WJN Cybersecurity Company

Tag: Digital Forensics

Digital Forensics

  • iOS 16: SEP Hardening, New Security Measures and Their Forensic Implications

    iOS 16: SEP Hardening, New Security Measures and Their Forensic Implications

    iOS 16 brings many changes to mobile forensics. Users receive additional tools to control the sharing and protection of their personal information, while forensic experts will face tighter security measures. In this review, we’ll talk about the things in iOS 16 that are likely to affect the forensic workflow.

    iOS 16: no more checkm8 for A11 Bionic

    Devices based on the Apple A11 Bionic chip, which includes the iPhone 8, 8 Plus, and iPhone X, are the oldest iPhones updated to iOS 16. They are also the only iPhones compatible with the checkm8 exploit that received iOS 16. In iOS 16, Apple were able to effectively block the ability to extract user data from these iPhones, but some forensic software vendors reported otherwise. What happened?

    The public testing of iOS 16 started more than two months ago. At the same time, third-party software vendors, including the makers of forensic software, started adapting their products to iOS 16. Everything went well, and some forensic vendors reported checkm8 support in their tools days before the release of the final, official build of iOS 16.

    Apparently, some vendors rush to be the first to announce something, caring little about the quality of the final product and skipping thorough, comprehensive testing. We started our research with the first iOS 16 beta, tested everything in all imaginable combinations, and waited patiently until the official release to conduct the final test, which in turn revealed a very surprising result that pushed back our own release. You may read more about it in iOS 16: Extracting the File System and Keychain from A11 Devices.

    Our goal is to remain fully transparent about everything we make. We strive to provide the most complete information about limitations and compatibility (see, for example, our list of supported devices) and to explain the inner workings of our tools as far as we can. We have nothing to hide, and we want our customers to have full information not just about the functionality but also about the internals.

    That final, official build now includes a brand-new SEP (Secure Enclave Processor) hardening patch that effectively prevents access to user data if a screen lock passcode was ever used on the device.

    Historically, Apple already attempted to patch checkm8 extractions in iOS 14. At the time, the iPhone 7, 7 Plus, 8, 8 Plus, and iPhone X devices received a SEP hardening patch that blocked checkm8 extractions if a screen lock passcode was currently enabled. Removing the screen lock passcode in device settings re-enabled checkm8 extractions on these devices, albeit at the cost of not being forensically sound anymore. A SEP vulnerability was later discovered for A10 devices (iPhone 7 and 7 Plus), making it possible to bypass the requirement and use checkm8 on passcode-protected devices without removing the screen lock passcode. No such vulnerability was discovered for A11 Bionic.

    Why it matters:

    • For A11 Bionic devices (iPhone 8, 8 Plus, iPhone X) running iOS 16, checkm8 extraction will be unavailable if the device had a screen lock passcode configured at any time after initial setup.
    • Removing the passcode will no longer re-enable checkm8 extractions on iPhone 8, 8 Plus, iPhone X running iOS 16. This limitation does not apply to other devices (e.g. iPads).
    • Limited BFU (Before First Unlock) extraction is also no longer available for A11/iOS 16 devices.
    • checkm8 extraction for A11 Bionic devices is available if they are running iOS 15.7 or older, or if a screen lock passcode was never used on the device after initial setup.

    Lockdown Mode

    iOS 16 introduces Lockdown Mode, a special mode offering an additional level of security for the users who are likely to become targets of personal attacks. When describing the feature, Apple specifically mentions “sophisticated digital threats, such as those from NSO Group and other private companies developing state-sponsored mercenary spyware”. According to Apple, turning on Lockdown Mode hardens device defenses and limits certain functionalities, thus reducing the attack surface that potentially could be exploited by targeted spyware.

    Activating Lockdown Mode requires toggling a setting and rebooting the iPhone. In this mode, some device functions will be restricted. The following limitations will initially apply (with additional protections potentially available over time):

    • Messages: Most message attachment types other than images are blocked. Some features, like link previews, are disabled.
    • Web browsing: Certain complex web technologies, like just-in-time (JIT) JavaScript compilation, are disabled unless the user excludes a trusted site from Lockdown Mode.
    • Apple services: Incoming invitations and service requests, including FaceTime calls, are blocked if the user has not previously sent the initiator a call or request.
    • Wired connections with a computer or accessory are blocked when iPhone is locked.
    • Configuration profiles cannot be installed, and the device cannot enroll into mobile device management (MDM), while Lockdown Mode is turned on.

    The limitations are balanced enough for Lockdown Mode to be both useful and practically usable. We have yet to discover the forensic implications of Lockdown Mode.

    Passkeys

    Passkeys are yet another attempt to reinvent authentication. Based on classic asymmetric cryptography, passkeys aim to eliminate the need to use passwords and jump through the hoops of two-factor authentication ever again.

    Technically, passkeys are cryptographic key pairs of matching public and private keys, as defined in asymmetric cryptography. The private key is stored on the iPhone in the keychain (and synchronized across devices via iCloud Keychain, which in turn is protected with end-to-end encryption), while the public key is stored on the service side. According to TechCrunch, Passkey is based on the WebAuthn standard, so users can use biometric authentication like Face ID or Touch ID, or use a PIN, to validate a login attempt. The standard is based on FIDO’s proposed multi-device credentials, which allow users to store authentication keys across devices and log in without a password. This means it should work across platforms, but Google and Microsoft have yet to implement the technology on theirs. More information is available in What is Apple Passkey, and how will it help you go passwordless? | TechCrunch

    From the forensic point of view, passkeys are part of the credentials stored in the device keychain and iCloud Keychain. Experts can extract passkeys from the device itself or use Elcomsoft Phone Breaker to download them from iCloud Keychain. Since iCloud Keychain is end-to-end encrypted, accessing it requires the screen lock passcode or system password of an enrolled device in addition to the user’s Apple ID and password.

    Rapid Security Response

    Rapid Security Response is an interesting new feature that can install security patches without the need for a full iOS update. The exact forensic implications of Rapid Security Response are still unknown. On the one hand, Rapid Security Response may deliver critical security patches faster without pushing the users to update the OS, thus patching any potential vulnerabilities that might otherwise be used for low-level extractions. On the other hand, some sources suggest that updates delivered through Rapid Security Response can be uninstalled by going to Settings > General > About, tapping iOS Version, and then tapping Remove Security Update.

    Landscape Face ID

    The iPhone 13 and 14 will be able to use Face ID in landscape orientation. This feature does not affect iOS forensics. As a reminder, Apple last improved Face ID in iOS 15.4 by adding the ability to unlock iPhones while wearing a medical mask. iOS 14.5 brought the ability to unlock iPhones while wearing a medical mask with Apple Watch. This latter feature may be a potential vector of attack.

    iOS 16 Privacy Protection

    Apple works hard on improving privacy protections. The features listed below are unlikely to affect forensic experts, with one notable exception.

    Safety Check

    According to Apple, Safety Check is designed to “check whom you’re sharing information with, restrict Messages and FaceTime to your iPhone, reset system privacy permissions for apps, change your passcode, change your Apple ID password, and more.” The feature enables reviewing and removing permissions granted to apps or people from a single point of access. Safety Check can also be used to restrict incoming messages and FaceTime calls to a single iPhone by disabling iCloud Messages and calling. As a reminder, iCloud Messages are end-to-end encrypted, and can only be extracted with Elcomsoft Phone Breaker if you have a screen lock passcode or system password of an enrolled device (in addition to login credentials and two-factor authentication).

    Permission to Access the Clipboard

    iOS 14 introduced a pop-up bubble informing the user that a certain app accessed the clipboard. The message could not be disabled system-wide, and many users were irritated by the constant pop-ups. iOS 16 attempts to solve this issue by introducing a new permission for accessing the clipboard in the background. More information is available in UIPasteBoard’s privacy change in iOS 16 | Sarunw. When testing the feature, we found it to be half-baked, since Apple did not provide a way to view or recall this permission; it also turned out to be buggy.

    Hidden Photos Protection

    Prior to iOS 16, hidden albums were just that. Users could ‘hide’ a picture by placing it into a ‘hidden’ album. The image would then disappear from the main photo stream, yet simply opening the hidden album would instantly reveal such pictures.

    iOS 16 adds an additional layer of protection, now keeping the hidden photos locked behind a passcode or Face ID by default. Users can disable the authentication requirement in the settings.

    This feature does not affect the ability to extract media files in any way. The hidden photos remain available in backups, and they are easily accessible through AFC during advanced logical acquisition with iOS Forensic Toolkit without requiring any sort of extra authentication.

    Privacy Report and App Tracking Transparency

    iOS 15.2 enabled Privacy Report, a feature that allows users to see details about how often apps access their data such as location, camera, microphone, and more. Users can also see information about each app’s network activity, as well as the web domains that all apps contact most frequently (About App Privacy Report). Earlier in iOS 14.5 Apple enabled App Tracking Transparency, a feature that gave users control over which apps are allowed to ask for permission if they want to track users’ activities across other apps and websites.

    These things happened many months before the release of iOS 16. Why are we addressing them now?

    “Local law enforcement agencies from suburban Southern California to rural North Carolina have been using an obscure cellphone tracking tool, at times without search warrants, that gives them the power to follow people’s movements months back in time, according to public records and internal emails obtained by The Associated Press”, say Garance Burke and Jason Dearen in Tech tool offers police ‘mass surveillance on a budget’ | AP News. According to the publication, the service named Fog Reveal was provided by Fog Data Science LLC, a company founded by two former high-ranking Department of Homeland Security officials.

    Fog Reveal obtained the data from various ad mediators and owners of advertisement SDKs such as Waze, Starbucks, Meta, and many other companies collecting information about the users’ movements and interests. Such information is openly sold, albeit in anonymized form.

    Using Fog’s data, which the company claims is anonymized, police can geofence an area or search by a specific device’s ad ID numbers, according to a user agreement obtained by AP. But, Fog maintains that “we have no way of linking signals back to a specific device or owner,” according to a sales representative who emailed the California Highway Patrol in 2018, after a lieutenant asked whether the tool could be legally used.

    Despite such privacy assurances, the records show that law enforcement can use Fog’s data as a clue to find identifying information. “There is no (personal information) linked to the (ad ID),” wrote a Missouri official about Fog in 2019. “But if we are good at what we do, we should be able to figure out the owner.” (source)

    It is exactly this unique advertising identifier that was used to identify each device, initially for the purposes of tracking and ad targeting. While each device’s advertising identifier is anonymous, with enough data and some analysis it can easily be linked to a person. App Tracking Transparency gave users control over who can request permission to access the advertising identifier, and only 4 percent of US iPhone users have agreed to app tracking after iOS 14.5. Privacy Report, on the other hand, gives users important insight into which apps are abusing permissions and which web sites they talk to.

    Conclusion

    In iOS 16, Apple went a long way to protect the users’ personal information and secure their devices. The SEP patch for A11 devices caught us by surprise, rendering checkm8 extraction effectively useless on iPhone 8, 8 Plus and iPhone X devices.

    By Vladimir Katalov at 2022-09-23 15:00:25 Source ElcomSoft blog:
    iOS 16: SEP Hardening, New Security Measures and Their Forensic Implications

  • iOS Forensic Toolkit 8.0 Now Official: Bootloader-Level Extraction for 76 Devices

    iOS Forensic Toolkit 8.0 Now Official: Bootloader-Level Extraction for 76 Devices

    iOS Forensic Toolkit 8.0 is officially released! Delivering forensically sound checkm8 extraction and a new command-line driven user experience, the new release becomes the most sophisticated mobile forensic tool we’ve released to date.

    checkm8 Extraction

    Released almost exactly three years ago, checkm8 came as a huge surprise. Exploiting a vulnerability in the bootloader of many Apple devices including several generations of iPhones, iPads, iPod Touch, Apple Watch and even Apple TV devices, checkm8 allows breaking into a device almost regardless of the version of iOS installed on these devices. The latest iPhone models that can be exploited include the iPhone 8, 8 Plus and iPhone X devices (up to and including iOS 15.7). For 32-bit devices the exploit can even be used to unlock devices with an unknown screen lock passcode.

    Today, checkm8 is a common and widely accepted tool in the mobile forensic community. Multiple solutions exist, but none of them is perfect. We have yet to see a purely checkm8-based solution that does not borrow from checkra1n while offering repeatable extractions several times in a row, so we developed our own implementation built from the ground up. As a result, there won’t be a trace left on the iPhone extracted with iOS Forensic Toolkit, not a single log entry and not even a changed timestamp. How did we make it possible?

    checkm8 is ideal when it comes to forensic extractions. By its very nature, the exploit does not need to modify the file system; all modifications are performed on the fly in the device’s volatile memory. Our implementation works entirely in the RAM; it does not boot the OS installed on the device and does not modify the data or system partition. For that to work, during the extraction process you will need to download a matching copy of the original device firmware from Apple (the download link will be provided at the time of extraction).

    Compatibility, System Requirements and Limitations

    The initial release of iOS Forensic Toolkit 8.0 is available for macOS computers and can be launched on both x86 and Apple Silicon (M1/M2) computers. Linux and Windows editions are in the works.

    Our implementation of checkm8 extraction is available for 76 Apple devices including a host of iPhone, iPad, iPod Touch, Apple Watch and Apple TV models. We support a number of major OS releases ranging from iOS 7 through iOS 15.7 (with limited iOS 16 support) in three different flavors (iOS, tvOS, and watchOS) for three different architectures (arm64, armv7, and armv7k). We support 18 different chips vulnerable to BootROM exploits, namely:

    S5L8930, S5L8940, S5L8942, S5L8945, S5L8947, S5L8950, S5L8955, S5L8960, S5L8965, T7000, T7001, S8000, S8001, S8003, T8004, T8010, T8011, T8015

    These chips are used in the following devices:

    • 4 AppleTVs: AppleTV3,1 AppleTV3,2 AppleTV5,3 AppleTV6,2
    • 40 iPads: iPad2,1 iPad2,2 iPad2,3 iPad2,4 iPad2,5 iPad2,6 iPad2,7 iPad3,1 iPad3,2 iPad3,3 iPad3,4 iPad3,5 iPad3,6 iPad4,1 iPad4,2 iPad4,3 iPad4,4 iPad4,5 iPad4,6 iPad4,7 iPad4,8 iPad4,9 iPad5,1 iPad5,2 iPad5,3 iPad5,4 iPad6,11 iPad6,12 iPad6,3 iPad6,4 iPad6,7 iPad6,8 iPad7,1 iPad7,11 iPad7,12 iPad7,2 iPad7,3 iPad7,4 iPad7,5 iPad7,6
    • 25 iPhones: iPhone10,1 iPhone10,2 iPhone10,3 iPhone10,4 iPhone10,5 iPhone10,6 iPhone3,1 iPhone3,2 iPhone3,3 iPhone4,1 iPhone5,1 iPhone5,2 iPhone5,3 iPhone5,4 iPhone6,1 iPhone6,2 iPhone7,1 iPhone7,2 iPhone8,1 iPhone8,2 iPhone8,4 iPhone9,1 iPhone9,2 iPhone9,3 iPhone9,4
    • 3 iPods: iPod5,1 iPod7,1 iPod9,1
    • 4 Watches: Watch3,1 Watch3,2 Watch3,3 Watch3,4

    In response to checkm8, Apple attempted to strengthen security of the latest vulnerable devices, the iPhone 7, 7 Plus, 8, 8 Plus and iPhone X range by hardening SEP protection. The increased security measures require removing the screen lock passcode before applying the exploit on the iPhone 8, 8 Plus and iPhone X models running iOS 14 through 15.7, yet we were able to overcome this protection for the iPhone 7 and 7 Plus.

    iOS 16 support is limited. Days before the release of the final build of iOS 16 we were ready to roll out iOS Forensic Toolkit 8 with iOS 16 support on A11 devices. Apple’s last-minute change in the release version of iOS 16 included an unexpected SEP patch that broke checkm8 extraction completely. The patch effectively blocks the exploit from accessing the data if a passcode was ever configured on the device (even if subsequently removed). The new SEP hardening measures effectively prevent checkm8 extractions on the absolute majority of A11-based devices in circulation (the iPhone 8, 8 Plus, and iPhone X).

    The complete compatibility matrix now looks as follows:

    Passcode Unlock

    checkm8 does not affect the Secure Enclave. It cannot be used to break the screen lock passcode, and without the passcode it cannot be used to decrypt most of the data in the file system (limited BFU mode access is still possible).

    Having said that, we can still do the unlock for older Apple devices with no Secure Enclave by using checkm8 or another bootloader exploit. Such devices include the iPhone 4, 4s, 5, and 5c. For these iPhone models, our tool can do everything from recovering the passcode to bit-precise physical extraction. Note: the iPhone 4s requires an additional piece of hardware due to a specific USB controller (see checkm8: Unlocking and Imaging the iPhone 4s).

    Unknown Passcode and BFU Extraction

    As already mentioned, our solution can perform a limited BFU (Before First Unlock) extraction for 64-bit devices protected with an unknown screen lock passcode. In this mode, you can extract information that is not encrypted with a key derived from the screen lock passcode. This includes the call history log, account list, draft messages (SMS/iMessage) and attachments (drafts only!), as well as some geolocation data and some app data. In addition, WAL files (write-ahead logs) to many databases can also be extracted.

    checkm8 vs. Advanced Logical Acquisition

    Advanced logical acquisition is the easiest and most compatible extraction method that includes local backups, media files, crash logs and shared files. Advanced logical extraction often delivers just enough data to jump-start the investigation. What is not included with the advanced logical process are many types of data such as chats occurring in the most secure messaging apps such as Signal or Telegram, email messages, low-level system data, SQLite databases with their respective write-ahead logs, location data, and many system logs that may reveal every detail of device usage history. All of that and much more is readily available when you use checkm8 extraction.

    checkm8 or checkra1n?

    The first checkm8-based solutions in mobile forensics were built with checkra1n, a public, closed-source jailbreak that is based on the open-source checkm8 exploit. checkra1n extractions deliver the same amount of data as any other low-level extraction method. However, the use of checkra1n inevitably alters the content of the device, which impacts its use in mobile forensics.

    Compared to checkra1n-based extractions, our checkm8 extraction process has the following differences:

    • Repeatable, verifiable extractions
    • Unaltered system and data partitions
    • 100% of the patching occurs in the RAM
    • Supports 76 devices, 3 different architectures, and several generations of iOS from iOS 7.0 through iOS 15.7 (with limited iOS 16 support)
    • Passcode unlock available for armv7 devices (iPhone 4 through iPhone 5c)
    • BFU (Before First Unlock) extraction supported
    • Supports iPhone, iPad, iPod Touch, Apple Watch and Apple TV devices

    The Command Line

    iOS Forensic Toolkit 8.0 brings a new, advanced user experience built around the command line, which gives experts full control over every step of the extraction workflow. Thanks to the command line, experts can also build their own scripts to automate their specific routines.

    Conclusion

    With this update, Elcomsoft iOS Forensic Toolkit becomes the most advanced iOS acquisition tool on the market. The toolkit now supports all possible acquisition methods including advanced logical, agent-based and checkm8-based low-level extraction.

    By Oleg Afonin at 2022-09-22 10:59:08 Source ElcomSoft blog:
    iOS Forensic Toolkit 8.0 Now Official: Bootloader-Level Extraction for 76 Devices

  • iOS 16: Extracting the File System and Keychain from A11 Devices

    iOS 16: Extracting the File System and Keychain from A11 Devices

    Bootloader-based acquisition is the only 100% forensically sound data extraction method for Apple devices. It is the only way to acquire the full set of data from those devices that run iOS 16, albeit with a huge caveat that makes the whole thing more of a brain exercise than a practical forensic tool. Let’s review the iOS 16 compatibility in iOS Forensic Toolkit and go through the whole process step by step.

    Supported devices

    The checkm8 exploit is compatible with multiple generations of Apple devices. However, only some of those devices are compatible with Apple’s latest iOS builds. Here is the full list of devices that are both compatible with the bootrom-based acquisition method and able to run iOS 16 and its variants, such as iPadOS and tvOS:

    • iPhone 8, iPhone 8 Plus, iPhone X
    • iPad 5/6/7
    • iPad Pro (1st and 2nd gen)
    • Apple TV HD (4th gen) and Apple TV 4K (1st gen)

    iPad and iPad Pro devices do not have an iPadOS 16 update yet. iPadOS 16.1 will soon be available, but there is some bad news coming.

    First, the “…cannot be fixed with a software patch” mantra about the bootloader vulnerability and the checkm8 exploit did not actually hold. For the most part, Apple was able to fix it in iOS 16, specifically for devices based on the A11 SoC, which includes the iPhone 8, 8 Plus and iPhone X. The first part of the fix arrived with the release of iOS 14. Back then you had to disable the screen lock passcode in order for checkm8 to work. iOS 16 tightened this even further: if the device had a passcode set at any time after it was initially set up, the data volume cannot be unlocked anymore. The file system extraction, let alone keychain decryption, of a passcode-locked iPhone 8/X running iOS 16 is no longer possible, even if you know the passcode and even if you remove it from the device.

    Second, iPadOS 16.1 (and iOS 16.1) will bring significant changes (in particular the ramdisk format) that will prevent our software from working. At this point we cannot say whether this change is made to improve security (probably not). We can fix it, but we need more time.

    Prerequisites

    A compatible device. This is the trickiest part. If you are working with an iPhone 8, iPhone 8 Plus or iPhone X and it has a passcode set, you are out of luck. With iOS 14 or 15, you had to remove the passcode first (see How to Remove The iPhone Passcode You Cannot Remove for more details), but that does not work anymore with iOS 16. For iOS 16 and an iPhone 8, iPhone 8 Plus or iPhone X you’ll need a phone that never had a passcode at any point after the user set it up.

    You’ll need a Mac. For the time being, iOS Forensic Toolkit 8.0 can only be used on a Mac. We do have a Windows build, but it currently lacks support for bootloader-based acquisition. Both Windows and Linux editions with full support for bootloader-based acquisition are currently under development. iOS Forensic Toolkit works even on older Macs running macOS High Sierra, but we recommend one of the newer models instead. If you have a choice, pick one based on Apple Silicon running macOS Big Sur or Monterey. Note that we have not tested iOS Forensic Toolkit on macOS 13 Ventura, although it should work.

    Please note that we do not officially support virtual machines or Hackintoshes.

    A USB-A to Lightning cable. If your Mac has USB-C or Thunderbolt ports only, you will also need a hub with at least two USB-A ports (one to connect the device, and the other to connect the iOS Forensic Toolkit dongle).

    For iPads, there is still no need to remove the passcode prior to the acquisition, but you must know the passcode; however, as noted above, we don’t support iPads running iPadOS 16 yet, sorry (working on that).

    Finally, Apple TV does not have passcode protection, so there is nothing to worry about.

    Installation

    We have two separate installation packages:

    • Legacy: for macOS High Sierra, Mojave and Catalina (Intel-based Macs)
    • Current: for macOS Big Sur and Monterey (Intel or Apple Silicon)

    Make sure to download a package compatible with your system.

    To install the downloaded package, first mount the installation file (.dmg) using the installation password you received, then copy the EIFT8 folder (or EIFT8L for the legacy version) to a known location on your computer, such as the desktop.

    Next, start the Terminal app and remove the quarantine flag:

    xattr -r -d com.apple.quarantine 

    Now you can cd into the iOS Forensic Toolkit folder and start the program. The general syntax is:

    ./EIFT_cmd 

    Entering DFU

    Placing the device in DFU is probably the trickiest part of the process. Entering DFU is always manual; you need to press and hold the buttons on the device in a particular order with precise timings. The steps are different for different devices, and every little detail (such as ports and cables) matters.

    We posted a lot about DFU. You can start with DFU Mode Cheat Sheet. There is something specific to the Apple TV 4K that does not have a USB port (Apple TV 4K Keychain and Full File System Acquisition); and we have a detailed (and carefully tested) set of instructions for the iPhone 8 and iPhone X range: Entering DFU: iPhone 8, 8 Plus, and iPhone X.

    In short, we recommend starting iOS Forensic Toolkit first with the boot command and the -w flag (which means “wait for device in DFU mode”), like this:

    ./EIFT_cmd boot -w

    The program will keep looking for connected devices and will indicate once such a device is connected or disconnected (in any mode), which makes things simpler.

    Usage

    If you did everything right, the bootloader exploit will be applied automatically and immediately as soon as iOS Forensic Toolkit finds a device connected in DFU mode. The tool will then detect the installed iOS version; unfortunately, in some cases the exact iOS version cannot be determined, and the tool will print out the closest range of iOS builds.

    You will then have to provide the tool with a path to a proper firmware image; a download link will be printed out by iOS Forensic Toolkit. If the exact iOS version could not be determined, you will receive several download links; in that case, select the first one from the list. You can either download the firmware and specify name and path to the local file in iOS Forensic Toolkit, or just paste the download link instead, in which case iOS Forensic Toolkit will download only the mandatory data, which is a bit faster.

    iOS Forensic Toolkit will perform further steps, booting a proper ramdisk and making the necessary patches in the device’s volatile memory. If everything is OK, the device screen will display the Exploited message.

    You can now acquire the data by following the steps:

    ./EIFT_cmd ramdisk unlockdata

    The command unlocks the data partition. Yes, you do NOT need to run the “ramdisk loadnfcd” command (which mounts the relevant file systems and starts the nfcd daemon) as in earlier versions. It is still needed for iOS 15 and lower, though.

    If the passcode is set (or was set before and later removed), the command fails. There is currently absolutely no way to acquire the data (keychain and full file system) from iPhone 8/X devices running iOS 16 protected with a passcode using the checkm8 exploit, at least for now.

    ./EIFT_cmd ramdisk keychain -o 
    

    The keychain should normally be extracted first, as it contains some of the most valuable data; see Keychain: the Gold Mine of Apple Mobile Devices for details.

    ./EIFT_cmd ramdisk tar -o 

    By default, only the data partition is extracted, and it is the recommended setting. The system partition does not contain any user-specific data, and its extraction will slow down further analysis. Only pull the system partition if the device is jailbroken or you think that it might be compromised with something like Pegasus spyware.

    iOS Forensic Toolkit saves the file system in the form of a .tar archive that can be analyzed, for example, with the open-source iLEAPP software. Of course, commercial software like Cellebrite UFED, Magnet AXIOM, MSAB XRY or Oxygen Forensic Detective will also work. Some of these products may not support iOS 16 file system analysis at this point, but I am sure they will. For the time being, it looks like iLEAPP does the job (and it is free!)

    Troubleshooting & error reporting

    I bet you will have some trouble entering DFU at first; this is normal. Just follow the instructions exactly (and remember the hub and the USB-A cable).

    Still, applying the exploit may fail, sometimes because the device is in a “wrong” DFU mode (see the DFU article above for more details); if this happens, just try again.

    The other error you may encounter occurs when the output file with the same name (keychain or .tar archive with the file system) already exists; just check that the output file name is unique.

    From time to time, you may get an error when booting the ramdisk or unlocking the data partition. Such errors occur randomly and are completely unpredictable. If this happens, we would love to receive the complete log file(s) created by iOS Forensic Toolkit in order to develop a solution; the log files are saved at:

    ~/Elcomsoft/EIFT/logs

    By request, we can provide you with a debug version of iOS Forensic Toolkit that logs even more information that may help us locate and fix the problem.

    TL;DR

    So, here is the sequence of commands once iOS Forensic Toolkit is installed:

    • Start terminal and change current folder to EIFT
    • ./EIFT_cmd -w
    • Place the device in DFU mode
    • Supply the firmware file or link
    • ./EIFT_cmd ramdisk unlockdata
    • ./EIFT_cmd ramdisk keychain -o
    • ./EIFT_cmd ramdisk tar -o

    Conclusion

    Despite its limitations, our implementation of checkm8-based extraction is still the best and most forensically sound acquisition method for supported devices. With the release of iOS 16, the iPhone 8, 8 Plus and iPhone X became practically immune to the “unpatchable” bootloader exploit: the exploit itself still runs, but it no longer yields user data from devices that ever had a passcode. Forensic specialists will be unable to extract data from real-life devices that are (or ever were) protected with a passcode, at least not until a SEP exploit emerges. There is also a possibility that an OS-level vulnerability will be discovered in iOS 16, making agent-based extraction possible. This, however, is a distant prospect, as Apple complicated a lot of things in iOS 16.

    By Vladimir Katalov at 2022-09-22 10:55:48 Source ElcomSoft blog:
    iOS 16: Extracting the File System and Keychain from A11 Devices

  • Entering DFU: iPhone 8, 8 Plus, and iPhone X

    Entering DFU: iPhone 8, 8 Plus, and iPhone X

    DFU (Device Firmware Update) is a special service mode available in many Apple devices for recovering corrupted devices by uploading a clean copy of the firmware. Forensic specialists use DFU during checkm8 extractions (Elcomsoft iOS Forensic Toolkit). Unlike Recovery, which serves a similar purpose, DFU operates on a lower level and is undocumented. Surprisingly, there might be more than one DFU mode, one being more reliable than the others when it comes to forensic extractions. The method described in this article works for the iPhone 8, 8 Plus and iPhone X.

    Before You Begin

    Before you begin, make sure you have everything to proceed. Check out our past articles on the subject including iPhone X, DFU mode and checkm8, How to Put an iOS Device with Broken Buttons in DFU Mode, and DFU Mode Cheat Sheet.

    • Only use USB-A to Lightning cables; no Type-C cables!
    • For better compatibility, use a hub instead of a USB-C to USB-A adapter.
    • Unless you practiced before, placing an iPhone into DFU rarely succeeds on the first try. We recommend practicing the steps on a ‘safe’ device.
    • The iPhone 8/X devices have two slightly different DFU modes, and only one of them can be relied on for extractions. One cannot tell the two DFU modes apart from the outside, so following the correct procedure is extremely important. If the iPhone is placed into the wrong DFU mode, the exploit may fail or you may experience issues during the subsequent extraction steps.

    Step 1: enter Recovery

    Before placing the device into DFU, we recommend entering the Recovery mode first. There are two different ways to do that depending on the iPhone’s power-on status.

    If the device is powered off and not connected to a PC:

    • press and immediately release Vol+;
    • press and immediately release Vol-;
    • press and hold Power; while holding the Power button, connect the iPhone to the computer with a Lightning cable.
    • Keep holding the Power key until you see the recovery image.

    If the device is powered on and already connected to a PC:

    • press and immediately release Vol+;
    • press and immediately release Vol-;
    • press and hold Power until you see the recovery image.

    Step 2: Entering DFU

    Once the iPhone is in Recovery and connected to the computer, launch iOS Forensic Toolkit with the following command:

    ./EIFT boot -w

    On the iPhone:

    • press and immediately release Vol+;
    • press and immediately release Vol-;
    • press and hold Power until you see the “iPhone disconnected” message in iOS Forensic Toolkit on the computer. This message means that the iPhone has been disconnected from the computer. If you are not using iOS Forensic Toolkit, you can watch Finder instead.
    • Once the iPhone disconnects from the computer, keep holding the Power button and press and hold Vol-.
    • Keep holding the buttons for 4 seconds, then release Power (keep holding Vol-).
    • iOS Forensic Toolkit will pick up and start booting the iPhone once the device is in DFU. When this happens, release the Vol- button.

    Note: if you keep holding the buttons longer than the 4 seconds, the iPhone will be rebooted instead of entering DFU.

    In macOS, Finder will show the iPhone in “Recovery” mode regardless of whether the device is in DFU or Recovery. However, in Recovery you will see both Update and Restore, while in DFU you will only see Restore (the Update button will be disabled).

    By Oleg Afonin at 2022-09-13 17:13:58 Source ElcomSoft blog:
    Entering DFU: iPhone 8, 8 Plus, and iPhone X

  • Low-Level Extraction of iOS 15.2-15.3.1

    Low-Level Extraction of iOS 15.2-15.3.1

    iOS Forensic Toolkit 7.60 brings gapless low-level extraction support for several iOS versions from iOS 15.2 up to and including iOS 15.3.1, adding full file system extraction support for Apple devices based on Apple A11-A15 and M1 chips.

    What’s it all about

    Low-level extraction is commonly used by forensic specialists to obtain digital evidence not otherwise accessible via the lighter and simpler logical acquisition process. Elcomsoft pioneered agent-based low-level extraction, utilizing a lightweight app for accessing the file system and establishing a communication channel between the expert’s computer and the device being extracted. Once sideloaded onto the device, the extraction agent applies an exploit to obtain superuser privileges and gain low-level access to the file system.

    Prior to this update, iOS Forensic Toolkit could perform low-level extraction of most iPhone and iPad models running iOS 9 through iOS 15.1.1, delivering full file system extraction and keychain decryption. In this release, we are once again extending the range of supported iOS builds, now covering iOS 15.2 through iOS 15.3.1 on Apple A11-A15 and M1 based devices. With this update, full file system extraction is possible for iOS 9.0 through 15.3.1 on all compatible iPhone and iPad models.

    Benefits of agent-based extraction

    There are several extraction methods of varying complexity and compatibility. Logical acquisition is the most compatible and the easiest to use, but returns the least amount of data. Low-level extraction delivers tangible extras such as location data, comprehensive device usage stats, and all sandboxed app data, including communication histories in the most secure messaging apps.

    Low-level extraction comes in multiple flavors, checkm8 being the cleanest and jailbreaks the most obtrusive of the pack. Agent-based acquisition is second best to checkm8, delivering robust file system extraction for all Apple devices running a compatible version of iOS. Agent-based extraction comes as close to being forensically sound as possible, installing only a lightweight app and not altering any user data (although, as with any app install, the installation itself leaves traces on the device).

    What makes a certain iOS version ‘compatible’ with the agent? The extraction agent obtains the required level of privileges by exploiting one of the known vulnerabilities in iOS kernel. To do this, the app packs a number of kernel-level exploits and uses one or another to escape its sandbox and access the file system. Such exploits require time and effort to find and to implement, while Apple actively patches known vulnerabilities in iOS updates. This is why the latest versions of iOS are generally immune to exploits developed for earlier builds (although we know of several exceptions).

    Breaking iOS 15.2-15.3.1

    Unlike checkm8-based extraction, which exploits a boot loader-level vulnerability only available on legacy devices, the extraction agent relies on kernel exploits. These exploits enable the extraction agent to escape the sandbox and gain low-level access to the file system and establish a communication channel between the iPhone and the computer.

    Apple actively resists low-level extraction attempts, making it more difficult to sideload apps. Today, sideloading only works reliably in macOS. We are working on improving the process.

    iOS 15.2 introduced a new memory protection mechanism that makes it more difficult to apply the exploit. While in this release we can only extract the file system, we are working on keychain decryption as well.

    Using the extraction agent

    You’ll need a supported iPhone or iPad device running a compatible version of iOS. Please refer to the following picture for the matrix of supported device models and iOS versions:

    Using an Apple ID enrolled in Apple’s Developer Program is strongly recommended for installing the agent, as it removes the need to open Internet access on the device. A workaround is available to Mac users. Comprehensive instructions on How to Sideload the Extraction Agent are available in our blog.

    Low-level extraction in iOS Forensic Toolkit 7.60

    To extract the file system and decrypt the keychain from an iOS device without a jailbreak, follow these steps.

    1 INSTALL - Install acquisition agent on device
    2 KEYCHAIN - Acquire device keychain
    3 FILE SYSTEM - Acquire device file system (as TAR archive)
    4 FILE SYSTEM (USER) - Acquire user files only (as TAR archive)
    5 UNINSTALL - Uninstall acquisition agent on device

    Detailed instructions:

    1. Connect the iPhone to your computer. Pair the device (establish trusted relationship) by confirming the prompt on the iPhone and entering the screen lock passcode.
    2. Launch iOS Forensic Toolkit 7.60 or newer.
    3. On the computer, sideload the extraction agent by using the 1 INSTALL command in iOS Forensic Toolkit.
    4. On the iPhone, launch the extraction agent by tapping its icon.
      Windows: developer account required. Use app-specific password.
      macOS: developer account not required but strongly recommended.
    5. If supported, extract the keychain with 2 KEYCHAIN.
    6. Extract file system image (full file system or data partition) with 4 FILE SYSTEM (USER). We recommend extracting the data partition only; the full image (3) may be usable e.g. to check the system partition for persistent malware.
    7. On the iPhone, uninstall the extraction agent in a regular way or by using the 5 UNINSTALL command.

    You may now disconnect the iPhone and start analyzing the data.

    Low-level extraction in iOS Forensic Toolkit 8.0 Beta

    iOS Forensic Toolkit 8.0 features a new, command-line driven user interface, and employs a whole different set of commands compared to EIFT 7.x. To perform agent-based extraction in EIFT 8, follow these steps.

    To install the extraction agent onto the device, connect and pair the device to the computer. Then, in the EIFT folder, run the following commands:

    • Connect and pair the device to the computer: ./EIFT_cmd normal pair
    • Install extraction agent: ./EIFT_cmd agent install
      You will be prompted for the Apple ID and password, followed by two-factor authentication if the device is not trusted yet.
    • If a regular, non-developer Apple ID was used, you will have to verify the certificate on the device.
    • Tap the app icon to launch the extraction agent.
    • Type ./EIFT_cmd agent keychain -o keychain.xml to extract the keychain (supported versions of iOS only)
    • Type ./EIFT_cmd agent tar -o data.tar to extract the full file system image. Important: use a unique file name, or the extraction will fail.
    • Type ./EIFT_cmd agent uninstall to uninstall the agent.
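
    The two command sequences quoted on this page (the checkm8 ramdisk path in the iOS 16 article above and the agent path just listed) share the same practical pitfalls: an output name that already exists makes the extraction fail, and the keychain should be pulled before the file system. The Python helper below is an added example, not part of iOS Forensic Toolkit or any Elcomsoft code. It builds collision-free output names, runs the steps in order through a caller-supplied runner, and records a SHA-256 manifest of every produced file for the case record. The `./EIFT_cmd` argv strings mirror the commands on the page; the exit-code convention (0 means success), the file naming scheme and the dry-run mode are assumptions of this example.

```python
"""Added example (not part of iOS Forensic Toolkit): plan an EIFT-style
extraction with collision-free output names, run it step by step, and write
a SHA-256 manifest of every file produced. Assumptions: the tool is invoked
as ./EIFT_cmd in the current directory and returns exit status 0 on success."""
import hashlib
import os
import subprocess
import time
from typing import Callable, Dict, List, Sequence

Runner = Callable[[Sequence[str]], int]


class OutputExists(Exception):
    """The tool refuses to overwrite an existing output; we refuse to even try."""


def unique_output(outdir: str, label: str, kind: str, ext: str) -> str:
    """<outdir>/<label>_<kind>_<UTC timestamp>.<ext>, never an existing file."""
    stamp = time.strftime("%Y%m%dT%H%M%SZ", time.gmtime())
    path = os.path.join(outdir, f"{label}_{kind}_{stamp}.{ext}")
    if os.path.exists(path):
        raise OutputExists(path)
    return path


def plan_extraction(outdir: str, label: str, mode: str) -> List[List[str]]:
    """Ordered argv list for a checkm8 ('ramdisk') or agent-based ('agent')
    acquisition: unlock (ramdisk only), keychain first, then the data tar."""
    if mode not in ("ramdisk", "agent"):
        raise ValueError("mode must be 'ramdisk' or 'agent'")
    keychain = unique_output(outdir, label, "keychain", "xml")
    tar = unique_output(outdir, label, "data", "tar")
    steps: List[List[str]] = []
    if mode == "ramdisk":
        steps.append(["./EIFT_cmd", "ramdisk", "unlockdata"])
    steps.append(["./EIFT_cmd", mode, "keychain", "-o", keychain])
    steps.append(["./EIFT_cmd", mode, "tar", "-o", tar])
    return steps


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def run_extraction(steps: List[List[str]], run: Runner) -> Dict[str, str]:
    """Run each step, stop at the first failure, hash every produced file."""
    manifest: Dict[str, str] = {}
    for argv in steps:
        if run(argv) != 0:
            raise RuntimeError("step failed: " + " ".join(argv))
        if "-o" in argv:
            out = argv[argv.index("-o") + 1]
            manifest[out] = sha256_file(out)
    return manifest


def write_manifest(manifest: Dict[str, str], path: str) -> None:
    """sha256sum-compatible manifest for the case file."""
    with open(path, "w") as f:
        for name, digest in sorted(manifest.items()):
            f.write(f"{digest}  {os.path.basename(name)}\n")


def tool_runner(argv: Sequence[str]) -> int:
    """Invoke the real tool (only meaningful with EIFT installed)."""
    return subprocess.call(list(argv))


DRY_RUN_MARKER = b"dry-run placeholder\n"


def dry_run_runner(argv: Sequence[str]) -> int:
    """Rehearse the workflow without the tool: write placeholder outputs."""
    if "-o" in argv:
        with open(argv[argv.index("-o") + 1], "wb") as f:
            f.write(DRY_RUN_MARKER)
    return 0


if __name__ == "__main__":
    plan = plan_extraction(".", "iphone_x_case", "ramdisk")
    for argv in plan:
        print(" ".join(argv))
    write_manifest(run_extraction(plan, dry_run_runner), "manifest.sha256")
```

    Swap `dry_run_runner` for `tool_runner` once EIFT is in the working directory; the manifest then records the hashes of the real keychain and .tar outputs, which is what you want alongside the log files mentioned above.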

    By Oleg Afonin at 2022-08-25 09:55:34 Source ElcomSoft blog:
    Low-Level Extraction of iOS 15.2-15.3.1

  • Probing Linux Disk Encryption: LUKS2, Argon 2 and GPU Acceleration

    Probing Linux Disk Encryption: LUKS2, Argon 2 and GPU Acceleration

    Disk encryption is widely used on desktop and laptop computers. Many non-ZFS Linux distributions rely on LUKS for data protection. LUKS is a classic implementation of disk encryption offering a choice of encryption algorithms, encryption modes and hash functions. LUKS2 further hardens the already tough disk encryption. Learn how to deal with LUKS2 encryption in Windows and how to break in with distributed password attacks.

    Disk Encryption Basics

    Disk encryption tools rely on symmetric cryptography to encrypt data. The default encryption algorithm today is hardware-accelerated AES-256 encryption, although Microsoft BitLocker defaults to using AES-128. Some disk encryption tools offer the choice of encryption algorithms, while others can only alter the key length and/or encryption mode.

    The symmetric encryption keys are derived from the user’s password (or other data) using a Key Derivation Function (KDF). The KDF applies many rounds of one-way transformations (hashing) to the user’s input to produce a binary key. This binary key is rarely used directly to encrypt or decrypt data. Instead, it typically protects and unprotects (wraps/unwraps) the actual symmetric encryption key. Different hash functions with large iteration counts are used to slow down potential brute-force attacks.

    The Original LUKS Encryption

    LUKS is a platform-independent disk encryption specification originally developed for the Linux OS. LUKS is a de-facto standard for full-disk encryption in Linux, facilitating compatibility among various Linux distributions and providing secure management of multiple user passwords. Today, LUKS is widely used in nearly every Linux distribution on desktop and laptop computers.

    When attacking an encrypted disk, one must know the exact combination of encryption and hashing algorithms, as well as the number of hash rounds. Attacking a disk with the wrong parameters will never result in a successful recovery. LUKS offers users the choice of various encryption algorithms, hash functions and encryption modes, which gives many possible combinations. The historical default for LUKS-encrypted disks was aes-cbc-essiv:sha256 with 256-bit keys; current cryptsetup releases default to aes-xts-plain64, and either can be changed by the user or by the developers of a Linux distro. The exact encryption settings are stored as metadata in the encrypted disk’s header, which is why the header must be read before any attack.

    Elcomsoft Distributed Password Recovery automatically detects LUKS encryption settings by analyzing the encryption metadata, which must be extracted with Elcomsoft Forensic Disk Decryptor prior to launching the attack.

    LUKS2: A Stronger LUKS

    LUKS2 is a newer, better and more secure version of LUKS. According to the developers, LUKS2 extends LUKS with more flexible ways of storing metadata and with redundant information that allows recovery in the case of corruption in a metadata area. It also introduces an interface to store externally managed metadata for integration with other tools.

    What is probably more important is the change in how LUKS2 implements the default Key Derivation Function (KDF). Instead of endlessly bumping the number of hash rounds into the millions, the LUKS2 developers went with Argon2, the key derivation function selected as the winner of the 2015 Password Hashing Competition. The new default KDF is designed to maximize resistance to GPU cracking attacks. It is as fast as the one used in the original LUKS when mounting the encrypted disk or performing other operations, yet by design it makes large-scale hardware-accelerated attacks very costly. This in turn required us to use the computer’s CPU instead of the much faster GPU to attack LUKS2 disks protected with argon2id.

    The choice of Argon2 as the KDF makes GPU acceleration impractical: the function is memory-hard, so every guess needs as much RAM as the legitimate unlock (cryptsetup picks the memory cost by benchmarking the enrolling machine, up to 1 GiB by default), which starves the thousands of GPU cores of memory. As a result, you’ll be restricted to CPU-only attacks, which may be slow or extremely slow depending on your CPU. To give an idea, you can try 2 (that’s right, two) passwords per second on a single Intel(R) Core(TM) i7-9700K CPU @ 3.60GHz. Modern CPUs deliver slightly better performance, but don’t expect a miracle: the LUKS2 default KDF is deliberately made to resist attacks.

    What if a LUKS2 disk is protected with a KDF other than Argon2, such as PBKDF2+SHA-256? In this case, full GPU acceleration is available with much better speeds. The Intel(R) Core(TM) i7-9700K CPU @ 3.60GHz can enumerate 29 passwords per second, while using a NVIDIA GeForce RTX 2070 GPU results in 381 p/s, which is about 190 times faster than the speed of a CPU-only attack on Argon2.
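
    To make the two points above concrete (the attack parameters live in the header, and the KDF type decides whether a GPU helps), here is an added Python example, not Elcomsoft’s code, that reads a LUKS2 header the way cryptsetup lays it out on disk: a 4096-byte big-endian binary header (magic, version, header size, checksum algorithm, checksum) followed by a JSON metadata area. It verifies the header checksum (computed over the whole header with the checksum field zeroed) and then lists, for each keyslot, the cipher, anti-forensic hash and KDF parameters an offline attack must reproduce; argon2 keyslots are flagged as CPU-bound, pbkdf2 ones as GPU-friendly. The header bytes, salts, UUID and keyslot values are constructed inside the script for the demo; on a real disk the primary header sits at offset 0, with a backup copy immediately after it.

```python
"""Added example (not Elcomsoft's code): read a LUKS2 header and list, per
keyslot, the parameters an offline password attack has to reproduce. Binary
layout follows cryptsetup's on-disk struct; the demo header is constructed
below and did not come from a real disk."""
import hashlib
import json
import struct

MAGIC = b"LUKS\xba\xbe"
BIN_HDR = 4096  # binary part; the JSON metadata area starts right after it
# magic, version, hdr_size, seqid, label, csum_alg, salt, uuid, subsystem,
# hdr_offset, padding, csum, padding-to-4096; integers are big-endian
HDR_FMT = ">6sHQQ48s32s64s40s48sQ184s64s3584s"
CSUM_OFF, CSUM_LEN = 448, 64


def _cstr(b: bytes) -> str:
    return b.split(b"\0", 1)[0].decode()


def parse_luks2_header(blob: bytes) -> dict:
    """Validate magic, version and checksum, then decode the JSON area.
    The checksum covers hdr_size bytes with the csum field zeroed."""
    (magic, version, hdr_size, seqid, label, csum_alg, _salt, uuid,
     _subsys, hdr_off, _pad, csum, _pad2) = struct.unpack_from(HDR_FMT, blob, 0)
    if magic != MAGIC:
        raise ValueError("not a LUKS header")
    if version != 2:
        raise ValueError(f"LUKS version {version}, expected 2")
    if hdr_size > len(blob):
        raise ValueError("truncated header")
    zeroed = bytearray(blob[:hdr_size])
    zeroed[CSUM_OFF:CSUM_OFF + CSUM_LEN] = b"\0" * CSUM_LEN
    digest = hashlib.new(_cstr(csum_alg), bytes(zeroed)).digest()
    if csum[:len(digest)] != digest:
        raise ValueError("header checksum mismatch (corrupt or tampered)")
    meta = json.loads(blob[BIN_HDR:hdr_size].split(b"\0", 1)[0].decode())
    return {"label": _cstr(label), "uuid": _cstr(uuid), "seqid": seqid,
            "hdr_offset": hdr_off, "json": meta}


def keyslot_attack_params(meta: dict) -> list:
    """Per keyslot: cipher, AF hash and KDF settings an attacker must match.
    Argon2 keyslots are memory-hard, i.e. CPU-bound for the attacker."""
    out = []
    for slot, ks in sorted(meta["keyslots"].items(), key=lambda kv: int(kv[0])):
        kdf = ks["kdf"]
        entry = {"slot": int(slot), "kdf": kdf["type"],
                 "cipher": ks["area"]["encryption"], "key_bits": ks["key_size"] * 8,
                 "af_hash": ks["af"]["hash"], "stripes": ks["af"]["stripes"]}
        if kdf["type"].startswith("argon2"):
            entry.update(time=kdf["time"], memory_kib=kdf["memory"],
                         threads=kdf["cpus"], gpu_friendly=False)
        else:  # pbkdf2: cheap per-guess memory, so GPUs scale well
            entry.update(hash=kdf["hash"], iterations=kdf["iterations"],
                         gpu_friendly=True)
        out.append(entry)
    return out


def build_demo_header(hdr_size: int = 16384) -> bytes:
    """Constructed header: slot 0 argon2id (LUKS2 default), slot 1 pbkdf2."""
    area = {"type": "raw", "offset": "32768", "size": "258048",
            "encryption": "aes-xts-plain64", "key_size": 64}
    af = {"type": "luks1", "stripes": 4000, "hash": "sha256"}
    meta = {
        "keyslots": {
            "0": {"type": "luks2", "key_size": 64, "af": af, "area": area,
                  "kdf": {"type": "argon2id", "time": 4, "memory": 1048576,
                          "cpus": 4, "salt": "c2FsdDA="}},
            "1": {"type": "luks2", "key_size": 64, "af": af,
                  "area": dict(area, offset="290816"),
                  "kdf": {"type": "pbkdf2", "hash": "sha256",
                          "iterations": 600000, "salt": "c2FsdDE="}},
        },
        "tokens": {},
        "segments": {"0": {"type": "crypt", "offset": "16777216", "size": "dynamic",
                           "iv_tweak": "0", "encryption": "aes-xts-plain64",
                           "sector_size": 512}},
        "digests": {},
        "config": {"json_size": str(hdr_size - BIN_HDR), "keyslots_size": "16744448"},
    }
    js = json.dumps(meta).encode().ljust(hdr_size - BIN_HDR, b"\0")
    binhdr = struct.pack(HDR_FMT, MAGIC, 2, hdr_size, 1, b"demo", b"sha256",
                         b"\x11" * 64, b"1c0ffee0-demo", b"", 0, b"", b"\0" * 64, b"")
    body = bytearray(binhdr + js)
    body[CSUM_OFF:CSUM_OFF + CSUM_LEN] = hashlib.sha256(bytes(body)).digest().ljust(64, b"\0")
    return bytes(body)


if __name__ == "__main__":
    hdr = parse_luks2_header(build_demo_header())
    for p in keyslot_attack_params(hdr["json"]):
        print(p)
```

    The `memory_kib`, `time` and `threads` values are exactly what makes the argon2id slot cost a gigabyte per guess here, while the pbkdf2 slot on the same disk would fall to a GPU attack at the rates quoted above; a disk with both kinds of slot is only as strong as its weakest slot.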

    Breaking LUKS2 Encryption Step 1: Extracting Encryption Metadata

    To gain access to the data stored on the encrypted device, you must first recover the original, plain-text password. Several steps are involved, requiring the use of several different tools.

    1. Extract the encryption metadata from the encrypted device or disk image using Elcomsoft Forensic Disk Decryptor or Elcomsoft System Recovery.
    2. Use the extracted metadata (a small file) to launch an attack on the password with Elcomsoft Distributed Password Recovery.
    3. Once the password is found, mount the disk volume, or decrypt the data.

    We have two different tools for extracting LUKS encryption metadata. The choice of the right tool depends on whether you are working in the field or in a lab. If you are analyzing the suspect’s computer, Elcomsoft System Recovery can be used to boot the system from a USB flash drive and extract the encryption metadata from the storage devices connected to the computer.

    Note: LUKS2 encryption is supported in Elcomsoft System Recovery 8.30 and newer. If you are using an older version of the tool, please update to the latest version to obtain LUKS2 support.

    1. Download Elcomsoft System Recovery, launch the installer and create a bootable USB drive.
    2. Use the USB drive to boot the target system into the Windows PE environment.
    3. Elcomsoft System Recovery will be launched automatically.
    4. Review the attached disks.
    5. Select LUKS2-encrypted partitions and click “Dump” to extract the encryption metadata.
    6. Transfer the encryption metadata to your computer and use it with Elcomsoft Distributed Password Recovery to launch an attack on the LUKS2 encryption password.

    If you are working in a lab and processing disks or disk images, you’ll be using Elcomsoft Forensic Disk Decryptor. Extracting encryption metadata with Elcomsoft Forensic Disk Decryptor is simple.

    Note: LUKS2 encryption is supported in Elcomsoft Forensic Disk Decryptor 2.20 and newer versions. If you are using an older version of the tool, please update to the latest version to obtain LUKS2 support.

    1. Launch Elcomsoft Forensic Disk Decryptor.
    2. Select “Extract/prepare data for further password recovery”.
    3. Open the physical device or disk image containing LUKS2 volume(s). In the example below, we’re dealing with a physical device.
    4. EFDD will display the list of encrypted volumes. Select the volume you are about to extract encryption metadata from.
    5. Click Next to extract the encryption metadata and save it into a file.

    Breaking LUKS2 Encryption Step 2: Attacking the Password

    While LUKS2 offers strong protection against brute-force attacks by using Argon2(id), there have been significant advances in password recovery attacks compared to what we had in the past. Brute-forcing a password today is significantly faster thanks to CPU optimizations across the board, distributed computing and cloud computing. Up to 10,000 computers and on-demand cloud instances can be used to attack a single password with Elcomsoft Distributed Password Recovery.

    To set up the attack, do the following.

    1. Launch Elcomsoft Distributed Password Recovery.
    2. Open the file containing the encryption metadata that you obtained with Elcomsoft Forensic Disk Decryptor during the previous step.
    3. The available key slots along with the number of hash iterations will be displayed. Specify the key slot to attack.
    4. Configure and launch the attack.

    Brute force attacks became not just faster, but much smarter as well. The user’s existing passwords are an excellent starting point. These passwords can be pulled from the user’s Google Account, macOS, iOS or iCloud keychain, Microsoft Account, or simply extracted from the user’s computer. The user’s existing passwords give a hint at what character groups are likely used:

    Elcomsoft Distributed Password Recovery offers a number of options to automatically try the most common variations of your password (such as the Password1, password1967 or pa$$w0rd):

    Masks can be used to try passwords matching established common patterns:

    Advanced techniques allow composing passwords with up to two dictionaries and scriptable rules:

    Conclusion

    The original LUKS is still among the most commonly used encryption specifications in Linux. LUKS2 makes Linux disk encryption even more secure with a new, memory-hard Key Derivation Function, which effectively takes GPU acceleration off the table when attacking LUKS2 volumes.

    By Oleg Afonin at 2022-08-16 10:59:06 Source ElcomSoft blog:
    Probing Linux Disk Encryption: LUKS2, Argon 2 and GPU Acceleration

  • Breaking Windows Passwords: LM, NTLM, DCC and Windows Hello PIN Compared

    Breaking Windows Passwords: LM, NTLM, DCC and Windows Hello PIN Compared

    Modern versions of Windows have many different types of accounts. Local Windows accounts, Microsoft accounts, and domain accounts feature different types of protection. There is also Windows Hello with PIN codes, which are protected differently from everything else. How secure are these types of passwords, and how can you break them? Read along to find out!

    The classic passwords

    When attacking Windows account passwords, one has to deal with several different ways the password hashes are produced, protected, and stored.

    LM hashes are the oldest type of Windows password hash, dating back to LAN Manager and carried into Windows NT. Microsoft stopped storing LM hashes by default quite some time ago, in Windows Vista/Server 2008, but you may still encounter one on an older system. LM hashes are stored locally in the SAM database, or in the NTDS database on the Domain Controller.

    NTLM hashes (NT hashes) are the modern replacement for LM. Microsoft still uses this mechanism to store passwords in current versions of Windows. These hashes are also stored in the SAM database, or in the NTDS database on the domain controller. Surprisingly, NTLM hashes can be computed even faster than LM (one MD4 operation over the UTF-16LE password per guess), although LM remains far weaker overall because it uppercases the password and splits it into two independent 7-character halves.

    NTLM hashes protect local Windows accounts as well as the newer type of account introduced in Windows 8: the Microsoft Account sign-in. Windows caches the password hash and stores it locally on the computer. This allows users to log in to their computer while offline. On the other hand, this also allows extracting the cached hash and running an offline attack to recover the original password. The hashed Microsoft Account passwords are stored locally in the SAM database along with the rest of the NTLM hashes. Technically, the locally cached Microsoft Account passwords are protected with the same NTLM mechanism as the other cached credentials, which makes them just as easy and as fast to attack as local Windows passwords.

    NTLM hashes are not salted. The NT hash is a plain MD4 of the password; the obfuscation applied to it inside the SAM (keyed by the account RID and the boot key) is reversed as soon as the hashes are extracted, so it adds no work to an offline attack. Because nothing user-specific enters the hash, every account present on a computer can be attacked simultaneously: each candidate is hashed once and compared against all of them. This is different for Domain Cached Credentials (salted with the user name) and for Windows Hello PINs.

    Windows also has DCC, which stands for Domain Cached Credentials. These are locally stored, cached password hashes that are used to log in to the domain. Domain Cached Credentials are protected differently compared to all other types of credentials, and feature a significantly stronger protection compared to LM and NTLM passwords.

    Microsoft Account passwords

    In Windows 8, Microsoft introduced PIN sign-in, which later became part of the Windows Hello authentication system in Windows 10. Users of Windows 8, 10 and Windows 11 are encouraged to set up a PIN and use it instead of their account password. Microsoft claims that the PIN is more secure than a traditional password, which is generally true only if the user’s computer is equipped with a configured TPM. Without a TPM, the PIN becomes just another password, and a very weak one if the user follows Microsoft’s defaults and sets up a 4-digit or 6-digit PIN. If, however, the user configures an alphanumeric PIN (which, basically, is yet another name for a password), the situation changes.

    Windows Hello PIN codes

    Attacking Windows Hello PIN codes is significantly slower compared to NTLM attacks. According to the table below, the attack on an alphanumerical Windows Hello PIN with Elcomsoft Distributed Password Recovery can be some 50,000 to about 150,000 times slower compared to the attack on the NTLM hash. In addition, Windows Hello PINs are individually salted, which means that all PIN-protected accounts must be attacked in sequence.

    What do the numbers mean?

    What does a brute-force rate of 23 billion passwords per second (for NTLM hashes) really mean? Let us take an 8-character password made of random printable ASCII characters: digits, letters in both cases and symbols, or 95^8 possible combinations. At a rate of 23 billion passwords per second, you will need about 80 hours to exhaust that keyspace. Recovering a 7-character password of the same kind takes less than an hour, while shorter or less complex passwords can be cracked in negligible time. A 9-character password, however, will take almost a year; accordingly, cracking 9-character passwords requires high-quality dictionaries and smart attacks.

    What about the PIN codes, at 165 thousand passwords per second? At this speed, you’ll need some 1300 years to exhaust the 8-character keyspace, about 13 years for a 7-character PIN, or about 50 days for a 6-character alphanumeric PIN. This means that you’ll already need dictionaries and smart attacks to break even a relatively short 6-character PIN.

    Conclusion

    We compared the different types of cached account credentials in Windows. Of those compared, Windows Hello PINs are among the most secure, but only if the user configures a long alphanumerical PIN. Without a TPM, all-digit PIN codes are insecure and can be broken in minutes.

    By Oleg Afonin at 2022-08-16 10:55:52 Source ElcomSoft blog:
    Breaking Windows Passwords: LM, NTLM, DCC and Windows Hello PIN Compared

  • Windows Hello: No TPM No Security

    Windows Hello: No TPM No Security

    While Windows 11 requires a Trusted Platform Module (TPM), older versions of Windows can do without while still using PIN-based Windows Hello sign-in. We prove that all-digit PINs are a serious security risk on systems without a TPM, and can be broken in a matter of minutes.

    Traditionally, Windows accounts are protected with a password, which is used to sign in to the computer and to unlock protected items (such as authentication credentials, browser-stored passwords or file system encryption). Resetting the account password, while granting access to the user’s account, also invalidates such protected credentials, rendering encrypted files inaccessible and effectively blocking access to the user’s stored passwords. Accessing such protected items requires recovering the original password.

    Starting with Windows 8, Microsoft introduced a new way to sign in, using the online credentials of the user’s Microsoft Account. To help secure the user’s account, Microsoft added PIN sign-in, later folded into the Windows Hello authentication system in Windows 10. In Windows 8, Windows 10 and Windows 11, users are encouraged to set up a PIN and use it instead of a password. Microsoft even goes as far as claiming that the PIN is more secure than a traditional password. In Why a PIN is better than an online password (Windows), Microsoft states the following:

    PIN is tied to the device

    One important difference between an online password and a Hello PIN is that the PIN is tied to the specific device on which it was set up. That PIN is useless to anyone without that specific hardware.

    PIN is backed by hardware

    The Hello PIN is backed by a Trusted Platform Module (TPM) chip, which is a secure crypto-processor that is designed to carry out cryptographic operations. The chip includes multiple physical security mechanisms to make it tamper resistant, and malicious software is unable to tamper with the security functions of the TPM. Many modern devices have TPM. Windows 10, on the other hand, has a defect of not linking local passwords to TPM. This is the reason why PINs are considered more secure than local passwords.

    This information suggests that the PIN code is always protected by a Trusted Platform Module (TPM) chip, is always tied to the device, and is inherently more secure than the password. These claims are misleading in that they hold only if the computer is equipped with a TPM (a discrete chip or firmware emulation) and the TPM is configured for use in Windows. This is not always the case. Older computers (especially desktops) with 7th generation and older Intel Core processors often lack a TPM or its emulation, while many newer systems (including many mainboards supporting 9th generation Intel Core CPUs) ship with TPM emulation turned off in the UEFI BIOS by default.

    While Windows 11 won’t run without a TPM, for good reasons, Windows 8 and Windows 10 happily do. These older systems do not tell the user whether a TPM is present when setting up Windows Hello, yet still allow (and even encourage) the use of Windows Hello and the PIN code. This in turn is a serious vulnerability for users who choose simple all-digit PINs.

    When setting up Windows Hello, the system suggests using an all-digit PIN, with alphanumeric PINs being an option. Users commonly choose 4-digit and 6-digit PINs.

    To prove this statement, we’ll use the recently updated Elcomsoft System Recovery 8.30. Note that one can only break Windows Hello PIN codes on systems without a TPM.

    First, boot the target computer from the USB drive made by Elcomsoft System Recovery. If you have not done it already, here’s how to make the bootable USB drive with Elcomsoft System Recovery: A Bootable Flash Drive to Extract Encrypted Volume Keys, Break Full-Disk Encryption.

    Once you boot the computer into Elcomsoft System Recovery and accept the license agreement, you will see the program’s main window. Click SAM – Local User Database:

    Then select the target computer’s system drive:

    Click Change local user account:

    Set up the attack as shown on the screen shot below (the “Check weak PINs” option must be selected):

    The tool will then detect user accounts protected with PIN codes, and automatically run a brute-force attack. Once the PINs are discovered, they will be shown in the corresponding window:

    Here’s how long it takes us to enumerate all-digit PINs on a 7 year old Intel Core i7-5930K CPU @3.5GHz:

    • All 4 digit PINs: 2 seconds
    • All 5 digit PINs: 18 seconds
    • All 6 digit PINs: 2 minutes

    Checking all 4-digit, 5-digit and 6-digit combinations takes up to 2:20 min. If more than one PIN-enabled account is present, the attack is performed separately for each account, quite unlike the attack on NTLM hashes, which are unsalted and can therefore be recovered all at once. Interestingly, we discovered that even deleted accounts leave enough traces to launch a PIN attack.

    Alphanumeric PIN codes and all-digit PINs that contain more than 6 characters must be attacked offline with Elcomsoft Distributed Password Recovery (update required).
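    To see why a TPM-less PIN falls so quickly, here is an added example written for this page; it is not Elcomsoft’s code and does not reproduce the real Windows Hello container format, which the page does not describe. It uses a hypothetical software-only verifier (PBKDF2-HMAC-SHA256 over a per-container salt) as a stand-in for what a TPM-less system keeps on disk, then attacks it offline by enumerating every all-digit PIN shortest-first, and extrapolates exhaustion times from the rate implied by the timings above (about one million 6-digit PINs in two minutes). The function names, the salt and iteration parameters and that rate figure are all assumptions of the example.

```python
import hashlib
import hmac
import itertools
import os
from typing import Optional, Tuple

# Hypothetical software-only verifier standing in for the on-disk Windows Hello
# container of a TPM-less system (the real format is not documented on this page).
# Without a TPM there is no hardware anti-hammering counter, so every guess costs
# exactly one key derivation and nothing stops an attacker from trying them all.
ITERATIONS = 1000  # assumed work factor of the stand-in verifier


def derive_verifier(pin: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Derive the stored verifier for a PIN (PBKDF2-HMAC-SHA256, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode("utf-8"), salt, iterations, dklen=32)


def enroll_pin(pin: str, iterations: int = ITERATIONS) -> Tuple[bytes, bytes]:
    """Simulate enrolment: return (salt, verifier) as the system would keep them on disk."""
    salt = os.urandom(16)
    return salt, derive_verifier(pin, salt, iterations)


def digit_keyspace(min_len: int, max_len: int) -> int:
    """Number of all-digit PINs with min_len..max_len digits (4..6 digits: 1,110,000)."""
    return sum(10 ** n for n in range(min_len, max_len + 1))


def brute_force_digit_pins(salt: bytes, verifier: bytes, iterations: int = ITERATIONS,
                           min_len: int = 4, max_len: int = 6) -> Tuple[Optional[str], int]:
    """Offline attack: try every all-digit PIN, shortest length first.

    Returns (pin, candidates_tried). pin is None when the keyspace is exhausted,
    i.e. the PIN is longer or not all-digit and must go to a slower offline attack.
    """
    tried = 0
    for length in range(min_len, max_len + 1):
        for digits in itertools.product("0123456789", repeat=length):
            candidate = "".join(digits)
            tried += 1
            if hmac.compare_digest(derive_verifier(candidate, salt, iterations), verifier):
                return candidate, tried
    return None, tried


# Rate implied by the timings on the page: about one million 6-digit PINs in two minutes.
PAGE_RATE_PER_SECOND = 1_000_000 / 120


def estimate_seconds(rate_per_second: float, min_len: int, max_len: int) -> float:
    """Worst-case time to exhaust the all-digit keyspace at a given rate."""
    return digit_keyspace(min_len, max_len) / rate_per_second


if __name__ == "__main__":
    salt, verifier = enroll_pin("7391")
    pin, tried = brute_force_digit_pins(salt, verifier)
    print(f"recovered PIN {pin} after {tried} candidates")
    for n in (4, 5, 6, 8, 10):
        print(f"{n}-digit keyspace at {PAGE_RATE_PER_SECOND:.0f} PIN/s: "
              f"{estimate_seconds(PAGE_RATE_PER_SECOND, n, n):.0f} s worst case")
```

    The point of the enumeration order is that a 4-digit PIN is found within the first 10,000 candidates regardless of how long the search is allowed to run; at the page’s rate an 8-digit all-digit PIN still exhausts in a few hours, which is why anything longer or alphanumeric is handed to a distributed offline attack instead.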

    Conclusion

    Windows Hello is a great authentication system when used in combination with a TPM. If the computer has neither a discrete TPM chip nor a firmware TPM (fTPM), or if the TPM is not configured, PIN-based authentication poses a serious security risk whenever a weak PIN is used.

    By Oleg Afonin at 2022-08-04 09:59:33 Source ElcomSoft blog:
    Windows Hello: No TPM No Security

  • New in Elcomsoft System Recovery: Microsoft Azure Accounts, LUKS2 and Forensic Tool Filters

    New in Elcomsoft System Recovery: Microsoft Azure Accounts, LUKS2 and Forensic Tool Filters

    Elcomsoft System Recovery 8.30 introduced the ability to break Windows Hello PIN codes on TPM-less computers. This, however, was just one of the many new features added to the updated release. Other features include the ability to detect Microsoft Azure accounts and LUKS2 encryption, as well as new filters for bootable forensic tools.

    Microsoft Azure accounts

    There are several types of user accounts in Windows, including local accounts, Active Directory (domain) accounts, and Microsoft Accounts. Local accounts used to be the most common among home users, but Microsoft is phasing them out in favor of online Microsoft Accounts. For corporate users, domain accounts are the most common type.

    Elcomsoft System Recovery supports all of these account types. The tool can be used to reset account passwords, assign administrative privileges to a given account, or change the account type (e.g. converting a Microsoft Account into a local account). The tool also supports the newest type of Windows 11 accounts with passwordless sign-in.

    However, there is yet another type of account, tied to Microsoft Azure. Microsoft Azure accounts are the Work or School accounts managed through Azure Active Directory. They are relatively little known, and they are not listed in the Settings app. Elcomsoft System Recovery 8.30 can now detect the presence of Microsoft Azure accounts on the user’s computer.

    LUKS2 encryption

    The many features of Elcomsoft System Recovery are targeted to Windows computers. However, the tool supports macOS and Linux systems to a limited extent. For these systems, Elcomsoft System Recovery can detect encrypted disks and extract encryption metadata for subsequent recovery in Elcomsoft Distributed Password Recovery. Previous versions of the product supported a long list of disk encryption standards including TrueCrypt, VeraCrypt, BitLocker, FileVault (HFS+/APFS), PGP Disk, and LUKS.

    LUKS is the most common disk encryption system in Linux distributions. The latest Elcomsoft System Recovery update can now also detect disks encrypted with its successor, LUKS2. Compared to the original LUKS, LUKS2 is even more secure: it supports more algorithms, keeps its metadata in a JSON area backed by a secondary header, and defaults to the memory-hard Argon2 key derivation function instead of PBKDF2, which makes brute-force attacks considerably more expensive.

    We are working on an update to Elcomsoft Distributed Password Recovery that will support the recovery of LUKS2 encrypted drives with optimized performance on modern graphics cards. However, you can extract LUKS2 encryption metadata today.
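    As an added example of what the detection step involves, here is a small header parser written for this page (not Elcomsoft’s code): it reads the first bytes of a device, distinguishes LUKS1 from LUKS2 by the version field, and pulls out the metadata an offline attack needs: cipher, hash and master-key iteration count for LUKS1; label, header checksum, keyslot KDF type and Argon2 parameters for LUKS2. Field offsets follow the published LUKS1 and LUKS2 on-disk layouts; the two sample headers are constructed inline and are not real volumes, and the checksum check is the practitioner’s sanity test that the header being extracted has not been damaged.

```python
import hashlib
import json
import struct
from typing import Any, Dict

LUKS_MAGIC = b"LUKS\xba\xbe"             # primary header, LUKS1 and LUKS2
LUKS2_SECONDARY_MAGIC = b"SKUL\xba\xbe"  # LUKS2 backup header, stored at offset hdr_size
LUKS1_PHDR_SIZE = 592
LUKS2_BINARY_SIZE = 4096                 # the JSON metadata area starts right after it


def _cstr(buf: bytes) -> str:
    """NUL-terminated string field."""
    return buf.split(b"\x00", 1)[0].decode("utf-8", "replace")


def luks2_checksum(blob: bytes, hdr_size: int, alg: str) -> bytes:
    """Checksum over binary header + JSON area, computed with the csum field (448..511) zeroed."""
    area = bytearray(blob[:hdr_size])
    area[448:512] = bytes(64)
    return hashlib.new(alg, bytes(area)).digest()


def _keyslot_summary(slot: Dict[str, Any]) -> Dict[str, Any]:
    kdf = slot.get("kdf", {})
    # argon2i/argon2id slots carry time/memory/cpus; pbkdf2 slots carry hash/iterations.
    return {"kdf": kdf.get("type"), "hash": kdf.get("hash"), "iterations": kdf.get("iterations"),
            "time": kdf.get("time"), "memory_kib": kdf.get("memory"), "key_size": slot.get("key_size")}


def parse_luks_header(blob: bytes) -> Dict[str, Any]:
    """Detect LUKS1/LUKS2 and return the metadata needed for an offline password attack."""
    if len(blob) < 208 or blob[:6] not in (LUKS_MAGIC, LUKS2_SECONDARY_MAGIC):
        raise ValueError("no LUKS signature")
    version = struct.unpack_from(">H", blob, 6)[0]
    if version == 1:
        if blob[:6] != LUKS_MAGIC or len(blob) < LUKS1_PHDR_SIZE:
            raise ValueError("truncated LUKS1 header")
        payload_offset, key_bytes = struct.unpack_from(">II", blob, 104)
        return {"version": 1, "cipher": _cstr(blob[8:40]), "mode": _cstr(blob[40:72]),
                "hash": _cstr(blob[72:104]), "payload_offset_sectors": payload_offset,
                "key_bytes": key_bytes, "mk_digest": blob[112:132].hex(),
                "mk_salt": blob[132:164].hex(),
                "mk_iterations": struct.unpack_from(">I", blob, 164)[0],
                "uuid": _cstr(blob[168:208])}
    if version == 2:
        hdr_size, seqid = struct.unpack_from(">QQ", blob, 8)
        if len(blob) < hdr_size:
            raise ValueError("truncated LUKS2 header")
        alg = _cstr(blob[72:104])
        digest = luks2_checksum(blob, hdr_size, alg)
        meta = json.loads(_cstr(blob[LUKS2_BINARY_SIZE:hdr_size]) or "{}")
        return {"version": 2, "secondary": blob[:6] == LUKS2_SECONDARY_MAGIC,
                "hdr_size": hdr_size, "seqid": seqid, "label": _cstr(blob[24:72]),
                "checksum_alg": alg, "checksum_ok": blob[448:448 + len(digest)] == digest,
                "uuid": _cstr(blob[168:208]),
                "keyslots": {k: _keyslot_summary(v) for k, v in meta.get("keyslots", {}).items()},
                "segments": {k: v.get("encryption") for k, v in meta.get("segments", {}).items()}}
    raise ValueError(f"unsupported LUKS version {version}")


def build_sample_luks1() -> bytes:
    """Constructed LUKS1 header (digest and salt left zeroed); not a real volume."""
    h = bytearray(LUKS1_PHDR_SIZE)
    h[0:6] = LUKS_MAGIC
    struct.pack_into(">H", h, 6, 1)
    h[8:11], h[40:51], h[72:78] = b"aes", b"xts-plain64", b"sha256"
    struct.pack_into(">II", h, 104, 4096, 64)
    struct.pack_into(">I", h, 164, 150000)
    h[168:204] = b"11111111-2222-4333-8444-555555555555"
    return bytes(h)


def build_sample_luks2(secondary: bool = False, hdr_size: int = 16384) -> bytes:
    """Constructed LUKS2 header with one argon2id keyslot; not a real volume."""
    meta = {"keyslots": {"0": {"type": "luks2", "key_size": 64,
                               "kdf": {"type": "argon2id", "time": 4, "memory": 1048576, "cpus": 4}}},
            "segments": {"0": {"type": "crypt", "encryption": "aes-xts-plain64", "sector_size": 512}},
            "config": {"json_size": str(hdr_size - LUKS2_BINARY_SIZE)}}
    h = bytearray(hdr_size)
    h[0:6] = LUKS2_SECONDARY_MAGIC if secondary else LUKS_MAGIC
    struct.pack_into(">H", h, 6, 2)
    struct.pack_into(">QQ", h, 8, hdr_size, 3)
    h[24:32], h[72:78] = b"evidence", b"sha256"
    h[168:204] = b"aaaaaaaa-bbbb-4ccc-8ddd-eeeeeeeeeeee"
    js = json.dumps(meta).encode("utf-8")
    h[LUKS2_BINARY_SIZE:LUKS2_BINARY_SIZE + len(js)] = js
    h[448:480] = luks2_checksum(bytes(h), hdr_size, "sha256")  # sha256 digest is 32 bytes
    return bytes(h)


if __name__ == "__main__":
    for sample in (build_sample_luks1(), build_sample_luks2()):
        print(parse_luks_header(sample))
```

    On a real device the first 16 KiB of the block device (or of a detached header file) is enough input for the LUKS2 case; a failed checksum is the signal to fall back to the secondary header at offset hdr_size before trusting any keyslot parameters.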

    An update to bootable forensic tools

    Elcomsoft System Recovery helps forensic experts overcome the challenge of accessing a locked system, delivering a straightforward workflow for investigating computers in the field. A recent update added several bootable forensic tools, which include:

    • Timeline: allows reviewing the user’s activities logged by the Windows Timeline. This includes the list of launched apps and past activities laid out in the convenient timeline view.
    • Recent files and folders: lists recently accessed files and folders.
    • Installed apps: lists applications installed in the system.

    Thanks to these features, experts can simply boot a PC from a USB flash drive and quickly review the user’s latest activities. The shortcut saves the time and effort of removing and imaging the hard drive(s), making it possible to make real-time decisions in the field.

    In real life, the amount of data returned by these tools quickly becomes overwhelming, and a significant chunk of it may be irrelevant to the investigation. To streamline the analysis, we introduced a powerful filtering system. Using filters, one can quickly configure the tool to only display data from a certain date and time range, to only include files located in specific directories, or to exclude files located in a specific folder (such as C:\Windows for system files).

    To access the new Forensic Tools section, boot the computer being investigated from a dedicated USB media with Elcomsoft System Recovery 8.30 or newer. If you have not done it already, here’s how to make the bootable USB drive with Elcomsoft System Recovery: A Bootable Flash Drive to Extract Encrypted Volume Keys, Break Full-Disk Encryption.

    Once you boot the computer into Elcomsoft System Recovery and accept the license agreement, you will see the program’s main window. Click the “Forensic Tools” shortcut at the bottom of the window. You will see the list of available forensic tools:

     

    The Installed apps tool displays the list of applications installed in the system being investigated. By default, the tool lists all apps installed on the computer:

    You can easily configure the tool to only include certain apps (or exclude certain apps) with newly added filters:

    Windows Timeline is a feature that first appeared in the Windows 10 April 2018 Update. The feature enhances Task View, enabling a glance into the past by displaying the user’s historical activities. The Timeline contains timestamped information about the user’s launched applications, searches, documents, and Web browsing history. Like Windows jump lists, the feature is little known and rarely disabled, giving valuable insight into the history of the system’s usage. By analyzing the Timeline data, experts gain access to timestamped information about app usage and Web page visits.

    Timeline data is collected individually per user. When analyzing the timeline, you will have to specify the Windows installation path as well as the path to the user profile. The user’s password is not required. The sheer amount of Timeline data can quickly overwhelm even the most experienced expert:

    The newly added filters help restrict the amount of data displayed, allowing experts to concentrate on what’s really important:

    The filtered result is much easier to read:

    Just like the Timeline, Recent files and folders is a user-specific feature, requiring the path to the user profile. Just like the Timeline, Recent files and folders may contain an overwhelming number of records. The newly added filters help concentrate on files stored under specific paths or exclude irrelevant information:
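    The three filter kinds described above (a date and time range, include directories, exclude directories) can be reproduced in a few lines against Timeline data. The following is an added example written for this page, not Elcomsoft’s code: it builds an in-memory SQLite table shaped like a minimal subset of the Activity table in ActivitiesCache.db (AppId as a JSON array of application/platform entries, Unix-epoch timestamps), fills it with constructed rows, and applies the filters. The column subset, the ActivityType mapping and the sample rows are assumptions of the example. Paths are compared case-insensitively and on a directory boundary, so excluding C:\Windows does not silently drop C:\Windows Tools.

```python
import json
import sqlite3
from datetime import datetime, timezone
from typing import Any, Dict, Iterable, List, Optional, Sequence

# ActivityType values as documented by public Timeline research (assumed, not from the page).
ACTIVITY_TYPES = {5: "ExecuteOpen", 6: "InFocus"}


def epoch(iso_utc: str) -> int:
    """ISO-8601 UTC timestamp -> Unix seconds, the unit used by the Activity table."""
    return int(datetime.fromisoformat(iso_utc).replace(tzinfo=timezone.utc).timestamp())


def app_id(path: str) -> str:
    """AppId column: JSON array of {application, platform}; x_exe_path entries hold the full path."""
    return json.dumps([{"application": path, "platform": "x_exe_path"}])


# Constructed sample rows (AppId, ActivityType, StartTime, EndTime), in chronological order.
SAMPLE_ROWS = [
    (app_id(r"C:\Windows\explorer.exe"), 5, epoch("2022-07-20T09:00:00"), epoch("2022-07-20T09:00:30")),
    (app_id(r"C:\Program Files\Mozilla Firefox\firefox.exe"), 5, epoch("2022-07-20T10:15:00"), epoch("2022-07-20T11:02:00")),
    (app_id(r"C:\Users\alice\Downloads\payload.exe"), 5, epoch("2022-07-21T22:40:00"), epoch("2022-07-21T22:40:05")),
    (app_id(r"C:\Windows\System32\notepad.exe"), 6, epoch("2022-07-22T08:05:00"), epoch("2022-07-22T08:20:00")),
    (app_id(r"C:\Users\alice\AppData\Local\Temp\setup.exe"), 5, epoch("2022-07-25T14:00:00"), epoch("2022-07-25T14:01:00")),
    (app_id(r"C:\Windows Tools\wt.exe"), 5, epoch("2022-07-26T16:30:00"), epoch("2022-07-26T16:31:00")),
]


def build_sample_db() -> sqlite3.Connection:
    """In-memory stand-in for ActivitiesCache.db with only the columns this example uses."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Activity (Id INTEGER PRIMARY KEY, AppId TEXT, "
                 "ActivityType INTEGER, StartTime INTEGER, EndTime INTEGER)")
    conn.executemany("INSERT INTO Activity (AppId, ActivityType, StartTime, EndTime) "
                     "VALUES (?, ?, ?, ?)", SAMPLE_ROWS)
    return conn


def norm_path(path: str) -> str:
    """Windows paths are case-insensitive; accept either separator and drop a trailing one."""
    return path.replace("/", "\\").rstrip("\\").lower()


def is_under(path: str, directory: str) -> bool:
    """True if path lies inside directory. The separator is part of the prefix, so that
    excluding C:\\Windows does not also drop C:\\Windows Tools or C:\\Windows.old."""
    return norm_path(path).startswith(norm_path(directory) + "\\")


def exe_path(appid_json: str) -> Optional[str]:
    """Pull the executable path out of the AppId JSON array."""
    try:
        entries = json.loads(appid_json)
    except ValueError:
        return None
    for entry in entries:
        if entry.get("platform") == "x_exe_path" and entry.get("application"):
            return entry["application"]
    return entries[0].get("application") if entries else None


def query_timeline(conn: sqlite3.Connection, start: Optional[str] = None, end: Optional[str] = None,
                   include: Sequence[str] = (), exclude: Sequence[str] = (),
                   types: Optional[Iterable[int]] = None) -> List[Dict[str, Any]]:
    """Apply the time-range filter in SQL and the directory/type filters on the decoded rows."""
    sql = "SELECT Id, AppId, ActivityType, StartTime, EndTime FROM Activity"
    clauses, params = [], []
    if start:
        clauses.append("StartTime >= ?")
        params.append(epoch(start))
    if end:
        clauses.append("StartTime < ?")
        params.append(epoch(end))
    if clauses:
        sql += " WHERE " + " AND ".join(clauses)
    sql += " ORDER BY StartTime, Id"
    wanted = set(types) if types is not None else None
    rows = []
    for rid, appid, atype, st, et in conn.execute(sql, params):
        path = exe_path(appid)
        if path is None or (wanted is not None and atype not in wanted):
            continue
        if include and not any(is_under(path, d) for d in include):
            continue
        if any(is_under(path, d) for d in exclude):
            continue
        rows.append({"id": rid, "path": path, "type": ACTIVITY_TYPES.get(atype, str(atype)),
                     "start": datetime.fromtimestamp(st, tz=timezone.utc).isoformat(),
                     "end": datetime.fromtimestamp(et, tz=timezone.utc).isoformat()})
    return rows


if __name__ == "__main__":
    db = build_sample_db()
    for row in query_timeline(db, start="2022-07-21T00:00:00", exclude=[r"C:\Windows"]):
        print(row["start"], row["type"], row["path"])
```

    The same include/exclude helpers apply unchanged to the Recent files and folders records, since those are also paths under a user profile; only the time column and the table name differ.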

    Conclusion

    Originally released as a simple tool for resetting Windows users’ passwords, Elcomsoft System Recovery is quickly evolving into a fully featured bootable forensic toolkit. The new release makes field analysis faster and more straightforward while still producing court-admissible evidence with write-blocked disk imaging. Conveniently, many of the newly added features do not require the user’s or the administrator’s password.

    By Oleg Afonin at 2022-08-04 09:55:21 Source ElcomSoft blog:
    New in Elcomsoft System Recovery: Microsoft Azure Accounts, LUKS2 and Forensic Tool Filters

  • checkm8 Extraction: iPhone 7

    checkm8 Extraction: iPhone 7

    Elcomsoft iOS Forensic Toolkit supports checkm8 extraction from all compatible devices ranging from the iPhone 4s and all the way through the iPhone X (as well as the corresponding iPad, iPod Touch, Apple Watch and Apple TV models). The new update removes an important obstacle to the acquisition of the iPhone 7 and iPhone 7 Plus devices running recent versions of iOS.

    The Issue

    At the time checkm8 was initially released, it was often referred to as a “permanent, unpatchable” exploit. However, Apple introduced new security measures in iOS 14 specifically for the newer devices, including the iPhone 7, iPhone 8 and iPhone X range, that changed the way the device boots and how the data volumes are unlocked. These changes had an immediate effect on iOS forensics: in order to extract the file system and decrypt the keychain, the screen lock passcode had to be removed from the device prior to exploiting and unlocking. There are several problems with this approach:

    1. The extraction process is no longer forensically sound as many changes are made to the device.
    2. Under certain circumstances, the passcode cannot be removed until one signs in to iCloud from the affected device, which creates the obvious risks of remote wipe/lock, as well as unwanted data sync.
    3. If you use the workaround described in How to Remove The iPhone Passcode You Cannot Remove, the reset of device settings causes even more changes on the device, let alone that it is not always possible (e.g. if a Screen Time password is set, or the device is managed).
    4. The passcode removal causes some data to be permanently lost, such as Apple Pay transactions, downloaded Exchange-based mail, some application tokens etc.
    5. The device is no longer “trusted” in a sense of accessing end-to-end encrypted data stored in iCloud.

    The Solution

    Our approach to solving the issue is applying a SEP exploit. The SEP (Secure Enclave Processor) is exploitable on the iPhone 7, and the exploit is publicly available. With this exploit, we were able to improve the checkm8 extraction of the iPhone 7, eliminating the need to remove the screen lock passcode. The data partition is successfully unlocked even in iOS 15, but only if you know the passcode. If you don’t, you will be limited to BFU (Before First Unlock) extraction, which is honestly not a lot but still better than nothing.

    Unfortunately, the same approach cannot be implemented for the iPhone 8 and iPhone X devices running iOS 14 or newer. No SEP exploit is available for these models, and so performing a full file system extraction with checkm8 still requires you to remove the screen lock passcode from the device. Alternatively, you may perform agent-based acquisition, which is currently limited to iOS 15.1 and lower (support for newer versions is under development).

    Conclusion

    With the latest update, Elcomsoft iOS Forensic Toolkit becomes the most advanced iPhone acquisition product on the market, supporting all possible acquisition methods (extended logical, checkm8 and agent) across a wide range of devices and iOS versions.

    By Vladimir Katalov at 2022-07-28 10:55:15 Source ElcomSoft blog:
    checkm8 Extraction: iPhone 7