As we already know from Jonathan Zdziarski's blog, with the introduction of iOS 8 it is no longer possible to obtain a so-called "Advanced Logical" acquisition based on the lockdown service.
However, when we find a device without a passcode it is still possible to obtain a backup, although the backup may be password protected if the user has previously set a password for local backups.
In the same way we can perform a backup if we find a turned-on and locked device, but only if we are able to find a pairing lockdown certificate and the device has been unlocked at least once by the user before the seizure. The same issue of a backup password previously set by the device owner applies to this case too.
The real nightmare, and this is the most common case, is when we have to acquire a device that was turned off.
In this case, even with the lockdown certificate, it is not possible to obtain a backup before the device has been unlocked at least once. In practice this means that we need to know the passcode to create a backup.
Moreover, iOS 8.3 added a new security measure that prevents external tools (not only forensic tools but also iDevice browsing tools like iFunBox) from accessing the sandbox of third-party applications. This means that the only way to read third-party content is to create a backup... but, as we already noticed, to create a backup you need an unlocked device, or a locked device that has not been turned off together with a lockdown certificate.
So the question is: what can we really obtain from a locked and turned-off device?
It depends, of course, on whether or not we are able to find a lockdown certificate.
If we haven't got a lockdown certificate we can only recover information about the device, in particular:
- Device class (iPhone, iPad, iPod)
- Device name
- Device color
- Hardware model
- iOS version
- Unique Device ID (UDID)
- Wi-Fi Address
If we have a lockdown certificate there is some more information that we can recover by using the AFC protocol. In particular:
- Device information
  - IMEI (for devices with telephony capability)
  - Bluetooth Address
  - Date and time
  - Battery charge level
  - Total NAND memory size
  - Empty space size
- Backup configuration
  - Local vs. iCloud
  - For a local backup we can verify whether it is password protected
  - Last backup date
- Installed application list
- Application distribution on the Springboard
- Files contained inside applications that use iTunes File Sharing. During our test we were able to successfully recover files from:
  - Adobe Reader
  - File App
  - Office Plus
  - Smart Office
  - USB Disk
- iBooks folder, containing all the books (both ePub and PDF) saved by the user in the application
- Downloads folder, containing downloaded files or, in some cases, application updates
- iTunes_Control folder
  - iTunes subfolder, containing the iDevice iTunes library list
  - Music subfolder, containing audio files loaded into the iTunes library. Files that were originally loaded into iTunes from a PC/Mac are also available
- Videos loaded onto the device from a PC/Mac
In our test we were able to obtain file name lists from:
- Unlocked device
  - You can always create a local backup
  - If the user has previously set a backup password you need to crack it
- Locked device
  - Turned on and with lockdown certificate
    - You can create a local backup
    - The same problem as the previous case applies if the user has previously set a backup password
    - Be sure that the device keeps charging during the backup process
  - Turned off and with lockdown certificate
    - Use the AFC protocol and recover as much information as you can, as explained in this article
  - Turned on/off without a lockdown certificate
    - Only device information (name, UDID, etc.)
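The decision tree above, turned into a triage script with the open-source libimobiledevice command-line tools. This is an added example, not code from the original post or from the authors' book; it assumes ideviceinfo, idevice_id, idevicepair, idevicedate, ideviceinstaller and ifuse are installed on the examiner's machine and that the pairing record (the lockdown certificate) recovered from the owner's computer has been copied into the libimobiledevice lockdown directory. The lockdown domains and keys used are those read by the libimobiledevice tools themselves; where a locked device refuses a query the script prints "n/a" instead of failing.

```shell
#!/bin/sh
# Added example (not from the original post): iOS 8 triage over USB with libimobiledevice.

# Which acquisition path the summary above allows.
# $1 = unlocked|locked, $2 = on|off, $3 = pairing|nopairing
acquisition_path() {
    case "$1/$2/$3" in
        unlocked/*/*)       echo backup ;;            # a local backup is always possible
        locked/on/pairing)  echo backup ;;            # unlocked at least once since boot
        locked/off/pairing) echo afc_only ;;          # lockdown/AFC information only
        */*/nopairing)      echo device_info_only ;;  # name, UDID, etc.
        *)                  echo unknown ;;
    esac
}

# Read one lockdown value ($1 = key, $2 = optional domain); "n/a" when refused.
lockdown_value() {
    if [ -n "${2:-}" ]; then ideviceinfo -q "$2" -k "$1" 2>/dev/null || echo n/a
    else ideviceinfo -k "$1" 2>/dev/null || echo n/a; fi
}

# Information reachable without a pairing record.
device_info() {
    for k in DeviceClass DeviceName DeviceColor HardwareModel ProductVersion UniqueDeviceID WiFiAddress; do
        printf '%s: %s\n' "$k" "$(lockdown_value "$k")"
    done
}

# Additional information reachable with a valid pairing record (lockdown certificate).
afc_info() {
    printf 'IMEI: %s\n' "$(lockdown_value InternationalMobileEquipmentIdentity)"
    printf 'BluetoothAddress: %s\n' "$(lockdown_value BluetoothAddress)"
    printf 'DeviceDate: %s\n' "$(idevicedate 2>/dev/null || echo n/a)"
    printf 'BatteryCurrentCapacity: %s\n' "$(lockdown_value BatteryCurrentCapacity com.apple.mobile.battery)"
    printf 'TotalDiskCapacity: %s\n' "$(lockdown_value TotalDiskCapacity com.apple.disk_usage)"
    printf 'TotalDataAvailable: %s\n' "$(lockdown_value TotalDataAvailable com.apple.disk_usage)"
    printf 'BackupPasswordSet(WillEncrypt): %s\n' "$(lockdown_value WillEncrypt com.apple.mobile.backup)"
    printf 'CloudBackupEnabled: %s\n' "$(lockdown_value CloudBackupEnabled com.apple.mobile.backup)"
    echo '--- installed applications ---'; ideviceinstaller -l 2>/dev/null || echo n/a
    echo '--- applications with iTunes File Sharing (mount with: ifuse --documents APPID DIR) ---'
    ifuse --list-apps 2>/dev/null || echo n/a
}

# Run the triage only when a device is attached; otherwise only the functions are defined.
if command -v idevice_id >/dev/null 2>&1 && [ -n "$(idevice_id -l 2>/dev/null)" ]; then
    device_info
    idevicepair validate >/dev/null 2>&1 && afc_info
fi
```

On a turned-off device this script only covers the "afc_only" and "device_info_only" branches; the backup branches are taken with `idevicebackup2 backup --full DIR` once the device can be backed up.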
For more information on this topic we suggest our book "Learning iOS Forensics", published by PacktPub in March 2015 and authored by Mattia Epifani and Pasquale Stirparo.