iOS Forensic Toolkit 7.0 brings low-level extraction support for the latest generation of Apple devices. This includes the entire range of iPhone 12 models as well as all other devices capable of running iOS 14.0 to 14.3. Learn how to image the latest iPhone models without a jailbreak.

The latest update of iOS Forensic Toolkit enabled jailbreak-free, low-level extraction of A14 Bionic devices, which includes the entire iPhone 12 model range, running iOS versions 14.0 through 14.3. In addition, the toolkit can image other iPhone and iPad models running the same versions of iOS (iPhone 6s/SE models and newer). As a result, the tool delivers complete, zero-gap coverage of iPhone devices without a jailbreak from iOS 9 onwards, up to and including iOS 14.3 on supported devices. With this exclusive jailbreak-free coverage, experts will be able to image all iPhone models based on a 64-bit SoC (iPhone 5s through iPhone 12).

Speaking of iOS devices, there are several extraction methods of varying quality and applicability.

The most universal and most compatible extraction method is logical acquisition, which is based on Apple's APIs and protocols. With logical acquisition, experts can make the phone create a full local backup of its data, pull pictures and videos, and obtain certain logs and shared files. This method is also one of the most limited: both Apple and app developers can restrict which parts of the data are backed up, and the user can protect local backups with a password, which must be broken or removed in order to access the data. Breaking the password may be time-consuming or not even possible, depending on its length and complexity, while resetting the password involves removing the screen lock passcode on the iPhone, which in turn has important consequences. On the other hand, media files (including metadata) can be extracted regardless of the backup password, while log files may help recover some of the device usage timeline.

When analyzing an old, 32-bit device such as the iPhone 4, 5 or 5c, one can make a bit-precise image of the data partition, decrypting everything down to the last bit. While this is the deepest and most comprehensive acquisition method, it is not applicable to modern devices. Starting with the iPhone 5s, the encryption keys protecting the data are safeguarded by Secure Enclave, a hardware security subsystem, and there is no known way to extract these keys from the chip.

File system imaging and keychain decryption (with a jailbreak).
When extracting an iOS device, one needs low-level access to the device. We developed a workflow allowing experts to image the device's file system and decrypt the keychain based on publicly available jailbreaks. While decidedly not forensically sound, this process was the only chance of accessing the full content of the device, including all keychain records, private chats and application data not included in backups. Jailbreaks are both hardware-specific and iOS-specific. This method was superseded by agent-based extraction.

File system imaging and keychain decryption (with bootrom exploit).
On some models (iPhone 5s through iPhone X), a bootrom exploit can be used to image the device regardless of the installed iOS version. For general use, this method was superseded by agent-based extraction. On the plus side, bootrom extractions are more forensically sound compared to jailbreaking, and support those versions of iOS for which no kernel-level exploits are available. In addition, limited BFU (Before First Unlock) extraction is available for all iPhone 5s – iPhone 7 devices, as well as for iPhone 8/8 Plus/iPhone X devices running iOS 13.x.

File system imaging and keychain decryption (without a jailbreak).
When extracting an iOS device, we still need low-level access to the device. Instead of relying on public jailbreaks and exploits, which are not designed to be forensically sound, we developed our own solution based on the extraction agent. The extraction agent establishes a communication channel between the device and the computer, escalates privileges, and gains access to the file system and the encryption keys required to decrypt the content of the keychain.