KEMBAR78
iOS Forensic Toolkit | PDF | Ios | Computer File
100% found this document useful (3 votes)
2K views21 pages

iOS Forensic Toolkit

iOS Forensic Toolkit

Uploaded by

mourad ba
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
100% found this document useful (3 votes)
2K views21 pages

iOS Forensic Toolkit

iOS Forensic Toolkit

Uploaded by

mourad ba
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 21

Elcomsoft iOS Forensic Toolkit

This document contains information about the use of Elcomsoft iOS Forensic Toolkit for
Microsoft Windows and macOS, and includes technical information required to understand
the internal working of the Toolkit.

Table of Contents

1. Requirements 2
2. General Description 2
3. Usage 2
3.1. Compatibility 2
3.2. Preparing for Acquisition 3
3.3. Main Menu 3
3.4. ‘I’ – Getting Device Information 5
3.5. ‘R’ – Get info on device in Recovery or DFU mode 6
3.6. Logical Acquisition 7
3.6.1. ‘B’ - Capture backup 7
3.6.2. ‘M’ – Copy media files 9
3.6.3. ‘S’ – Copy shared files 9
3.6.4. ‘L’ - Copy crash logs 10
3.7. Physical acquisition (full file system and keychain extraction) with jailbreak 10
3.7.1. Configuring iOS device 11
3.7.2. Installing a Jailbreak 11
3.7.3. Acquisition steps 12
3.7.4. Installing OpenSSH 12
3.7.5. Disabling screen lock 12
3.7.6. Acquiring the keychain 13
3.7.7. Acquire users’ files from iOS device as a tarball 13
3.7.8. Keychain acquisition 14
3.8. Acquisition agent 14
3.8.1. General information and requirements 14
3.8.2. Acquisition 15
3.8.3. Removing the Agent 15
3.9. Analysing tarball 15
Appendix A. Supported devices 17
Appendix B. Obtaining and installing a jailbreak 18
Appendix C. Troubleshooting 21

Elcomsoft iOS Forensic Toolkit rev. 6.20 © 2011-2020 ElcomSoft Co. Ltd.
1. Requirements
Elcomsoft iOS Forensic Toolkit requires a computer running Windows 7 through 10, or
macOS from 10.12 (Sierra) to 10.15 (Catalina). On Windows, the latest version of iTunes
should be installed.

Note: Elcomsoft iOS Forensic Toolkit 4.0 and newer support 64-bit Apple devices only
(iPhone 5s through iPhone 11, iPad Mini 2+, iPad Pro, iPad Air etc.) Users who require
support for legacy (iPhone 4 and older) and 32-bit (iPhone 4s, 5, 5c) devices must use
Elcomsoft iOS Forensic Toolkit 3.0 instead.

2. General Description
Elcomsoft iOS Forensic Toolkit is a set of tools for physical and logical acquisition of iOS
devices. For 64-bit devices (iPhone 5S and later, iPad Mini 2+, iPad Air, iPad Pro),
physical acquisition is performed as full file system imaging (TAR) and keychain decryption
if a jailbreak is available or if the combination of hardware and the version of iOS is
supported by the acquisition agent (Appendix A. Supported devices). Logical acquisition
is available for all device models and iOS versions with or without a jailbreak. For devices
with a valid lockdown file (iTunes pairing record), logical acquisition may be possible even
without a passcode.

3. Usage
The Toolkit ships with a USB protection dongle. Keep this dongle connected to the PC at
all times while using the Toolkit.

Please read this document carefully before attempting to extract an iOS device. You are
advised to carefully read the output produced by the script driver.

iOS Forensic Toolkit is launched by running a command-line script (Toolkit.cmd on


Windows or Toolkit.command on macOS).

3.1. Compatibility

The physical acquisition technique allows extracting significantly more information


compared to other acquisition techniques (logical and over-the-air). However, physical
acquisition has limited applicability. Newer Apple devices have stronger security, which
limits physical acquisition to jailbroken devices. 64-bit hardware introduced in iPhone 5s
adds Secure Enclave, which in turn limits the scope of physical acquisition to jailbroken
devices with a known or empty passcode. Alternatively, agent-based extraction is available
for certain device/iOS combinations without a jailbreak. For information on device
compatibility, please refer to Appendix A. Supported devices
Elcomsoft iOS Forensic Toolkit rev. 6.20 © 2011-2020 ElcomSoft Co. Ltd.
3.2. Preparing for Acquisition

Before you begin, you must realize the differences in acquisition process between
generations of Apple hardware and versions of iOS. For many current devices, you will
need to jailbreak the device in order to perform physical acquisition. The alternative agent-
based acquisition workflow is available for a limited range of devices (see compatibility
matrix for details).

Note: Make sure to switch the device being acquired to Airplane mode during the
acquisition, to prevent remote lock/wipe and data syncing. On the computer you use
to acquire the data, Internet connection is required though (but for Agent installation
only).

Pre-requisites: You will need a fully functional and charged iOS device, a compatible
Lightning cable to connect it to your computer, and a copy of Elcomsoft iOS Forensic
Toolkit (requires a USB dongle to operate).

Please note:

● For certain devices (Appendix A. Supported devices), agent-based acquisition


workflow is available. Agent-based acquisition does NOT require a jailbreak. For all
other devices, a jailbreak is required as noted below.
● If agent-based acquisition workflow is not available for a given combination of
hardware and iOS version, you must install a jailbreak and OpenSSH or Dropbear
SSH in order to acquire iPhone 5S and newer devices. Note that some jailbreaks
already include an SSH client; however, in many cases (e.g. the unc0ver jailbreak)
you must manually enable SSH in jailbreak settings at the time of installing the
jailbreak.
● Physical acquisition for Apple’s 64-bit devices is limited to copying the file system
and the keychain instead of imaging the whole disk. The passcode cannot be
recovered, so you can only work with the device if the passcode is either empty (not
set) or is known.

3.3. Main Menu

Elcomsoft iOS Forensic Toolkit makes use of the Terminal (macOS) or the command line
(Windows). Selection-based text interface is available to streamline the process.

You will start iOS Forensic Toolkit by launching the command-line tool:

Toolkit.cmd (Windows) or Toolkit.command (macOS)

The respective files are located in the directory where you have unpacked or copied
Toolkit files. This should open console/terminal window with a text-based menu:

Elcomsoft iOS Forensic Toolkit rev. 6.20 © 2011-2020 ElcomSoft Co. Ltd.
The menu is broken into three distinct parts: Logical acquisition, Physical acquisition and
Acquisition agent. Logical acquisition can be performed on non-jailbroken devices if a trust
relationship is established with the computer or can be established, or if you have access
to a non-expired lockdown file from the user’s computer.

Acquisition using the agent is supported for a limited number of devices. The list of
compatible devices is available in Appendix A. Supported devices. Agent-based
extraction is comparable to jailbreak-based acquisition with full file system acquisition and
keychain decryption. However, agent-based extraction is safer, more reliable and leaves
less traces compared to installing a jailbreak.

Logical acquisition

Elcomsoft iOS Forensic Toolkit rev. 6.20 © 2011-2020 ElcomSoft Co. Ltd.
I DEVICE INFO - Get basic device information
R RECOVERY INFO - Get information on device in DFU/Recovery mode
B BACKUP - Create iTunes-style backup of the device
M MEDIA - Copy media files from the device
S SHARED - Copy shared files of the installed applications
L LOGS - Copy crash logs

Physical acquisition (for jailbroken devices)

D DISABLE LOCK - Disable screen lock (until reboot)


K KEYCHAIN - Decrypt device keychain
F FILE SYSTEM - Acquire device file system (as TAR archive)

Acquisition agent (limited compatibility)

1 DISABLE LOCK - Install agent


2 KEYCHAIN - Decrypt device keychain
3 FILE SYSTEM - Acquire device file system (as TAR archive)
4 UNINSTALL - Uninstall agent

X EXIT

The Toolkit logs all related activity to a text file. Each time Toolkit is started, a new log file
is created in the current directory, and output of all invoked commands as well as user
choices is written to that file. File name is created based on current universal coordinated
time and date and is of the following form: YYYYMMDD_hhmmssZ.log.

3.4. ‘I’ – Getting Device Information

This command will extract information about the iOS device. Information will be saved into
a file ideviceinfo.plist (XML).

macOS users: the file will be saved in your Home folder (Finder | Go | Home).

The command is compatible with all iOS devices regardless of hardware generation,
version of iOS, lock and jailbreak status. However, you will be able to obtain more detailed
data when querying unlocked or jailbroken devices.

iOS devices without a jailbreak available impose severe restrictions on what can be
extracted. Unlocking the device (with a passcode or using Touch ID) or using a lockdown
record (pairing record) opens the door to more information compared to acquiring a device
that is completely locked.

The tool will extract more details if you are able to unlock the iOS device using Touch ID or
passcode; for iOS 11+ devices, you may have to use the passcode. Alternatively, you may
use iTunes pairing records (the “lockdown” file).

Note: lockdown records may expire depending on the version of iOS the device is
running. Versions of iOS earlier than iOS 11 do not appear to have a set expiry for
lockdown files, while in iOS 11/12/13 lockdown files do expire after some period of

Elcomsoft iOS Forensic Toolkit rev. 6.20 © 2011-2020 ElcomSoft Co. Ltd.
inactivity, typically 30 days. In addition, even valid lockdown files cannot be used if
the device has not been unlocked at least once after rebooting. Changing the
passcode does not invalidate the old pairing record.

The “Info” command will return a meaningful result even without a lockdown record, but
the resulting file will contain a very limited set of data including the device name, model,
iOS version, Mac address of Wi-Fi adapters etc.

If a valid, non-expired lockdown record is provided, more data is available, including the
phone number, Mac address of the Bluetooth adapter, ICCI/IMEI/IMSI, device time zone,
as well as the flag whether iTunes backup password is set or not and whether iCloud
backups are enabled; date/time the last iTunes and iCloud backups were created; total
and free space on the devices; device time zone and locale information.

In a case the device has been unlocked at least once after the last reboot (After First
Unlock, AFU), you will be also able to acquire a device backup using the same lockdown
file (see below). In addition, a pair of files will be created (applications.txt and
applications.xml). applications.txt contains the list of all applications installed on the
devices including version numbers. applications.xml includes more details on every
application.

3.5. ‘R’ – Get info on device in Recovery or DFU mode

The ‘R’ command returns a limited set of data about the device that is in the DFU (Device
Firmware Upgrade) or Recovery mode. Connect the device and select ‘R’; all available
information including the model name, ECID, serial number, IMEI, and UDID is displayed.
Please note that some of this data may not be available depending on the device model
and mode:

Elcomsoft iOS Forensic Toolkit rev. 6.20 © 2011-2020 ElcomSoft Co. Ltd.
3.6. Logical Acquisition

iOS Forensic Toolkit offers an option to perform logical acquisition of iOS devices by
creating an iTunes-style backup, plus some additional data. Creating a device backup
before continuing with physical acquisition is highly recommended. A device backup can
be used for logical acquisition.

3.6.1. ‘B’ - Capture backup

The tool requires Apple iTunes to be installed in order to make a backup, or at least “Apple
Mobile Device Support” (the driver set from iTunes package). If an iOS device being
acquired is configured to produce backups without a password, the tool will automatically
set a temporary backup password in iTunes prior to acquisition. The temporary backup
password is “123”; you’ll have to enter it when accessing the backup in order to view
information.

Logical acquisition works with all devices running all versions of iOS up to and including
iOS 13 regardless or hardware generation and jailbreak status. However, the device must
be unlocked at least once after restarting or powering on.

Note: in order to use logical acquisition, make sure the iOS device was unlocked at
least once after cold boot. Otherwise, the local backup service
(com.apple.mobilebackup2) will not be started.
Elcomsoft iOS Forensic Toolkit rev. 6.20 © 2011-2020 ElcomSoft Co. Ltd.
In order to create the backup, use the “B” command from the main menu.

Note: In order to decrypt password-protected backups, a non-empty backup


password must be set. If, at the time of logical acquisition, iOS Forensic Toolkit finds
that the backup password is empty, it will temporarily set the backup password to
“123” (the backup password will be reset after the acquisition to its original state). If
the backup password is set and is not known, you will have to perform an attack
(brute-force, dictionary, or combination) in order to recover the password.

iOS 13 prompts for the device screen lock passcode in order to change the backup
password. If you do not have the screen lock passcode while acquiring the data
using a lockdown record, then backup can only be created “as is”, with or without a
password according to the device settings.

Analyzing password-protected Apple backups enables access to items from the


keychain. Offline backups created without a password are unencrypted for the most
part; however, the keychain is encrypted with a hardware key, meaning no keychain
data will be available.

An iOS device must be unlocked before you can produce a backup. You can use Touch
ID, passcode or iTunes pairing record (the “lockdown” file) to unlock the device.

Important: Starting with iOS 8, obtaining a backup is only possible if the iOS device
was unlocked with a passcode at least once after booting (After First Unlock, AFU).
For this reason, if you find an iPhone that is turned on, albeit locked, do not turn it
off. Instead, isolate it from wireless networks by placing it into a Faraday bag, and do
not allow it to power off or completely discharge by connecting it to a charger (a
portable power pack inside a Faraday bag works great until you transfer the device
to a lab). This will give you time to searching user’s computers for a lockdown
record.

If you don’t know the passcode and cannot use Touch ID or Face ID to unlock the device,
the only remaining option for making a data backup will be attempting to unlock with a
lockdown file. The lockdown file is a pairing record created by Apple iTunes on computers
that sync with a given iOS device. Lockdown files are created to relieve users from
manually unlocking their iOS devices every time they sync with iTunes.

You must extract the correct lockdown record from the user’s computer in order to use it
with Elcomsoft iOS Forensic Toolkit for logical acquisition. Lockdown records are stored at
the following locations:

Windows Vista, Windows 7, 8, 10: %ProgramData%\Apple\Lockdown

Sample path:
C:\ProgramData\Apple\Lockdown\6f3a363e89aaf8e8bd293ee839485730344edba1.plist

Windows XP: %AllUsersProfile%\Application Data\Apple\Lockdown

Sample path:
C:\Documents and Settings\All Users\Application
Elcomsoft iOS Forensic Toolkit rev. 6.20 © 2011-2020 ElcomSoft Co. Ltd.
Data\Apple\Lockdown\6f3a363e89aaf8e8bd293ee839485730344edba1.plist

macOS: /private/var/db/lockdown

On systems running macOS Sierra (10.12) or higher, you must grant access to the
lockdown folder for the current user, e.g:

sudo chmod 755 /private/var/db/lockdown

On macOS Catalina, lockdown is not accessible even with admin privileges with sudo
command. You can, however, temporary disable SIP (System Integrity Protection), or get
extract lockdown files from forensic disk image.

Note: Once established, pairing relationships are maintained through reboots and
remain valid even after passcode change. However, the iPhone must be unlocked
with a passcode at least once after the reboot. Pairing relationships survive
passcode changes; however, since iOS 8 all existing pairing relationships will be lost
upon factory reset. In iOS 8, lockdown records do not expire unless explicitly
revoked by the user. iOS 11 established lockdown record expiration rules; in iOS 9, if
a pairing record hasn’t been used for more than six months, it expires. This
timeframe is shortened to 30 days in iOS 11 or later.

Information about lockdown files and their location is available at


https://support.apple.com/en-us/HT203887

The backup produced by Elcomsoft iOS Forensic Toolkit can be analyzed with one of the
many forensic tools such as Elcomsoft Phone Viewer. The format is compatible with third-
party forensic tools.

Tip: After extracting the lockdown file, you may give the file a shorter name for
convenience. You’ll have to type in the path to the newly extracted record in iOS
Forensic Toolkit.

3.6.2. ‘M’ – Copy media files

Media files acquisition is available under the same conditions as for the logical acquisition
(i.e. if the device is unlocked or you have a valid lockdown record). In this mode, you can
extract media files including images and videos, editing information, some other files such
as music downloaded to the device. This works even if backup is protected with the
password.

The Media command extracts the complete Camera Roll of the device as well as the
database that contains information about media file edits. In most cases, the photos will
contain EXIF tags specifying the user’s location at the time the picture was captured.

If the device is not paired, you will be prompted for a lockdown record; the folder where to
write the files to; by default (if you skip this step), the “AFC” directory is created under the
current folder on Windows, or in the user’s home folder on macOS.

3.6.3. ‘S’ – Copy shared files


Elcomsoft iOS Forensic Toolkit rev. 6.20 © 2011-2020 ElcomSoft Co. Ltd.
Shared files acquisition works similar to logical acquisition and media files extraction (i.e.
device is unlocked or valid lockdown record is available; backup password does not
matter). In this mode, shared application files (see HT201301) can be copied. By default,
the “Shared” folder is created (in the current folder on Windows or in the user’s home
folder on macOS). Empty application folders are not copied.

On older iOS versions (up to iOS 8.3), all application data is being copied, regardless of
the sharing attributes.

3.6.4. ‘L’ - Copy crash logs

Crash (and diagnostic) logs are an important part of the evidence that are not included into
a local backup but may be extractable from the device with logical acquisition methods. In
order to extract crash logs, use the “L”: Copy crash logs command.

From a forensic point of view, some useful information may include:

- List of installed applications (PowerLog, Security, OnDemand)


- iTunes username (itunesstored.2.log, not always with a value)
- File name of email attachments (MobileMail logs)
- List of Wi-Fi networks and history of latest connections (Wi-Fi logs)
- Uninstalled apps (one can discover a crash log created by some uninstalled apps and
assume that the app was installed on the device at least up to a specific date and time)

Moreover, one can build a timeline of usage of the device based on all the timestamps
discovered in crash logs.

While a local backup will contain significantly more data, some of this information could not
be available in a backup (for example, uninstalled apps or Wi-Fi connection logs).

The crash logs are accessible if you have a paired device (or a valid lockdown file). The
device must be unlocked with a passcode at least once after the reboot.

3.7. Physical acquisition (full file system and keychain extraction) with
jailbreak

Elcomsoft iOS Forensic Toolkit allows limited physical acquisition of Apple’s 64-bit
devices.

IMPORTANT: This chapter discusses jailbreak-based acquisition. If your device falls into
the category of devices supported for agent-based acquisition (Appendix A. Supported
devices), we strongly recommend using the extraction agent instead.

The 64-bit acquisition process differs significantly from the old methods that were used to
extract data from 32-bit devices. The new method extracts the image of the file system,
saving the content of the device into a single TAR archive (the tarball).

In our lab, we were able to reach acquisition speeds of about 15-20 MB/s using the
“jailbreak” method. The “agent” method delivers the maximum speed supported by the

Elcomsoft iOS Forensic Toolkit rev. 6.20 © 2011-2020 ElcomSoft Co. Ltd.
device without the overhead (25+ MB/s).

For technical notes on acquiring jailbroken devices, please refer to Appendix B. For
troubleshooting, please read Appendix C.

3.7.1. Configuring iOS device

Please make sure to perform all of the following steps to prepare the iOS device for
physical acquisition.

1. Ensure that the device is jailbroken. Physical acquisition for 64-bit devices is
exclusive to jailbroken iPhones, iPads and iPods. If it is not jailbroken, proceed to the
next chapter.
2. If an SSH server is not installed, install OpenSSH from Cydia or by following these
instructions
3. Unlock the device by supplying the correct passcode
4. Switch device to Airplane mode, and disable all internet conection (wireless and
wired) on the desktop

For devices with checkra1n jailbreak installed, partial file system acquisition is possible.

3.7.2. Installing a Jailbreak

You can only perform physical acquisition of newer iOS devices (iPhone 5S and all newer
64-bit models up to iPhone Xr/Xs) if they are jailbroken. Since the number of jailbroken
iOS devices in the wild is extremely low, in most cases you will have to attempt a jailbreak
in the lab.

Important: in order to jailbreak devices running iOS 8+ and newer, you will need to
provide the correct passcode (for all but checkra1n jailbreak). In addition, you may need to
establish a new Apple ID account in order to sign the jailbreak IPA and sideload it onto the
device. Some jailbreaks require disabling Find My Phone, while the other jailbreaks work
even if Find My Phone is active. Using a developer’s certificate is recommended (to avoid
certificate validation that requires an active internet connection).

Jailbreaking is highly dependent on the version of iOS the device is running. In general,
the majority of Apple devices are using the current version of iOS. Jailbreak may not be
available for the most recent version of iOS, in which case your acquisition options will be
severely limited. However, you may encounter devices running a slightly older iOS version.

Elcomsoft iOS Forensic Toolkit supports several types of jailbreak, see Appeindix B for
details.

Jailbreaking iOS 8+ is a cumbersome process with no guaranteed outcome. Depending on


the version of iOS, you may need to follow different steps. Installing and troubleshooting
jailbreak is not part of this guide.

In order to jailbreak an iOS device, you’ll need to disable several protection layers. In order
to do that, you may need specifying the correct Apple ID password and entering the
correct passcode (if either or both protection layers are enabled).

Elcomsoft iOS Forensic Toolkit rev. 6.20 © 2011-2020 ElcomSoft Co. Ltd.
Please note that some jailbreaks are for iOS 9+ semi-untethered (or semi-tethered). If the
device is rebooted, you will have to launch the jailbreak tool on the iOS device again.
Jailbreaking process is different from one jailbreak to another; refer to jailbreal
documentation for details.

3.7.3. Acquisition steps

1. Launch the Toolkit. You will be prompted for the port number; it is 22 by default (just
press ENTER to use it), but 2222 for old versions of Meridian jailbreak, and 44 for
some versions of checkra1n jailbreak.
2. In order to acquire as much information as possible, the device must remain
unlocked throughout the entire acquisition process. To ensure that the device does
not automatically lock, use the ‘D’ - Disable screen lock command before you
proceed.
3. Use the “F” File system command from the main menu. This will return a UNIX-style
TAR archive of the file system complete with all application data. The keychain
database will also be extracted; however, it won’t be decrypted as keychain
decryption keys are not accessible on 64-bit devices.
4. Specify file name to store the resulting tarball. The path is relative to the home
directory.
5. Wait while the file system is being extracted. This can be a lengthy process,
especially when acquiring devices with large amount of data (up to several hours for
devices that contain a lot of data).
6. When the process is finished, disconnect the device and proceed to analyzing the
data.

By default, the tarball archive is saved into the file that has {UDID}_timestamp.rar file
name.

3.7.4. Installing OpenSSH

OpenSSH is required when performing physical acquisition unless the jailbreak comes
with an SSH daemon of its own. Some jailbreaks bundle Dropbear SSH, which is usually
listening on port 22.

If the jailbreak does not feature a built-in SSH server, you can install OpenSSH from Cydia
repository https://cydia.saurik.com/openssh.html or by following these instructions:
http://www.cydiaos.com/install-openssh-on-iphone-ipod-without-cydia/

3.7.5. Disabling screen lock

The success of your acquisition attempt will depend on whether you are able to keep the
device unlocked during the entire acquisition process since some items are protected to be
only accessible while the device screen is unlocked. While this can be achieved by
manually configuring the ‘lock after’ setting to ‘Never’ in iOS settings, some device
management policies are known to disable the ‘Never’ setting. We developed an
automated process that will disable automatic screen lock until next reboot.

To ensure that the device does not automatically lock, use the ‘D’ - Disable screen lock
command before you proceed.

Elcomsoft iOS Forensic Toolkit rev. 6.20 © 2011-2020 ElcomSoft Co. Ltd.
In order to disable screen lock on the iOS device, EIFT sideloads a small tool onto the
device. The entire process is completely automated; the tool is sideloaded, launched, and
automatically deleted once it is done.

In some rare cases, the tool may not be automatically removed from the device.

Note: if the device is in Low Power Mode, disabling screen lock will not work. You will have
to manually disable Low Power Mode and use the “D” – Disable screen lock command
again. To turn Low Power Mode off, go to Settings > Battery on the device and toggle the
Low Power Mode switch.

Note: this step is NOT needed if you perform BFU (Before First Unlock) acquisition
while the passcode is not known.

3.7.6. Acquiring the keychain

Some of the most valuable information stored in the iPhone, iPod Touch or iPad is kept in
the system’s protected storage called the keychain. Secured information is protected with
strong passcode-dependent encryption keys (that’s why you require the passcode in order
to obtain those keys and decrypt the keychain). With every iOS release, Apple moves
more data to keychain storage. Depending on iOS version, protected information may
include email account passwords, messages, Wi-Fi passwords, passwords entered into
websites and certain third-party apps, financial information, documents etc.

Keychain acquisition is reasonably fast. To extract the keychain, enter “K” on the tools’
main screen. That also works with checkra1n jailbreak, when the passcode is not known,
although only a very limited number of keychain records will be extracted.

The keychain will be saved into keychain_{UDID}_timestamp.xml in the current folder


(Windows) or to your local Home folder (macOS). We recommend using Elcomsoft Phone
Breaker to view the content of the keychain.

In order to extract the keychain, you must have iTunes installed; the device must be paired
with the computer (or a valid lockdown record must be used).

In order to extract and decrypt the keychain, EIFT sideloads a small tool onto the device.
The entire process is completely automated; the tool is sideloaded, launched, and
automatically deleted once it is done.

IMPORTANT: Keeping the device unlocked during the acquisition is extremely


important. During the acquisition process, you might be prompted to unlock the device.
While the keychain acquisition tool attempts to detect such prompts and should pause
execution until the device is unlocked, in rare cases the detection may fail. In this case,
simply unlock the device (with passcode or Touch ID/Face ID) and continue.

3.7.7. Acquire users’ files from iOS device as a tarball

Note: Make sure to switch the device being acquired to Airplane mode. If there are
other iOS devices around, we recommend disabling Wi-Fi on those devices.

The “tarball” acquisition process only acquires the file system (files and folders) as
Elcomsoft iOS Forensic Toolkit rev. 6.20 © 2011-2020 ElcomSoft Co. Ltd.
opposed to imaging the entire disk.

You will be prompted for file name to save the image; be default it is
{UDID}_timestamp.tar. If you do not provide full path, the file will be stored in current
directory (Windows), or in current user’s home directory (macOS).

The 4GB file size restrictions: when using an external storage device such as a
USB pen drive, please make sure that the device is formatted with a file system that
can accept files larger than 4 GB. FAT32 cannot store files larger than 4 GB, while
exFAT, NTFS, APFS and HFS+ can.

After you specify the file name, the imaging process starts. It can take a while depending
on the device model and the amount of data stored on the device. During the process, you
will be presented some basic progress information.

If you perform BFU (Before First Unlock) acquisition with checkra1n jailbreak on the device
with unknown passcode, only limited amount of data is being extracted.

3.7.8. Keychain acquisition

Elcomsoft iOS Forensic Toolkit allows extracting and decrypting the device keychain,
extracting all the records including those with “this device only” attributes. Use the ‘K’
Keychain command to extract and decrypt the keychain.

Please note that keychain extraction requires entering the passcode on the device
(biometric authentication with Touch ID or Face ID also works).

3.8. Acquisition agent

Elcomsoft iOS Forensic Toolkit allows the full file system extraction and keychain
decryption on a limited range of Apple devices listed in the Appendix A. Supported
devices.

IMPORTANT: This chapter discusses jailbreak-free, agent-based acquisition


available for a limited range of devices without a jailbreak. If your device falls into this
category, you are reading the right chapter as agent-based acquisition is the safer,
more robust and more forensically sound acquisition method.

The agent-based acquisition process differs from jailbreak-based acquisition methods in


that it does not require searching for, obtaining and installing a third-party jailbreak. The
downside of this method is the limited range of supported devices (Appendix A.
Supported devices) and the need to use an Apple ID enrolled in Apple’s Developer
Program when signing the acquisition agent.

In our lab, we were able to reach acquisition speeds of over 1 GB/min. The acquisition
speed can be significantly higher and is only limited by the iOS device being acquired.

3.8.1. General information and requirements

Agent-based acquisition is similar in nature to the acquisition of jailbroken devices with a

Elcomsoft iOS Forensic Toolkit rev. 6.20 © 2011-2020 ElcomSoft Co. Ltd.
notable difference of no jailbreak required on the target devices. For compatibility
information, see Appendix A. Supported devices. This method makes almost no
changes to the device, and, unlike jailbreaking, is perfectly safe to use.

This acquisition method requires installing a special Agent on the device. The Agent is a
small app that obtains root privileges, reads the complete file system, obtains and decrypts
the keychain, and sends output to the expert’s computer running iOS Forensic Toolkit.

You need to have an Apple developer account (this is how to enroll) in order to sign and
install the Agent. The Apple ID connected to that account must have two-factor
authentication enabled. In addition, you will need to set up an Application-specific
password in your Apple account, and use that app-specific password instead of the regular
Apple ID password during the Agent installation.

Important: you can use your Developer Account for up to 100 devices of every type
(e.g. 100 iPhones and 100 iPads). You can remove previously enrolled devices to
make room for additional devices.

The Agent does not rely on SSH as it uses its own communication protocol with less
overhead and greater reliability.

Installation

The ‘1’ (Install agent) command installs the Agent on the device being acquired. You will
have to enter your credentials (Apple ID and the app-specific password you’ve generated).
Then type the so-called ‘Team ID’ related to your developer account. Note that a ‘normal’
Apple ID account is not sufficient to install the Agent.

After the installation, start the Agent on the device and go back to the desktop to continue.

3.8.2. Acquisition

Acquisition steps are basically the same as for jailbroken devices except that there is no
need to use the ‘D’ (Disable lock) command. Just leave the Agent (iOS app) working in the
foreground. Note that you’ll be using the ‘2’ through ‘3’ commands to perform agent-based
extraction instead of the ‘K’ and ‘F’. Note that keychain acquisition is currently not available
for some versions iOS (13.3.1-13.4.1), so you can only obtain the file system copy there.

3.8.3. Removing the Agent

Make sure to remove the acquisition agent from the device after you finish the extraction.
Use the ‘4’ (Uninstall) command to remove it. This is not mandatory but leaves less traces
on the target device.

3.9. Analysing tarball

In order to analyse the tarball, use Elcomsoft Phone Viewer or an alternative forensic tool
that supports .tar images.

For manual analysis, mount or unpack the image (we recommend using a UNIX or macOS

Elcomsoft iOS Forensic Toolkit rev. 6.20 © 2011-2020 ElcomSoft Co. Ltd.
system). Keychain analysis should be performed in Elcomsoft Phone Breaker.

Elcomsoft iOS Forensic Toolkit rev. 6.20 © 2011-2020 ElcomSoft Co. Ltd.
Appendix A. Supported devices
The Toolkit only supports 64-bit models. Physical (file system) acquisition support for
these models has a number of limitations. For file system and keychain acquisition, the
device must be jailbroken (or can be jailbroken), and the passcode must be known. You
must be able to unlock the device and keep it unlocked during the entire file system
acquisition process. Supported devices for physical acquisition are:

• iPhone 5S, 6/Plus, 6S/Plus, 7/Plus, 8/Plus, iPhone X, iPhone Xr, iPhone Xs, iPhone
Xs Max, iPhone 11, iPhone 11 Pro, iPhone 11 Pro Max, iPhone SE2 (2020)
• iPad Air, iPad Pro, iPad 6+, iPad Mini 2+
• Apple TV (from 2nd gen to 4K)

Agent-based acquisition compatibility list

Agent-based acquisition is currently limited to the following combinations of devices and


versions of iOS:

• iPhone 5s, iPhone 6, iPhone 6s Plus, iPad Mini 2 and 3, iPad Air (1st gen): iOS 10-
12.4.7
• iPhone 6s to iPhone X, iPad 5th and 6th gen, iPad Pro 1st and 2nd gen: iOS/iPadOS
10.0 - 13.4.1
• iPhone Xr, Xs, Xs Max, iPad Mini 5, iPad Air 3rd gen, iPad Pro 3rd gen, iPod Touch
7th gen: iOS/iPadOS 12.0 - 13.4.1
• iPhone 11, 11 Pro, 11 Pro Max: iOS 13.0 - 13.4.1

Notes:

• Physical acquisition (file system extraction and keychain decryption) is usually


possible for jailbroken devices only and so relies on jailbreak availability (jailbreak
installation should be performed prior to acquisition)
• Select devices also support full file system and keychain acquisition using the Agent
method
• Between the two acquisition methods (jailbreak vs. agent) always choose “agent” if
the device runs one of the supported versions of iOS
• If a jailbreak is not available and agent acquisition is not possible, only logical
acquisition is available
• Select combinations of iOS hardware and software support partial file system and
keychain acquisition in BFU (Before First Unlock) mode with unknown passcode
• For Apple TV and Apple Watch, no backup is available
• Apple Watch (1st to 3rd gen) support logical acquisition only, and require a special
IBUS adapter
• For devices running iOS 13.3.1 to 13.4.1 (all models) and some 12.x versions (on
iPhone 5s and 6), only file system can be acquired with agent, but not the keychain;
with the jailbreak, however, full acquisition (both file system and keychain) is
available

Elcomsoft iOS Forensic Toolkit rev. 6.20 © 2011-2020 ElcomSoft Co. Ltd.
Appendix B. Obtaining and installing a jailbreak
Performing file system acquisition of iPhone 5s and newer devices absolutely requires a jailbreak.
It is important to note that jailbreaking is not entirely forensically sound. It may and will introduce
artifacts into the system. This may affect admissibility of the obtained evidence. Please document
all your actions extensively.

There is no way to jailbreak the device that is locked with an unknown passcode. However, if the
device is not locked or the passcode is known, it is recommended to perform logical acquisition
first, and only then attempt to install a jailbreak and acquire the complete file system.

Jailbreaks for the various iOS devices running many versions of iOS are public. However,
obtaining a jailbreak from an untrusted source poses the danger of sideloading potentially
unwanted programs onto the device being jailbroken. For this reason, we have assembled and
tested a large number of jailbreaks along with verified download links and our own notes on each
jailbreak.

In order to run file system imaging, an SSH server must be running on the device. Many jailbreaks,
particularly of the latest generation, already include a compatible SSH server (typically, Dropbear
SSH) running on port 22 or 2222. Older jailbreaks could use a different port or not include an SSH
server at all. If no SSH sever is pre-installed by the jailbreak, you can install OpenSSH package on
a jailbroken device using Cydia package manager.

Below are some of the jailbreaks we have tested, accompanied with brief installation
notes:

iOS version: 7.0 – 7.0.6


jailbreak name: evasi0n7
jailbreak link: http://www.iphonehacks.com/download-evasi0n
compatible devices: iPhone 5s
comments: untethered; OpenSSH must be installed from Cydia

iOS version: 7.1 – 7.1.2


jailbreak name: Pangu7
jailbreak link: http://www.iphonehacks.com/download-pangu-jailbreak
compatible devices: iPhone 5s
comments: untethered; OpenSSH must be installed from Cydia

iOS version: 8.0 – 8.4


jailbreak name: TaiG
jailbreak link: http://www.taig.com/en/
compatible devices: iPhone 5s, 6, 6 Plus
recommended versions: TaiG 1.2.1 for jailbreaking iOS 8.0-8.1.2; TaiG 2.4.5 for
jailbreaking 8.1.3-8.4 devices
comments: untethered; OpenSSH must be installed from Cydia

iOS version: 9.0 – 9.1


jailbreak name: Pangu
jailbreak link: http://en.9.pangu.io/
compatible devices: iPhone 5s, 6, 6s, 6/6s Plus, SE
comments: OpenSSH must be installed from Cydia

Elcomsoft iOS Forensic Toolkit rev. 6.20 © 2011-2020 ElcomSoft Co. Ltd.
iOS version: 9.2 – 9.3.3
jailbreak name: Pangu64
jailbreak link: http://en.pangu.io/
compatible devices: iPhone 5s, 6, 6s, 6/6s Plus, SE
comments: OpenSSH must be installed from Cydia

iOS version: 10.0 – 10.3.3


jailbreak name: Meridian
jailbreak link: https://meridian.sparkes.zone/
compatible devices: iPhone 5s, 6, 6s, 6/6s Plus, SE, iPhone 7/Plus
comments: semi-tethered; some old versions use port 2222 for SSH

iOS version: 11.0 to 13.5


jailbreak name: unc0ver 5
jailbreak link: https://unc0ver.dev
compatible devices: iPhone 5s to iPhone 11
comments: set option to install OpenSSH in jailbreak settings

iOS version: 12.3 to 13.6


jailbreak name: checkra1n
jailbreak link: https://checkra.in/
compatible devices: iPhone 5s to iPhone X, most iPads (except iPad Pro 3 rd and 4th gen)
comments: tvOS version is also available; installation through DFU mode; BFU acquisition
is possible for devices with unknown passcode set

There are no jailbreaks for other iOS versions at the time of writing; some of the jailbreaks listed
are limited to some specific devices.

Note: jailbreak installation requires the passcode to be not set or known; some jailbreaks also
require the Find My Phone function to be disabled on the device, and iTunes backup password
not set. Refer to jailbreak documentation for more details.

Checking if SSH server is already running on the device

Start iOS Forensic Toolkit for jailbroken devices (Toolkit.command on macOS or


Toolkit.cmd on Windows). This will automatically establish a tunnel between SSH port 22 by
default (for old versions of Meridian jailbreak, you have to specify 2222 instead; some versions of
checkra1n jailbreak use port 44) on the device and port 3022 on the localhost. Now use SSH
client to connect to localhost on port 3022, e.g. using the following command:

ssh -p 3022 root@localhost

If SSH session is established, or if you are asked for a password, or if you receive a key fingerprint
mismatch error, then the SSH server is already running on the device. If connection is not
established or refused then no SSH server is running on the device and it must be installed prior to
acquisition. You can do this using the Cydia package manager installed on the device; some
jailbreaks do not include Cydia, but SSH client is already built-in.

Changing the root password

The default password for root on iOS devices is alpine. If it does not work, you may need to
change it. Using any of the tools to access iOS file system (such as iExplorer) edit file
Elcomsoft iOS Forensic Toolkit rev. 6.20 © 2011-2020 ElcomSoft Co. Ltd.
/private/etc/master.passwd file so that the line corresponding to root looks exactly as
follows:

root:/smx7MYTQIi2M:0:0::0:0:System Administrator:/var/root:/bin/sh

Saving the modified master.passwd file back to the device will restore the default root
password which is alpine. You should now be able to establish SSH session with the device.

Using the Toolkit with non-jailbroken devices

Physical acquisition (file system extraction and keychain decryption) of non-jailbroken


iPhone 5s and newer devices is only possible using the Agent method for selected
device/iOS combinations only.

Alternatively, you may perform logical acquisition. Through logical acquisition, you may be
able to produce a fresh local backup, extract media and shared files and access crash
logs. If the device has an unknown backup password set, you can try to recover it using
Elcomsoft Phone Password Breaker (https://www.elcomsoft.com/eppb.html).

Important: in iOS 11/12/13, the backup password can be simply removed from the
devices when you reset system settings. You will require the device passcode (as well as
Restrictions or Screen Time password, if set) to reset the backup password. Please note
that settings reset also removes the passcode from the device and so may slightly affect
some user data (such as Apple Pay transactions, cached mail from Exchange accounts
etc).

Elcomsoft iOS Forensic Toolkit rev. 6.20 © 2011-2020 ElcomSoft Co. Ltd.
Appendix C. Troubleshooting

SSH and root password

If you experience issues connecting to the device, make sure that the device has
OpenSSH installed and working, and you use the correct port number. Make sure the root
password is “alpine”. If a different root password was used, enter the correct password
when prompted.

Using Wi-Fi

It is strongly recommended to turn off the Wi-Fi on the device you are working with --
before using the Toolkit. When you start the Toolkit, it quickly shows (after the license
validation) the message like "Device connected: {UDID}", and if you see more than one
device there, the Toolkit may fail or give an unexpected result.

Resolution: switch iOS device being acquired to Airplane mode.

Reliability/connection

Please make sure that your computer never goes to sleep/hibernate during the acquisition
process; even more – if you are using the Toolkit on the laptop, do NOT change from the
battery to the external source (or back) until the device is completely acquired. Otherwise,
the Toolkit may lose the connection to the device during the acquisition, and you will have
to start the process from scratch.

macOS 10.15 Catalina

On macOS Catalina, there is one extra step during software installation. Once the DMG
image (like iOS-Toolkit-{version}-Mac.dmg) is extracted from the archive, please run the
following command from the console first:

xattr -r -d com.apple.quarantine <path_to_dmg>

For example:

xattr -r -d com.apple.quarantine Desktop/iOS-Toolkit-{version}-Mac.dmg

After that, you can mount DMG image into the system and copy files to the folder of your
choice.

Elcomsoft iOS Forensic Toolkit rev. 6.20 © 2011-2020 ElcomSoft Co. Ltd.

You might also like