Digital forensics

iPhone Forensics

January 7, 2012 by Satish B.

[highlight color=”blue”]Interested in formal iPhone forensics training? Check out our 3 day iPhone and iOS forensics course now available. [/highlight]

iPhone forensics can be performed on the backups made by iTunes (escrow key attack) or directly on the live device. This article explains the technical procedure and the challenges involved in extracting data from the live iPhone.

iPhone 4 GSM model with iOS 5 is used for forensics.

GOAL

Extracting data and artifacts from iPhone without altering the information on the device

Researchers at Sogeti Labs have released open source forensic tools (with the support of iOS 5) to recover low level data from the iPhone. The details shown below outline their research and give an overview on the usage of iPhone forensic tools.

Steps involved in iPhone forensics include:

  • Creating & Loading a forensic toolkit on to the device without damaging the evidence
  • Establishing a communication between the device and the computer
  • Bypassing the iPhone passcode restrictions
  • Reading the encrypted file system
  • Recovering the deleted files
  • Creating & Loading the forensic toolkit



Imagine a computer which is protected with an OS level password – we can still access the hard disk data by booting a live CD, or by removing the hard disk and connecting it to another machine. When we compare computers to the iPhone, it is an embedded device. So it is not easy to take out the chips (hard disk) and dump data into it. To perform iPhone forensics, we use the Live CD approach. As the iPhone has only one serial port, we are going to load custom OS over the USB to access the hard disk of the device. The problem here is: the iPhone only loads firmware designed by Apple.

In order to create and load the forensic toolkit, first we need to understand iPhone functions at the operating system level. iOS (previously known as iPhone OS) is the operating system that runs on all Apple devices like iPhone, iPod, Apple TV and iPad. iOS is a zip file (ships with .ipsw extension) that contains boot loaders, kernel, system software, shared libraries & built in applications.

When an iPhone boots up, it walks through a chain of trust, which is a series of RSA signature checks among the software components in a specific order as shown below:



The BootRom is Read-only memory (ROM) and it is the first stage of booting an iOS device. BootRom contains all the root certificates to signature check the next stage.

iPhone operates in 3 modes – Normal Mode, Recovery Mode, DFU mode

In Normal mode, BootRom start off some initialization stuff and loads the low level boot loader (LLB) by verifying its signature. LLB signature checks and loads the stage 2 boot loader (iBoot). iBoot signature checks the kernel and device tree, while the kernel signature checks all the user applications.

In DFU mode, iPhone follows the boot sequence with a series of signature checks as shown below. BootRom signature checks the second level boot loaders (iBSS, iBEC). Boot loader signature checks the kernel, and the kernel signature checks the Ramdisk.



During iOS update, the Ramdisk gets loaded into RAM and it loads all the other OS components. In Forensics, we will create a custom Ramdisk with our complete forensic tool kit and load it into the iPhone’s volatile memory. Signature checks implemented at various stages in the boot sequence do not allow us to load our custom Ramdisk. To load our custom Ramdisk, we have to bypass all these signature checks. In the chain of trust boot sequence, if we compromise one link, we can fully control all the links that follow. The hacker community has found several vulnerabilities in BootRom. By using these, we can flash our own boot loader and patch all other signature checks in all the subsequent stages. Apart from signature checks, every stage is also encrypted. These encryption keys can be grabbed from JailBreaking tools.

Building a custom Ramdisk

First, we will build a custom ram disk using all of our forensic tools and patch the ram disk signature checks in kernel. Later, we will use jailbreak tools to load our kernel by patching BootRom signature checks.
With the open forensic toolkit released by Sogeti Labs, we can build Ramdisk only on MAC OS X. The entire forensic toolkit contains python scripts, a few binaries and a few shell scripts.

In order to run the tools, we first need to install all the dependencies (use the commands listed below from OS X terminal).

Download ldid, grant execute permissions and move it to /usr/bin directory.

Download and install OSXFuse.

Download & install python modules – pycrypto, M2crypto, construct and progressbar.


Download and install Mercurial (http://mercurial.selenic.com/) to check out the source code from the repository.

Download redsn0w to fetch encryption keys to decrypt Ramdisk and Kernel.

To patch the signature checks in kernel, supply iOS 5 ipsw file to kernel_patcher.py

The above python script creates a patched kernel and a shell script to create Ramdisk.

Running the shell script downloads, the forensic tool kit adds it to the Ramdisk. The Ramdisk image is just a plain HFS+ file system (native to Macs, making it fairly simple to add files to it). All of the steps listed above create a patched kernel and a custom Ramdisk with forensic tools.
Note: I have created the patched kernel and a custom Ramdisk for iPhone 4. You can directly download these files and skip all the above steps.

Download Link for:

  • myramdisk.dmg
  • kernelcache.release.n90.patched
  • iphone forensics.pptx

 

Loading Forensic Toolkit

In order to load the forensic toolkit, supply iOS 5 ipsw file, patched kernel and custom Ramdisk to redsn0w tool: connect the device to computer using USB cable and run the below command. Follow the steps displayed by redsn0w to boot the device in DFU mode. In DFU mode, redsn0w exploits the BootRom vulnerability and loads patched kernel & custom Ramdisk on to the device.


If the process fails with the No identifying data fetched error, make sure that the host computer is connected to the internet. After redsn0w is done, the Ramdisk boots in verbose mode.

Establishing a communication between the device and the computer

Once booted with custom Ramdisk, networking capabilities (like WI-FI) are not enabled by default. So a different way is chosen to communicate with the device by following the approach that Apple took with iTunes. USBMUX is the protocol used by iTunes to talk to the booted iPhone and coordinate access to its iPhone services by other applications. USB multiplexing provides TCP like connectivity over a USB port using SSL. Over this channel, iTunes uses AFC service to transfer files. But here we use this channel to establish a SSH connection and get a shell on the device.

SSH works on port 22. Tcprelay.py script redirects port 22 traffic to 2222 port.

SSH is now accessible at localhost:2222.

At this point, we get access to the file system. To make things even more complicated, every file is encrypted with its own unique encryption key, tied to a particular iOS device. Furthermore, the data protection mechanism introduced with iOS 4 adds another layer of encryption that does not give access to the protected files and keychain items when the device is locked. Data protection is the combination of using hardware based encryption along with a software key. Every iPhone (>3gs) contains a special piece of hardware (AES processor) which handles the encryption with a set of hardcoded keys (UID, GID). OS running on the device cannot read the hardcoded keys, but it can use the keys generated by UID (0x835 and 0x89B) for encryption and decryption. The software key is protected by a passcode and is also used to unlock the device every time the user wants to make use of the device. So in order to access the protected files, first we have to bypass the passcode.

3. Bypassing the iPhone passcode restrictions

Initially (< iOS 4), passcode is stored in a file which can be removed directly over SSH. Since the introduction of data protection (from iOS 4), the passcode is used to encrypt protected files and keychain items on the device. So in order to decrypt the data, we have to supply the valid passcode.

Passcode validation is performed at two levels: one at the springboard and another one at kernel level. Bruteforce attacks performed at the springboard level lock the device, introducing delays and possibly leading to wiped out data. However, these protection mechanisms are not applicable at kernel level (AppleKeyStore method) and lead to bruteforce attacks. To make brute force attacks less practical, a passcode key derived from the user passcode is tied to the hardware UID key. The brute force can only be performed on this device; it is not possible to prepare pre compute values (like rainbow tables) offline.

Port 1999 opened with tcprelay.py is used by the bruteforce script. It connects to the custom restored_external daemon on the Ramdisk, collects basic device information (serial number, UDID, etc.), unique device keys (keys 0x835 and 0x89B), downloads the system keybag and tries to bruteforce the passcode (4 digits only).

Below table illustrates the time required to bruteforce different passcodes.

Passcode Complexity Bruteforce time
4 digits 18 minutes
4 alphanumeric 51 hours
5 alphanumeric 8 years
8 alphanumeric 13,000 years

4. Reading the encrypted file system

Upon a successful passcode brute force, the script automatically downloads the keychain. Keychain is a Sqllite database which stores sensitive data on your device. The keychain is encrypted with hardware key; it also restricts which applications can access the stored data. Each application on your device has a unique application-identifier (also called as entitlements). The keychain service restricts which data an application can access based on this identifier. By default, applications can only access data associated with their own application-identifier. Later, Apple introduced keychain groups, enabling applications which belong to same group to share the keychain items. There are two ways to access all the keychain items: One is by writing an application and making it a member of all application groups. The other is by writing an application and granting com.apple.keystore.access-keychain-keys entitlement.

Keychain database contents can be extracted using keychain_tool.py

Execute the dump_data_partition shell script to dump the file system

The script reads the file system from the device and copies it to UDID directory as an image (.dmg) file. The image file can be opened using the modified HFSExplorer that will decrypt the files on the fly.

To decrypt it permanently, emf_decrypter.py script can be used.

It decrypts all files in the file system image. To view the decrypted files, mount the file system with below command.

As soon as the file system is decrypted, there are various files of interest available such as the mail database, the SMS database and location history, etc…

5. Recovering the deleted files

Deleting a file on iPhone only deletes the file reference. So it is possible to recover the deleted files; to do so, run emf_undelete.py script.

With this technique it is possible to recover valuable data like call logs, deleted images, deleted SMS, deleted contacts, deleted voicemail and deleted emails.

Check out the next articles in the series:

iPhone Forensics- Analysis of iOS 5 Backups: Part 1

iPhone Forensics- Analysis of iOS 5 Backups: Part 2

References

  1. iPhone data protection in depth by Jean-Baptiste Bédrune, Jean Sigwald
    http://esec-lab.sogeti.com/dotclear/public/publications/11-hitbamsterdam-iphonedataprotection.pdf
  2. iPhone data protection tools

    http://code.google.com/p/iphone-dataprotection/

  3. ‘Handling iOS encryption in forensic investigation’ by Jochem van Kerkwijk
    http://staff.science.uva.nl/~delaat/rp/2010-2011/p26/report.pdf
  4. iPhone Forensics by Jonathan Zdziarski
    http://shop.oreilly.com/product/9780596153595.do
  5. 25C3: Hacking the iPhone
    http://www.youtube.com/watch?v=1F7fHgj-e_o
  6. iPhone wiki

    http://theiphonewiki.com

Posted: January 7, 2012
Articles Author
Satish B.
View Profile

Satish B (@satishb3) is an Information Security Professional with 6 years of experience in penetration testing of web applications and mobile applications. He is currently a security researcher at Infosec Institute. Satish's blog is located at - http://www.securitylearn.net Email: satishb3@securitylearn.net

25 responses to “iPhone Forensics”

  1. mitch says:

    The download zip file is corrupted?

    • wayne says:

      4 share? Not likely. I’m not paying them, and I’m certainly not going to do their 20 second delay, and have to reconstruct the directory structure.
      How about just fixing the corrupted zip file (it’s the mp4 file).

    • wayne says:

      Never mind the corruption was repairable under linux with zip FF iphone-forensics.zip newzip.zip

      I didn’t check the mp4 file, but your presentation is available on youtube anyway.

  2. Peter says:

    What ends up being the condition of the phone after all of this. Will it then restart like normal with the passcode intact? Or does this remove the passcode? Is a restore of the phone necessary to return it to normal operations?

  3. satish b says:

    Once everything is completed, we have to manually restart the phone. Then the phone gets booted normally with the passcode intact.

  4. suicico says:

    Hello, thanks for the great guide .
    Will this guide work for iPhones running lower version of ios than 5 ?
    Thanks a lot again

  5. Roberto says:

    Does this method modifies the integrity of the Device??, I mean, if the results where to be presented in a court, are the valid? or the defense attorney could give us a hard time arguing about the integrity of the data acquired?

    Thanks!

  6. brooklyn says:

    It says the file is corrupt.
    What to do?

  7. Daniel Oates-Lee says:

    Fantastic article. Do you happen to have a alphanumeric python script to brute force or dictonary the password?

  8. Jack says:

    Does it works for Iphone 4S?

  9. satish b says:

    ‘@Roberto: It does not modify the integrity of the device. In simple, we are loading the OS into RAM, grab the data and flush out with restart.

    @brooklyn: Which file is corrupted ?

    @Daniel: I do not have one. But it is easy to edit the bruteforce python script.

    @Jack: It does not work for 4S. BootRom level vulnerability is required to boot with custom ramdisk. It has not identified in A5 chips yet.

    • blk says:

      This is a great article. I am really interested in getting this to work on the iPhone 4S (A5), which can now be jailbroken, although I’m new at this and won’t proceed until I completely understand how all these tools work because I only want to recover data and not physically modify the phone’s firmware (5.1.1 9B206). I am very concerned about losing data (i.e. deleted sms) by jailbreaking. I don’t understand enough about how the ‘Rocky Racoon’ exploit works to know if it can boot a ramdisk image to do what you describe in this article, or if that is even a possibility in the future. I have the phone and there is no passcode. Could you comment on whether the recent software releases could enable booting a ramdisk and if you have any plans to update this article for a 4S?

  10. Vin says:

    Hi Satish, great tutorial.
    Does this work on iphone 3g as well? Im trying it right now but having problem when i fire up redsn0w…im getting USB communication problem…im assuming its because of the version of redsn0w…is there a fix for this?
    Thanks a lot

  11. satish b says:

    I haven’t tested on 3g. But it should work for 3g as well. For 3g phone there is no disk encryption, so after booting with the custom ramdisk you can directly view data over ssh.

  12. james says:

    I had a company run forensics on my back up file for a 3gs. The data recovered was the same i had gotten without special tools. I was told in Sept 2012 that the ability to retrieve the encrypted back up files was not available at that time has that changed? I lost 100 sms but backed up the device two days after i realized to avoid rewrite and was operating with less than 1 g being used. Is the procedure described in the article doing what couldnt be done less than a year ago?

  13. satish b says:

    Yes. The techniques explained in the article were not exist a year ago. The tools here can read/recover the encrypted files as well. However, current tools does not have the capability to recover SMS.

  14. Red says:

    sorry for this comment but i have lost all my contact from iphone3gs running ios4.1 jailbreaked, i have windows 7 is there by anychance a way to retrieve those contacts “for dummies”?? (it is verry important)
    i’m far from being a genius in computer science….
    thank you in advance for your ur time… even if there is no way to, but at least i would have tried

  15. Red says:

    ps: i have tried dr fone from wondershare software and it got my cantacts wrong…. please can u help?
    thanks again

  16. murtwitnessonelive says:

    I am concerned about something here. Isn’t this an instruction manual for people to use to hack into Iphones? I am wondering if there is safeguards built into the phone to prevent hackers from using the method written here to break into people’s phones.

    MURT

  17. Arreguy says:

    Great Article Satish! Congratulations!
    At the end of four section, you says:

    “It decrypts all files in the file system image. To view the decrypted files, mount the file system with below command.”

    But doesn’t appear the command.

    Thanks

    Arreguy

  18. kris says:

    does this work on iphone messages permanently deleted via itunes sync, with no back up point?

  19. nia says:

    does this method jailbreak the iphone?redsn0w is the jailbreaking tool, right?is this method based on zdziarski’s method?

  20. Stefan says:

    Thank you very much, Satish!
    I tried that method with iPhone4,1 and iOS 7.1.2. But when coming to the kernel_patcher.py I get a “No keys found for kernel” error. The Keys.plist file does not include those keys. Any ideas how to continue?

Leave a Reply

Your email address will not be published. Required fields are marked *