To demonstrate this method, we will use Elcomsoft's iPhone Password Breaker. This software enables forensic access to password-protected backups for iPhone and iPad devices. It recovers the plain-text password that protects encrypted backup files. It can also read and decrypt keychains for devices running iOS version 4.

A device is not needed to use this software; only the encrypted backup files (specifically “Manifest.plist”) are used. When the software is run, the main screen is displayed as in Figure 5.4. When the user clicks “open,” a list of backed up devices is displayed. As we are looking for the encrypted backup file, we would select the device with a lock shown next to it (in Figure 5.5, this is the “3GS-4.0” device).

Next, we did a brute-force attack and selected only five characters and all numerics (see next section for specific testing done on the various brute-force attacks). The four-digit passcode was revealed in less than 1 second and displayed within the main screen of the software (see Figure 5.6).

Another feature of this software is its ability to display passwords or other data that is typically encrypted within the iPhone's keychain database. To view this information, select File > Keychain Explorer from the main menu; then select the encrypted backup once again. The contents of the keychain file are immediately displayed on the screen (Figure 5.7) and can even be exported into a text file:

Using Keychain Explorer, user names and passwords were recovered for wireless access points as well as the voice-mail passcode used on the device. Also recovered, but not displayed in the screenshot, were e-mail accounts and passwords as well as user names and passwords for any applications using Apple's keychain database as a back end.

iTunes began supporting encrypted backups ever since the release of version 8.1. The user has the option to enter a password to protect the backup file. For this test, multiple encrypted backup files were created with varying password lengths. There is currently no software available that will read an encrypted backup, so other methods were utilized in order to crack the encryption passcode. ElcomSoft's iPhone Password Breaker can recover the plain-text password by decrypting the Manifest.plist file discussed earlier. With the development of iOS 4, Apple has set hardware level encryption. Once a user creates a passcode on the device, he or she has the option to check the “Data protection is enabled” option as mentioned earlier in Chapter 2.

The iPhone Password Breaker supports all models and iOS versions, so the enhanced encryption feature is not an issue in cracking the backup passcode. Table 5.1 outlines the various tests run on the backup file using this software, given the following hardware specifications of the system:

Each password in the “Numbers only” row started with a “1.” This is important because the brute-force attack used within this software systematically checks all possible characters until the correct one is found, starting with the earliest. For example, with a four-digit, all numeric PIN, the attack will start with the number 1, then gradually go up to 9 until the correct number is found. The “expected time remaining” that is shown in the software is assumed to be the longest amount of time expected. For example, using the combination of “all numbers” and a character length of eight, the software reported an expected remaining time of 20 minutes. However, the time was significantly decreased to 5½ minutes, most likely because the password started with a 1.

In the “Alphanumeric” row, with the number of characters being four and five, the software was able to successfully crack the password in a small amount of time. The remaining columns will show an estimated time, as we did not allow the software to run for that long.

In testing, it was noticed that the possibility of an individual instinctively using the iPhone's four-digit PIN code as their backup encryption password is likely. Some individuals might think they need to enter their iPhone PIN instead of creating a brand new password. As you can see in the chart, a numeric, four-digit passcode can be cracked in a very small amount of time.

One of the first steps for any iPhone acquisition is to locate both the model of the device as well as the running iOS version. This is an important step because many of the commercially available tools only support certain firmware versions. In addition, when using Zdziarski's method, a different set of automated tools is used for each unique model and firmware version combination. For these reasons, it is important to understand what is running on the device.

The model number is easy, as it is displayed on the back of the device. The firmware version can be complex, especially if the device is passcode-protected. If the examiner can access the device (in other words, it is powered on and unlocked), the firmware version can be found under Settings > General > About > Version. In the event that the phone is turned off or it cannot be accessed because it is locked with a passcode, an alternative method must be performed.

iRecovery, which was mentioned earlier in Chapter 2, can be run on the device in order to locate the firmware version. To do this, the device should be placed in Recovery mode (see Chapter 2) and connected to a forensic workstation. Using a terminal window, the examiner will need to change into the directory in which iRecovery was installed. In the example that will follow, iRecovery was located in the Applications directory on a Mac. Next, the iRecovery command was used to identify the iBoot version running on the device. The “-s” flag following the command spawns a shell, displaying general information.

From the output of iRecovery, the “BUILD_TAG” version can be accessed. In this example, it was iBoot-636.66.33. This is Apple's stage 2 bootloader and, if you recall from Chapter 2, it is this that runs Recovery mode on Apple devices. The iBoot version can be translated to its appropriate firmware version by searching various websites. The iPhone Wiki typically does a decent job of providing the iBoot revisions and their corresponding firmware version. As the links continually change, a direct link is not provided here; however, going to http://theiphonewiki.com and searching for “bootloader” or “iBoot versions” will typically provide the necessary results. In this example, iBoot-636.66.33 is known to run iOS version 3.1.3.

If a device is not found, the iRecovery output will display that information accordingly and report “No iPhone/iPod found.”

Most, if not all, forensic acquisition tools rely on iTunes. Therefore, once the firmware version of the device is known, a version of iTunes that supports that iOS version must be installed. If iTunes version 8.2 is installed, and the particular iOS version required is 9.1 or higher, the computer will not recognize that an Apple device is connected and the acquisition will fail.

The question you might be asking yourself is, “Okay, so which iTunes version do I need for each iPhone or iPad firmware version available?” As with many aspects of mobile forensics, the answer is not always a direct one. However, Table 5.2 provides guidelines that suggest the iTunes version that may be required for the particular device that an examiner might wish to acquire. These suggestions are based on the iTunes versions required by each of Zdziarski's Automated Tools. For a few of Zdziarski's Automated tools, multiple iTunes versions are required; however, if using another commercial tool, it is suggested that the version listed first be installed. If the acquisition process is unsuccessful even after the suggested iTunes version has been installed, it might be worthwhile to either upgrade or downgrade to another version as the computer is evidently not recognizing the connected Apple device. Most of the commercial tools will display an iTunes error, and technical support can help an examiner determine which iTunes version is required.

Once the iTunes version is determined, it needs to be installed. If you need to upgrade to a higher version, a standard install will be sufficient. This will automatically replace the older version with the newer install. If a lower version of iTunes is required than the version currently installed, iTunes will first need to be uninstalled, including the removal of the iTunes helper files. To ensure that all iTunes artifacts are uninstalled from the machine, the following commands can be run in a terminal window:

Once the above commands are run, try to open iTunes in order to make sure that the software was successfully removed (a “?” should appear over the iTunes icon on a Macintosh computer, as there is no longer a linked reference to the software). Next, install the iTunes version that you wish to have running by following the installation wizard. When the installation is complete, the forensic workstation will have to be restarted in order to complete the downgrade. If the machine is not restarted, the acquisition will likely not work.

The first step is to connect the iPhone to the computer via a USB cable. If iTunes is automatically launched when the device is connected, be sure to exit the software before proceeding to the next step. Prior to running the script, the iPhone will need to be put in either Recovery or DFU mode, depending on the firmware version. Most versions will require the device to be in DFU mode, but specific instructions provided with the tool will specify this information, as does the output after running each script.

Some of the more recently developed Automated Tools require the use of Linux. The tools for these specific devices are developed to be used only on a Linux workstation (or virtual machine, VM) and do not require the use of iTunes.

Prior to running the first scripts, a setup process that downloads the files needed must be completed in order to complete the acquisition process successfully. To ensure you are using the most up-to-date files, it is a good idea to run the setup process prior to each acquisition.

When the setup is complete, a message will indicate that the first script can now be run. The examiner will also be informed about the next step as well as the operating mode the device needs to be in.

The first of three scripts that are required for the imaging process installs a recovery agent onto the device. On most occasions, the phone will need to be in DFU mode for this step; however, there are exceptions for certain models (i.e., the iPhone 3GS running firmware version 3.1.3 as well as the iPad running 3.2.2). These two devices need to be in Recovery mode for the first step. Refer to Chapter 2 for details on how to boot a device into DFU or Recovery mode.

Shortly after running the script, the user will be prompted on-screen to disconnect and reconnect the device from the USB. The examiner will then see additional packets being sent over the USB connection, and when complete, the next step can be completed.

After the device is rebooted, the second script in this process can be run. When executed, the live recovery agent that was installed with the previous command will now become active. Once again, the examiner will need to place the device in the specified operating mode, disconnect and reconnect the device from USB, and follow the on-screen instructions. Once the script has been executed, it should inform the examiner whether the operation was successfully completed, and then the iRecovery tool is initiated to restart the device. Upon restart, the agent should be active.

Now that the recovery agent has been installed and activated, and the iPhone or iPad has been rebooted into normal mode, it is time to initiate the actual recovery. Prior to October 2010, Zdziarski's Automated Tools contained the setup script within each individual folder (as mentioned in the first step). With the updates released in the third quarter of 2010, some restructuring was done, preventing the module from requiring a setup process. As part of these updates, “usbmux-proxy,” which is proprietary for iTunes, is replaced with the open-source version, “usbmuxd.” Usbmuxd stands for “USB multiplexing daemon” and it is what allows for communication to the device over USB (Martin, 2011). By replacing usbmux-proxy with the open-source version, Zdziarski is preventing the need for iTunes to be installed in order to successfully run an acquisition. The intention of providing this replacement was so that iTunes versioning would no longer be an issue in imaging an iPhone or iPad device. Because these updated tools are still in their infancy, at times iTunes is still needed for some modules; however, certain devices (such as the iPad running iOS 3.2.2) have been acquired successfully on a Linux machine with no installation of iTunes.

To begin the final acquisition process, the provided recovery script must be used to initiate a physical acquisition of the raw disk image on the device. An image file is created on the forensic workstation, which will continue to slowly grow in size if the process is successful. If the file remains as 0 bytes, it is possible that either the live recovery agent was not installed correctly or not activated properly. Troubleshooting steps would include checking the iTunes version to ensure the workstation was even recognizing that a device was connected. Next, the three scripts are walked through again (after rebooting the device), keeping an eye on the output from the script to ensure that there are no errors during the installation or activation process.

Assuming the device is imaging as expected, do not interrupt the process until it is complete. You will know that the acquisition is finished when the “Cannot connect to usbmux” message appears within the terminal window.

Once the acquisition is complete, several commands will need to be executed from a separate terminal window in order to properly stop the running processes, as specified in Zdziarski's instructions within the Automated Tools.

Next, the image should be renamed to a case name, number, or other unique identifier. If the image is mounted on a Mac, the extension will also need to be changed to “.dmg”. If prompted when the extension is changed, just click “Use dmg,” as shown in Figure 5.8.

After modifying the file name, no other changes need to be made to the image file; therefore, it can be marked as read-only. On a Mac, right-click on the file and select “Get Info” (or on the keyboard, hold down “command+i”). This will bring up the properties of the file, and from here the “Locked” check box should be selected, as displayed in Figure 5.9.

Once the image file is locked, it is suggested that the examiner calculate a hash value for the image and document this information in a report. This process can be done through a Terminal window using the following command:

For either of these commands, the output will be displayed within the Terminal window. If an examiner wishes to copy the hash value directly to a text file, the following can be run to redirect the output:

The image is now ready to be mounted and analyzed.

First, the iPhone should be connected to the forensic workstation using a USB cable. In the testing done in Chapter 7, a VM was used that required extra steps to ensure that the iPhone was being seen by the VM rather than the host machine. Once the device is connected and the acquisition process initiated, the examiner is prompted to place the device in DFU mode with the help of a timer in the upper right-hand corner of the software. Next, the wizard walks the examiner through the installation of device drivers.

Moving forward in the process, the next step instructs the user that the Stage 1 bootloader is being sent to the device. The new hardware must first be verified, and then the process repeated for Stage 2 and Stage 3 bootloaders. These preparation steps lead to the start of the actual physical acquisition of the device.

The user is prompted to select the iPhone model that he or she wishes to acquire; then, after selecting the “Forensic Image” option (as opposed to a logical download), the imaging process begins.

Once the imaging is complete, the examiner is left with a dmg file, which can be mounted and analyzed. Similar to the steps taken for Zdziarski's method, this file should first be marked as read-only and a hash value calculated prior to any type of examination.

Prior to accessing the device in any way, a wireless network must be created (or an existing network used) in order to allow the forensic workstation to remotely connect to the device. For this procedure, a Mac OS X system will be used. While an existing network can also be used, let us go through the steps of creating a separate network for this scenario.

On a Mac, a new wireless network can be created through the system's Network Preferences. For this example, the network was named “iPhone-Book” as shown in Figure 5.10.

Next, a static IP address must be set for both the Mac and the iPhone. To set on a Mac, run the following command in a terminal window:

When running a command beginning with “sudo,” the examiner will be prompted to enter the administrator password.

To set the static IP address on the iPhone, navigate to Settings > Wi-Fi, then connect to the newly created network (iPhone-book). Once connected, the user will need to select the right arrow for that network, then “Static” and enter 192.168.0.2 with a netmask of 255.255.255.0 (see Figure 5.11). Once complete, the user selects “Wi-Fi Networks” in the upper left-hand corner to save these settings.

Now that both the Mac and the iPhone are on the same subnet, the two devices should be able to communicate with each other and are ready for the next step.

The examiner can now connect remotely to the device over SSH. On most jailbroken phones, the user name is “root” and the password is “alpine” by default; however, some research will need to be done on the examiner's part to ensure that this is true for the jailbroken device he or she is working with.

Run the following command on the Mac in order to connect to the iPhone:

If this is not successful, it is most likely because SSH is not installed on the device. As part of the jailbreaking process, most users will take the time to install the source packages suggested by the jailbreaking site that instructed them on how to gain root access on the device. However, some users may not complete this step. If SSH is not installed, the examiner will need to do some research on how to manage the Cydia sources on the device (or whatever was used to jailbreak the device, if not Cydia) and install “OpenSSH.”

Once connected to the device, let us make sure that we have the necessary files before beginning the imaging process. To do this, we need to make sure both “dd” and “netcat” are installed on the device by running the following commands from the iPhone:

Typically, if the “which” command is run and the software is installed, the output will display the path to the source file. Since there was no path shown, we can assume that dd and netcat are not yet on the device. We can copy these tools to the iPhone from the Mac. First, we will need to find where these tools are stored on the Mac, and then run the “scp” command to copy the files.

Those last two commands used “scp” (or “Secure Copy”) to transfer the nc and dd tools from the forensic workstation to the iPhone, and stored these tools in the /bin folder on the root of the device. Now, let us SSH back into the iPhone to make sure these files are where they should be:

Now that all of the necessary tools are installed, the imaging process can begin.

Using this technique, imaging is done over a program called netcat. Netcat creates a tunnel that allows two devices to communicate and transfer files back and forth over a specified port. One end of the tunnel must be set up on the forensic workstation and the other end configured on the iPhone. This process, as well as imaging the raw disk, is all done within two commands (one on the Mac and one on the iPhone).

The first step is to run netcat on the Mac using the following command:

This command tells netcat to “listen” on port 7000 and to create the output file “rdisk0s2.dmg” on the desktop, based on the input from the other end of the tunnel (which is yet to be initiated). Upon hitting enter, it will appear as though nothing is happening; however, the Mac is waiting for the other end of the connection.

Next, let us take a look at the raw disk files on the iPhone to determine which one to create an image of:

These files were discussed in the “iPhone Disk Partitions” section of Chapter 3. As a recap, rdisk0 is the entire raw disk (including all partitions). Rdisk0s1 is the firmware partition, and rdisk0s2 is the user data partition (rdisk0s2s1 is unique to the 3GS device). So, when the dd command is initiated, we will want to acquire rdisk0s2 to get a full image of the user data partition.

To begin the acquisition, the following command should be run from the iPhone, which has been connected to over SSH:

Let us break down this command to gain a better understanding:

To summarize, we initiated the dd command to image the “rdisk0s2” file, took that output, and sent it through a netcat tunnel, which is connected to our forensic workstation. As soon as this command is run, we should see the “rdisk0s2.dmg” file created on the desktop of the Mac and it should be increasing in size (see Figure 5.12).

Once the imaging process is complete (it will likely take several hours to acquire depending on the size of the device), the image file can be marked as read-only, mounted, hash value calculated, and analyzed.