Getting Past the iOS Passcode

iOS

• Apple’s

• Originally known as iPhone OS

• Unveiled in 2007

• Current version is 9.3, released March 21, 2016

iOS

• Runs on:

– iPhone

– iPod Touch

– iPad (and mini and Pro)

• Newest version runs on:

– iPhone 4S and newer

– iPad 2 and newer

– iPad Pro

– iPad mini (all models)

– iPod Touch 5th Gen

iOS passcode bypass

• Methods we will be discussing in this presentation:

– Software to crack or bypass it

– Hardware devices

– Lockdown plist work-around

– Apple search warrant

What types of security does iOS offer?

• Fingerprint (iPhone 5s, 6, 6 Plus, iPad Air 2, iPad Mini 3)

• Simple passcode (4 digit)

• Complex passcode (6 digit)

• Alphanumeric passcode

Touch ID

Determining the version of iOS

• Before we undertake any efforts to unlock an iOS device, it is often helpful to determine the version of the operating system it is running

• Newer versions of iOS may return the device to factory settings by default when certain tools are used, regardless of the user settings

iFunBox

• iFunBox is a “file and app management tool for iPhone, iPad & iPod Touch”

• We need the older version, iFunBox 2014 (the new version will not work)

• Will tell us the version of iOS running on the device, even when the device is locked

I haven’t told my phone to trust this computer (because I can’t; it’s locked)…

…but iFunBox is still telling me what version of iOS it is running

CelleBrite Physical Analyzer

• Full mobile forensic suite

• Can bypass passcodes on older devices

• Will tell us what version of iOS the device is running

Software bypass

• CelleBrite’s Physical Analyzer

• Elcomsoft’s iOS Toolkit

Software bypass

• Physical Analyzer

– May bypass the passcode and retrieve data, leaving the device locked

– May recover the passcode and provide it to you

Physical Analyzer

• Bypassing the passcode

iOS extraction wizard

Physical Analyzer

• Recovering the passcode

iOS Toolkit

• Comes in both Windows and Mac versions

• It is a command-line utility

• Let’s take a brief look at the tool:

iOS Toolkit

• Can be purchased directly from Elcomsoft

• Can be purchased as part of Secure View NUC

So let’s use iOS Toolkit on a locked iPod Touch

We access iOS Toolkit from within Secure View

This sends us to iOS Toolkit

Took about 45 minutes

Found our password

Hardware solutions

• IP Box

• MFC Dongle

• SV Strike

• CelleBrite UFED User Lock Recovery Tool

The IP Box

• Works great with devices up to iOS 8

• With iOS 8.1 and 8.2, the device is partially disassembled and the power supply is interrupted

The IP Box

• REMEMBER: The IP box may restore the phone to factory settings. If this occurs, all the data is gone forever.

• Be aware of the risk

• Evaluate your situation

The MFC Dongle

• Similar technology to the IP Box

• Will defeat simple passcodes on iOS devices, HTC Androids and Samsung Androids

SV Strike

• From Susteen, creators of Secure View

• Works on iOS and Android

• Can defeat 4 and 6 digit passcodes

• May return device to factory settings

CelleBrite

• UFED User Lock Recovery Tool

• Works on iOS and Android

• May return device to factory settings

Lockdown plist

• The Lockdown plist is created on a “Trusted” computer system. It is NOT part of the backup process, so a backup is NOT required.

Lockdown Plist

• They will be located at the following locations:

– Windows XP – C:\Documents and Settings\All Users\Application Data\Apple\Lockdown

– Windows Vista / 7 / 8 – C:\ProgramData\Apple\Lockdown

– Mac – C:\Library\Lockdown

First, we have to unhide it…

Lockdown Plist

• The plist will be named after the UDID of the device

• UDID – Universal Device Identifier

• This is the same name that iTunes will display, and any backups will be placed in a folder with this name

Lockdown Plist

• To unlock the device using the lockdown plist, we copy it from the bad guy’s computer and import it into our forensic software. If you don’t know which one to copy, then copy them all.

Lockdown Plist

• NOTE:

– To get the Lockdown plist off of a bad guy’s computer we will NEVER turn it on and look around. It must be done forensically. A qualified examiner must copy it off using tools such as EnCase, FTK or P2 Commander. Never turn the bad guy’s machine on and navigate to that file.
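
One way to document the Lockdown folder after it has been exported from the forensic image, so the plists later imported into the forensic software can be shown to match the originals. This is an added example, not part of the original presentation; the function names, the 40-hex-character UDID pattern and the sample files are assumptions constructed for illustration.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Assumption: devices of this era use a 40-hex-character UDID as the file name.
UDID_RE = re.compile(r"^[0-9a-fA-F]{40}$")


def inventory_lockdown(folder):
    """Return one record per .plist in an exported Lockdown folder (read-only)."""
    records = []
    for path in sorted(Path(folder).glob("*.plist")):
        data = path.read_bytes()
        records.append({
            "file": path.name,
            "udid": path.stem.lower() if UDID_RE.match(path.stem) else None,
            "size": len(data),
            "sha256": hashlib.sha256(data).hexdigest(),
        })
    return records


def verify_copy(original, copy):
    """Return file names that are missing from the copy or whose hash differs."""
    copied = {r["file"]: r["sha256"] for r in copy}
    return [r["file"] for r in original if copied.get(r["file"]) != r["sha256"]]


def build_sample(folder):
    """Constructed sample folder (not real evidence) for a dry run."""
    folder = Path(folder)
    (folder / ("a1b2c3d4e5" * 4 + ".plist")).write_bytes(b"constructed record 1")
    (folder / ("0f" * 20 + ".plist")).write_bytes(b"constructed record 2")
    (folder / "SystemConfiguration.plist").write_bytes(b"constructed, not a device")
    return folder


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for rec in inventory_lockdown(build_sample(tmp)):
            print(rec["udid"] or "(not UDID-named)", rec["size"],
                  rec["sha256"][:16], rec["file"])
```

Run the inventory once on the exported folder and again on the working copy; an empty list from verify_copy means the working copy is identical.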

Lockdown Plist

• Many forensic tools are able to do this procedure; I am going to demonstrate Oxygen:

• Here is the same process with CelleBrite’s Physical Analyzer:

Or, how about iTunes?

• Once the plist is placed in the lockdown folder, create a backup using iTunes.

• Examine the backup using a forensic tool

• Reincubate’s iPhone Backup Extractor is a great (and cheap!) tool

Lockdown Plist

• Keep in mind, this method will defeat both simple and complex passcodes, on even the newest devices and versions of the OS.

• However, there may be time constraints, and the device needs to remain powered on.

Before we send the phone away…

• Are there any other possible avenues?

• How about the backup file?

Backup files

• From our suspect’s computer (you took that, too; right?)

• From the iCloud (time to type a search warrant)

Our backup files contain the data that the phone held at that point in time

Apple search warrant

• Generally a last resort, as it involves a several-month wait and sending the device away to Apple.

Apple Warrant

• The process:

– Create the draft warrant language

– Send it to Apple for their review

– Then get the warrant signed

– Wait until Apple calls and asks for the phone

– Ship it to them and wait

– You will get the phone and a disk back with the data

Things changed significantly with the release of iOS 8

Most importantly:

In summary…

• Each case is different

• The order in which you use each of the preceding methods will depend on the specific situation

• Be aware of any potential risks. Know your tools.

Follow PATCtech!

PATCtech @PATCtech

Forensic Digital Evidence Investigators (LinkedIn Group)

• Updates & PATCtech Research • Public Safety News • Training Opportunities
