Oh no! I have a wiped iPhone, now what?

By -

One of the most common questions I got asked during presentations and conferences is: "During a search and seizure we found a wiped iPhone, what can we do next?"


First and foremost: you cannot recover data stored on the device before wiping occurred.
The encryption keys you need to decrypt the data are gone forever.
Full stop :)

If you are aware of any method, technique, tool or magic box that can do that, please let me know :)

You have three options to recover data:

  • Data stored on computer(s) (Windows or Mac)
    • On Windows you can search for
      • Lockdown certificates
        • C:\ProgramData\Apple\Lockdown
      • iOS Backups 
        • C:\Users\<username>\AppData\Roaming\Apple Computer\MobileSync\Backup
        • C:\Users\<username>\Apple\MobileSync\Backup
      • Synced CrashLogs
        • C:\Users\<username>\AppData\Roaming\Apple Computer\Logs\CrashReporter\MobileDevice
      • MediaStream
        • C:\Users\<username>\AppData\Roaming\Apple Computer\MediaStream\
      • iPodDevices.xml
        • C:\Users\<username>\AppData\Local\Apple Computer\iTunes\iPodDevices.xml
  • Data stored on iCloud
    • iCloud backup
    • Synced data (e.g. Contacts, Photos, Messages, and so on)
    • Keychain
  • Data stored on synced devices:
    • iPad
    • Apple Watch
    • Apple TV
    • Apple HomePod
In the past, I took some presentations and wrote articles on synced iOS devices. 
Here some references:
Over the last couple of days, I tried answering those question:
  • Is there any general method that I can use to extract some data from an iOS device in a reset state ("Hello" screen), before setting it up?
  • Which kind of information can I recover?
By connecting the device to a computer and by using various tools, you can extract basic device information, including:
  • Product Type
  • Sales Model
  • Model Number
  • IMEI
  • Serial Number
  • ECID
  • iOS Version
  • CPU
  • Charge Times
  • Battery Life
  • Bluetooth Address
  • Wi-Fi Address
  • Cellular Address
  • Disk size
  • Disk Usage information
If the device is checkm8-vulnerable, you can try to obtain a full file system by using a forensic tool or checkra1n.

More in general, also with a non-checkm8-vulnerable device, while the device is in the "Hello" screen, you can start the generation of a "sysdiagnose" with the physical button combination (hold the two volume buttons and the side button for 1-1.5 seconds).

I wrote the paper "Using Apple Bug Reporting for forensic purposes" with Heather Mahalik and Adrian Leong, also covering sysdiagnose.

The generated sysdiagnose file can be extracted by using any tool able to extract crash logs. 

In picture, you can see crash logs and the sysdiagnose file extracted with idevicecrashreporter.


In the specific context of a wiped device, the most interesting files to analyze are:
  • \logs\MobileInstallation\mobile_installation.log.0 (or mobile_installation.log.1): specifically search for the string "Did not find last build info; we must be upgrading from pre-8.0 or this is an erase install.".

    The associated timestamp, in Pacific Timezone (Cupertino) corresponds to the time of wiping
  • \logs\MobileLockdown\lockdown.log: specifically search for the string "_load_dict: Failed to load /private/var/root/Library/Lockdown/data_ark.plist.".

    The associated timestamp, in Pacific Timezone (Cupertino) corresponds to the time of wiping
  • \logs\MobileLockdown\lockdown.log: specifically search for the string "_load_dict: Failed to load /private/var/root/Library/Lockdown/data_ark.plist.".

    The associated timestamp, in Pacific Timezone (Cupertino) corresponds to the time of wiping
  • \logs\MobileContainerManager\containermanagerd.log.0: specifically search for the string "containermanagerd performing first boot initialization".

    The associated timestamp, in Pacific Timezone (Cupertino) corresponds to the time of wiping
  • \logs\powerlogs\powerlog_YYY-MM-HH_MM_SS_XXXXXXXX.PLSQL, that has the internal structure of a PowerLog file (just rename it as CurrentPowerLog.PLSQL). It can contain, for example, information about Battery Level and so discover if and when the device was on charge
  • \WiFi\wifi_scan_cache.txt: containing Wi-Fi networks "seen" by the device. It includes SSID and BSSID.
In conclusion, you cannot recover user data, but you can at least understand precisely when the device was wiped and what happened on it before you generate the sysdiagnose. If you are lucky enough you could find SSID and BSSID in the WiFi cache.

Comments

Post a Comment

Popular posts from this blog

Huawei backup decryptor

By -
When doing Mobile Forensics the first and usually the hardest step is to get access to user's data . It depends on the case type, but the so called physical  acquisition is the analyst object of desire. The reason is simple: iOS and Android native backups, respectively adb  and iTunes , contain a subset of user data, because they respect the various apps configurations where they can specify " you can't include me in backups ". Which leads to inconsistent situations like, for example, having WhatsApp data in iTunes backups and not having it in Android adb backups. Not considering WhatsApp, the majority of apps in iOS and Android do not allow their data to be included in backups . In the scenario where  device is unlocked or the lock  code is known (the only scenario considered in this post), the analyst could use the device itself to make the analysis of the installed applications. Anyone who did that at least once knows how uncomfortable is this approach. Al
Keep reading

iOS 15 Image Forensics Analysis and Tools Comparison - Processing details and general device information

By -
Image
As explained in the first blog post, I would like to start discussing the acquisition and processing details. The acquisition was done by Josh Hickman using the Cellebrite Premium tool and the result is a Full File System capture in the traditional file format created by UFED. If you open the file EXTRACTION _FFS.zip ZIP you will see that UFED organizes the extracted full file system into 5 subfolders; filesystem1 : extraction of system partition, without the mount point “/private/var/mobile/” (“user data") filesystem2: extraction of the mount point for user data (“/private/var/mobile”) metadata1: metadata for files stored in “filesystem1” metadata1: metadata for files stored in “filesystem2” extra: iOS Keychain As always, when an acquisition is made with UFED, the ZIP file is accompanied by a UFD file that contains all the details of the acquisition process. UFED PA can load an acquisition created with UFED 4PC/Premium by simply loading the UFD file into PA GUI. The user has just
Keep reading

A first look at Android 14 forensics

By -
Android 14 was released to the public by the Open Handset Alliance on October 4, 2023, and is now available on various smartphones, including the Google Pixel. This blog post aims to explore a list of the majr oartifacts you can find on this version of the Android OS.  For testing and review, I set up a Google Pixel 7A and used it for about a month, with a SIM card and various native and third-party apps installed. The blog post is organized by sections: Device information and general settings User accounts Information on Cellular, Wi-Fi, and Bluetooth connections Native Android applications Google applications Analysis of the use of native and third-party applications Other relevant information As always, I'll try to update this blog post as I test and research. Device information and general settings build.prop TXT format Stored in the root directory of the system partition  Among other things, it contains the device manufacturer, the device model, the operating system version, a
Keep reading