UNITED STATES DISTRICT COURT for the Western District of Michigan

AO 93 (Rev. 12/09) Search and Seizure Warrant
Case 1:12-mj-00304-JGS  Doc #4  Filed 10/09/12  Page 1 of 5
FILED - GR, October 9, 2012 3:46 PM, TRACEY CORDES, CLERK, U.S. DISTRICT COURT, WESTERN DISTRICT OF MICHIGAN, BY: dmh

UNITED STATES DISTRICT COURT for the Western District of Michigan

In the Matter of the Search of (Briefly describe the property to be searched or identify the person by name and address): an Apple iPhone model A1332 with IC # [redacted]
Case No. 1:12-mj-304

SEARCH AND SEIZURE WARRANT

To: Any authorized law enforcement officer

An application by a federal law enforcement officer or an attorney for the government requests the search of the following person or property located in the Western District of Michigan (identify the person or describe the property to be searched and give its location): One black-colored Apple iPhone telephone bearing model # A1332 and IC # [redacted], recovered from [redacted] bedroom located at [redacted].

The person or property to be searched, described above, is believed to conceal (identify the person or describe the property to be seized): historical information regarding call activity, "phone book" directory information, stored voice-mails and text messages, and electronic files, photographs, and video images.

I find that the affidavit(s), or any recorded testimony, establish probable cause to search and seize the person or property.

YOU ARE COMMANDED to execute this warrant on or before Sept. 19, 2012 (not to exceed 14 days)
  [X] in the daytime 6:00 a.m. to 10 p.m.
  [ ] at any time in the day or night as I find reasonable cause has been established.

Unless delayed notice is authorized below, you must give a copy of the warrant and a receipt for the property taken to the person from whom, or from whose premises, the property was taken, or leave the copy and receipt at the place where the property was taken.

The officer executing this warrant, or an officer present during the execution of the warrant, must prepare an inventory as required by law and promptly return this warrant and inventory to United States Magistrate Judge Joseph G. Scoville (name).

  [ ] I find that immediate notification may have an adverse result listed in 18 U.S.C. § 2705 (except for delay of trial), and authorize the officer executing this warrant to delay notice to the person who, or whose property, will be searched or seized (check the appropriate box)
      [ ] for ____ days (not to exceed 30)
      [ ] until, the facts justifying, the later specific date of __________.

Date and time issued: [handwritten; illegible in scan]
City and state: Grand Rapids, Michigan
Judge's signature / Printed name and title: [handwritten; illegible in scan]

AO 93 (Rev. 12/09) Search and Seizure Warrant (Page 2)
Case 1:12-mj-00304-JGS  Doc #4  Filed 10/09/12  Page 2 of 5  Page ID#9

Return

Case No.: 1:12-mj-304
Date and time warrant executed: [handwritten; illegible in scan]
Copy of warrant and inventory left with: [handwritten; illegible in scan]
Inventory made in the presence of: [handwritten; illegible in scan]
Inventory of the property taken and name of any person(s) seized: [handwritten; illegible in scan]

Certification
I declare under penalty of perjury that this inventory is correct and was returned along with the original warrant to the designated judge.
Date: [handwritten]    Executing officer's signature    Printed name and title: [handwritten; illegible in scan]

Summary

Connection Type: Cable No. 110
Extraction start date/time: 9/13/2012 12:00:01 PM
Extraction end date/time: 9/13/2012 4:28:21 PM
UFED Physical Analyzer version: 3.0.1.7
Case number: GP13CR12GP0008
Case name: Aguilera et. al.
Notes: [redacted] iPhone / FPFII20122271400011701
Physical Examination
Examiner name: Special Agent Cory Howe
Department: Homeland Security Investigations
Location: Grand Rapids, MI

Device Information (Name: Value)

 1  User_System_Data: [illegible in scan]
 2  Activation State: WildcardActivated
 3  Application Entries: 0
 4  Application Size (bytes): 0
 5  Board: n90ap
 6  Book Entries: 0
 7  Book Size (bytes): 0
 8  Capacity: 14GB
 9  Cloud Backup Enabled: False
10  CPID: 8930
11  Data Entries: 1
12  Data Size (bytes): 4366336
13  ECID: [redacted]
14  Free Memory (bytes): 14231298048
15  iBoot (firmware) version: iBoot-1219.62.16
16  ICCID: [redacted]
17  Last Backup Computer Name: Adriana MacBook Pro
18  Last Backup Computer Type: Mac
19  Last Sync: 6/25/2012 6:45:37 AM (UTC-4)
20  Last Used ICCID: [redacted]
21  Locale Language: en_US
22  Memory Size (bytes): 14758297600
23  Owner Name: monica
24  Passcode: [redacted]
25  Phone Number: [redacted]
26  Proofing Entries: 0
27  Proofing Size (bytes): 0
28  Ringtone Entries: 0
29  Ringtone Size (bytes): 0
30  Serial number: [redacted]
31  Sync Host Name: Adriana MacBook Pro
32  Synced with Computer: Adriana MacBook Pro\User: Cachetes
33  Synced with Computer: Useras Power Mac G5 (3)\User: User
34  USB (Ethernet) MAC: [redacted]
35  VoiceMemo Entries: [illegible in scan]

Case 1:12-mj-00304-JGS  Doc #4  Filed 10/09/12  Page 4 of 5

36  VoiceMemo Size (bytes): 0
37  Wi-Fi MAC: CC:08:E0:B2:4F:83

Image Hash Details

 1  Name / Image Path: iPhone4GSM_5.1.1_Physical_Physical_13-09-12_12-00-01.img
    Size (bytes): 15955189780

Plugins (Name, Version)

 1  IPhonePhysicalInputID   Cellebrite 2.0
 2  DMGOpener               Cellebrite 2.0
 3  MBRGeneric              Cellebrite 2.0
 4  ApplePartitionMap       Cellebrite 2.0
 5  GUIDPartitionTable      Cellebrite 2.0
 6  TARArchiveOpener        Cellebrite 2.0
 7  HFS                     Cellebrite 2.0
 8  IPhoneCallLog           Cellebrite 2.0
 9  IPhone databases        Cellebrite 2.0
10  QuicktimeMetadata       Cellebrite 2.0
11  IPhone device info      Cellebrite 2.0
12  [name illegible in scan] Cellebrite 2.0
13  [name illegible in scan] Cellebrite 2.0

Contents (Type: count)

Call Log: 104 (4 Deleted)
  Incoming: 23 (1 Deleted)
  Missed: 48
  [type illegible in scan]: 33 (3 Deleted)
  [type illegible in scan]: 2 (1 Deleted)
  [type illegible in scan]: 2 (1 Deleted)
iMessage: [redacted]
Contacts: 18
Installed Applications: 37
IP Connections: 13
Locations: 659 (28 Deleted)
  Cell towers: 227
  Harvested WiFi Locations: 28 (28 Deleted)
  Media Locations: 1
  WiFi networks: 403
Notes: [illegible in scan]

Case 1:12-mj-00304-JGS  Doc #4  Filed 10/09/12  Page 5 of 5

Passwords: 8
SMS Messages: 422 (63 Deleted)
  Drafts: 0
  Inbox: 228 (34 Deleted)
  Sent: 193 (29 Deleted)
User Accounts: [illegible in scan]
User Dictionary: 577
Web Bookmarks: 0 (Root)
Web History: 151
Wireless Networks: 6
Data Files: 10149 (189 Deleted)
  Audio: 292
  Configuration: 3185 (170 Deleted)
  Database: 135
  Images: 6340 (19 Deleted)
  Text: 198
  Videos: 1
Carved Files: 0

Call Log
* These details are cross-referenced from this device's contacts

Incoming

 #   Codes     Party        Time                          Duration
 1   310 410   Pedro*       7/29/2012 7:30:13 AM (UTC+0)   00:01:04
 2   310 410   Pedro*       7/30/2012 1:36:51 AM (UTC+0)   00:01:12
 3   310 410   Dad*         7/30/2012 2:34:08 AM (UTC+0)   00:00:32
 4   310 410   Dad*         7/30/2012 5:38:54 PM (UTC+0)   00:00:37
 5   310 410   Cesar*       7/30/2012 5:44:59 PM (UTC+0)   00:00:59
 6   310 410   Beto*        7/30/2012 5:49:11 PM (UTC+0)   00:02:17
 7   310 410   Beto*        7/30/2012 5:58:55 PM (UTC+0)   00:02:21
 8   310 410   Cesar*       7/30/2012 6:43:12 PM (UTC+0)   00:01:47
 9   310 410   Beto*        7/30/2012 8:04:57 PM (UTC+0)   00:00:22
10   310 410   Beto*        7/30/2012 9:28:43 PM (UTC+0)   00:01:58
11   310 410   Pedro*       7/30/2012 10:41:18 PM (UTC+0)  00:01:21
12   310 410   Beto*        7/31/2012 12:18:02 AM (UTC+0)  00:03:27
13   310 410   Esmeralda*   7/31/2012 1:02:47 PM (UTC+0)   00:00:15
14   310 410                7/31/2012 1:17:51 PM (UTC+0)   00:05:28
15   310 410   Beto*        7/31/2012 1:23:18 PM (UTC+0)   00:02:11
16   310 410   Felix*       7/31/2012 2:48:39 PM (UTC+0)   00:00:43