Mobile devices present a unique set of challenges compared to desktop computers when approaching the data acquisition phase. While in the world of desktop computers there is a consolidated workflow that allows an investigator to carry out a so-called forensically sound acquisition, when we're dealing with mobile devices there is no single, one-size-fits-all procedure that can be adapted to each and every device. This becomes even more evident when we are dealing with iOS devices, as the variety of models and different versions of iOS implies that the procedure to be carried out to achieve a satisfactory acquisition will be different, depending on the device itself. Often, a particular tool, exploit, or vendor solution will stop working if the device is updated to a new iOS release. This is the case for most jailbreaks that rely on publicly disclosed vulnerabilities that are subsequently patched by Apple. A further challenge is represented by the possibility of dealing with locked devices; in this case, the chances of extracting useful information from the device are much more limited.
For these reasons, data acquisition is arguably the most challenging aspect of the iOS forensic workflow. In this chapter, therefore, we will discuss various solutions, starting by distinguishing the different types of acquisition methods and their limits. We will then move on to the practical phase, in which we will learn how to perform a logical, a filesystem, and a physical acquisition of an iOS device.
In this chapter, we will cover the following topics:
In the first chapter, we briefly discussed acquisition methods and the difference between a logical, filesystem, and physical extraction. We will now be building on that foundation and diving deep into more advanced topics to gain a full understanding of how they work and what kind of data we can expect from each of these acquisition methods.
A logical acquisition is usually the easiest and fastest way to extract the most common types of evidence from an iOS device. If the device is unlocked or if you have the passcode, you will certainly be able to perform a logical acquisition, as all iOS devices support it; based on the Apple File Connection (AFC) protocol, this acquisition is essentially equivalent to running a local (iTunes) backup, and some forensic tools will actually rely on Apple's libraries and iTunes capabilities to extract data from the device.
A logical acquisition can be performed using free software like iTunes, third-party libraries such as libimobiledevice, or by using forensic software. In the following sections of this chapter, we will use three of the most popular digital forensics tools to perform a logical acquisition: Cellebrite UFED, Elcomsoft iOS Forensic Toolkit, and Magnet ACQUIRE.
As we've learned from the previous chapter, the main limitation in a logical acquisition is the depth and quality of the data that is extracted; although it will include most user-generated content, such as text messages, call logs, photos, and notes, it will not include other precious artifacts, such as emails, location data, third-party apps, and precise system logs. The key point to understand here is that both Apple and iOS developers can restrict logical extractions by deciding which files will be included in a backup and which files will not be backed up. For instance, many popular applications, such as Twitter, Facebook, Instagram, Telegram, or Signal, do not include their files in a local backup, so these artifacts will not be available through a logical acquisition.
To make things even more complicated, with the release of iOS 4, Apple introduced a feature that enables the user to encrypt local backups using a password. This setting can be activated by using iTunes and, once enabled, all subsequent backups will be automatically encrypted using the provided password. In other words, if I decide to enable backup encryption, the next time I attempt a local backup on any computer, the password will be required to read the backup files. Clearly, this poses a problem for the forensic investigator on several fronts; if backup encryption is enabled and the password is unknown, data extracted from a logical acquisition will be useless, as it won't be possible to decrypt it. Some forensic tools, such as Elcomsoft Phone Breaker, allow investigators to attack the encrypted backup by brute-forcing the password; however, this does not guarantee that the password will be effectively recovered, and brute-force attacks usually take quite a long time.
There is, however, another option. Since iOS 11, Apple introduced the possibility of removing the password used to encrypt local backups directly from the device.
Here's the caveat: although this solution works perfectly, it does not only remove the encryption password but also resets all the device's settings. Clearly, this will have an effect on some of the files stored in the device, but it may be your only option if you don't have access to the backup password.
Here's how to reset the local backup encryption password:
By following this procedure, you will not lose any user data or other passwords, but it will reset general device settings, such as wallpaper, display settings, and so on. This will, of course, cause some changes to system files and databases; for this reason, if you're dealing with a device in a criminal case, be sure you understand the consequences of making changes to the original device and make sure you have the legal authority to perform this kind of operation.
Tip
It's important to note that, since iOS 13, if the user decides to encrypt a local backup, a lot more data will be included, including some data from Keychain, calls, health data, Safari history, and so on. When performing a logical acquisition, most forensic tools check whether backup encryption is enabled, and if it's not, it is temporarily enabled to acquire the biggest amount of data and then disabled again when the acquisition process finishes. Keep this in mind – if you don't encrypt backups before performing a logical acquisition, you will miss crucial evidence!
To have a better understanding of what artifacts you can expect to find in a logical extraction, take a look at the following screenshot taken from Cellebrite Physical Analyzer, which shows what data was acquired from an iOS device through a logical acquisition:
The main reason why you would want to perform a logical acquisition is when working with newer devices, because they are generally supported following the release of an iOS update, so you won't have to wait too long to start collecting evidence; however, as we've already discussed, many items will not be included in a logical acquisition.
In comparison with a standard logical extraction, a full filesystem extraction or a physical extraction gives investigators access to a lot more user data on iOS devices, including full access to Keychain, which will also include encryption keys that can be used to decrypt data from secure apps, such as Signal, Wickr, Snapchat, or Facebook.
By acquiring the full filesystem, investigators will also gain access to many of the system artifacts, such as the complete history of events that occurred on the device (locked/unlocked states, user interaction, installed applications, AirDrop, Bluetooth, camera, and airplane mode history). Also, a lot more geodata will be available from a full filesystem acquisition, including artifacts from cell towers, Wi-Fi connections, and GPS locations with the corresponding geo-coordinates and timestamps.
The following screenshots show the differences between a logical acquisition and a full filesystem acquisition from the same device; the full filesystem extraction, on the right, contains a lot more data:
By now, you should have a clear understanding of the benefits and limits of a logical acquisition and why it may not be sufficient to gather the required evidence. We will learn how to perform a logical acquisition later on, but before that, let's take a look at how we can extract the device filesystem by performing a physical or full filesystem acquisition.
In the first chapter, we briefly introduced physical acquisitions and learned how a physical extraction will contain the biggest amount of evidence from a device, including data present in unallocated space on the disk that can be used to recover deleted artifacts.
A physical acquisition can be defined as a bit-per-bit copy of the device's flash memory. Clearly, this is the best of all worlds for a forensic examiner, but it isn't always possible; since data on an iOS device is encrypted, using traditional techniques such as imaging the physical volume would result in the acquisition of encrypted data, which would be completely useless. We've already seen how Apple manages security by protecting encryption keys within the Secure Enclave, so starting with the iPhone 5s, there is no way of obtaining a physical extraction of the device.
At the time of writing, the latest device that allows a physical acquisition to be performed is the iPhone 5c, a device released almost eight years ago. It's safe to say that, at present, it's highly unlikely that an investigator will run into one of these devices; nevertheless, a physical acquisition can be carried out by using the Elcomsoft iOS Forensic Toolkit.
A full filesystem acquisition provides a logical representation of all files on an iOS device, and this is a great compromise between a logical acquisition and a physical one. All the data we previously saw in a logical extraction is still obtained during a filesystem acquisition, but the examiner is also granted access to raw files stored within the device. This allows investigators to access, for example, databases of all third-party applications without restrictions, and recovery of deleted artifacts can also be attempted.
Although there are many tools that allow you to perform this kind of acquisition, Apple restricts direct access to the device's filesystem, so you will have to find a workaround to gain full access to the device before a full filesystem acquisition can be performed.
So, you may be wondering – how do I access the device filesystem? Is a jailbreak required? Although jailbreaking is one of the available options, it is not the only one.
At the time of writing, there are three different solutions to gain access to the device's filesystem:
The publication of the Checkm8 vulnerability in 2019 by the hacker @axi0mX, which is based on an unpatchable vulnerability present in the BootROM of millions of iOS devices, is arguably the biggest game changer ever in the forensics industry.
Checkm8 is compatible with A5 to A11-based devices; this includes all devices starting from the iPhone 5s up to the iPhone X, as there is no working implementation for 4S hardware.
Before we get into the details, it's useful to understand how the iOS boot procedure works and why the Checkm8 vulnerability cannot be patched.
The first layer of security in the iOS platform is the secure boot chain, which refers to the sequence of steps carried out by the application processor, starting with the loading of the BootROM and ending with the loading of the iOS. This ensures that attackers cannot run a modified operating system or malicious applications on the device. The boot process relies on a chain of trusts, which begins from the key that is embedded into hardware during manufacturing.
The boot process of an iOS device can be broken down into five steps: the BootROM, the Low-Level Bootloader (LLB), iBoot, the kernel bootloader, and the main operating system. iOS has a very strict process of booting the operating system, where each stage checks the authenticity of the following stage. This is achieved by digitally signing each step of the process. The steps are as follows:
The following diagram illustrates the entire process:
As you can see, the first step in the boot process is the execution of the code from the device's BootROM. This stage of the process is implicitly trusted because, as its name implies, the BootROM is a read-only memory component that cannot be modified after manufacturing by anyone, not even by Apple.
The Checkm8 exploit is based on a vulnerability that resides within this portion of read-only memory, so this means that Apple has no way of patching it, leaving hundreds of millions of iOS devices vulnerable. To have a better understanding of what a breakthrough this is, keep in mind that the previous BootROM exploit was discovered in 2010!
Tip
If you're interested in the technical details, you can find a full report on the Checkm8 vulnerability at the following link: https://habr.com/ru/company/dsec/blog/472762/.
Although Checkm8 allows developers to get around Apple's security and run low-level code on the device's BootROM, Checkm8 is not a jailbreak by itself, as it requires additional software that leverages the exploit to perform a fully fledged jailbreak.
checkra1n is the first publicly available jailbreak based on the Checkm8 vulnerability, and it's the result of the hard work carried out by hackers and security researchers from all over the world. Jailbreaking the device via checkra1n allows users to gain root permissions and install unofficial applications and repositories, such as Cydia.
Investigators that are dealing with a device that is vulnerable to Checkm8 have the possibility of jailbreaking the device through checkra1n, thus gaining access to the entire filesystem and successfully performing a full filesystem acquisition.
However, from a forensics perspective, checkra1n definitely has its drawbacks:
In light of these limitations, some vendors have come up with a built-in solution that allows investigators to perform a full filesystem acquisition, exploiting the Checkm8 vulnerability but without actually jailbreaking the device.
Currently, this feature is available in some of the most popular forensic tools, including Cellebrite UFED, Elcomsoft iOS Forensic Toolkit, and Oxygen Forensic Detective.
The difference between these solutions and performing a traditional jailbreak through checkra1n is that these tools do not modify the device in any way; the exploit is performed in the device's RAM. Once the acquisition process ends, the device will reboot normally, leaving no traces.
Whenever possible, this should be the preferred method to acquire the full filesystem from an iOS device, as this is definitely the most forensically sound solution.
The main drawback in Checkm8 acquisitions is that they're not supported by newer devices like the iPhone 12 or the iPhone 13, as these devices are not vulnerable to the Checkm8 exploit.
In 2020, vendors responded to these limitations by providing an alternative method to extract the full filesystem from any iOS device, including the latest iPhone 12; this solution relies on installing an extraction agent that will exploit software vulnerabilities, gain access to the entire filesystem, and establish a secure connection between the device and the computer.
Although this method requires installing an application (the agent) on the device, this is considered forensically safe, as the agent leaves a drastically smaller footprint compared to other solutions, like jailbreaking the device. The only traces left on the device are some minor changes in system log files; however, because of this, depending on your jurisdiction, you may need authorization or legal authority to use this method.
The following is a list of requirements to use this method:
Currently, Elcomsoft iOS Forensic Toolkit and Belkasoft Evidence Center X are the only tools that provide agent-based extraction capabilities.
Finally, let's talk about jailbreaks! We've seen how it's possible to extract a full filesystem from an iOS device by exploiting the Checkm8 vulnerability or by performing an agent-based acquisition. However, as we've learned, both these methods have their limitations, and there could be some cases where jailbreaking the device is your only option to perform a filesystem acquisition.
Applying a jailbreak will leave some permanent traces on the device, so this option should only be considered as a last resort and only if you have the legal authority to do so.
At the moment, the most popular jailbreaks are checkra1n and unc0ver. Both these jailbreaks allow investigators to install third-party tools such as SSH, which will give unrestricted access to the device's filesystem.
In the following table, you can check the compatibility for both these jailbreaks:
Previously in this chapter, we introduced checkra1n and we learned about its features and limitations. We'll now take a deep dive and learn how to actually perform the jailbreak:
If your device runs iOS 14.6 or later, you will need to head into Options and then enable Allow Untested Versions:
When the device reboots, you will find the checkra1n icon. Launching that application will allow you to install Cydia. Once Cydia is installed, you can proceed to install any third-party packages, such as SSH.
Remember that checkra1n is a semi-tethered jailbreak; if you reboot the device, you will have to jailbreak it again using the checkra1n tool.
Once the device has been successfully jailbroken, you can perform a full filesystem acquisition using the tool of your choice.
When you're dealing with iOS devices, it's useful to gather some information directly from the device prior to starting the acquisition process. Knowing what iOS version is running on the device, for instance, can be useful to determine what the best acquisition method is. For this purpose, we're going to use libimobiledevice.
The libimobiledevice library is a cross-platform library that allows users to communicate with an iOS device using their native protocol to provide access to the device's filesystem, including information about the device and its internals. It works with all devices, including the most recent ones.
The first step is to head to http://libimobiledevice.org, where the library can be downloaded for free. If you're running Windows, instead of downloading the source files and compiling them, you can download precompiled binaries from the project's GitHub repository.
If you're running macOS, you can install the library simply by running the following command from the terminal:
brew install libimobiledevice
If you're running a Linux distribution that supports the apt packet manager, you can install the library by running the following command:
sudo apt-get install usbmuxd libimobiledevice6 libimobiledevice-utils
Once you have installed the library, connect the device to your forensic workstation and run the following command from the terminal:
ideviceinfo
This command will connect to the device, parse data relevant to the hardware and software, and display it on screen. Keep in mind that the device will have to be paired with the host system by entering the passcode. If you're running Linux or macOS, you can combine the previous command with the grep command to view some key data:
You can read the device model by running the following command:
ideviceinfo | grep ModelNumber
To identify what version of iOS the device is running, you can run the following command:
ideviceinfo | grep ProductVersion
The device's serial number can be parsed by running the following command:
ideviceinfo | grep SerialNumber
Finally, to identify the phone number related to the SIM card in the device, run the following command:
ideviceinfo | grep PhoneNumber
Once the device has been seized, it has been correctly isolated, and you have identified the hardware model and iOS version, the next step in the examination process is assessing what the best acquisition method is to extract the richest dataset from the device while preserving data integrity.
Generally speaking, you'll want to keep these two concepts in mind before performing any actions on the device:
The first step in any acquisition process is determining the volatility of the data of interest; for example, if the scope of the investigation is to extract photos from a device or parse text messages, clearly this doesn't pose any kind of concern because this data is written on the flash memory, it isn't volatile, and any acquisition method will extract these artifacts. However, if the investigation seeks to understand how the device was used, or if there was any human interaction on a particular date and time, or where the device was located a few days ago, these artifacts are much more volatile, as log files and databases on iOS devices are constantly overwritten. For instance, location data is generally maintained on the device for several weeks; however, precise location data, including cell tower data, is only maintained for a few days. In this case, we'll want to extract this kind of data as soon as possible before it gets overwritten. This means performing a full filesystem acquisition (if possible) before anything else, as logical acquisitions do not contain this data.
The investigator should have a clear understanding of how forensic tools work and what impact they have on data and on the device itself:
A logical acquisition will have virtually no impact on the device, so most often, this will be your first choice. If the device is vulnerable to Checkm8 and if you have tools that can perform this kind of acquisition, a Checkm8 acquisition will be the best option to gain access to the entire filesystem without making any changes to the device. If this is not an option, the next step would be considering an agent-based acquisition. Finally, as a last resort, jailbreaking the device will give the investigator access to the entire filesystem, but make sure you understand how this will affect the device and its data.
Now that we've learned the theory, it's time to put it into practice by performing our first logical acquisition.
Almost all forensic tools can perform a logical acquisition; we'll concentrate on two of the most popular ones, Cellebrite UFED and Elcomsoft iOS Forensic Toolkit.
Cellebrite UFED is considered the industry standard, as it allows investigators to perform a variety of different acquisitions, including a traditional logical acquisition, a partial filesystem, a full filesystem acquisition through Checkm8, and a full filesystem acquisition from devices that have been jailbroken.
Elcomsoft iOS Forensic Toolkit, on the other hand, can perform logical acquisitions, a full filesystem acquisition from jailbroken devices, full filesystem acquisitions through agent-based extractions, and it also supports physical acquisitions from older devices.
In this example, we'll acquire an iPhone 6 running iOS 12:
You can view the extracted data by loading the logical acquisition into a forensic tool, such as Belkasoft Evidence Center X, Elcomsoft Phone Viewer, or Cellebrite Physical Analyzer.
Another great tool to perform acquisitions from iOS devices is the forensic toolkit by Elcomsoft. This toolkit has been specially designed for iOS devices and offers some unique features, such as agent-based extractions. The steps for this are as follows:
At the end, the toolkit will give you a summary of the acquisition process. The extracted files can now be examined using the forensic tool of your choice.
We've seen how to perform logical acquisitions using two different tools. Keep in mind that there are a variety of different tools that can perform this kind of acquisition, including free tools. In the next section, we'll learn how to perform a full filesystem acquisition.
In the first part of this chapter, we learned that a full filesystem acquisition is generally the best way to extract the largest number of artifacts from an iOS device and that this acquisition can be carried out by jailbreaking the device, exploiting the Checkm8 vulnerability, or by performing an agent-based acquisition.
We'll now put this into practice by performing a Checkm8 full filesystem acquisition using Cellebrite UFED, which has a built-in Checkm8 solution. Then, we'll perform an agent-based acquisition using Elcomsoft iOS Forensic Toolkit.
Both acquisitions provide the same result: an image of the entire filesystem. Checkm8 acquisitions can be considered forensically sound and represent the best option, although newer devices are not compatible with this method. On the other hand, agent-based acquisitions require you to install an application on the device, which will make some minor changes to system log files, but this solution is compatible with newer devices, such as the iPhone 12.
Cellebrite UFED features a built-in solution to perform Checkm8 acquisitions, so the entire process is made extremely easy by simply following the onscreen instructions:
When the acquisition process ends, the device will automatically reboot normally. The resulting DAR archive can be analyzed by importing it into Cellebrite Physical Analyzer or the tool of your choice.
Elcomsoft iOS Forensic Toolkit is one of the few tools that supports agent-based acquisitions. As this method requires sideloading an application (the agent) onto the device, you'll need an Apple ID. On the Windows version, you'll need an Apple Developer ID, while on macOS, you can use a traditional account:
That concludes our filesystem acquisition!
Both Checkm8-based acquisitions and agent-based acquisitions are a complete breakthrough, as they allow forensically sound extractions of the entire filesystem, including all files related to third-party apps. As you've learned, a full filesystem will contain so much more data compared to a logical extraction. In the following chapters, we'll delve into these files and learn how to analyze them to gain meaningful evidence.
In this chapter, we learned the differences between acquisition methods and what kind of data we can expect to find in an iOS extraction. We learned how the Checkm8 exploit works, how this vulnerability can be used to gain access to a device's filesystem, and its limits. Then, we discussed agent-based acquisitions and learned what iOS versions support this acquisition.
Jailbreaks are a fascinating topic in the iOS world; we discussed two of the most popular ones, checkra1n and unc0ver, and their compatibility. Then, we learned how to jailbreak a device using checkra1n.
Finally, we learned how to perform a logical acquisition using Cellebrite UFED and Elcomsoft iOS Forensic Toolkit, and we approached two different options to perform a full filesystem acquisition.
Keep in mind that in this chapter, we focused on After First Unlock (AFU) acquisition methods, so it's imperative that the examiner has full access to the device. Over the course of the next chapters, we will look into Before First Unlock (BFU) acquisition methods to understand what kind of artifacts we can find in locked devices.
In the next chapter, we will discuss forensic tools, which ones are most popular, and how to use these to analyze extracted data.