With all attention now being on new iPhone devices, it is easy to forget about the new version of iOS. While new iPhone models were mostly secret until announcement, everyone could test iOS 11 for months before the official release. In this article we’ll cover what you can and what you cannot do with an iOS11 device as a forensic expert. We’ll talk about which acquisition methods still works and which don’t, what you can and cannot extract compared to iOS10, and what you need to know in order to make the job don’t.
Physical Acquisition
With no jailbreak on the horizon, physical acquisition remains unavailable. Even when an iOS11 jailbreak appears, you still have to wait for us to update Elcomsoft iOS Forensic Toolkit.
What you need to perform physical acquisition of an iOS11 device?
1. A working jailbreak
2. Device passcode
3. iOS Forensic Toolkit
5. Passcode (again)
Logical Acquisition
There are 2 steps in logical acquisition: acquiring a local backup from the iOS device and accessing information stored in that backup. While in previous versions of iOS logical acquisition was possible once you unlocked the device with whatever methods, iOS11 requires you to enter device passcode in order to pair it with a computer.
To perform logical acquisition, you need:
1. Device passcode OR valid pairing record (lockdown file)
2. iOS Forensic Toolkit
If the user specified a backup password, you need to recover that password first in order to decrypt the content of the backup. The recovery is only possible by running a brute-force or dictionary attack; there are no known weaknesses in iOS11 backups that would allow to bypass the password. Note that password attacks are extremely slow for iOS11 backups. Elcomsoft Phone Breaker supports backups produced by iOS11 devices:
1. You need Elcomsoft Phone Breaker to attack backup passwords and/or decrypt the backup
2. Elcomsoft Phone Viewer 4.0 will be soon updated to support iOS11 backups, you need this version or newer to view and analyze iOS11 backups
Keychain Acquisition
There are still 2 possible methods allowing experts to obtain information stored in iOS11 Keychain:
1. Logical acquisition > Password-protected backup > decrypted keychain
2. iCloud Keychain
In order to access the keychain via logical acquisition, do the following:
1. In Elcomsoft iOS Forensic Toolkit, use option “B” (Backup)
2. If backup password is empty, EIFT will temporarily use “123” as a password
3. If backup password is present and it is not known, use Elcomsoft Phone Breaker to recover that password
4. Open the backup in Elcomsoft Phone Breaker
5. In EPB, select “Keychain Explorer” and provide path to the location of the backup
6. Enter backup password to allow the tool to decrypt the backup
7. Now you are able to view, analyze or export keychain items
Cloud Acquisition
iOS11 continues supporting cloud backups. They are still stored in iCloud Drive and are still not accessible without specialized tools such as Elcomsoft Phone Breaker. While internally iOS11 made a number of changes to iCloud backups, the acquisition process still looks familiar except for one thing: Two-Step Verification is no longer supported. All Apple ID accounts that used Two-Step Verification before will be automatically migrated to the much stronger Two-Factor Authentication once the user updates at least one of their devices to iOS11 or macOS High Sierra. Therefore, the acquisition process will look as follows.
No Two-Factor Authentication
1. Apple ID and password or valid iCloud authentication token
2. Elcomsoft Phone Breaker
Two-Factor Authentication
1. Apple ID and password or valid iCloud authentication token
2. If using Apple ID and password: access to trusted device
3. Elcomsoft Phone Breaker
No Notifications in Backups
In iOS11, notifications are no longer part of any backups, local or iCloud. With no iOS11 jailbreak, we have no way to verify whether notifications older than 7 days are still stored on the device or not.
Synced Data
Little has changed in regards to synced data. You still have access to everything you could access in iOS10, and there are no new bits of data added to the synced set. You can still fetch synced call logs, Safari browsing history and bookmarks from iCloud accounts. Contacts, calendars, notes, reminders and mail remain accessible.
In order to obtain synced data from the user’s Apple Account, you need the following:
1. Elcomsoft Phone Breaker
2. Apple ID and password or iCloud authentication token
3. If Apple ID/password are used and Two-Factor Authentication enabled: access to a trusted device is required
No Comments Found