iOS 8.3: the end of iOS Forensics?

The latest iOS update (iOS 8.3) is a real nightmare for digital forensics specialists. This article will try to clarify what can you really obtain from an iOS device with iOS 8.3.

As we already know from Jonathan Zdziarski blog, with the introduction of iOS 8 is no longer possible to obtain a so called "Advanced Logical" acquisition based on lockdown service.


However, when we find a device without passocode it is still possible to obtain a backup, although it may be password protected if the user has previously set a password for the local backup.


In the same way we can perform a backup if we find a turned on and locked device, but only if we are able to find a pairing lockdown certificate and the device has been unlocked at least once by the user before the seizure. The same problem about an eventual backup password previously set by the device owner applies to this case too.


The real nightmare is when, and this is the most common case, we have to acquire a device that was turned off.


In this case, also with the lockdown certificate, it is not possible to obtain a backup before unlocking at least once the device. In practical it means that we need to know the passcode to create a backup.


Moreover iOS 8.3 added a new security measure that prevents external tools (not only forensics tools but also iDevice browsing tools like iFunBox) from accessing third party applications sandbox. It means that the only way to read third party contents is to create a backup....but as we already noticed to create a backup you need an unlocked device or a locked device not turned off and a lockdown certificate.


So the question is: what can we really obtain from a locked and turned off device?


It depends, of course, if we are able or not to find a lockdown certificate.


If we haven't got a lockdown certificate we can only recover information about the device and in particular:

  • Device class (iPhone, iPad, iPod)
  • Device name
  • Device color
  • Hardware model
  • iOS version
  • Unique Device ID (UDID)
  • Wi-Fi Address
We can use the tool ideviceinfo that is available in libimobiledvice.

If we have a lockdown certificate there are some more information that we can recover by using the AFC protocol. In particular:

  • Device information
    • IMEI (for devices with telephony capability)
    • Bluetooth Address
    • Language
    • Date and time
    • Timezone
    • Battery charge level
    • Total NAND memory size
    • Empty space size
  • Backup configuration
    • Local vs. iCloud
    • For local backup we can verify if it is password protected
    • Last backup date
  • Installed application list
  • Application distribution on Springboard
  • File contained inside applications that are using iTunes File Sharing. During our test we were able to successfully recover files from:
    • Adobe Reader
    • iZip
    • WinZip
    • File App
    • Office Plus
    • Smart Office
    • USB Disk
  • iBooks folder, containing all the books (both ePub or PDF) saved by the user in the application
  • Downloads folder, containing downloaded files or, in some cases, applications updates
  • iTunes_Control folder
    • iTunes subfolder, containing the iDevice iTunes library list
    • Music subfolder, containing audio files loaded into iTunes library. Files that were originally loaded into iTunes from a PC/MAC are also available
  • Videos loaded into the Device from a PC/MAC
For other folders we can obtain the file name list. For example you can recover it from the DCIM folder and know, at least, if and how many images are stored in the iDevice.

In our test we were able to obtain filename list from:

  • DCIM
  • PhotoStramsData
  • PhotoData
  • Purchases
  • Radio
In the end a short recap:
  • Unlocked device
    • You can always create a local backup
    • If the user has previously set a backup password you need to crack it
  • Locked device
    • Turned on and with lockdown certificate
      • You can create a local backup
      • The same problem as the previous case applies if the user has previously set a backup password
      • Be sure that the device keep charging during the backup process
    • Turned off device and with lockdown certificate
      • Use AFC protocol and recover the most information that you can, as explained in this article
    • Turned on/off device without a lockdown certificate
      • Only device information (name, UDID, etc.)
So, in the end, a suggestion: if you find a turned on device try to isolate it and DO NOT TURN IT OFF before searching for a lockdown certificate on a synced PC/MAC.

For more information on this topic we suggest our book "Learning iOS Forensics", published by PacktPub in March 2015 and authored by Mattia Epifani and Pasquale Stirparo.




Popular posts from this blog

WhatsApp Forensics

Windows Phone PIN cracking

A first look at Windows 10 prefetch files