, 16.5.1, and even a beta version 16.6 are already out. This rapid succession of updates poses ongoing challenges for forensic experts.

    So what about those currently unsupported versions of iOS? For those newer iOS builds, the only viable option remains advanced logical extraction. This method allows the extraction of media files, including metadata, shared app data, and valuable diagnostic logs. However, it is important to note that this approach, while valuable, does not return many crucial bits and pieces such as email messages or conversation histories in most popular instant messaging apps.

    Using the extraction agents is inherently safe for the device itself; however, it is not as clean and forensically sound as checkm8, and may compromise forensic soundness due to the alterations (however minor) introduced during extraction. However, despite not being classified as a “physical” extraction, the low-level extraction technique employed by the extraction agent yields as much data as that obtained through physical extraction methods like checkm8. We recommend exercising due caution when using this extraction method though, as installing and launching the extraction agent may require online connectivity in certain cases, which presents potential risks. We have a solution for this, which requires a Raspberry Pi device with custom firmware.

    By Oleg Afonin at 2023-06-30 09:59:55 Source ElcomSoft blog:
    Low-level Extraction for iOS 16 with iPhone 14/14 Pro Support

  • Open-Sourcing Raspberry Pi Software for Firewall Functionality: Secure Sideloading of Extraction Agent

    Open-Sourcing Raspberry Pi Software for Firewall Functionality: Secure Sideloading of Extraction Agent

    We are excited to announce the release of an open-source software for Raspberry Pi 4 designed to provide firewall functionality for sideloading, signing, and verifying the extraction agent that delivers robust file system imaging and keychain decryption on a wide range of Apple devices. This development aims to address the growing security challenge faced by forensic experts when sideloading the extraction agent using regular and developer Apple accounts.

    Important: older developer accounts created before June 6, 2021, are exempt from the verification process. If you are using one of these accounts, you will not need a firewall to run the extraction agent.

    TL;DR

    To perform a low-level extraction of iOS and iPadOS devices, the extraction agent, an essential app, needs to be sideloaded onto the device under investigation. Each sideloaded app, including the extraction agent, must be signed with a unique digital signature specific to the device. When launching a newly sideloaded app on an iPhone or iPad, users are prompted to verify the digital signature, requiring the device to establish contact with an Apple server. However, it is crucial to be aware that connecting the device to the internet poses the risk of remote blocking or erasing its content, especially if it is part of an evidence base.

    Previously, we recommended a solution that involved enrolling the Apple ID used for signing the sideloaded app into the Apple Developer program, which in turn allowed for the validation of the digital signature without the need for the device to contact an online server. Unfortunately, due to recent updates on Apple’s side, even digital signatures associated with new developer accounts must now undergo verification with an Apple server. Consequently, this reintroduces the potential risks that were previously exclusive to non-developer accounts. Considering these changes, we have developed a solution based on a Raspberry Pi 4 with open-source software that minimizes risks by limiting the device’s connection solely to the server required for certificate verification.

    The importance of extraction agent and the decline of checkm8

    The extraction agent is a small app for iOS that we developed in-house to enable low-level file system extraction and keychain decryption on Apple devices being investigated. Once installed onto a device, the extraction agent attempts to escalate its privilege level to break out of sandbox and gain full access to the file system and relevant encryption keys to access and decrypt keychain records.

    The significance of the extraction agent cannot be overstated, especially as the relevancy of checkm8 diminishes over time. With fewer checkm8-compatible devices and an increasing need to reset passcodes to access information, essential evidence is at risk of being lost. The compatibility gap between checkm8 and iOS 16 has reached critical levels, and iOS 17 can be installed on even fewer devices that are vulnerable to checkm8. While checkm8 remains a remarkable extraction method, it is clear that a new approach is necessary.

    Agent-based low-level extraction through extraction agent is gaining traction as a viable alternative. Hardware-wise, the extraction agent supports all iPhone and iPad models, including the latest iterations. However, it is important to note that the support for various iOS versions is never complete and requires significant catching up when it comes to supporting the newest builds.

    Installing the extraction agent is a challenge

    One of the most daunting challenges for forensic experts lies not in the usage but in the installation process of the extraction agent. Since the extraction agent will never be accepted into the App Store, experts must resort to sideloading to install the agent onto a device. The sideloading requires the use of a set of Apple ID credentials to sign the .ipa file being installed. Ideally, an Apple Developer Account, preferably an older one, is required for that purpose. However, even using a developer account is not without its complications.

    First, this Device registration update states that, as per Apple’s guidelines, only the first ten devices are added immediately into the Developer program, while subsequent additions face delays of up to three days. This means that the extraction agent cannot be signed and deployed instantaneously. Moreover, online verification of provisioning profiles has also changed for developer accounts created after June 6, 2021 as detailed in the Provisioning profile update.

    Contrary to previous practices, the verification now requires connecting to an online server to verify the digital signature:

    New Apple Developer Program memberships created after June 6, 2021, require development- and ad-hoc-signed apps for iOS, iPadOS, and tvOS to check in with the PPQ service when the app is first launched. Your device must be connected to the internet to verify the certificate used to sign your app. If you’re behind a firewall, make sure that it’s configured to allow connections to https://ppq.apple.com. If the device can’t successfully make a connection, the app may not launch. If your app is running in a highly restrictive network environment or you need to temporarily build offline, alternative workflows are available.

    Contrary to what is stated in the update, the verification takes place on humb.apple.com (and not on ppq.apple.com, which is used for a similar purpose for non-developer accounts), which has a dynamic IP that changes every five minutes. It is crucial to note that this verification occurs at the first launch of the agent or any other signed and uploaded application.

    After these updates, the overall utility of developer accounts for the purpose of sideloading the extraction agent has significantly diminished, with standard accounts once again becoming increasingly attractive. While standard accounts limit the number of devices to three per week, creating a new Apple ID can circumvent this limitation if necessary. On the other hand, developer accounts face delays beyond the initial ten devices and are now subject to online verification during agent launch. Consequently, finding a solution for firewall functionality becomes essential for both types of accounts.

    Advantages of developer accounts

    Despite the challenges faced by developer accounts, they still offer certain advantages over regular, non-developer Apple IDs. First and most importantly, Windows users can only utilize developer accounts to sideload the extraction agent. The sideloading process we developed for installing the extraction agent with regular, non-developer Apple IDs requires a Mac. Finally, older developer accounts created before June 6, 2021, are exempt from the verification process. For these accounts, you will not need a firewall solution.

    Possible alternatives

    If you don’t have a Raspberry Pi, you may be able to set up a firewall in an alternative way. We have already published a method that effectively turns your Mac into a firewall. While this method does not require additional hardware, it is more complex and less reliable compared to the Raspberry Pi based solution.

    Another method involves setting up a firewall on your router, on which you can try to configure a whitelist. This, however, may not be simple. Even if you know all the addresses that ppq.apple.com resolves to (there are only a few of them), humb.apple.com can resolve to a much wider range of addresses. Only a very small number of routers with standard firmware allow whitelist functionality, especially based on the domain name rather than IP. You may also try third-party firmware such as OpenWRT, which is outside the scope of this article.

    Finally, yet another alternative may appear for users in some jurisdictions in iOS 17. According to 9to5mac, a report last year revealed that Apple was working on allowing sideloading with iOS 17, but so far it didn’t happen in the first beta. We are waiting eagerly for the outcome of the new EU regulation.

    Using the Raspberry Pi 4 as a firewall

    Our Mac-based solution has been available for quite some time, but its usage can be complex and prone to errors (let alone the fact that it is not available to Windows users). It is important to be aware of the risks associated with devices being investigated connecting to the internet, with remote locking or remote wipe on the extreme end of the spectrum, and unwanted data synchronization on the other, which can lead to significant changes and jeopardize admissibility of evidence obtained from such devices.

    To solve these issues, we are introducing a new open-source software that transforms the Raspberry Pi 4 into a firewall. With one end of the Pi box connected to the router and the other to the phone, this solution provides enhanced security during the signing and verification process. The software can be found in the public repository on GitHub. It is worth noting that Elcomsoft has an extensive presence on GitHub, with currently 19 projects and more to come. Instructions for using the software will be provided separately in a subsequent article, and rest assured, it is remarkably simple to set up (with a few nuances to consider).

    Finally, our solution should work for any other sideloaded applications signed with either regular or developer accounts, which includes alternative agents.

    To reduce the risk of the iPhone under investigation being remotely tampered with, we need to restrict its online connectivity. Ideally, the iPhone should only be able to connect to a single certificate validation server, with all other communications being terminated. For this we developed open-source software for the Raspberry Pi 4. This article contains step-by-step instructions for setting up a Raspberry Pi 4 as a firewall for sideloading the extraction agent.

    Pre-requisites

    You will need the following hardware:

    1. Raspberry Pi 4 or newer (e.g. Raspberry Pi 4 Model B)
    2. microSD card
    3. Lightning to Ethernet adapter
    4. USB to Ethernet adapter

    Instructions for setting up a Raspberry Pi as a functional firewall

    First, download the firmware image from GitHub – Elcomsoft/eiftpi and flash it to an SD card using software like balenaEtcher. You can download balenaEtcher from the following link: https://etcher.balena.io/. Then follow these steps:

    • Insert the SD card into your computer
    • Launch balenaEtcher and select the downloaded/compiled firmware image (eiftpi.img)
    • Choose the SD card as the target drive
    • Click on the “Flash!” button to write the firmware image to the SD card
    • Once the process is complete, remove the SD card from your computer

    You will need two network interfaces on the Raspberry Pi. One interface will be connected to the internet, and the other will be used to connect the iPhone. To connect the iPhone, you will need a Lightning to Ethernet adapter.

    • We recommend using a USB-A to Ethernet adapter to connect the Raspberry Pi to the internet.
    • Alternatively, you can connect the Raspberry Pi to the internet via Wi-Fi.

    Important: the iPhone must be connected to the built-in Ethernet port.

    Note: We purposely use a wired connection and do not recommend enabling Wi-Fi on the iPhone, as the device may accidentally connect to a different known network, which would expose it to a remote wipe.

    For a simple and more reliable setup, use two wired connections. This is why you need the USB to Ethernet adapter.

    If you prefer to connect the Raspberry Pi to Wi-Fi, follow these steps:

    • Connect the Raspberry Pi to your Mac using Ethernet. (Note: If your MacBook does not have an Ethernet port, you will need a USB-C to Ethernet or USB-A to Ethernet adapter.)
    • Open a terminal on your Mac and enter the following command:
      • The password is “Elcomsoft” (without quotes).
      • Once you are logged in, run the following command to configure Wi-Fi:
      • The nmtui interface will allow you to easily connect to the Wi-Fi network.

    That’s it! You have now set up the Raspberry Pi with the firmware. Connect the Pi to the network (either via Ethernet or Wi-Fi) and connect your iPhone to the Pi using a cable. Note: we recommend first using a test iPhone to confirm that internet access is restricted: only ppq.apple.com, humb.apple.com and elcomsoft.com should be reachable, and every other connection attempt should fail.
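    The eiftpi image does the filtering for you, and the article does not describe how. To make the security property concrete, here is an added example (written for this page, not the eiftpi firmware's code) of what such an allow-list looks like as an nftables ruleset on a two-interface Pi: forwarding defaults to drop, the phone may only send DNS to one resolver and HTTPS to the addresses the three hostnames resolve to, and everything else is counted, logged and dropped. The interface names eth0/eth1, the resolver address 192.0.2.53 and the table name eiftpi_demo are assumptions; the three hostnames are the ones the article lists.

```python
"""Allow-list firewall for a Raspberry Pi placed between an iPhone and the internet.

Added example, written independently of the Elcomsoft/eiftpi firmware (the
article does not describe how that image implements its filtering). It renders
an nftables ruleset that forwards only what the signing check needs: DNS to one
resolver and HTTPS to the three hosts named in the article. The interface
names, the resolver address and the table name are assumptions.
"""
import socket
import subprocess
import sys

LAN_IF = "eth0"            # built-in Ethernet port, iPhone side (assumed name)
WAN_IF = "eth1"            # USB Ethernet adapter, or wlan0 for Wi-Fi (assumed name)
RESOLVER = "192.0.2.53"    # the only DNS server the phone may query (assumed; RFC 5737 range)
ALLOWED_HOSTS = ("ppq.apple.com", "humb.apple.com", "elcomsoft.com")  # from the article


def resolve_hosts(hosts) -> list:
    """Resolve host names to a sorted, de-duplicated list of IPv4 addresses.

    Needs network access; run it on the Pi right before loading the rules, and
    re-run it periodically: these names sit behind CDNs whose addresses change.
    """
    addrs = set()
    for host in hosts:
        for info in socket.getaddrinfo(host, 443, socket.AF_INET, socket.SOCK_STREAM):
            addrs.add(info[4][0])
    return sorted(addrs)


def render_ruleset(allowed_v4, lan_if=LAN_IF, wan_if=WAN_IF, resolver=RESOLVER) -> str:
    """Return an nftables ruleset with default-drop forwarding and an explicit allow-list.

    Anything the phone sends that is not DNS to the resolver or HTTPS to an
    allow-listed address is counted, logged and dropped, so blocked attempts from
    a test phone show up in `nft list chain inet eiftpi_demo forward` and in the
    kernel log with the prefix below.
    """
    if not allowed_v4:
        raise ValueError("refusing to render an empty allow-list: the signing check would fail")
    elements = ", ".join(allowed_v4)
    return f"""flush ruleset
table inet eiftpi_demo {{
    set allowed_v4 {{
        type ipv4_addr
        elements = {{ {elements} }}
    }}
    chain forward {{
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        iifname "{lan_if}" oifname "{wan_if}" ip daddr {resolver} udp dport 53 accept
        iifname "{lan_if}" oifname "{wan_if}" ip daddr @allowed_v4 tcp dport 443 accept
        iifname "{lan_if}" counter log prefix "eiftpi-drop: " drop
    }}
    chain postrouting {{
        type nat hook postrouting priority 100;
        oifname "{wan_if}" masquerade
    }}
}}
"""


def apply_ruleset(ruleset: str) -> None:
    """Enable IPv4 forwarding and load the ruleset with nft (run as root on the Pi)."""
    subprocess.run(["sysctl", "-q", "-w", "net.ipv4.ip_forward=1"], check=True)
    subprocess.run(["nft", "-f", "-"], input=ruleset.encode(), check=True)


if __name__ == "__main__":
    rules = render_ruleset(resolve_hosts(ALLOWED_HOSTS))
    if sys.argv[1:] == ["apply"]:
        apply_ruleset(rules)
    else:
        print(rules)  # dry run: review the rendered rules before loading them
```

    Run it without arguments to print the rendered rules, and with `apply` as root to load them. Three points matter when checking this with a test phone. First, the real control is the address set, not the DNS rule: even a poisoned DNS answer only gets the phone to an address in allowed_v4 on port 443, so the resolver allowance is safe to grant, but the set goes stale as the CDN rotates addresses and must be re-resolved (a timer that re-runs the script is the simple fix). Second, only IPv4 rules accept, so all forwarded IPv6 is dropped by the policy; that is intentional here but means a v6-only uplink will not work. Third, `flush ruleset` replaces whatever is loaded, and the Pi still has to hand out an address on the LAN side (e.g. with dnsmasq); the input chain is left at the default accept in this example. The counter on the final drop rule should climb while the test phone tries to reach anything else, and stay flat during the signing check itself.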

    Conclusion

    By open-sourcing our firewall software for the Raspberry Pi 4, we aim to secure the sideloading of the extraction agent in the iOS ecosystem. The limitations of checkm8 and the complex nature of developer accounts have necessitated new approaches to ensure data security. By embracing open-source solutions and providing alternatives, we strive to empower forensic experts and enhance the effectiveness of the extraction agent in safeguarding valuable information.

    By Elcomsoft R&D at 2023-06-19 12:03:05 Source ElcomSoft blog:
    Open-Sourcing Raspberry Pi Software for Firewall Functionality: Secure Sideloading of Extraction Agent

  • Safeguarding Digital Evidence: Don’t Shut It Down!

    Safeguarding Digital Evidence: Don’t Shut It Down!

    The challenge of encrypted disks and virtual machines

    One of the primary challenges in digital forensics lies in decrypting data stored on encrypted disks or containers. Encrypted disks, such as Windows BitLocker and Apple FileVault 2, are designed to be resistant to “cold” attacks. Analyzing a live session before shutting down a computer can aid in extracting encryption keys, rendering lengthy brute-force attacks unnecessary. Extracting BitLocker keys can be accomplished with Windows command-line tools (for example, manage-bde -protectors -get C: lists the volume’s key protectors, including the numerical recovery password; this requires administrative rights on the system), while third-party disk encryption tools may be dealt with by capturing a full memory dump to locate on-the-fly encryption keys (OTFE keys) with Elcomsoft Forensic Disk Decryptor or similar tools. Shutting down the computer unmounts encrypted disks and containers and clears OTFE keys from the computer’s memory.
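    The memory-dump approach works because a mounted volume's expanded AES key schedule sits in RAM and is internally consistent. As an added example (not the code of Elcomsoft Forensic Disk Decryptor or any other vendor's product), the following Python implements the classic key-schedule scan popularized by aeskeyfind: every 16-byte window is expanded as an AES-128 key and accepted only if the expansion matches the 160 bytes that follow it. The "memory image" it scans is a constructed, seeded pseudo-random buffer with the FIPS-197 test key's schedule planted at an unaligned offset, not a dump from any real system.

```python
"""Locate live AES-128 key schedules in a memory image.

Added example, not Elcomsoft's or any vendor's code: the key-schedule scan used
by tools such as aeskeyfind. While a volume is mounted, disk-encryption software
keeps the expanded AES key schedule in RAM. The 176-byte AES-128 schedule is
internally consistent, so 16 bytes whose expansion equals the 160 bytes that
follow them are almost certainly a real key. Powering the machine off destroys
exactly this structure, which is why the article says not to shut it down.
"""
import random


def _build_sbox() -> list:
    """Generate the AES S-box (GF(2^8) inverse followed by the affine map) instead of
    embedding the 256-entry table; p and q walk the field as multiplicative inverses."""
    sbox = [0] * 256
    p = q = 1
    while True:
        p = p ^ ((p << 1) & 0xFF) ^ (0x1B if p & 0x80 else 0)   # p *= 3
        q ^= q << 1                                              # q /= 3 (i.e. q *= 0xF6)
        q ^= q << 2
        q ^= q << 4
        q &= 0xFF
        if q & 0x80:
            q ^= 0x09
        x = q ^ (q << 1) ^ (q << 2) ^ (q << 3) ^ (q << 4)        # affine transform:
        sbox[p] = (x ^ (x >> 8) ^ 0x63) & 0xFF                   # q ^ rotl(q,1..4) ^ 0x63
        if p == 1:
            break
    sbox[0] = 0x63   # zero has no inverse; handled separately
    return sbox


SBOX = _build_sbox()


def expand_key_128(key: bytes, rounds: int = 10) -> bytes:
    """Return the first (rounds + 1) * 16 bytes of the AES-128 key schedule (FIPS-197 5.2)."""
    if len(key) != 16:
        raise ValueError("AES-128 key must be 16 bytes")
    words = [list(key[i:i + 4]) for i in range(0, 16, 4)]
    rcon = 0x01
    for i in range(4, 4 * (rounds + 1)):
        temp = list(words[i - 1])
        if i % 4 == 0:
            temp = temp[1:] + temp[:1]              # RotWord
            temp = [SBOX[b] for b in temp]          # SubWord
            temp[0] ^= rcon                         # Rcon[i/4]
            rcon = ((rcon << 1) ^ 0x1B) & 0xFF if rcon & 0x80 else rcon << 1
        words.append([a ^ b for a, b in zip(words[i - 4], temp)])
    return bytes(b for w in words for b in w)


def find_aes128_keys(image: bytes, step: int = 1) -> list:
    """Scan `image` and return (offset, key_hex) for every embedded AES-128 schedule.

    step=1 catches schedules at any alignment; real implementations usually keep
    them 4- or 16-byte aligned, so step=16 is a quick first pass on large dumps
    at the cost of missing unaligned copies.
    """
    schedule_len = 176
    hits = []
    for off in range(0, len(image) - schedule_len + 1, step):
        candidate = image[off:off + 16]
        if candidate == bytes(16):
            continue   # zero-filled memory is common; skip without expanding
        # Cheap pre-filter: only round key 1 is computed and compared.
        if expand_key_128(candidate, rounds=1)[16:32] != image[off + 16:off + 32]:
            continue
        if expand_key_128(candidate) == image[off:off + schedule_len]:
            hits.append((off, candidate.hex()))
    return hits


# Constructed sample "memory image": seeded pseudo-random filler with the
# FIPS-197 Appendix A.1 test key's schedule planted at a known offset. This is a
# synthetic buffer for the demonstration, not a dump from any real system.
FIPS_KEY = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")
PLANT_OFFSET = 4096 + 8    # deliberately not 16-byte aligned


def build_sample_image() -> bytes:
    rnd = random.Random(2023)
    buf = bytearray(rnd.getrandbits(8) for _ in range(16384))
    buf[PLANT_OFFSET:PLANT_OFFSET + 176] = expand_key_128(FIPS_KEY)
    return bytes(buf)


if __name__ == "__main__":
    for off, key_hex in find_aes128_keys(build_sample_image()):
        print(f"AES-128 key schedule at offset 0x{off:x}: key {key_hex}")
```

    The full-alignment scan recovers the planted key; a step of 16 misses it, which is the trade-off to keep in mind before speeding up a scan of a multi-gigabyte dump (use mmap rather than reading the whole file into memory). Two caveats for real dumps: AES-256 uses a 240-byte schedule with a different expansion and needs its own pass, and some implementations keep the decryption round keys with InvMixColumns already applied, which must be undone before comparison. None of this helps once the machine has been powered off, because the schedule lives only in RAM.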

    Virtual machines in general offer multiple benefits, and the main one is the complete isolation from the normal working environment. Virtual machines are also a tool commonly used in the criminal world. Many types of virtual machines can be securely encrypted. Using an encrypted VM gives criminals an opportunity to cover their activities under a virtual umbrella, reducing the risks of an accidental leak of incriminating evidence. Shutting down a computer prematurely can deny access to critical information stored within encrypted virtual machines.

    Preserving volatile virtual machines and private chats sessions

    Volatile virtual machines pose a unique challenge for investigators. Unlike their persistent counterparts, volatile VMs do not commit changes to the container, leaving the VM image file unaltered and potentially void of incriminating evidence. By shutting down a computer hosting a volatile VM, investigators risk losing vital changes and activity history within the VM.

    In a fashion similar to encrypted VMs, certain instant messaging applications employ volatile private chat sessions, where all data resides solely in the computer’s RAM instead of being stored in a database on the disk. Powering off the computer erases all traces of these confidential communications.

    The issue of plausible deniability in hidden containers

    Hidden containers, an integral part of modern disk encryption techniques, are designed to provide users with the shield of plausible deniability. Without knowledge of the correct password and encryption settings, access to hidden containers becomes impossible, making their content and even existence unprovable.

    Figure 1: VeraCrypt standard encrypted container. A password unlocks and mounts the encrypted volume. Unless the container is stored on an SSD drive with trim passthrough, distinguishing between encrypted data and random data is impossible.

    Figure 2: VeraCrypt hidden container. One password unlocks and mounts the standard encrypted volume, while a different password must be used to unlock and mount the hidden volume.

    The essence of hidden crypto containers lies in their ability to camouflage sensitive data within the main encrypted storage container. The main and hidden containers use different passwords, and may even use different encryption settings. The perpetrator may give out a password to the main container, leaving forensic experts in a situation where incriminating evidence becomes not only inaccessible but even its existence transforms into an unprovable uncertainty.

    Conclusion

    Securing access to crucial digital evidence poses a challenge. In the world of digital forensics, the right handling of digital evidence can make all the difference. By adhering to proper preservation steps, investigators can avoid the loss of vital evidence stored in encrypted disks, virtual machines, private chats, hidden containers, and more.

    By Oleg Afonin at 2023-06-16 11:00:59 Source ElcomSoft blog:
    Safeguarding Digital Evidence: Don't Shut It Down!

  • What Forensic Vendors Don’t Like To Tell Their Customers. Part 2

    What Forensic Vendors Don’t Like To Tell Their Customers. Part 2

    Year after year, the field of digital forensics and incident response (DFIR) presents us with new challenges. Various vendors from around the world are tirelessly striving to simplify and enhance the work of experts in this field, but there are some things you probably do not know about (or simply never paid attention to), which we discussed in the first part of this series. Today we’ll discuss some real cases to shed light on some vendors’ shady practices.

    The yellow leader T-Shirt

    One striking observation is the prevalence of self-proclaimed leaders among these vendors. It’s fascinating to see the consistent use of grandiose titles in their press releases. Almost every company claims to be the “global leader” or “industry’s leading provider” in digital forensics and intelligence solutions. I absolutely love this; here are some real quotes from press-releases of different vendors:

    • Company A, the global leader in Digital Intelligence Solutions…
    • Company B, a global leader in forensic technology for mobile device investigations…
    • Company C is a global leader in digital forensics technology…
    • Company D, a global leader in digital forensics for law enforcement…
    • Company E, the industry’s leading provider of digital forensic investigation technology…
    • Company F is a world leader in forensic technology…
    • Company G is a global leader in digital forensics software.
    • Company H is a leading provider of mobile device digital forensics.

    There is one vendor that stands out from the crowd, and they have earned immense respect from us precisely because they refrain from such self-promotion. They must be the real leader after all:

    “Founded in 2010, Magnet Forensics is a developer of digital investigation software that acquires, analyzes, reports on, and manages evidence from digital sources, including computers, mobile devices, IoT devices and cloud services.”

    Secrets are lies by another name

    Another intriguing aspect pertains to the secrecy surrounding certain products. Some vendors require customers to sign nondisclosure agreements (NDAs), preventing discussions about sensitive topics such as the capabilities of their products.

    No discussion of sensitive topics commonly protected by NDA such as PRODUCT’s capabilities.

    Can you imagine that the features and capabilities of a tool are protected by an NDA? The reasons behind such restrictions may vary. One motive could be the desire to conceal vulnerabilities. In the past, a software vendor revealed that wide disclosure had led to severe repercussions, prompting Apple to restrict certain forensic capabilities. Another reason could be the fear of competitors gaining access to valuable information, potentially resulting in stolen ideas or advantages. Here is what one software vendor told us in a comment to our blog article:

    There have been cases where that wide disclosure policy has caused severe implications and responses from Apple’s side – directly causing the unfortunate shut down of capabilities the forensics community had before the disclosure.

    However, the true motivations for these NDAs are likely different. Vendors are primarily focused on selling licenses, preferably through long-term contracts, with the expectation that customers will eventually become accustomed to the limitations imposed. In our view, the entire “they’ll get used to it because the choice of available tools in the field is limited” approach is borderline bait-and-switch tactics.

    Anyway, whatever the reasons are, the complete product specifications, including a comprehensive list of supported devices, detailed extraction and recovery methods, and any limitations, are often withheld. All you get is some marketing descriptions such as “Advanced strategy 1” or “Supersonic brute-force” without a mention of any specific requirements or limitations. In some cases, even after acquiring a license, customers may still find themselves lacking vital information, unless they attend expensive courses that may cost more than the license itself.

    Need for speed

    When it comes to passcode cracking, the lack of transparency becomes even more apparent. Most vendors avoid publicly disclosing the speed at which their tools can crack passcodes. Instead, they use terms like “brute force,” “supersonic brute force,” “SE-bound fast brute force,” and “Brute Force Turbo Boost v2.” The only numbers provided are often framed in comparisons, such as “6-digit passcodes in under 24 hours (other vendors ~25 years)” or “Can Brute Force 6-digits in 6 months”.

    It is evident that obtaining accurate and comprehensive information about passcode cracking speeds is quite challenging. In case you are curious, “supersonic” brute force is slightly above 5,000 APD (attempts per day); at that rate, exhausting the one million possible six-digit passcodes takes about 200 days. I am not saying this speed is bad (especially as most other vendors cannot do that at all), but I definitely would not call it “supersonic”.

    Juggling with Numbers

    The bigger, the better! In product descriptions, you have probably come across texts like this:

    Version X.Y supports over N device models, more than M application versions, and P cloud services.

    The numbers are staggering, reaching tens of thousands. However, upon closer inspection, one thing becomes clearly apparent: the so-called “different” device models are in fact groups of nearly identical devices. The inflated numbers count every variation, such as memory capacity or color, as a separate model (each variation does receive its own model identifier).

    The same trick applies to the count of supported apps, where every version ever released counts, even if the data format remained unchanged. The same goes for cloud services: for example, some vendors count a dozen “different” services within a single Apple iCloud account, treating each data category such as contacts or calendars as a separate service.

    When it comes to artifacts, things get even more amusing. For instance, while reviewing the backup contents of my iPhone in one of the products, I came across some 7,000 Apple Wallet artifacts:

    When I examined them closer, the counter displayed a significantly lower number, but even there, the data was heavily inflated (the actual number of records was less than 300):

    The same approach is often applied to data from other applications – practically any data and files, no matter how meaningless or useless, are considered “artifacts.”

    Such exaggerations significantly hinder the customers’ ability to correctly assess whether all the data has been extracted and analyzed. It becomes even more challenging to verify the results by comparing what different programs yield. One product shows 7,120 “artifacts” in a certain category, while another might display two thousand, and yet another product displays only 288 (based on the actual number of records). Evaluating which product has performed more accurately is nearly impossible, thanks to these “inflations.”

    The first and only

    We all love Apple’s presentations with all these “amazing”, “exciting”, “incredible” and so on. But there is only one Apple.

    In the highly competitive world of digital forensics, vendors constantly strive to be at the forefront, claiming to be innovative and the first to introduce groundbreaking features. However, the reality doesn’t always align with these vendors’ claims. It is not uncommon to witness conflicts on social media platforms like Twitter and LinkedIn, where one company touts a supposedly revolutionary new feature, only to be countered by another company claiming they had already implemented it years ago. The race to be first can lead to dubious claims and attempts to redefine innovation to fit marketing narratives.

    Once upon a time I experienced a similar thing. One company publicly claimed that they were those who invented “cloud forensics”. I was really surprised as we were the first (indeed) who released iCloud acquisition software over 10 years ago; so I wrote personally to their marketing director, and reminded her about that. “Yes, I know that”, she replied, “but we support more cloud sources, so our software deserves the ‘first’ anyway”. Oh, never mind.

    Another company decided to advertise that they were the second who implemented a certain feature. So what? Does that mean that a potential customer should first try the solution of the company who claims to be the first, and if they don’t like it for some reason, pick the next one who was the second? Seriously?

    Innovations and limitations

    Occasionally, vendors overstate the capabilities of their products in press releases, leaving out critical limitations. I recall one mobile forensic company’s press release from 2017, boldly stating that they had “overcome data encryption on Android devices” and had “gained direct access to complete user data even if it was previously deleted” that made their tool “the most complete and up-to-date password recovery and decryption solutions for Android devices”. However, upon closer examination, it became apparent that these claims were applicable only to select smartphone models from a single manufacturer and were subject to several limitations. While still an impressive feature, it fell short of the lofty promises made in the press release.

    In general, marketing materials naturally tend to downplay or omit limitations altogether. Sometimes, a product manual may contain fine print detailing certain conditions, but uncovering the complete list of supported models, operating system and application versions, and other critical details can be a daunting task.

    Back to the “innovations”, my favorite is the dark theme support. That’s obvious that no forensic expert can live without it, right?

    Genuine innovations in the DFIR field are few and far between. Examples include MSAB’s app downgrade extraction method and the checkm8 exploit, which, although not attributed to any specific forensic vendor, has had a significant impact. Some vendors may offer exciting features in their premium versions, but they rarely disclose the specifics.

    License to kill

    Licensing terms for forensic software are often unclear, leaving users in a state of uncertainty. When a license expires, the software may either cease functioning entirely or severely limit its capabilities, forcing users into read-only mode or preventing them from saving reports. Remembering to renew licenses on time can be challenging, and failing to do so can lead to unfavorable consequences. Moreover, it has been reported that some vendors retain the right to terminate licenses under certain circumstances, such as suspected illegal use or compliance with court orders or legislation.

    The user agreement for the company’s products mentions a “Disabling code”, and claims COMPANY retains the right to remotely shut down its devices if it believes the customer is using them illegally, or following a court order or legislation.

    However, sources suggest that “using the devices illegally” and “court order” are not the only factors that can lead to license termination.

    When it comes to trial versions — please note that they are often very limited; here is an example:

    If you love something, set it free

    Many (if not all) forensic products rely heavily on open-source code developed and maintained by the community. While this is generally acceptable, forensic vendors often fail to acknowledge the community projects they use. Contributions to GPLv3 projects, such as those related to checkm8, are seldom acknowledged. The lack of recognition for the community’s work is concerning. A great example of this is the many checkm8-based extraction tools developed by various vendors. Coincidentally, most forensic vendors tout the same compatibility for their checkm8 extraction methods as the checkra1n jailbreak. To see our take on this issue, read iOS Forensic Toolkit and Open Source.

    When marketing is king

    Everything mentioned above in no way diminishes the merits of forensic products we’re talking about. They all possess the required functionality for unlocking, extracting, and analyzing digital evidence. Their speed and usability are impressive (although, of course, there is still room for improvement).

    The problem lies in the fact that marketing and sales clearly take priority over research and development. In their pursuit of customers, manufacturers have started behaving rather unethically, concealing shortcomings and limitations (which inevitably exist) while significantly exaggerating capabilities. This “competition” is absolutely detrimental to the cause.

    One thing we have not yet mentioned are bugs and issues. Unfortunately, some of these bugs and issues remain unaddressed for months, if not years. Manufacturers take advantage of their monopolistic position in certain markets and the fact that users have become accustomed to their solutions, making it difficult for them to switch to alternatives.

    The truth is out there

    There are a couple of things I wanted to outline. It is crucial to understand that there is no single software solution that can fully meet the diverse needs of the DFIR field. Relying solely on press releases and marketing materials is ill-advised. It is essential to verify and compare claims made by vendors. If a vendor refuses to disclose crucial information prior to securing a deal, it should raise concerns about their transparency and reliability. The truth lies beyond the marketing façade, and it is imperative to dig deeper to ensure the best outcomes.

    By Vladimir Katalov at 2023-06-14 11:00:08 Source ElcomSoft blog:
    What Forensic Vendors Don't Like To Tell Their Customers. Part 2

  • What Forensic Vendors Don’t Like To Tell Their Customers. Part 1

    What Forensic Vendors Don’t Like To Tell Their Customers. Part 1

    One of the key limitations is the rapidly evolving landscape of technology. As new devices, operating systems, and encryption methods emerge, forensic vendors find themselves in a constant race to keep up. The tools they provide may not always be compatible with the latest devices or may have limited success against newer encryption schemes. This limitation is exacerbated by the fact that many vendors operate on a commercial basis and may prioritize the development of tools for popular devices or data formats, leaving less common devices behind.

    A tool is just a tool. Use your brain!

    Another limitation that forensic vendors may not readily admit is the potential for false positives or false negatives in their analysis. Digital forensic tools are designed to extract and analyze data from various sources, including devices, networks, and cloud services. However, the complexity of digital ecosystems and the sheer volume of data can and does lead to errors in interpretation. The algorithms used by forensic tools may occasionally misidentify or misinterpret data, leading to inaccurate conclusions. This poses a serious challenge for investigators who heavily rely on the findings of these tools in legal proceedings.

    Privacy protection as a restraining factor

    Privacy concerns also play a significant role in the limitations of forensic tools. In recent years, there has been a growing emphasis on privacy and data protection, leading to increased encryption and security measures. While this is beneficial for individuals and organizations seeking to safeguard their information, it poses a challenge for forensic vendors. Stricter privacy regulations and enhanced security practices mean that vendors may have limited access to certain data, making it more difficult for them to retrieve the required information.

    Secrecy and non-disclosure lead to lack of transparency

    The inherent secrecy and limited transparency surrounding the inner workings of forensic tools is a major drawback at the pre-sales stage. Vendors often guard not only their methods and techniques as proprietary information but also keep device and operating system compatibility under wraps, making it challenging for forensic experts to assess the compatibility, reliability and accuracy of their tools. Some vendors go so far as to withhold even the most essential information, such as their legally binding license agreements, until after a sale is made. This lack of transparency raises concerns regarding the performance, usability, and compatibility of the tools and, more importantly, the validity of the evidence they produce.

    Additionally, forensic tools may have limitations when it comes to locked, password-protected smartphone devices. While vendors often tout their ability to unlock a large list of devices and retrieve vital evidence, the reality is that the vendors’ compatibility lists are often incomplete or even kept secret. The tools available to forensic investigators may struggle to unlock any given device, particularly if the device is a branded phone or is not running a specific version of firmware that was tested in the vendor’s lab. As a result, investigators may be left with limited access to crucial evidence, hindering their ability to build a comprehensive case.

    We at ElcomSoft take pride in being one of the forensic vendors that prioritize transparency and fully disclose the compatibility and limitations of our tools. We understand the importance of providing accurate and reliable information to our customers, enabling them to make informed decisions without requiring them to make a purchase to access our tools’ full specifications, benchmarks, or license agreements. We openly communicate the devices, operating systems, and encryption methods that our tools are compatible with, ensuring that our customers have a clear understanding of the scope of our capabilities. Furthermore, we emphasize the potential limitations of our tools, highlighting the need for using various extraction and analysis methods and approaches. By being transparent about the limitations of our tools, we aim to foster trust and empower investigators with the knowledge they need to effectively utilize our solutions while being aware of their boundaries.

    Conclusion

    In conclusion, it is crucial for digital forensic experts to clearly know about the features and limitations of any tools they use, while many forensic vendors fail to acknowledge and fully disclose their solutions’ limitations. The ever-evolving technology landscape, the challenges posed by encryption and privacy measures, and the limited transparency all contribute to the complex nature of digital forensics. Understanding these limitations can help investigators and legal professionals make informed decisions and employ complementary methods to ensure a comprehensive and reliable approach to digital investigations.

    By Vladimir Katalov at 2023-06-13 11:34:50 Source ElcomSoft blog:
    What Forensic Vendors Don't Like To Tell Their Customers. Part 1