The Worst Mistakes in iOS Forensics
What can possibly go wrong with that iPhone? I’ll have a look (oh, it’s locked!), then switch it off, eject the SIM card and pass it on to the expert. Well, you’ve just made three of the five most common mistakes making subsequent unlock and extraction attempts significantly more difficult. Learn about the most common mistakes and their consequences.
The first and probably the most important step (or at least one of) is data preservation, to make sure that the device content does not change, device will not discharge, will not be remotely locked or wiped etc. We made some introduction to the process in our The Art of iPhone Acquisition article, but you know what many forensic “experts” (sorry for the quotes) do first, instead of turning the airplane mode on or placing the device into Faraday bag?
They turn it off.
Granted, a powered-off device won’t make an accidental connection or self-discharge rapidly. However, if the device is powered off, you’re making the device switch from the forensic-friendly AFU* mode into the locked-down BFU* mode. As a result, several things happen.
- The encryption keys are wiped from the device RAM (no instant AFU extraction possible)
- Passcode recovery attack falls to BFU speeds (much slower than AFU attacks)
- Biometric authentication becomes impossible
- Lockdown records become useless; logical acquisition impossible
- Extremely limited BFU extraction
AFU: After First Unlock; the condition in which the device has been unlocked with a passcode at least once after being powered on or rebooted.
BFU: Before First Unlock; the condition in which the device rebooted or powered on and has never been unlocked.
Ejecting SIM card
What’s the next most common mistake in mobile forensics? It’s removing the SIM card, usually just to make sure that device does not make an accidental connection to a mobile network. I would not say it is fatal, but here is what happens, at least when the device is running iOS 11, 12 or 13:
- The phone locks immediately
- Biometric unlock disabled (until unlocked with the passcode)
- USB restricted mode activated
More on biometric authentication: Passcode vs. Biometrics: Forensic Implications of Touch ID and Face ID in iOS 12; on USB restricted mode: USB Restricted Mode Inside Out (updates: iOS 12 Enhances USB Restricted Mode and USB Restricted Mode in iOS 13: Apple vs. GrayKey, Round Two).
I believe no further explanation is needed. In short, you may completely lose an opportunity to unlock or further analyze the device.
“Don’t hold it that way”
Steve Jobs was never wrong. If you hold a modern iPhone equipped with Face ID, you’re likely to waste one or more attempts to unlock the device by pointing it towards the suspect. Why? This YouTube clip shows what happened during the iPhone X announcement.
As to the iPhones with Touch ID, make sure to never touch the fingerprint sensor. Otherwise you’ll just lose one of the five biometric unlock attempts.
Resetting backup password
In most cases (unless the device can be jailbroken or vulnerable to the checkm8 exploit), an iTunes backup is the main source of data. iPhone backups, however, are really special (see
The Most Unusual Things about iPhone Backups for details).
If the backup is password-protected, it could be a problem. Starting with iOS 10.1, brute-force password recovery is virtually impossible (though we can try, and have the software for that). However, as you know, iOS 11 Makes Logical Acquisition Trivial, Allows Resetting iTunes Backup Password.
The problem is that all passwords in Apple ecosystem are connected to each other (Four and a Half Apple Passwords). And if you reset the backup password (as it was done recently by FTI Consulting when investigating the hack of Jeff Bezos’ Phone, see the report), then the iPhone passcode is also reset. And that has bad, really bad consequences. First, you are going to lose the saved Wi-Fi passwords, Apple Pay transaction history, downloaded Exchange mail and some other data. Second (and this is critical), you lose all the things you could do with the passcode. Like what things? See iOS 11 Horror Story: the Rise and Fall of iOS Security and Protecting Your Data and Apple Account If They Know Your iPhone Passcode. This includes (but not limited to) access to end-to-end encrypted data in iCloud including the iCloud keychain, synced messages, Health data etc.
iOS logical acquisition
In fact, logical acquisition is not as simple as it sounds. Just create iTunes-styles backup and that’s it, right? Not quite. Several things can go wrong.
Creating a backup with iTunes. This is acceptable in general; all forensic packages create exactly the same backups as iTunes. In fact, backups are made by the service running on the iPhone itself, and not by desktop software. However, if you forget to disable iTunes sync in advance (before connecting the iPhone to the computer), the content on the device may change.
Making a passwordless backup. A backup without a password is easier to analyze, right? Yes, it is, but the devil is in the details. Backups without a password contain less data than password-protected backups. You will not get the keychain, Health data, Safari browsing history and call logs (at least).
Miss something. Well, actually a lot. Proper logical acquisition is not limited to backups. In fact, backups are just the beginning. You can also obtain media files (and not just files but also a metadata, sometimes even on deleted files), app shared data (including but not limited to media players, office packages and even some password managers), crash and diagnostic logs (the ultimate source of data that could really help building the timeline). All of that regardless of whether or not the user has a backup password. This, by the way, can be done for Apple Watch and Apple TV devices, thanks to Elcomsoft iOS Forensic Toolkit.
I just listed the most common mistakes made by the law enforcement and forensic experts. We’ve seen many more of those, albeit less frequently. Strictly following the correct workflow, documenting your every step, ensuring that your steps are repeatable and results verifiable, cross-matching the results and proper reporting are essential. Just using a “tool” is not nearly enough, even if it’s the best tool on the market. The environment is always changing, and you either keep up, or fall behind. Taking a training course is one of the better ways to keep up with the ever changing mobile forensic and computer forensic environment.