11/11/2014
Getting Past the iOS Passcode
From Search Warrant to Data Recovery
PATCtech
Glenn Bard, CTO
Scott Lucas, Instructor and Examiner
Steve Dempsey, Instructor
Brian Sprinkle, Case Manager and Software Consultant
iOS passcode bypass
• Three ways we are covering in this presentation: – Software to crack or bypass it – Lockdown Plist work around – Apple search warrant
1 11/11/2014
What types of security does iOS offer?
• Fingerprint (iPhone 5s, 6, 6 Plus, iPad Air 2, iPad Mini 3)
• Simple passcode (4 digit)
• Passcode
Touch ID
Cellebrite Physical Analyzer
• Bypassing simple and complex passcode while performing physical and file system extraction on selected devices running iOS 3.0 or higher including iOS 6 • Real‐time decryption and decoding of data, applications, and keychain real‐time decryption while revealing user passwords • Advanced decoding of applications
Source: http://www.cellebrite.com/mobile‐forensics/products/applications/ufed‐physical‐analyzer
2 11/11/2014
iOS Toolkit
• iPhone 4S, iPhone 5, iPad 2+, iPad Mini and iPod Touch 5th gen support is limited to jailbroken devices only (iOS 5 ... 7). • Source: http://www.elcomsoft.com/eift.html
Software bypass
• Let’s see it done using CelleBrite’s Physical Analyzer. Depending on the device and iOS, there are two end results, sometimes it can give you the password, others it can’t give the passcode but can simply bypass it. Let’s check it out:
Physical Analyzer
• Bypassing the passcode
3 11/11/2014
4 11/11/2014
5 11/11/2014
6 11/11/2014
Physical Analyzer
• Recovering the passcode:
7 11/11/2014
8 11/11/2014
9 11/11/2014
10 11/11/2014
iOS Toolkit
• Comes in both Windows and Mac versions. • It is a Command line utility.
• Let’s take a brief look at the tool:
iOS Toolkit
iOS Toolkit
• Can be purchased directly from Elcomsoft
• Can be purchased as part of Secure View NUC
11 11/11/2014
So let’s use iOS Toolkit on a locked iPod Touch
We access iOS Toolkit from within Secure View
12 11/11/2014
This sends us to iOS Toolkit
13 11/11/2014
14 11/11/2014
Took about 45 minutes
Found our password
15 11/11/2014
Lockdown Plist
• The Lockdown Plist is created on a “Trusted” computer system. It is NOT part of the backup process. So a back up is NOT required. • Let’s take a look:
Lockdown Plist
• They will be located at the following locations: • Windows XP – C:\Documents and Settings\All Users\Application Data\Apple\Lockdown • Windows Vista / 7 / 8 – C:\ProgramData\Apple\Lockdown • Mac – C:\Library\Lockdown
16 11/11/2014
Lockdown folder
Lockdown Plist
• The Plist will be named after the UDID of the device. • UDID –Universal Device Identifier • This is the same number that iTunes will display and the backup folder is named after. • Let’s take a look:
17 11/11/2014
Lockdown Plist
• How the procedure works is to copy the Lockdown Plist off of the bad guys computer system and then import it into the forensic software. If you don’t know which one to copy, then copy them all.
18 11/11/2014
Lockdown Plist
• NOTE: – To get the Lockdown plist off of a bad guy’s computer we will NEVER turn it on. It must be done forensically. A qualified examiner must copy it off using tools such as Encase, FTK or P2 Commander. Never turn the bad guy’s machine on and navigate to that file.
Lockdown Plist
• Many forensic tools are able to do this procedure, I am going to demonstrate Oxygen:
19 11/11/2014
20 11/11/2014
21 11/11/2014
22 11/11/2014
23 11/11/2014
Lockdown Plist
• Keep in mind, this method will defeat both simple and complex passcodes, on even the newest devices and versions of the OS.
• Let’s try it live on an iPhone 6, running iOS 8.1
Before we send the phone away…
• Are there any other possible avenues?
• How about the backup file?
Backup files
• From our suspect’s computer (you took that, too; right?)
• From the iCloud (time to type a search warrant)
24 11/11/2014
Our backup files contain all the data that the phone did, at that point in time
Apple search warrant
• Generally, a last resort, as it involves a several month wait and sending the device away to Apple.
Apple Warrant
• The process: – Create the draft warrant language – Send it to Apple for their review – Then get the warrant signed – Wait until Apple calls and asks for the phone – Ship it to them and wait. – You will get the phone and a Disk back with the data.
25 11/11/2014
Apple Warrant
• Let’s take a look at the warrant wording:
From Apple:
From Apple:
26 11/11/2014
Things have changed significantly with the release of iOS 8
Most importantly:
27