Forensics extraction is the process of getting into a computer device (in this case an iOS device) and extracting all the data from it. And
Elcomsoft’s iOS Forensics Toolkit is an incredibly powerful piece of kit that enables you to hack into, and extract pretty much everything on an iPhone (passcodes, keys, files, messages, audio recordings, and so on).
Why would you want to do such a thing? Well aside from hacker curiosity the main market for forensics software is law enforcement. In court cases there is often a requirement for detailed recording and analysis of mobile phone devices (text messages, emails, phone voicemail messages, call records, photos and so on).
What piqued our interest at first was data recovery: a friend of a friend’s iPhone was showing no signs of life (the battery would not charge).
An iPhone that refuses to charge could be because of a faulty battery, but it’s often the case that it’s a firmware or iOS installation problem. In this case restoring the iPhone usually fixes the issue, but wipes the iPhone: our friend was adamant that the content on the iPhone was more important than the phone itself. And there was no backup.
All the important files are securely held inside the device itself in encrypted files, often with a passcode lock on the front of the phone. In our situation (with access to passcodes) we could use less powerful software than this; but once we’d heard of the software we asked to give it a professional test.
Elcomsoft’s iOS Forensic Toolkit is combination of software (both Mac and Windows compatible) that works alongside a USB key (which is itself a security measure to ensure that the software isn’t pirated or distributed to just anybody).
We investigated a number of different iOS forensics software options (which we’ll also look at) but this seems to us to be the most thorough and detailed on the market. It’s not the easiest to use because it’s command-line based so you’ll need to know your way around the Terminal. But there are advantages to this: for one thing it requires you to read the instructions carefully (no bad thing when you’re doing something as detailed as this).
See also: Apple publishes iOS security guide
Given how well it worked (more later), you’ll be pleased to hear that getting hold of forensics software like this isn’t that easy. In the word’s of Elcomsoft itself:
“ElcomSoft restricts the availability of the Elcomsoft iOS Forensic Toolkit for to select government entries such as law enforcement and forensic organizations and intelligence agencies; also, the toolkit is a subject to special license agreement.”
That license agreement insists that you are an approved enforcement agency, and are acting “under the color of the law when operating the product” and that you are the “legal owner or in legal possession and/or control” of the device.
And you know how most software licenses have a button that says “Click Here”? This one has a part where you sign it in ink and return to Elcomsoft before you get hold of the software and USB dongle.
So basically you have to prove that you have a genuine need for this software. Which is a good thing, because Elcomsoft iOS Forensic Toolkit is a set of tools aimed at making it possible to acquire and analyze the entire contents of an iOS device that is passcode protected.
The software side of things runs through Terminal. So you’ll need a good working knowledge of the command-line to get it up and running. There is a Guided Access Mode, which walks you through the steps, and a manual mode that enables you to perform each task with specific parameters. We found the Guided Access Mode achieved the task perfectly.
The Guided Access Mode that takes you through each of the necessary steps:
1. Enter DFU
2. Load Ramdisk
3. Image Disk
4. Tar Files
5. Get Keys
6. Get Passcode
8. Descrypt Disk
9. Decyrput Keychain
The first step is to put the iOS device into
DFU (Device Firmware Update) mode. This is done by holding down the Sleep/Wake and Home buttons, then releasing the Sleep/Wake button and keeping the Home button held down. When in DFU mode the iPhone screen should appear blank (this is different to Recovery mode – which displays an iTunes dock connector on the device screen).
Once the device is in DFU mode you load the Toolkit Ramdisk into the iPhone memory. This is the ‘hack’ part, and ensures that the rest of the software can access and extract data from the device. It’s all automated but you do need specify exactly what model of iOS device you are dealing with. It can be confusing between models such as iPhone 3 or 3GS, 4 or 4S but if you’re unsure this information can be found out using a Jailbreak program such
Redsnow (which can identify devices in DFU mode).
Once the Tookit Ramdisk is loaded you can begin the process of forensics extraction (note that if you stop the process you’ll need to load the Toolkit Ramdisk again, it isn’t stored on the device).
The next step is to copy the image disks from the iOS devices memory to your hard drive. There are two disks to copy:
The System disk contains the iOS installation itself, and is unencrypted. This User disk is the part that contains all the iOS device owner’s information (emails, messages, and so forth) and is – understandably – encrypted.
Copying the System disk takes about 10 minutes, but copying the User disk can take anywhere from half an hour to several hours depending on the size of the disk. Our test unit took just under an hour to copy a 32GB iPhone disk. By default it copies the disks to your Home directory as .DMG files, although you can specify another location.
You can also download the user’s files as a
tarball (the TAR file format combines multiple files into a single file). This is faster than copying the Image Disk as it copies just the files and not the unused space. As with copying the User file as an Image Disk this takes considerable time, but is faster than copying the entire Image file. We imagine detailed forensics will require the more thorough approach.
Once you’ve got the files you still can’t access them. Instead you have to go through the process of getting the keys (which are the internal codes used to access the User data) and the passcode (the pin number you use to access the device). Getting the keys is a matter of seconds, but requires you to either have the passcode or the Escrow file (which is stored on a Mac that is synced with the device). Escrow only works with iOS 4 or earlier and is located in / var/db/lockdown (it is the UDID number of the device followed by .plist).
It’s typically easier to the get the passcode before getting the keys, although we found it odd that Get Keys was step 4 and Get Passcode was Step 5.
Obtaining the passcode uses a brute force attack (continuously entering four digit combinations until it finds the right one – this is done at a system level so it isn’t susceptible to the 10 entry restriction that users have when physically tapping numbers into the device). It reported entering 3.2 or 3.3 p/s (which we assume means passwords per second) so can take quite a while (it took about 15 minutes to get the passcode – this is saved in a separate text file).
Finally you can reboot the device, and use the device keys to decrypt the Disk and Keychain (to access the keys). You no longer need the iOS device to be connected at this point, this enables you to access the files you have stored to your computer. This saves a separate user file (typically called User-Decrypted.DMG that you can browse.) If you are using a Jailbroken phone you might not have to decrypt the original User.dmg file (so it’s worth checking).
In all it’s by no means a simple process, but not one that is beyond somebody with a reasonable amount of computer knowledge and an ability to carefully read the instructions. There is a manual mode that enables you to do each step with a wide range of options and features, but we found the Guided Access Mode walked us fairly effortlessly through the whole process.
Once you’ve got everything off of the phone you end up with a viewable DMG user file that you can open and browse on a Mac like any other volume. Most files are found within the Mobile folder, which contains Applications, Library, and Media.
Here you’ll find everything from music, to SMS messages, Address Book Contacts, and even recorded Voice Mail messages (assuming they’re using Visual Voicemail).
A lot of the files (like the Address Book) are stored as SQL database files, so you’ll need an SQL browser to make sense of them. There’s a pretty good one for the Firefox web browser called
SQLite Manger and an open source option called SQLite Database Browser . The User.dmg of an iPhone isn’t exactly a user-friendly environment (it’s not designed to be) so don’t expect to be able to find everything at once, but it’s all in there. Incidentally you can take a look at the contents of your user director from a backup using a program like
iPhone / iPod Touch Backup Extractor.
We had a lot of success with our dead iPhone. In our case we found that we had to Jailbreak the device first, which managed to fix the battery problem and enable us to enter DFU mode to recover all the data. We could have just done an iTunes backup at this point, but then we wouldn’t have figured out how to extract all data from an iPhone with forensics software. And we wanted to make sure we had it all safe and sound. After we had a decent backup of everything we did a Software Update to remove the Jailbreak and re-installed everything from the iTunes backup.
There are easier options available to you for data extraction that Elcomsoft’s iOS Forensic Toolkit, and if you’re just looking to backup and extract data you might want to investigate
Ecamm’s PhoneView, which has a user-friendly interface and enables you to back up images, messages, emails, music and other content from an iOS device. Although PhoneView doesn’t enable you to extract the passcode from the device, and only works if you have either the passcode or have synced the device with your computer. So it’s okay for personal use but far less interesting to serious investigators.