iOS and BlackBerry Forensics
Andrey Belenko
Elcomsoft Co. Ltd.
1
Agenda
• Basics• iOS Forensics– iOS Security before iOS 4– iOS 4 Data Protection– iOS 5 Data Protection Changes
• BlackBerry Forensics• Summary
2
Forensics 101
Acquisition ➜ Analysis ➜ Reporting
GOALS:
1. Assuming physical access to the device extract as much informa>on as prac>cal
2. Leave as li@le traces/ar>facts as prac>cal
3
4
iOS: Why Even Bother?
• Almost 5 years on the market• 250+ million iOS devices sold worldwide• 6 iPhones, 4 iPods, 2 iPads
• “Smart devices” – they do carry a lot of sensitive data• Corporate deployments are increasing
There was, is, and will be a real need in iPhone Forensics
5
iPhone Forensics 101
• Acquisition–Need to get data off the device
• Passcode–Prevents unauthorized access to the device–Bypassing passcode is usually enough
• Keychain–Central storage for sensitive data (passwords, keys)–Encrypted
• Storage (disk) encryption
6
iPhone Forensics 101
• Acquisition–Need to get data off the device
• Passcode–Prevents unauthorized access to the device–Bypassing passcode is usually enough
• Keychain–Central storage for sensitive data (passwords, keys)–Encrypted
• Storage (disk) encryption
7
Acquisition Options
• Logical: iPhone Backup–Device must be unlocked–Device may produce encrypted backup–Limited amount of information
• Read files directly (AFP)–Device must be unlocked–Limited access (non-jailbroken devices)
• Physical: filesystem acquisition–Boot-time exploit to run unsigned code–Device lock state isn’t relevant–Can get all information from the device
8
What is Jailbreak?
• Jailbreak – circumventing iOS security in order to run custom code• Boot-level or application-level• Tethered or untethered
9
Types of Jailbreaks
• App-level JB gets kernel code execution by exploiting apps–e.g. JailbreakMe–Can be fixed by new firmware
• Boot-level JB breaks loads custom kernel by breaking chain of trust–e.g. limera1n–Can’t be fixed if exploits vulnerability in BootROM
10
Jailbreak and Forensics
• Tethered JB–Host connection is required to boot into JB state–Exploit(s) are sent by the host–May leave minimal traces on the device
• Untethered JB–Device is modified so that it can boot in jailbroken state
by itself–Leaves permanent traces
11
Acquisition Options
• Logical: iPhone Backup–Device must be unlocked–Device may produce encrypted backup–Limited amount of information
• Read files directly (AFP)–Device must be unlocked–Limited access (non-jailbroken devices)
• Physical: filesystem acquisition–Boot-time exploit to run unsigned code–Device lock state isn’t relevant–Can get all information from the device
12
Acquisition Options
• Logical: iPhone Backup–Device must be unlocked–Device may produce encrypted backup–Limited amount of information
• Read files directly (AFP)–Device must be unlocked–Limited access (non-jailbroken devices)
• Physical: filesystem acquisition–Boot-time exploit to run unsigned code–Device lock state isn’t relevant–Can get all information from the device
13
Unlocking the Device
• Passcode• iTunes pairing
–if iTunes have seen the device before, it can unlock it–iOS 4: always–iOS 5: if passcode has been entered on device after
power-on–don’t switch off iOS 5 device after seizure (if there is a
chance that you’ll have PC/Mac it is paired with)
14
iPhone Forensics 101
• Acquisition–Need to get data off the device
• Passcode–Prevents unauthorized access to the device–Bypassing passcode is usually enough
• Keychain–Central storage for sensitive data (passwords, keys)–Encrypted
• Storage (disk) encryption
15
iOS < 4.0 Passcode
• Lockscreen (i.e. UI) is the only protection• Passcode is stored in the keychain–Passcode itself, not its hash
• Can be recovered or removed instantly–Remove record from the keychain–And/or remove setting telling UI to ask for the
passcode
16
iOS 4/5 Passcode
• Passcode is used to compute encryption key–Computation tied to hardware key–Same passcode will yield different passcode keys on
different devices!• Passcode key is required to unlock some of the
content protection keys–most files don’t require a passcode for decryption–most keychain items do require a passcode for
decryption
17
iOS 4/5 Passcode
• Passcode-to-Key transformation is slow• Offline bruteforce currently is not possible–Requires extracting hardware key
• On-device bruteforce is slow–2 p/s on iPhone 3G, 7 p/s on iPad
• We have hint on password complexity
18
iOS 4/5 Passcode
• 0 – digits only, length = 4 (simple passcode)
19
iOS 4/5 Passcode
• 0 – digits only, length = 4 (simple passcode)
• 1 – digits only, length != 4
20
iOS 4/5 Passcode
• 0 – digits only, length = 4 (simple passcode)
• 1 – digits only, length != 4
• 2 – contains non-digits, any length
21
iOS 4/5 Passcode
• 0 – digits only, length = 4 (simple passcode)
• 1 – digits only, length != 4
• 2 – contains non-digits, any length
Can at least identify weak passcodes
22
iPhone Forensics 101
• Acquisition–Need to get data off the device
• Passcode–Prevents unauthorized access to the device–Bypassing passcode is usually enough
• Keychain–Central storage for sensitive data (passwords, keys)–Encrypted
• Storage (disk) encryption
23
iOS < 4.0 Keychain
• SQLite3 DB, only passwords are encrypted• All items are encrypted with the device key and
random IV• Key can be extracted (computed) for offline use• All past and future keychain items from the device
can be decrypted using that key
IV Data
016
SHA-‐1 (Data)
Encrypted with Key 0x835
24
iOS 4 Keychain
• SQLite3 DB, only passwords are encrypted• Random key for each item, AES-CBC• Item key is protected with corresponding
protection class master key• Some keychain items are included in the iTunes
backup• In encrypted iTunes backup keychain items are
encrypted using backup password
0 Class Wrapped Item Key Encrypted Item
0 4 8 48
25
iOS 5 Keychain
• Based on iOS 4 encryption
• All attributes are now encrypted (not only password)
• AES-GCM is used instead of AES-CBC• Enables integrity verification
2 Class Wrapped Key Encrypted Data (+Integrity Tag)
0 4 8
Wrapped Key Length
12
26
iPhone Forensics 101
• Acquisition–Need to get data off the device
• Passcode–Prevents unauthorized access to the device–Bypassing passcode is usually enough
• Keychain–Central storage for sensitive data (passwords, keys)–Encrypted
• Storage (disk) encryption
27
iOS < 4.0 Disk Encryption
• No encryption
28
iOS 4 Disk Encryption
• Only User partition is encrypted• Available protection classes:– NSProtectionNone (can decrypt without passcode)– NSProtectionComplete (can’t decrypt without passcode)
• Filesystem metadata encrypted transparently• Files are encrypted using per-file random key–Reliable recovery of deleted files is not currently
possible
29
•New partition scheme– “LwVM” – Lightweight Volume Manager
• Any partition can be encrypted•New protection classes– NSFileProtectionCompleteUntilFirstUserAuthentication– NSFileProtectionCompleteUnlessOpen
• IV for file encryption is computed differently
iOS 5 Disk Encryption
30
iOS Forensics
• Acquiring disk image is not enough for iOS 4+– Content protection keys must also be extracted from
the device during acquisition
• Passcode or escrow keybag is needed for a complete set of content protection keys• In real world it might be a good idea to extract
source data and compute protection keys offline
31
UID Key
Key 835Key 89B
Passcode
Passcode Key
systembag.kb Decrypt
KDF
‘EMF!’ / ‘LwVM’‘Dkey’‘BAG1’
Effaceable Storage
Class A Key (#1)
System Keybag (locked)
Class B Key (#2)Class C Key (#3)Class D Key (#4)
Class Key #5
…Class Key #11
DecryptFS Key
Unlock
System Keybag(unlocked)
Must be done on the device
Required to decrypt files/keychain
Sufficient for offline key reconstruction
iOS Forensics
32
Useful Tools
• Logical: iPhone Backup–iTunes (acquire)–Oxygen Forensics Suite, iBackupBot (view)–Elcomsoft Phone Password Breaker (recover password,
view backup keychain, decrypt backup)
• Read files directly (AFP)–iExplorer
• Physical: filesystem acquisition–Elcomsoft iOS Forensic Toolkit, AccessData MPE+,
Cellebrite UFED, XRY, etc–iphone-dataprotection (at Google Code)
33
iOS Forensic Toolkit
iPhoneiPod Touch 1
iPhone 3GiPod Touch 2iPhone 3G
iPod Touch 2
iPhone 3GSiPod Touch 3
iPad 1
iPhone 3GSiPod Touch 3
iPad 1
iPhone 4iPod Touch 4
iPhone 4SiPad 2
iOS version 3.1.33.1.3 4.2.1 3.1.3 5.1.1 5.1.1 5.0, 5.01 (JB)
Physical acquisition ++ + + ++ +
Passcode recovery instantinstant + instant ++ +
Keychain decryption ++ + + ++ +
Disk decryption not encryptednot encryptednot encryptednot encrypted ++ +
34
Conclusions
• iPhone physical analysis is possible• Physical acquisition requires boot-time exploit• Passcode is usually not a problem– Due to technology before iOS 4– Due to human factor with iOS 4/5
• Both proprietary and open-source tools for iOS 4/5 acquisition are available
35
iCloud Backups
• It is now possible to download iOS backups from the iCloud• Backups in iCloud are NOT encrypted–Even if backup encryption is ON
• Apple ID and password are required– Can be found on PC/Mac/iOS devices
36
37
BlackBerry Forensics 101
• Acquisition–Need to get data off the device
• Device password–Prevents unauthorized access to the device
• File encryption–i.e. *.rem files on SD Card
38
Acquisition Options
• Logical: BlackBerry backup–Must know device password–Backup encryption is NOT enforced–Limited amount of information
• Physical–Must know device password–Can get all information from the device
• Chip-off–Don’t need device password–Destructive process
39
Acquisition Options
• Logical: BlackBerry backup–Must know device password–Backup encryption is NOT enforced–Limited amount of information
• Physical–Must know device password–Can get all information from the device
• Chip-off–Don’t need device password–Destructive process
40
Device Password
• No reliable ways to recover• Can be recovered in one special case:
–Files on SD card are encrypted–Encryption is set to “Security
password” or “Device password”• Can be recovered for “Device
password & Device Key” if device dump is available
41
BlackBerry Forensics 101
• Acquisition–Need to get data off the device
• Device password–Prevents unauthorized access to the device
• File encryption–i.e. *.rem files on SD Card
42
File Encryption
• Encryption options:–Device Key–Device Password–Device Password & Device Key
• Device Key is per-card and stored in NVRAM• Some files are encrypted using different key (?)–E.g. WhatsApp database on SD card–Not clear why, maybe an implementation of
PersistentStore
43
File Decryption
• Files can be decrypted provided–Device dump (for Device Key option)–Device password (for Device Password option)–Both (for Device Password & Device Key option)
• ‘PersistentStore’ files (e.g. WhatsApp database) can be decrypted provided device dump–Tool for this is available free of charge for law
enforcement
44
Useful Tools
• Logical: BlackBerry backup–BlackBerry Desktop Manager (acquire)–Elcomsoft BlackBerry Backup Explorer (view)–Elcomsoft Phone Password Breaker (recover backup
password, decrypt backup; recover BlackBerry PasswordKeeper and Wallet passwords)
• Physical–Cellebrite
• Other–Elcomsoft Phone Password Breaker (recover device
password, decrypt SD card files)
45
Thank You!
http://ru.linkedin.com/in/belenko
@andreybelenko
46
iOS and BlackBerry Forensics
Andrey Belenko
Elcomsoft Co. Ltd.
47
Top Related