You might have heard about our new product – iOS Forensic Toolkit. In fact, if you are involved in mobile phone and smartphone forensics, you almost certainly have. In case our previous announcements haven’t reached you, iOS Forensic Toolkit is a set of tools designed to perform physical acquisition of iPhone/iPad/iPod Touch devices and decrypt the resulting images. This decryption capability is unique and allows one to obtain a fully usable image of the device’s file system with the contents of each and every file decrypted and available for analysis. And the fact is, with today’s update, iOS Forensic Toolkit is much more than just that.
The update we’re releasing today contains the following improvements:
- The ability to decrypt contents of the device keychain
- The ability to perform logical acquisition of the device
- Logging of all operations performed within Toolkit
- Support for iPhone 3G
- Support for iOS 3.x on compatible devices
- Support for iOS 4.3.4 (iOS 4.2.9 for iPhone 4 CDMA)
- Let me give a short description of each of the new features.
iOS Forensic Toolkit now includes the ability to extract and decrypt keychain data from iOS devices running iOS 3.x and 4.x. Keychain is a system-wide storage for users’ data. Apple recommends using it to store highly sensitive information like account names and passwords. Therefore, it is natural that the device keychain is of great interest for anyone conducting analysis of an iOS device.
For devices running iOS 3.x, all that you need to decrypt keychain data is physical access to the device. All items are encrypted using the same encryption key, and the Toolkit can extract this key from the device, allowing offline decryption of keychain contents.
On devices running iOS 4.x, most keychain items cannot be decrypted without knowing the original device passcode or having access to escrow keys. However, once you’ve recovered the passcode (the Toolkit includes this feature, too) or obtained the escrow keys from the computer running iTunes to which the iOS device have been synced or connected at least once, the Toolkit will decrypt everything from the keychain. If for some reason both the passcode and escrow keys are not available, the Toolkit will still do its best and decrypt some of the keychain items.
This is the feature some of our customers been asking for. Sometimes, you do not need the full physical dump (or simply do not have enough time to obtain one), and only need actual files stored on the user partition (i.e. no unallocated space or file system metadata). Logical acquisition is designed for this exact scenario. What you get is an almost exact copy of files from user partition (with directory tree retained) conveniently packed into a single TAR archive. It is “almost exact” because, in case of iOS 4.x, the files that are encrypted using the passcode (i.e. Mail.app databases) are not included with the logical image at this time.
Another feature requested by our law-enforcement customers is logging of all activities occurring while the Toolkit is running. We are happy to offer this ability in the newly released version for both Mac OS X and Windows. Now, every time you start the Toolkit, it will create a unique log file (file name is based on current time) and mirror all user input as well as output produced by the Toolkit or any invoked programs to that file.
iPhone 3G and iOS 3.x Support
When we first released the Toolkit, it was specifically designed to circumvent iOS 4.x encryption on devices equipped with hardware encryption module, so we never thought we will be asked to add support for older iOS versions and/or devices. However, based on feedback from our customers, we had to reconsider. We are adding support for iPhone 3G (running iOS 3.x or iOS 4.x) and for iOS 3.x on compatible devices (iPhone 3G, iPhone 3GS, iPod Touch 3rd Generation, and iPad). Note that with iPhone 3G, even if it running iOS 4.x, the user partition is not encrypted (iPhone 3G simply does not have the relevant encryption hardware).
The good thing is that iOS 3.x is much simpler to deal with from analysts’ point of view. First, device passcode does not need to be brute-forced – instead, it is recovered and displayed instantly. Second, the user partition is not encrypted, making it unnecessary to decrypt the obtained image.
Compatibility with iOS 4.3.4 and iOS 4.2.9
On July 15, 2011, Apple has released iOS 4.3.4 (and iOS 4.2.9 for iPhone 4 CDMA) that fixed certain vulnerabilities used by recent “jailbreaks”. Although older versions of the iOS Forensic Toolkit can be used to perform acquisition and passcode recovery of a device running iOS 4.3.4/4.2.9, the device would not boot after an older version of the Toolkit had been used on it. Other vendors of iPhone forensic tools have also confirmed the problem, and we believe all others who haven’t confirmed this yet are also affected.
We don’t believe this is a result of Apple intentionally blocking forensic tools or detecting tethered jailbroken boots, but rather an unpleasant side-effect of other (rather significant in some sense) changes in the firmware. Anyway, long story short, the newly released version of iOS Forensic Toolkit is compatible with iOS 4.3.4/4.2.9 and will not brick the iOS device.
It goes without saying that this update is free for all existing customers with a valid iOS Forensic Toolkit license. We are committed to delivering the best product for iOS forensics, and we are happy to be the first to provide iOS 4.3.4/4.2.9 support to our customers.