ElcomSoft blog

The Four Ways to Deal with iPhone Backup Passwords

Thu, 30 Jul 2020 16:17:56 GMT

We have published multiple articles on iPhone backup passwords already, covering the different aspects of the backup protection. In this publication, we have collected the most important information about the things you can do under different circumstances, some software recommendations, and some other practical tips and tricks, in a brief and simple form.

The possible scenarios

There are two typical scenarios when you may be affected by iTunes backup passwords.

If you are a forensic expert, you may encounter the situation when the suspect’s iPhone is unlocked (the passcode is not set or is known), but the backup password is enabled, and your favorite forensic tool (whatever it is) prompts you for that password, offers you to crack it (do not do that just yet, until you’ve read the whole article), or warns that only a limited amount of data will be extracted.

If you are an iPhone user, you may need to transfer the data from one iPhone to another, e.g. when upgrading your device. And if you have set the password a long time ago and have successfully forgotten it, then you will not be able to restore from the backup. Your other option would be the cloud backup, but this option is not the best due to multiple reasons that are outside the scope of this article.

We recommend that you start reading from the About encrypted backups on your iPhone, iPad, or iPod touch article, and we can also recommend The Most Unusual Things about iPhone Backups with some deep inside information, but if you need a more practical manual, here we go.

Extract it

Nothing could be better than the original password, right? The good news are that if you are a Mac user (or working as an expert, have access not just to the iPhone but also to the Mac), there is a very good chance that backup password is stored in the macOS keychain. All you need is the password to that Mac, that’s it. Windows? No way, sorry.

Software required: Keychain Acccess (free; built-in macOS utility)

Break it

Password cracking is one the topics where we have a very good experience with, and sometimes the backup password can be broken. This was relatively simple to do in iOS 9 and below; in iOS 10.2 and above, however, the cracking is effective only if the password is very short or very simple, or if you know (remember) a part of the password or its pattern, or have a very good wordlist. Otherwise, it may take years to crack the password, even on a supercomputer.

Software required: hashcat (free) or Elcomsoft Phone Breaker

Reset it

iOS 11 introduced the ability to simply reset backup password. This option is still available in iOS 13 and the current betas of iOS 14, so it’s likely it is there to stay. The steps are quite simple (as described in Apple’s HT205220 mentioned above):

On the iPhone, go to [Settings] | [General] | [Reset]
Press [Reset All Settings];
Follow the steps (you will be prompted for device passcode)

Some settings will be reset, and the backup password will be removed. You can now connect the device to the computer and create a new unencrypted backup, or (recommended) set a new password without entering the old one.

The devil is in the details. The main problem is that the device passcode is also removed, and that may be fatal, especially if you are working not with your own data but investigating an incident as a forensic expert. More information in iOS 11 Horror Story: the Rise and Fall of iOS Security and Protecting Your Data and Apple Account If They Know Your iPhone Passcode. In short, do not do it until it remains the only option and you are out of other solutions.

Software required: none

Ignore it

Yes, sometimes you do not actually need to recover, reset or break the backup password, as surprising as it may sound.

First, if you only need to get access to the media files (photos and videos) from the iPhone, then the backup password does not really matter. You can extract the pictures and videos whether the password is set or not. We often receive requests from home users (and even from friends) looking for help to extract just the family photos; quite often the photos (with geolocation data) are also all that is needed for forensic experts, especially when they are very short in time and will not bother with password reset or recovery.

Second, for selected iPhone models and iOS versions (currently, up to iOS 13.5 on iPhone Xr/Xs/11, and for all iOS versions on older models), you can get significantly more data than included in backups, and no backup password is required for that. The data is extracted as a file system image (not in the standard backup format), and it cannot be used to restore another device . But who cares if the data is all you are after? As the Russian proverb says, “do you need a license or a ride?”

Last but not least, sometimes (basically, at the same conditions as above, while there are some notable nuances) you can also extract the original backup password from the device itself (from its keychain), in addition to the file system image. It’s hard to say whether it adds some value to file system extraction (as it is more complete than a backup), but sometimes you can use this password to extract the data from an older backup that may contain some deleted files.

Software required: Elcomsoft iOS Forensic Toolkit

Conclusion

As you can see, several options exist, and it is very rare when none of them are available. However, you should carefully review the possibilities, understand their consequences, and weigh the risks to select the safest and most effective method for your particular case.

Live System Analysis: Discovering Encrypted Disk Volumes

Tue, 28 Jul 2020 05:55:54 GMT

The wide spread of full-disk encryption makes live system analysis during incident response a challenge, but also an opportunity. A timely detection of full-disk encryption or a mounted crypto container allows experts take extra steps to secure access to encrypted evidence before pulling the plug. What steps are required and how to tell if the system is using full-disk encryption? “We have a tool for that”.

The Challenge

Full-disk encryption is an ongoing challenge for forensic experts. Accessing evidence stored on encrypted disk volumes may not be possible without breaking the encryption first. The classic workflow had always involved pulling the plug, taking the disks out, write-blocked imaging and subsequent analysis of the image files.

The classic workflow is flawed. Not only does it lock experts out of evidence stored on encrypted volumes that have been mounted during the acquisition, but depending on the type of protector used to secure the volume the evidence may become completely inaccessible once the disk is removed from the original computer.

We are suggesting a way for securing access to evidence during incident response by analyzing the live system for signs of full-disk encryption. If one or more encrypted volumes are detected, or if there a signs that full-disk encryption might have been used on the system, additional steps must be taken to further investigate the live system in order to secure and preserve evidence that could be lost if the computer was powered off.

Detecting Full-Disk Encryption

In order to detect the presence of full-disk encryption, we suggest using Elcomsoft Encrypted Disk Hunter.

Elcomsoft Encrypted Disk Hunter is a free portable command-line tool to help experts quickly discover the presence of encrypted volumes when performing live system analysis. The tool can detect TrueCrypt/VeraCrypt, BitLocker, PGP WDE, FileVault2, and LUKS. While FIleVault2 and LUKS-encrypted disks that are connected to a Windows computer are rarely encountered in the wild, we have them covered just for those rare cases when you might need them. If the computer is normally running macOS or Linux, you may want to boot from a flash drive using Elcomsoft System Recovery.

Speaking of LUKS encryption, there are two versions: LUKS1 (the common one) and LUKS2 (newer but still rarely used). Elcomsoft Encrypted Disk Hunter only supports the first version for the time being; we are working on adding support for the second.

How does it work?

First and foremost, it requires administrative privileges on the system you are analyzing. Without administrative privileges there is no low-level access to the disks, the computer’s volatile memory and the driver chain.

Once you launch Elcomsoft Encrypted Disk Hunter (which you can do from a portable flash drive), the tool checks the system’s attached storage devices for TrueCrypt/VeraCrypt, BitLocker, PGP WDE, FileVault2, and LUKS1 encryption by looking for characteristic signatures in the drives’ MBR. If one or more encrypted volume is detected, the tool lists the encrypted disks.

After that, the tool checks if any of the encrypted volumes are currently mounted. If no obvious signs of disk encryption are found, Encrypted Disk Hunter checks the system driver chain for TrueCrypt, VeraCrypt and PGP WDE drivers. If a full-disk encryption driver is recognized (we’re looking for truecrypt.sys, veracrypt.sys, PGPdisk.SYS, Pgpwdefs.sys, and PGPwded.sys), the tool will report that an encrypted volume might have been used in the system, even if not currently mounted or attached. This might be your best bet, as certain tools (PGP WDE) routinely block access to disk volumes that are not currently mounted.

What Next?

Depending on the result and after performing the risk assessment, you may want to pursue one of the following routes.

If no signs of full-disk encryption are found: optionally capture the memory dump; pull the plug and follow the classic routine.
Image 1: No signs of full-disk encryption found
If signs of full-disk encryption are found: capture the memory dump; investigate live system further.
Image 2: While no encrypted volumes are discovered, an active full-disk encryption process is detected. Further investigation required. Do not pull the plug!
If encrypted volumes are mounted: capture the memory dump; attempt to export recovery keys/escrow keys; time permitting, attempt to extract evidence from encrypted volumes.
Image 3: A TrueCrypt/VeraCrypt volume is currently mounted. Further analysis mandatory. Do not pull the plug!
Image 4: A BitLocker volume is detected. Further investigation required. Do not pull the plug!

If at least one encrypted disk partition is mounted, that means that you are either at risk, or you are lucky, depending on which side you are on: protecting your privacy or collecting critical evidence. In the first case, check out our article Introduction to BitLocker: Protecting Your System Disk to avoid common mistakes when protecting your data, and keep in mind that leaving encrypted disks mounted while leaving your computer unattended is a huge risk.

If you are an expert doing the extraction work, read the Unlocking BitLocker Volumes by Booting from a USB Drive article to find out why attacking the password might be fruitless in the case of full-disk encryption; learn about the different types of protectors and the different attack workflows. In any case, do get Elcomsoft Forensic Disk Decryptor, and capture the memory dump to secure access to encrypted evidence.

Why do you need the memory dump? You can use Elcomsoft Forensic Disk Decryptor to scan the memory dump for OTFE keys (on-the-fly encryption keys) that can be used to instantly mount or decrypt the volume without brute-forcing the password. OTFE extraction might be the only method available to unlock BitLocker volumes protected with certain type of protectors (e.g. TPM Only). More about breaking full-disk encryption with Elcomsoft Forensic Disk Decryptor in our blog: Unlocking BitLocker: Can You Break That Password?

If this does not help (or if some of the encrypted disks discovered had not been mounted), use Elcomsoft Distributed Password Recovery to attack the password. EDPR implements all possible optimizations while targeting the human factor, but prepare to wait as brute-forcing passwords to encrypted disks can be slow.

Download Elcomsoft Encrypted Disk Hunter

You can download Elcomsoft Encrypted Disk Hunter free of charge from our official Web site.

Download Elcomsoft Encrypted Disk Hunter

The tool is available as a ZIP archive with no installer. The portable command-line tool is digitally signed. Simply unpack the tool, store it on a flash drive and use on the target system with administrative privileges. We strongly recommend launching the tool directly from the flash drive.