11/11/2014

Getting Past the iOS Passcode

From Search Warrant to Data Recovery

PATCtech

Glenn Bard, CTO

Scott Lucas, Instructor and Examiner

Steve Dempsey, Instructor

Brian Sprinkle, Case Manager and Software Consultant

iOS passcode bypass

• Three ways we are covering in this presentation:
  – Software to crack or bypass it
  – Lockdown Plist workaround
  – Apple search warrant

What types of security does iOS offer?

• Fingerprint (iPhone 5s, 6, 6 Plus, iPad Air 2, iPad Mini 3)

• Simple passcode (4 digit)

• Passcode

Touch ID

Cellebrite Physical Analyzer

• Bypassing simple and complex passcode while performing physical and file system extraction on selected devices running iOS 3.0 or higher including iOS 6
• Real‐time decryption and decoding of data, applications, and keychain real‐time decryption while revealing user passwords
• Advanced decoding of applications

Source: http://www.cellebrite.com/mobile‐forensics/products/applications/ufed‐physical‐analyzer

iOS Toolkit

• iPhone 4S, iPhone 5, iPad 2+, iPad Mini and iPod Touch 5th gen support is limited to jailbroken devices only (iOS 5 ... 7).
• Source: http://www.elcomsoft.com/eift.html

Software bypass

• Let’s see it done using Cellebrite’s Physical Analyzer. Depending on the device and iOS version, there are two possible end results: sometimes it can give you the password; other times it can’t give you the passcode but can simply bypass it. Let’s check it out:

Physical Analyzer

• Bypassing the passcode

Physical Analyzer

• Recovering the passcode:

iOS Toolkit

• Comes in both Windows and Mac versions.
• It is a command-line utility.

• Let’s take a brief look at the tool:

iOS Toolkit

• Can be purchased directly from Elcomsoft

• Can be purchased as part of Secure View NUC

So let’s use iOS Toolkit on a locked iPod Touch

We access iOS Toolkit from within Secure View

This sends us to iOS Toolkit

Took about 45 minutes

Found our password

Lockdown Plist

• The Lockdown Plist is created on a “Trusted” computer system. It is NOT part of the backup process, so a backup is NOT required.
• Let’s take a look:

Lockdown Plist

• They will be located at the following locations:
  – Windows XP – C:\Documents and Settings\All Users\Application Data\Apple\Lockdown
  – Windows Vista / 7 / 8 – C:\ProgramData\Apple\Lockdown
  – Mac – C:\Library\Lockdown

Lockdown folder

Lockdown Plist

• The Plist will be named after the UDID of the device.
• UDID – Universal Device Identifier
• This is the same number that iTunes displays and that the backup folder is named after.
• Let’s take a look:

Lockdown Plist

• The procedure is to copy the Lockdown Plist off of the bad guy’s computer system and then import it into the forensic software. If you don’t know which one to copy, then copy them all.

Lockdown Plist

• NOTE:
  – To get the Lockdown Plist off of a bad guy’s computer we will NEVER turn it on. It must be done forensically. A qualified examiner must copy it off using tools such as EnCase, FTK or P2 Commander. Never turn the bad guy’s machine on and navigate to that file.
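
An added example (not from the original slides or any vendor tool): a read-only inventory of a Lockdown folder that an examiner has already exported from a forensic image, recording which files are named after a UDID and hashing each one for the case notes. The UDID patterns, key names and sample files are constructed assumptions.

```python
import hashlib
import plistlib
import re
import tempfile
from pathlib import Path

# Assumption: 40 hex chars (devices of this era) or the later 8-16 hex form.
UDID_RE = re.compile(r"^(?:[0-9a-fA-F]{40}|[0-9a-fA-F]{8}-[0-9a-fA-F]{16})$")

def inventory_lockdown(folder):
    """Return one record per .plist in an exported Lockdown folder."""
    records = []
    for path in sorted(Path(folder).glob("*.plist")):
        data = path.read_bytes()            # read only; never written back
        try:
            keys = sorted(plistlib.loads(data).keys())
        except Exception:                   # damaged or non-plist file
            keys = None
        records.append({
            "file": path.name,
            "udid": path.stem if UDID_RE.match(path.stem) else None,
            "sha256": hashlib.sha256(data).hexdigest(),
            "size": len(data),
            "keys": keys,
        })
    return records

def build_sample(folder):
    """Constructed sample data: fake UDID and placeholder values."""
    folder = Path(folder)
    udid = "0123456789abcdef0123456789abcdef01234567"   # constructed
    (folder / f"{udid}.plist").write_bytes(plistlib.dumps(
        {"HostID": "CONSTRUCTED-HOST-ID", "EscrowBag": b"\x00" * 8}))
    (folder / "SystemConfiguration.plist").write_bytes(
        plistlib.dumps({"SystemBUID": "CONSTRUCTED-BUID"}))
    (folder / "deadbeef.plist").write_bytes(b"not a plist")
    return udid

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        for rec in inventory_lockdown(tmp):
            name = rec["udid"] or "(not a UDID name)"
            print(name, rec["sha256"][:16], rec["size"], rec["keys"])
```

Files whose names are not UDIDs, or that fail to parse, are still listed and hashed, which fits the "copy them all" advice above.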

Lockdown Plist

• Many forensic tools are able to do this procedure; I am going to demonstrate Oxygen:

Lockdown Plist

• Keep in mind, this method will defeat both simple and complex passcodes, on even the newest devices and versions of the OS.

• Let’s try it live on an iPhone 6, running iOS 8.1

Before we send the phone away…

• Are there any other possible avenues?

• How about the backup file?

Backup files

• From our suspect’s computer (you took that too, right?)

• From the iCloud (time to type a search warrant)

Our backup files contain all the data that the phone did, at that point in time

Apple search warrant

• Generally a last resort, as it involves a several-month wait and sending the device away to Apple.

Apple Warrant

• The process:
  – Create the draft warrant language
  – Send it to Apple for their review
  – Then get the warrant signed
  – Wait until Apple calls and asks for the phone
  – Ship it to them and wait
  – You will get the phone and a disk back with the data

Apple Warrant

• Let’s take a look at the warrant wording:

From Apple:

Things have changed significantly with the release of iOS 8

Most importantly:
