Ios 8 – What It Changes for Forensic Investigators

iOS 8 – What it Changes for Forensic Investigators

This appendix shows the current status, as of February 2015, of the ongoing research related to the possibilities of forensic examination of a device with the iOS 8 operating system.

The first aspect toconsider is the detail of the devices that support this version of the operating system. As for the iPhone, the supported models are all those starting from 4s (that is, 4s, 5, 5c, 5s, 6, and 6 Plus), while regarding the iPad, the supported models are all those from the iPad 2 (that is, 2, 3, 4, Air, Air 2, Mini, Mini 2, and Mini 3).

The second aspect of interest is related to the types of acquisitions that are possible. At present, it is not possible to engage in physical acquisition of non-jailbroken devices. From a hardware point of view, as explained in the book, are unknown exploits at the bootrom level, and therefore it is not possible to inject an alternative operating system from which we make this type of activity. Instead, techniques for jailbreaking of iOS 8 devices are already known and available (that is, Taigu and Pangu). The company Elcomsoft, released in January 2015 a new version of its tool iOS Forensic Toolkit for the acquisition of 32-bit devices already jailbroken and with iOS 8 operating system (more information is available at www.elcomsoft.com/news/592.html). It only works with devices jailbroken with Taigu and it is important to remark that this jailbreak tool requires that the Find My Phone feature is disabled; otherwise, it is not possible to jailbreak the device. This means that if we have an unlocked device not jailbroken and we need to create a physical copy, we have to perform the following steps:

1. Verify whether the Find My Phone feature is activated. 2. Disable this feature (it requires an Apple ID and password; if not available, they can be recovered by creating an encrypted backup and cracking it). iOS 8 – What it Changes for Forensic Investigators

3. Jailbreak the device with Taigu. 4. Acquire the physical image and decrypt it with the Elcomsoft iOS Forensic Toolkit.

It is also important to note that Elcomsoft is working on support for 64-bit devices, like iPhone 6 and 6 Plus.

Following the publication of the paper Identifying back doors, attack points, and surveillance mechanisms in iOS devices, Jonathan Zdziarski (http://www.zdziarski. com/blog/wp-content/uploads/2014/08/Zdziarski-iOS-DI-2014.pdf), Apple has solved the issue related to the possible acquisition activities through the lockdown service, thus making it unusable the so-called "advanced logical" acquisition. In this regard, see the article Apple Addresses Surveillance and iOS Forensics Vulnerabilities (http://www.zdziarski.com/blog/?p=3820) for more information.

On non-jailbroken devices (and if you cannot jailbreak the device for technical or legal matters), it is possible to access the content of the device only in two ways: through a logical acquisition using the backup service of iTunes or forensic software, or through software that allows you to browse the device content.

However, regarding logical acquisition, two additional parameters should be taken into account: the presence of the passcode and the presence of a backup password set by the user.

So, there are at least three scenarios of interest, as follows:

• Device not protected by a passcode and without a backup password • Device not protected by a passcode but with a backup password • Device protected by a passcode

In the first case, it is always possible to make a local backup of the device using iTunes or a forensic acquisition software (such as those already listed in Chapter 3, Evidence Acquisition from iDevices) and then analyze their content. Of course, the traditional observations in terms of precautions for the isolation of the device always apply.

[ 190 ] Appendix C

In the second case, it is possible to make a local backup of the device or an acquisition with forensic software; however, the result of the acquisition will be encrypted. For this reason, it will be necessary, if possible, to attempt to crack the password of the backup acquired using one of the software discussed in Chapter 5, Evidence Acquisition and Analysis from iTunes Backup. However, the backup password is useless for the protection of some elements such as camera reel, videos, recordings, podcasts, books, and other media, as well as all third-party application data (for details, see the article Your iOS 8 date is Not Beyond Law Enforcement's Reach ... Yet, posted on J. Zdiziarski's blog on September 17, 2014, at http://www.zdziarski.com/blog/?p=3875). In fact, in these cases, you can access the data stored on the device directly without the need to make a backup and then decrypt it.

The third case is certainly the most complex and can make it impossible to look for any acquisition activities. First, there are no known safe techniques that allow an attack on the passcode. The market offers some hardware solutions to perform a brute force attack, but these are not yet sufficiently tested by the forensic community and therefore side effects are not known (for example, Device reset). As an example, we show the IPBOX (http://forum.gsmhosting.com/vbb/f937/ipbox-smart-tool-ver8-1- hot-ios-8-x-x-supported-1889093/) and MFC BOX (http://www.mfcbox.com/ shop/) devices. Detective Cindy Murphy has put together a quick guide on how to use the IPBOX and explains the basics of how the tool works. You can find the document at www.teeltech.com/wp-content/uploads/2014/11/IP-Box-documentation- rev2-1-16-2015.pdf.

The only alternative to bypass the passcode is to select a lockdown certificate from a previously-used computer to synchronize the device. For some specific iOS 8 versions, bugs that allow access to at least some contents have been discovered. An example is available at http://www.forbes.com/sites/kashmirhill/2014/09/15/siri- lets-anyone-bypass-your-iphones-lockscreen-feature-or-bug/.

If there are no computers with a lockdown certificate available, you cannot make the logical acquisition of the device. Instead, if the certificate is available, we are faced with two more scenarios, as follows:

• The device was found on and preserved switched on • The device was found off or turned off during seizure

In the first case, if the device is still on, it is possible to copy the lockdown certificate in the acquisition computer and perform the acquisition using backup or forensic software. In the second case, however, it will not be possible to access the device to make a backup or acquisition with forensic software because the new operating system requires the unlocking of the device at least once via passcode.

[ 191 ] iOS 8 – What it Changes for Forensic Investigators

The research activities carried out by Zdziarski (refer to the article iOS 8 Protection Mode Bug: Some User Files At Risk of Exposure at http://www.zdziarski.com/ blog/?p=3890) have shown, however, that there is still some data that is in any case at risk if you have a lockdown certificate available, even if the device is locked with a passcode and has been turned off before the acquisition, because these files are not protected with the passcode. In particular, as reported in the article:

Any files copied over from iTunes using "File Sharing" under "Apps". Any videos copied in from iTunes that fall under the "Home Videos" section of the Videos app. This likely extends to music videos and movies. Any databases stored in Third Party applications are protected, but their -shm (shared-memory write-ahead index) counterpart files are at risk.

In addition to this information, tests carried out by us on an iPad 2 with iOS 8.0.2 led to recovery as follows:

• The metadata related to PDF and eBook files present within the application Book (file name, date last modified, size) • Metadata related to the JPG images and the MOV videos taken with the device camera (file name, date last modified, size) • The Downloads folder, typically used by apps to download additional content • The pictures of the music albums downloaded and/or synchronized through iTunes (iTunes_Control\iTunes\Artwork\) • The list of songs and albums inside the iTunes library (the MediaLibrary. sqlitedb file) • The list of installed applications (the iTunesPrefs.plist and iTunesDRMDB. itlp files)

One aspect to take into account anyway is that the recovery of the lockdown certificate allows you, in any case, to access information related to the type of backup set by the user. From this information, we can discover if the user had set up the backup on iCloud, and this is definitely useful to get ready (from a legal and technical perspective) to access this source of information.

On the basis of the research described in this appendix, it is clear that in the case of a device protected by a passcode and found switched on, it becomes of vital importance for a consistent acquisition, retrieving a lockdown certificate before the phone goes off, and in any case, maintaining access via auxiliary battery during the search of the certificate. In this case it is also advisable to prevent network connections by using a Faraday bag or Airplane mode.

[ 192 ]