iOS and BlackBerry Forensics

           Andrey Belenko
          Elcomsoft Co. Ltd.




Agenda
• Basics
• iOS Forensics
 – iOS Security before iOS 4
 – iOS 4 Data Protection
 – iOS 5 Data Protection Changes
• BlackBerry Forensics
• Summary




Forensics 101


Acquisition ➜ Analysis ➜ Reporting


GOALS:
1. Assuming physical access to the device, extract as much information as practical
2. Leave as few traces/artifacts as practical


iOS: Why Even Bother?

•   Almost 5 years on the market
•   250+ million iOS devices sold worldwide
•   6 iPhones, 4 iPods, 2 iPads
•   “Smart devices” – they do carry a lot of sensitive data
•   Corporate deployments are increasing



There was, is, and will be a real need in iPhone Forensics
iPhone Forensics 101
• Acquisition
  –Need to get data off the device
• Passcode
  –Prevents unauthorized access to the device
  –Bypassing passcode is usually enough
• Keychain
  –Central storage for sensitive data (passwords, keys)
  –Encrypted
• Storage (disk) encryption

Acquisition Options
• Logical: iPhone Backup
  –Device must be unlocked
  –Device may produce encrypted backup
  –Limited amount of information
• Read files directly (AFP)
  –Device must be unlocked
  –Limited access (non-jailbroken devices)
• Physical: filesystem acquisition
  –Boot-time exploit to run unsigned code
  –Device lock state isn’t relevant
  –Can get all information from the device

What is Jailbreak?



• Jailbreak – circumventing iOS security in order to run custom code
• Boot-level or application-level
• Tethered or untethered




Types of Jailbreaks
• App-level JB gets kernel code execution by exploiting apps
  –e.g. JailbreakMe
  –Can be fixed by new firmware
• Boot-level JB loads a custom kernel by breaking the chain of trust
  –e.g. limera1n
  –Can’t be fixed if it exploits a vulnerability in BootROM




Jailbreak and Forensics
• Tethered JB
  –Host connection is required to boot into JB state
  –Exploit(s) are sent by the host
  –May leave minimal traces on the device
• Untethered JB
  –Device is modified so that it can boot in jailbroken state by itself
  –Leaves permanent traces




Unlocking the Device

• Passcode
• iTunes pairing
  –if iTunes has seen the device before, it can unlock it
  –iOS 4: always
  –iOS 5: if the passcode has been entered on the device after power-on
  –don’t switch off an iOS 5 device after seizure (if there is a chance that you’ll have the PC/Mac it is paired with)




iOS < 4.0 Passcode

• Lockscreen (i.e. UI) is the only protection
• Passcode is stored in the keychain
  –Passcode itself, not its hash
• Can be recovered or removed instantly
  –Remove record from the keychain
  –And/or remove setting telling UI to ask for the passcode




iOS 4/5 Passcode
• Passcode is used to compute encryption key
  –Computation tied to hardware key
  –Same passcode will yield different passcode keys on different devices!
• Passcode key is required to unlock some of the content protection keys
  –most files don’t require a passcode for decryption
  –most keychain items do require a passcode for decryption




iOS 4/5 Passcode

• Passcode-to-Key transformation is slow
• Offline bruteforce is currently not possible
  –Requires extracting hardware key
• On-device bruteforce is slow
  –2 p/s on iPhone 3G, 7 p/s on iPad
• We have a hint on passcode complexity




iOS 4/5 Passcode


Complexity hint values:
•   0 – digits only, length = 4 (simple passcode)
•   1 – digits only, length != 4
•   2 – contains non-digits, any length

Can at least identify weak passcodes



iOS < 4.0 Keychain
• SQLite3 DB, only passwords are encrypted
• All items are encrypted with the device key and
  random IV
• Key can be extracted (computed) for offline use
• All past and future keychain items from the device
  can be decrypted using that key

Item layout (byte offsets):  0: IV | 16: Data | SHA-1(Data)
                             Data and SHA-1(Data) are encrypted with Key 0x835




iOS 4 Keychain
• SQLite3 DB, only passwords are encrypted
• Random key for each item, AES-CBC
• Item key is protected with corresponding
  protection class master key
• Some keychain items are included in the iTunes backup
• In an encrypted iTunes backup, keychain items are encrypted using the backup password

Item layout (byte offsets):  0: version (0) | 4: Class | 8: Wrapped Item Key | 48: Encrypted Item


iOS 5 Keychain

• Based on iOS 4 encryption
• All attributes are now encrypted (not only
  password)
• AES-GCM is used instead of AES-CBC
  –Enables integrity verification



Item layout (byte offsets):  0: version (2) | 4: Class | 8: Wrapped Key Length | 12: Wrapped Key | Encrypted Data (+ Integrity Tag)




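A parser for the three keychain item layouts shown on the iOS < 4.0, iOS 4 and iOS 5 keychain slides, added here as an example; it is not Elcomsoft code and not part of any tool named in the deck. It separates IV, protection class, wrapped key, ciphertext and (iOS 5) integrity tag from a record without decrypting anything, and rejects truncated or mislabelled records. Assumptions not stated on the slides: 32-bit little-endian header fields, a 16-byte AES-GCM tag, and protection-class numbers 1..11 taken from the deck's key-hierarchy diagram.

```python
import struct
from dataclasses import dataclass
from typing import Optional

# Layout constants read off the three keychain slides. Byte order is an
# assumption (the deck does not state it): 32-bit little-endian throughout.
IOS4_VERSION = 0            # first 32-bit word of an iOS 4 item
IOS5_VERSION = 2            # first 32-bit word of an iOS 5 item
IOS3_IV_LEN = 16            # iOS 3.x: IV occupies bytes 0..16
IOS4_WRAPPED_KEY_LEN = 40   # iOS 4: wrapped item key occupies bytes 8..48
GCM_TAG_LEN = 16            # iOS 5: AES-GCM tag length (assumed 16 bytes)
MAX_CLASS = 11              # the deck's key hierarchy lists class keys #1..#11
AES_BLOCK = 16


@dataclass
class KeychainRecord:
    layout: str                      # "ios3", "ios4" or "ios5"
    protection_class: Optional[int]  # None for iOS 3.x, which has no class field
    iv: Optional[bytes]              # only iOS 3.x stores an explicit IV in the record
    wrapped_key: Optional[bytes]     # per-item key wrapped with the class master key (iOS 4/5)
    ciphertext: bytes                # left encrypted: this parser holds no keys
    integrity_tag: Optional[bytes]   # iOS 5 only (AES-GCM)


def _check_class(clas: int) -> None:
    # Sanity check using the class numbers shown in the deck's key hierarchy.
    if not 1 <= clas <= MAX_CLASS:
        raise ValueError(f"protection class {clas} outside #1..#{MAX_CLASS}")


def parse_ios3_item(blob: bytes) -> KeychainRecord:
    """iOS < 4: [IV, 16 bytes][AES-CBC(Key 0x835, IV, Data || SHA-1(Data))].
    The hash sits inside the ciphertext, so without Key 0x835 only the IV and
    the ciphertext can be separated; nothing is bound to a protection class."""
    if len(blob) < IOS3_IV_LEN + AES_BLOCK:
        raise ValueError("iOS 3 item too short for an IV plus one cipher block")
    ciphertext = blob[IOS3_IV_LEN:]
    if len(ciphertext) % AES_BLOCK:
        raise ValueError("iOS 3 ciphertext is not a whole number of AES blocks")
    return KeychainRecord("ios3", None, blob[:IOS3_IV_LEN], None, ciphertext, None)


def parse_ios4_item(blob: bytes) -> KeychainRecord:
    """iOS 4: [version 0][Class][Wrapped Item Key, bytes 8..48][Encrypted Item, AES-CBC]."""
    header_len = 8 + IOS4_WRAPPED_KEY_LEN
    if len(blob) < header_len + AES_BLOCK:
        raise ValueError("iOS 4 item too short for header plus one cipher block")
    version, clas = struct.unpack_from("<II", blob, 0)
    if version != IOS4_VERSION:
        raise ValueError(f"version {version} is not an iOS 4 keychain item")
    _check_class(clas)
    ciphertext = blob[header_len:]
    if len(ciphertext) % AES_BLOCK:
        raise ValueError("iOS 4 ciphertext is not a whole number of AES blocks")
    return KeychainRecord("ios4", clas, None, blob[8:header_len], ciphertext, None)


def parse_ios5_item(blob: bytes) -> KeychainRecord:
    """iOS 5: [version 2][Class][Wrapped Key Length][Wrapped Key][Encrypted Data + Tag].
    The wrapped-key length comes from the record itself (untrusted input), so it
    is bounds-checked before slicing."""
    if len(blob) < 12:
        raise ValueError("iOS 5 item too short for its 12-byte header")
    version, clas, wk_len = struct.unpack_from("<III", blob, 0)
    if version != IOS5_VERSION:
        raise ValueError(f"version {version} is not an iOS 5 keychain item")
    _check_class(clas)
    body_start = 12 + wk_len
    if wk_len == 0 or len(blob) < body_start + GCM_TAG_LEN:
        raise ValueError("wrapped key length runs past the end of the record")
    payload = blob[body_start:]
    # GCM ciphertext needs no block padding; the tag is the trailing bytes.
    return KeychainRecord("ios5", clas, None, blob[12:body_start],
                          payload[:-GCM_TAG_LEN], payload[-GCM_TAG_LEN:])


def parse_keychain_item(blob: bytes, ios_major: int) -> KeychainRecord:
    """Choose the layout from the iOS version the examiner knows the device runs.
    iOS 3 records start with a random IV, not a version word, so the format
    cannot be sniffed from the blob alone."""
    if ios_major < 4:
        return parse_ios3_item(blob)
    if ios_major == 4:
        return parse_ios4_item(blob)
    return parse_ios5_item(blob)


def is_well_formed(blob: bytes, ios_major: int) -> bool:
    try:
        parse_keychain_item(blob, ios_major)
        return True
    except ValueError:
        return False


def build_ios5_item(clas: int, wrapped_key: bytes, ciphertext: bytes, tag: bytes) -> bytes:
    # Inverse of parse_ios5_item, used only to construct sample records.
    return struct.pack("<III", IOS5_VERSION, clas, len(wrapped_key)) + wrapped_key + ciphertext + tag


# Constructed sample records (not real keychain data): filler bytes stand in for
# the wrapped keys and ciphertext, which this parser never decrypts.
SAMPLE_IOS3 = bytes(range(16)) + b"\xaa" * 48
SAMPLE_IOS4 = struct.pack("<II", IOS4_VERSION, 6) + b"\x11" * IOS4_WRAPPED_KEY_LEN + b"\xbb" * 32
SAMPLE_IOS5 = build_ios5_item(11, b"\x22" * 40, b"\xcc" * 64, b"\xdd" * GCM_TAG_LEN)
```

Feeding a record to the wrong version's parser, or a truncated record to any of them, raises ValueError rather than returning misaligned fields.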
iOS < 4.0 Disk Encryption

• No encryption




iOS 4 Disk Encryption

• Only User partition is encrypted
• Available protection classes:
  – NSProtectionNone (can decrypt without passcode)
  – NSProtectionComplete (can’t decrypt without passcode)

• Filesystem metadata encrypted transparently
• Files are encrypted using per-file random key
  –Reliable recovery of deleted files is not currently possible




iOS 5 Disk Encryption

• New partition scheme
  – “LwVM” – Lightweight Volume Manager
• Any partition can be encrypted
• New protection classes
  – NSFileProtectionCompleteUntilFirstUserAuthentication
  – NSFileProtectionCompleteUnlessOpen
• IV for file encryption is computed differently




iOS Forensics
• Acquiring a disk image is not enough for iOS 4+
  – Content protection keys must also be extracted from the device during acquisition
• Passcode or escrow keybag is needed for a complete set of content protection keys
• In the real world it may be a good idea to extract the source data and compute the protection keys offline




iOS Forensics
[Figure: iOS 4/5 key hierarchy]
  Legend: must be done on the device / required to decrypt files/keychain / sufficient for offline key reconstruction
  UID Key  ->  Key 89B, Key 835
  Passcode + UID Key  -> KDF ->  Passcode Key
  Effaceable Storage (‘EMF!’ / ‘LwVM’, ‘Dkey’, ‘BAG1’)  -> Decrypt (Key 89B) ->  FS Key
  systembag.kb  -> Decrypt ->  System Keybag (locked)  -> Unlock (Passcode Key) ->  System Keybag (unlocked)
  Unlocked keybag holds: Class A Key (#1), Class B Key (#2), Class C Key (#3), Class D Key (#4), Class Key #5 … Class Key #11




Useful Tools
• Logical: iPhone Backup
  –iTunes (acquire)
  –Oxygen Forensics Suite, iBackupBot (view)
  –Elcomsoft Phone Password Breaker (recover password,
   view backup keychain, decrypt backup)
• Read files directly (AFP)
  –iExplorer
• Physical: filesystem acquisition
  –Elcomsoft iOS Forensic Toolkit, AccessData MPE+,
   Cellebrite UFED, XRY, etc
  –iphone-dataprotection (at Google Code)

iOS Forensic Toolkit
Device                iPhone         iPhone 3G      iPhone 3GS      iPhone 4       iPhone 4S
                      iPod Touch 1   iPod Touch 2   iPod Touch 3    iPod Touch 4   iPad 2
                                                    iPad 1
iOS version           3.1.3          4.2.1          3.1.3 / 5.1.1   5.1.1          5.0, 5.01 (JB)
Physical acquisition  +              +              +               +              +
Passcode recovery     instant        +              instant         +              +
Keychain decryption   +              +              +               +              +
Disk decryption       not encrypted  not encrypted                  +              +




Conclusions
• iPhone physical analysis is possible
• Physical acquisition requires boot-time exploit
• Passcode is usually not a problem
  – Due to technology before iOS 4
  – Due to human factor with iOS 4/5
• Both proprietary and open-source tools for iOS
  4/5 acquisition are available




iCloud Backups
• It is now possible to download iOS backups from iCloud
• Backups in iCloud are NOT encrypted
 –Even if backup encryption is ON
• Apple ID and password are required
 – Can be found on PC/Mac/iOS devices




BlackBerry Forensics 101
• Acquisition
  –Need to get data off the device
• Device password
  –Prevents unauthorized access to the device
• File encryption
  –i.e. *.rem files on SD Card




Acquisition Options

• Logical: BlackBerry backup
  –Must know device password
  –Backup encryption is NOT enforced
  –Limited amount of information
• Physical
  –Must know device password
  –Can get all information from the device
• Chip-off
  –Don’t need device password
  –Destructive process


Device Password

• No reliable ways to recover
• Can be recovered in one special case:
  –Files on SD card are encrypted
  –Encryption is set to “Security password” or “Device password”
• Can be recovered for “Device password & Device Key” if device dump is available



File Encryption

• Encryption options:
  –Device Key
  –Device Password
  –Device Password & Device Key
• Device Key is per-card and stored in NVRAM
• Some files are encrypted using a different key (?)
  –E.g. WhatsApp database on SD card
  –Not clear why, maybe an implementation of PersistentStore


File Decryption

• Files can be decrypted provided
  –Device dump (for Device Key option)
  –Device password (for Device Password option)
  –Both (for Device Password & Device Key option)
• ‘PersistentStore’ files (e.g. WhatsApp database) can be decrypted provided a device dump is available
  –Tool for this is available free of charge for law enforcement



Useful Tools
• Logical: BlackBerry backup
  –BlackBerry Desktop Manager (acquire)
  –Elcomsoft BlackBerry Backup Explorer (view)
  –Elcomsoft Phone Password Breaker (recover backup password, decrypt backup; recover BlackBerry PasswordKeeper and Wallet passwords)
• Physical
  –Cellebrite
• Other
  –Elcomsoft Phone Password Breaker (recover device password, decrypt SD card files)

Thank You!


a.belenko@elcomsoft.com

http://ru.linkedin.com/in/belenko

@andreybelenko




The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j
 
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphSIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphNeo4j
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhisoniya singh
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machinePadma Pradeep
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 3652toLead Limited
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
Benefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksBenefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksSoftradix Technologies
 
Azure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & ApplicationAzure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & ApplicationAndikSusilo4
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 

Último (20)

04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptx
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
 
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphSIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machine
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
Benefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksBenefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other Frameworks
 
Azure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & ApplicationAzure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & Application
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 

iOS and BlackBerry Forensics Guide

1. iOS and BlackBerry Forensics
Andrey Belenko, Elcomsoft Co. Ltd.

2. Agenda
• Basics
• iOS Forensics
 – iOS Security before iOS 4
 – iOS 4 Data Protection
 – iOS 5 Data Protection Changes
• BlackBerry Forensics
• Summary

3. Forensics 101
Acquisition ➜ Analysis ➜ Reporting
GOALS:
1. Assuming physical access to the device, extract as much information as practical
2. Leave as little traces/artifacts as practical

4. (no text on this slide)

5. iOS: Why Even Bother?
• Almost 5 years on the market
• 250+ million iOS devices sold worldwide
• 6 iPhones, 4 iPods, 2 iPads
• “Smart devices” – they do carry a lot of sensitive data
• Corporate deployments are increasing
There was, is, and will be a real need in iPhone Forensics

6. iPhone Forensics 101
• Acquisition
 – Need to get data off the device
• Passcode
 – Prevents unauthorized access to the device
 – Bypassing passcode is usually enough
• Keychain
 – Central storage for sensitive data (passwords, keys)
 – Encrypted
• Storage (disk) encryption
8. Acquisition Options
• Logical: iPhone Backup
 – Device must be unlocked
 – Device may produce encrypted backup
 – Limited amount of information
• Read files directly (AFP)
 – Device must be unlocked
 – Limited access (non-jailbroken devices)
• Physical: filesystem acquisition
 – Boot-time exploit to run unsigned code
 – Device lock state isn’t relevant
 – Can get all information from the device

9. What is Jailbreak?
• Jailbreak – circumventing iOS security in order to run custom code
• Boot-level or application-level
• Tethered or untethered

10. Types of Jailbreaks
• App-level JB gets kernel code execution by exploiting apps
 – e.g. JailbreakMe
 – Can be fixed by new firmware
• Boot-level JB loads a custom kernel by breaking the chain of trust
 – e.g. limera1n
 – Can’t be fixed if it exploits a vulnerability in BootROM

11. Jailbreak and Forensics
• Tethered JB
 – Host connection is required to boot into JB state
 – Exploit(s) are sent by the host
 – May leave minimal traces on the device
• Untethered JB
 – Device is modified so that it can boot in jailbroken state by itself
 – Leaves permanent traces

12. Acquisition Options (same as slide 8)

14. Unlocking the Device
• Passcode
• iTunes pairing
 – If iTunes has seen the device before, it can unlock it
 – iOS 4: always
 – iOS 5: if passcode has been entered on the device after power-on
 – Don’t switch off an iOS 5 device after seizure (if there is a chance that you’ll have the PC/Mac it is paired with)
15. iPhone Forensics 101 (same as slide 6)

16. iOS < 4.0 Passcode
• Lockscreen (i.e. UI) is the only protection
• Passcode is stored in the keychain
 – Passcode itself, not its hash
• Can be recovered or removed instantly
 – Remove record from the keychain
 – And/or remove setting telling UI to ask for the passcode

17. iOS 4/5 Passcode
• Passcode is used to compute encryption key
 – Computation tied to hardware key
 – Same passcode will yield different passcode keys on different devices!
• Passcode key is required to unlock some of the content protection keys
 – Most files don’t require a passcode for decryption
 – Most keychain items do require a passcode for decryption

18. iOS 4/5 Passcode
• Passcode-to-key transformation is slow
• Offline bruteforce currently is not possible
 – Requires extracting hardware key
• On-device bruteforce is slow
 – 2 p/s on iPhone 3G, 7 p/s on iPad
• We have a hint on password complexity

19–22. iOS 4/5 Passcode (built up over four slides)
• 0 – digits only, length = 4 (simple passcode)
• 1 – digits only, length != 4
• 2 – contains non-digits, any length
Can at least identify weak passcodes

23. iPhone Forensics 101 (same as slide 6)
24. iOS < 4.0 Keychain
• SQLite3 DB, only passwords are encrypted
• All items are encrypted with the device key and random IV
• Key can be extracted (computed) for offline use
• All past and future keychain items from the device can be decrypted using that key
Item layout (encrypted with Key 0x835): offset 0: IV; offset 16: Data, followed by SHA-1 (Data)

25. iOS 4 Keychain
• SQLite3 DB, only passwords are encrypted
• Random key for each item, AES-CBC
• Item key is protected with corresponding protection class master key
• Some keychain items are included in the iTunes backup
• In encrypted iTunes backup keychain items are encrypted using backup password
Item layout: offset 0: version field = 0; offset 4: Class; offset 8: Wrapped Item Key; offset 48: Encrypted Item

26. iOS 5 Keychain
• Based on iOS 4 encryption
• All attributes are now encrypted (not only password)
• AES-GCM is used instead of AES-CBC
• Enables integrity verification
Item layout: offset 0: version field = 2; offset 4: Class; offset 8: Wrapped Key Length; offset 12: Wrapped Key, followed by Encrypted Data (+Integrity Tag)

27. iPhone Forensics 101 (same as slide 6)
28. iOS < 4.0 Disk Encryption
• No encryption

29. iOS 4 Disk Encryption
• Only User partition is encrypted
• Available protection classes:
 – NSProtectionNone (can decrypt without passcode)
 – NSProtectionComplete (can’t decrypt without passcode)
• Filesystem metadata encrypted transparently
• Files are encrypted using per-file random key
 – Reliable recovery of deleted files is not currently possible

30. iOS 5 Disk Encryption
• New partition scheme – “LwVM” – Lightweight Volume Manager
• Any partition can be encrypted
• New protection classes
 – NSFileProtectionCompleteUntilFirstUserAuthentication
 – NSFileProtectionCompleteUnlessOpen
• IV for file encryption is computed differently

31. iOS Forensics
• Acquiring disk image is not enough for iOS 4+
 – Content protection keys must also be extracted from the device during acquisition
• Passcode or escrow keybag is needed for a complete set of content protection keys
• In real world it might be a good idea to extract source data and compute protection keys offline

32. iOS Forensics (key hierarchy diagram)
Legend: must be done on the device; passcode; required to decrypt files/keychain; sufficient for offline key reconstruction.
• UID Key → KDF (with Passcode) → Passcode Key
• UID Key → Key 0x89B, Key 0x835
• Effaceable Storage: ‘EMF!’ / ‘LwVM’, ‘Dkey’, ‘BAG1’
• FS Key → Decrypt (filesystem)
• systembag.kb → Decrypt → System Keybag (locked) → Unlock → System Keybag (unlocked): Class A Key (#1), Class B Key (#2), Class C Key (#3), Class D Key (#4), Class Key #5 … Class Key #11
33. Useful Tools
• Logical: iPhone Backup
 – iTunes (acquire)
 – Oxygen Forensics Suite, iBackupBot (view)
 – Elcomsoft Phone Password Breaker (recover password, view backup keychain, decrypt backup)
• Read files directly (AFP)
 – iExplorer
• Physical: filesystem acquisition
 – Elcomsoft iOS Forensic Toolkit, AccessData MPE+, Cellebrite UFED, XRY, etc.
 – iphone-dataprotection (at Google Code)

34. iOS Forensic Toolkit (device support matrix; column alignment was lost in extraction)
Devices: iPhone, iPhone 3G, iPhone 3GS, iPhone 4, iPhone 4S, iPod Touch 1, iPod Touch 2, iPod Touch 3, iPod Touch 4, iPad 1, iPad 2
iOS version: 3.1.3, 4.2.1, 3.1.3, 5.1.1, 5.1.1, 5.0, 5.01 (JB)
Physical acquisition: + + + + +
Passcode recovery: instant + instant + +
Keychain decryption: + + + + +
Disk decryption: not encrypted + +

35. Conclusions
• iPhone physical analysis is possible
• Physical acquisition requires boot-time exploit
• Passcode is usually not a problem
 – Due to technology before iOS 4
 – Due to human factor with iOS 4/5
• Both proprietary and open-source tools for iOS 4/5 acquisition are available

36. iCloud Backups
• It is now possible to download iOS backups from the iCloud
• Backups in iCloud are NOT encrypted
 – Even if backup encryption is ON
• Apple ID and password are required
 – Can be found on PC/Mac/iOS devices

37. (no text on this slide)
38. BlackBerry Forensics 101
• Acquisition
 – Need to get data off the device
• Device password
 – Prevents unauthorized access to the device
• File encryption
 – i.e. *.rem files on SD Card

39. Acquisition Options
• Logical: BlackBerry backup
 – Must know device password
 – Backup encryption is NOT enforced
 – Limited amount of information
• Physical
 – Must know device password
 – Can get all information from the device
• Chip-off
 – Don’t need device password
 – Destructive process

41. Device Password
• No reliable ways to recover
• Can be recovered in one special case:
 – Files on SD card are encrypted
 – Encryption is set to “Security password” or “Device password”
• Can be recovered for “Device password & Device Key” if device dump is available

42. BlackBerry Forensics 101 (same as slide 38)

43. File Encryption
• Encryption options:
 – Device Key
 – Device Password
 – Device Password & Device Key
• Device Key is per-card and stored in NVRAM
• Some files are encrypted using a different key (?)
 – E.g. WhatsApp database on SD card
 – Not clear why, maybe an implementation of PersistentStore

44. File Decryption
• Files can be decrypted provided
 – Device dump (for Device Key option)
 – Device password (for Device Password option)
 – Both (for Device Password & Device Key option)
• ‘PersistentStore’ files (e.g. WhatsApp database) can be decrypted provided device dump
 – Tool for this is available free of charge for law enforcement

45. Useful Tools
• Logical: BlackBerry backup
 – BlackBerry Desktop Manager (acquire)
 – Elcomsoft BlackBerry Backup Explorer (view)
 – Elcomsoft Phone Password Breaker (recover backup password, decrypt backup; recover BlackBerry PasswordKeeper and Wallet passwords)
• Physical
 – Cellebrite
• Other
 – Elcomsoft Phone Password Breaker (recover device password, decrypt SD card files)

47. iOS and BlackBerry Forensics
Andrey Belenko, Elcomsoft Co. Ltd.
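The pre-iOS 4 keychain item layout from slide 24 (a 16-byte IV, then the ciphertext of Data followed by SHA-1 of Data, encrypted under Key 0x835), as an added Go example that is not code from the talk or from Elcomsoft: it builds a constructed blob in that layout, decrypts it and checks the SHA-1 trailer, which is what lets an analyst tell a correct 0x835 key from a wrong one. The device-derived Key 0x835 is replaced by a constructed 32-byte key; AES-256-CBC and PKCS#7 padding are assumptions of the example, not statements from the slide.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/sha1"
	"fmt"
)

// decryptLegacyItem parses the pre-iOS 4 keychain blob from slide 24: 16-byte IV,
// then AES-CBC (Key 0x835) ciphertext of Data || SHA-1(Data). AES-256 for the
// 0x835 key and PKCS#7 padding are assumptions of this example, not slide facts.
func decryptLegacyItem(key835, blob []byte) ([]byte, error) {
	blk, err := aes.NewCipher(key835)
	if err != nil {
		return nil, err
	}
	if len(blob) < 48 || len(blob)%16 != 0 { // IV + enough blocks for digest and padding
		return nil, fmt.Errorf("bad blob length %d", len(blob))
	}
	pt := make([]byte, len(blob)-16)
	cipher.NewCBCDecrypter(blk, blob[:16]).CryptBlocks(pt, blob[16:])
	pad := int(pt[len(pt)-1])
	if pad < 1 || pad > 16 || !bytes.Equal(pt[len(pt)-pad:], bytes.Repeat([]byte{byte(pad)}, pad)) {
		return nil, fmt.Errorf("bad padding: wrong key?")
	}
	pt = pt[:len(pt)-pad]
	if len(pt) < sha1.Size {
		return nil, fmt.Errorf("plaintext shorter than its SHA-1 trailer")
	}
	data, want := pt[:len(pt)-sha1.Size], pt[len(pt)-sha1.Size:]
	if got := sha1.Sum(data); !bytes.Equal(got[:], want) {
		return nil, fmt.Errorf("SHA-1 trailer mismatch: wrong key or corrupted item")
	}
	return data, nil
}

// encryptLegacyItem produces a blob in the same layout; used only to build sample data.
func encryptLegacyItem(key835, iv, data []byte) []byte {
	blk, _ := aes.NewCipher(key835)
	sum := sha1.Sum(data)
	pt := append(append([]byte{}, data...), sum[:]...)
	pad := 16 - len(pt)%16
	pt = append(pt, bytes.Repeat([]byte{byte(pad)}, pad)...)
	ct := make([]byte, len(pt))
	cipher.NewCBCEncrypter(blk, iv).CryptBlocks(ct, pt)
	return append(append([]byte{}, iv...), ct...)
}

// Constructed stand-ins for the device-derived Key 0x835 and the per-item random IV.
var sampleKey835 = bytes.Repeat([]byte{0x83, 0x5a}, 16) // 32 bytes, not a real device key
var sampleIV = []byte("0123456789abcdef")

func main() {
	blob := encryptLegacyItem(sampleKey835, sampleIV, []byte("mail-password"))
	fmt.Println(decryptLegacyItem(sampleKey835, blob))
}
```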
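The iOS 4 and iOS 5 keychain item layouts from slides 25 and 26, as an added Go example that is not code from the talk, from Elcomsoft or from iphone-dataprotection: it parses the version-2 (iOS 5) blob, unwraps the per-item key with a protection class master key and opens the AES-GCM payload, so a wrong class key, a truncated item or a single modified byte is rejected instead of silently yielding garbage (the integrity verification slide 26 describes; the version-0 iOS 4 layout differs in its fixed 40-byte wrapped key and AES-CBC payload). Assumptions not stated on the slides: little-endian header fields, RFC 3394 AES key wrap for the wrapped key, a fixed zero nonce; the class key and wrapped key are the RFC 3394 section 4.1 test vector, not device data.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"fmt"
)

// aesUnwrap is RFC 3394 AES key unwrap; that the class master key "protects" the item key this way is an assumption of this example.
func aesUnwrap(kek, wrapped []byte) ([]byte, error) {
	c, err := aes.NewCipher(kek)
	if err != nil || len(wrapped) < 24 || len(wrapped) > 40 || len(wrapped)%8 != 0 {
		return nil, fmt.Errorf("bad class key or wrapped key length %d", len(wrapped))
	}
	n, b := len(wrapped)/8-1, make([]byte, 16)
	a, r := append([]byte{}, wrapped[:8]...), append([]byte{}, wrapped[8:]...)
	for j := 5; j >= 0; j-- {
		for i := n - 1; i >= 0; i-- {
			copy(b[:8], a)
			for k, t := 0, uint64(n*j+i+1); k < 8; k++ { // A ^ t, t as big-endian 64-bit
				b[7-k] ^= byte(t >> (8 * k))
			}
			copy(b[8:], r[i*8:])
			c.Decrypt(b, b)
			copy(a, b[:8])
			copy(r[i*8:], b[8:])
		}
	}
	if string(a) != "\xa6\xa6\xa6\xa6\xa6\xa6\xa6\xa6" { // RFC 3394 integrity check value
		return nil, fmt.Errorf("unwrap integrity check failed: wrong class key?")
	}
	return r, nil
}

// gcmNonce is assumed (the slide gives no IV); safe here because each random item key encrypts exactly one item.
var gcmNonce = make([]byte, 12)
// decryptItem reads the version-2 (iOS 5) layout from slide 26, little-endian assumed: version | class | wrapped key length | wrapped key | AES-GCM data + tag.
func decryptItem(blob, classKey []byte) ([]byte, error) {
	if len(blob) < 28 { // 12-byte header plus at least the 16-byte GCM tag
		return nil, fmt.Errorf("item too short (%d bytes)", len(blob))
	}
	ver, wl := binary.LittleEndian.Uint32(blob), int(binary.LittleEndian.Uint32(blob[8:]))
	if ver != 2 || 12+wl+16 > len(blob) {
		return nil, fmt.Errorf("unsupported version %d or truncated item", ver)
	}
	itemKey, err := aesUnwrap(classKey, blob[12:12+wl])
	if err != nil {
		return nil, err
	}
	blk, _ := aes.NewCipher(itemKey) // 16..32-byte key guaranteed by aesUnwrap's length check
	gcm, _ := cipher.NewGCM(blk)
	return gcm.Open(nil, gcmNonce, blob[12+wl:], nil) // Open rejects any modified byte
}

// Constructed sample, not device data: RFC 3394 section 4.1 test vector, so the unwrapped item key is 00112233445566778899AABBCCDDEEFF.
var sampleClassKey = []byte{0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15}
var sampleWrapped = []byte{0x1F, 0xA6, 0x8B, 0x0A, 0x81, 0x12, 0xB4, 0x47, 0xAE, 0xF3, 0x4B, 0xD8, 0xFB, 0x5A, 0x7B, 0x82, 0x9D, 0x3E, 0x86, 0x23, 0x71, 0xD2, 0xCF, 0xE5}
func buildSample(secret []byte) []byte {
	itemKey, _ := aesUnwrap(sampleClassKey, sampleWrapped)
	blk, _ := aes.NewCipher(itemKey)
	gcm, _ := cipher.NewGCM(blk)
	hdr := make([]byte, 12)
	binary.LittleEndian.PutUint32(hdr, 2)                              // version 2 = iOS 5 layout
	binary.LittleEndian.PutUint32(hdr[4:], 1)                          // protection class A (#1)
	binary.LittleEndian.PutUint32(hdr[8:], uint32(len(sampleWrapped))) // wrapped key length
	return append(append(hdr, sampleWrapped...), gcm.Seal(nil, gcmNonce, secret, nil)...)
}

func main() {
	fmt.Println(decryptItem(buildSample([]byte("example-wifi-psk")), sampleClassKey))
}
```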