The extraction method or methods available for a particular iOS device depend on the device’s hardware platform and the installed version of iOS. While logical acquisition is available for all iOS and iPadOS devices, more advanced extraction methods are available for older platforms and versions of iOS. But what if more than one way to extract the data is available for a given device? In this guide, we’ll discuss the applicable acquisition methods as well as the order in which they should be used.

For iOS and iPad OS devices, low-level extraction requires exploiting undocumented vulnerabilities in order to access the file system and some encryption keys required to decrypt the keychain. Such exploits are typically discovered in older hardware platforms and older versions of iOS. In general, devices released less than five years ago and running a recent version of iOS are immune to known public exploits and can be only extracted with logical acquisition. Logical acquisition is universally available on iOS and iPadOS devices regardless of their hardware platform and version of iOS. However, logical acquisition on devices running tvOS and watchOS will be limited as there is no backup services on such devices.

Low-level extraction methods are available on older platforms and versions of iOS. These methods include checkm8 (a booloader-based exploit) and Elcomsoft’s software-based low-level extraction agent. Please refer to the following table to determine which acquisition methods are available to your device:

Notes:

• The iPhone SE 3 (2022) was released with iOS 15.4 on board, which is not supported by the extraction agent.
• For iOS 15.2-15.3.1 the extraction agent can only extract the file system but not the keychain.
• checkm8 extraction of Apple A11 devices running iOS 14 and 15 is only possible once the screen lock passcode is empty.
• No agent-based extraction is available for checkm8-capable Apple TV devices.
• checkm8 support for iOS 16 devices is under development and will be available soon for all supported devices.
• The extraction agent is in active development, with full support for iOS 15.5 and lower (including keychain decryption) coming soon.

Choosing the right extraction method

When more than one extraction method is available, the order matters. We recommend the following workflow.

Note: logical extraction is available for all generations of Apple hardware and all supported versions of iOS.

For older devices compatible with checkm8 (this includes iPhone devices up to and including the iPhone 8, 8 Plus, and iPhone X, as well as the corresponding iPad, Apple Watch, and Apple TV models):

• Only use checkm8 extraction. Attempt other methods if and only if the checkm8 extraction fails.

The checkm8 extraction is the most sophisticated extraction method available for Apple devices that have a vulnerability in their bootloader. Our implementation of checkm8 offers clean, forensically sound extractions with repeatable, verifiable results. If you’ve used checkm8, you have already received the fullest set of data extractable from the device; there is no need to use any other acquisition method.

Using checkm8 extraction: checkm8 Extraction Cheat Sheet: iPhone and iPad Devices

For devices not compatible with checkm8 but running a version of iOS supporting the extraction agent (currently, iOS 9.0 through 15.3.1 for devices supporting these OS versions):

1. First, make a local backup with iOS Forensic Toolkit. If the backup is password-protected, make a backup nevertheless. Do not reset the backup password in device settings.
2. Use the extraction agent. The backup password will be extracted along with the rest of the data.

For all other devices that support neither checkm8 nor the extraction agent, including the iPhone 14 range:

1. First, make a local backup with iOS Forensic Toolkit. If the backup is password-protected, make a backup nevertheless. Do not reset the backup password in device settings. If the backup password is empty, the tool automatically sets a temporary password of “123”.
2. Extract all other data that can be obtained through the advanced logical process. This includes media files (photos, videos and metadata), shared application data, some system logs and device information.
3. If the backup has an unknown password, attempt a local attack with Elcomsoft Phone Breaker or Elcomsoft Distributed Password Recovery. If unsuccessful, consider resetting the backup password through device settings. Mind the risks and consequences.

Using advanced logical extraction: Advanced Logical Extraction with iOS Forensic Toolkit 8: Cheat Sheet

Conclusion

This publication should help experts better understand their options when extracting Apple devices based on their hardware platform and OS.

iOS Forensic Toolkit 8 brings new powerful user experience based on the command line. While this approach offers experts full control over the extraction process, mastering the right workflow may become a challenge for those unfamiliar with command-line tools. In this quick-start guide we will lay out the steps required to extract the file system and decrypt the keychain of a compatible iPhone or iPad device.

Introduction

Low-level extraction can be done differently. For older hardware, the checkm8 extraction delivers the cleanest results; our solution is unrivaled in providing truly forensically sound extractions for all compatible devices, which include a number of iPhone, iPad, Apple Watch and Apple TV devices. checkm8 extractions are great, but they aren’t compatible with newer devices. To deliver low-level extraction for newer iPhones and iPads, we developed an in-house extraction agent that comes as close to being forensically sound as possible. This method is highly dependent on kernel exploits, which are extremely difficult to implement. This is why low-level extraction almost never comes to the current, up-to-date and fully patched versions of iOS. For newer models starting with iPhone Xr/Xs, using the extraction agent is the only way to extract the file system and decrypt the keychain.

What is an extraction agent?

The extraction agent is an app sideloaded to the iPhone being extracted. The app establishes a communication channel between the device and the computer, escalates privileges, and gains access to the file and the encryption keys required to decrypt the content of the keychain.

Agent-based low-level extractions deliver the cleanest experience for newer devices without checkm8 support. While the process is not fully forensically sound, the modifications made to the data are minimal. Once the extraction agent is uninstalled, the only traces left on the device are several records representing agent-related events in the device’s diagnostic logs.

Extraction agent cheat sheet

Note: we recommend using a USB 3.0 port to speed up the extraction of certain devices.

On the computer, launch iOS Forensic Toolkit.

Connect the iPhone to the computer.

Once the iPhone is connected to the computer, you will be prompted to establish trust between the device and the computer. On the device, confirm the pairing prompt and enter the screen lock passcode.

If the device was not automatically paired, you will need to manually pair the device to the computer by running the following command:

./EIFT_cmd normal pair

Sideload the extraction agent onto the device by running the following command:

./EIFT_cmd agent install

On the iPhone: if you are using a non-developer Apple ID to sideload the agent, validate the signing certificate on the iPhone. (Note: this requires an active internet connection and carries certain security risks).

If an error message pops up (e.g. “all exploits failed”), restart the iPhone.

On the computer:

./EIFT_cmd agent keychain -o keychain.xml

./EIFT_cmd agent tar -o data.tar

Only if suspecting root-level malware:

./EIFT_cmd agent tar –system -o system.tar

On the computer (uninstall the extraction agent):

./EIFT_cmd agent uninstall

Alternatively, you may uninstall the extraction agent from the device by long-pressing its icon and deleting the app.

Installing the extraction agent

The extraction agent is an iOS app that must be sideloaded (installed) onto the iOS device. Note: if a previous version of the extraction agent is already installed, remove it from the device as you would uninstall any other app.

When installing the extraction agent, the iPhone must be unlocked and paired to the computer.

Sideloading the extraction agent requires an Apple ID login and password. We strongly recommend using an Apple ID account enrolled in Apple Developer Program. If you use a regular, non-developer account, you will need to validate the agent’s signing certificate on the iPhone, which requires an active internet connection and brings the associated security risks

Pair the iPhone to the computer before sideloading the extraction agent. The pairing prompt is usually displayed automatically when you connect the iPhone to the computer. Confirm the pairing prompt and type the screen lock passcode on the device. If for any reason no pairing is established, run the following command:

./EIFT_cmd normal pair

On the iPhone: confirm pairing request and enter screen lock password when prompted.

Install the extraction agent by running the following command on the computer:

./EIFT_cmd agent install

You will be prompted for Apple ID credentials (login, password, and one-time code for passing two-factor authentication). A developer account is strongly recommended. If you use a regular, non-developer account, you will need to validate the agent’s signing certificate on the device before you can launch the app. This in turn requires an active internet connection, placing the device at risk of unwanted synchronization and/or remote lock or remote erase. When using an Apple ID enrolled in Apple’s Developer Program, this check can be skipped, and the device can be kept offline.

Using the extraction agent

The extraction agent enables full file system extraction from all supported devices, as well as keychain decryption on select supported devices.

To use the extraction agent, install (sideload) the agent onto the iOS device according to the instructions, then touch its icon to launch the app. Make sure to keep the app open in foreground at all times during the extraction; do not switch to any other apps.

The extraction agent will automatically attempt to obtain elevated privileges. Since the agent uses unofficial exploits, on rare occasions the device may reboot. If this happens, wait until the device fully boots, unlock it, and run the agent app again. There is no need to reinstall the agent.

Keychain decryption

Extract the keychain into a file named keychain.xml:

./EIFT_cmd agent keychain -o keychain.xml

File system image

The extracted file system image is saved into a .tar archive. The process may take a while depending on the size of the file system. Make sure the agent app is open and runs in the foreground during the entire extraction.

The following command extracts and saves a file system image from the device into a file named “data.tar”. Only the user data will be copied.

./EIFT_cmd agent tar -o data.tar

You can also extract the system partition. Generally, you would only need to do it if you suspect that a rootkit or other system-level malware on the device.

./EIFT_cmd agent tar --system -o system.tar

Please note that you would normally only need to extract the data and not the system partition.

Finally, uninstall the extraction agent by either doing it regularly on the device or running the following command:

./EIFT_cmd agent uninstall

Alternatively, you may uninstall the extraction agent from the device by long-pressing its icon and deleting the app.

Extraction steps explained

When sideloading the extraction agent, we strongly recommend using an Apple ID registered in the Apple’s Developer Program. This allows keeping the device offline and disconnected from the network. If you must use a regular Apple ID, you will need to validate the signing certificate in the device settings, which in turn requires an active internet connection. If this is the case, make sure to configure a firewall to whitelist access to Apple signing services only. More in Extracting iPhone File System and Keychain Without an Apple Developer Account.

1. Download and install the latest version of Elcomsoft iOS Forensic Toolkit.
2. Launch iOS Forensic Toolkit on your computer.
3. Connect and pair the iOS device ./EIFT_cmd normal pair
4. Install the extraction agent ./EIFT_cmd agent install
   You will need an Apple ID (preferably enrolled in Apple’s Developer Program) with a login, password, and one-time two-factor authentication code to sideload the agent app.
5. If you used a regular, non-developer Apple ID, validate the signing certificate on the iPhone. This step is not needed when using a developer account.
6. Launch the extraction agent by tapping its icon. Keep the agent running in the foreground during the rest of the extraction process.
7. Extract and decrypt the keychain ./EIFT_cmd agent keychain -o keychain.xml
8. Extract user data ./EIFT_cmd agent tar -o data.tar
9. Optional: if suspecting malware or rootkit, extract system data ./EIFT_cmd agent tar –system -o system.tar
10. Uninstall the extraction agent regularly or by running ./EIFT_cmd agent uninstall

Conclusion

The extraction agent is a software-based low-level extraction solution available in iOS Forensic Toolkit for iPhone and iPad devices running compatible versions of iOS. We actively develop the extraction agent, planning full support for iOS 15.5 and lower (including keychain decryption) in near future.

Apple offers by far the most sophisticated solution for backing up, restoring, transferring and synchronizing data across devices belonging to the company’s ecosystem. Apple iCloud can store cloud backups and media files, synchronize essential information between Apple devices, and keep highly sensitive information such as Health and authentication credentials securely synchronized. In this article we’ll explain what kinds of data are stored in iCloud and what you need to access them.

iCloud: what’s inside?

Apple iCloud contains information belonging to several different categories.

iCloud backups. This is the classic cloud-based backup and restore mechanism introduced back in 2011. iCloud backups contain a set of system and application data that is similar to the content of passwordless local backups, with select exceptions for synchronized data. For example, if the user enables iCloud Photos (as a synchronized category), the photos may be no longer present in iCloud backups.

Apple only provides basic backup management, and does not allow downloading iCloud backups in any other way except restoring onto a physical Apple device. By logging in to an iCloud account (or accessing backups from any logged-in device), users can only view and delete backups with no other options available. One can restore a new device from almost any backup (the iOS version on the device being restored should be the same or newer than the OS version of the original device). Note that one can only restore from a cloud (or local) backup during the initial device setup (for new devices or devices after a factory reset).

Elcomsoft Phone Breaker was the first tool on the market to download iCloud backups without requiring authentic Apple hardware. Today, the tool can download backups created with devices running all versions of iOS up to and including iOS 16.x. To download an iCloud backup, you will need all of the following:

• The user’s Apple ID and password
• One-time code for two-factor authentication, if enabled on the user’s account

Authentication tokens cannot be used to access iCloud backups. Downloading the initial backup may take a long time. Subsequent incremental backups are downloaded a lot faster. We do not recommend using a VPN during the download as the speed may suffer.

• How to open: Unless you enable the “restore original file names” option, iCloud backups will be downloaded in the standard iTunes format compatible with Elcomsoft and third-party forensic tools.

Note 1: you can download backups made by all devices registered with a given Apple ID. Due to the incremental nature of cloud backups, Apple keeps up to two most recent snapshots for each device. Elcomsoft Phone Breaker downloads all snapshots for the devices you specify.

Note 2: you can download the complete backup or selectively download only the essential parts. Selective download allows to speed up the investigation as a full download may take a while depending on the size of the backup.

Note 3: Apple attempts to detect and restrict non-Apple access to iCloud backups. During one time, Apple used to temporarily lock accounts from which iCloud backups were obtained. Currently this is not the case, and it never occurred when accessing other types of data.

Note 4: Apple only provides 5GB of free cloud space, which practically rules out the backup functionality of iCloud (with the exception of temporary iCloud backups). An iCloud+ subscription provides 50GB of cloud space, which might be enough to store cloud backups.

Temporary iCloud backups. This is a new type of backups that appeared in iOS 15 to solve the problem of insufficient space in the user’s iCloud account when transferring data to a new Apple device or restoring onto the same device after a factory reset. Temporary iCloud backups do not count against iCloud storage quota and are retained for 21 days, automatically deleted afterwards. Our tool can supports the extraction of temporary iCloud backups. More in iOS 15 Forensic Implications: Temporary iCloud Backups.

Downloading a temporary iCloud backup is subject to the same authentication rules and limitations as regular cloud backups.

Synchronized data. These data include calendars, contacts, notes, and many other types of data synchronized by Apple apps.

To download synchronized data from the user’s iCloud account, you will need all of the following:

• The user’s Apple ID and password
• One-time code for two-factor authentication, if enabled on the user’s account

Alternatively, you may use a supported authentication token to access synchronized data.

• How to open: Synchronized data are downloaded raw, and stored in a custom SQLite database. Elcomsoft Phone Viewer is the only product that supports these data.

Files. iCloud also serves as a file storage. By default, any files downloaded by the user through Safari land into an iCloud-synced folder. iCloud Files also include files from macOS computers, Books, and more. iCloud Files are accessible on all devices sharing a common Apple ID.

Extracting files from the user’s iCloud account requires all of the following:

• The user’s Apple ID and password
• One-time code for two-factor authentication, if enabled on the user’s account

Files can be also extracted with a supported authentication token.

iCloud Photos. This service uploads all of your photos and videos to iCloud and keeps them up to date across your devices. Technically, iCloud Photos belong to synchronized data, but we listed it separately because photos may belong to several different categories, sometimes simultaneously.

Downloading iCloud Photos requires all of the following:

• The user’s Apple ID and password
• One-time code for two-factor authentication, if enabled on the user’s account

iCloud Photos belong to the synchronized data category, and, as such, they can be accessed with a supported authentication token.

My Photo Stream. This is an older incarnation of the media storage service that uploads the most recent photos and keeps them in iCloud for 30 days. My Photo Stream is now legacy, and is no longer available for newly opened Apple ID’s. My Photo Stream and iCloud Photos can be enabled or disabled individually, which may result in two copies of the same picture stored in the cloud.

My Photo Stream is a legacy service that is not available for Apple IDs created during the past several years. For this reason, Elcomsoft Phone Breaker does not support the extraction of My Photo Stream.

End-to-end encrypted data. Technically, end-to-end encrypted records belong to synchronized data. However, these data are encrypted with a key that can be unlocked with a screen lock passcode (iOS) or macOS account password of one of the trusted devices. End-to-end encrypted data include iCloud keychain (authentication data and passwords), Health, Safari bookmarks and history, call history, iMessages, and several other categories.

Downloading end-to-end encrypted data requires all of the following:

• The user’s Apple ID and password
• One-time code for two-factor authentication, if enabled on the user’s account
• Screen lock passcode or system password of a trusted Apple device with the same Apple ID

You cannot use authentication tokens to access end-to-end encrypted data.

Authentication tokens

Authentication tokens are stored on the user’s computer to help installed Apple tools avoid re-authentication. In the past, authentication tokens were transferrable and could be used to access information in iCloud from another computer. Today, authentication tokens are non-transferrable, and can only be used on the computer they were originally created on. When it comes to Ecomsoft Phone Breaker, you can only use authentication tokens created on macOS computers (Windows tokens are useless), and only on the particular macOS computer the token was created on, which essentially limits the use of authentication tokens.

All previously created authentication tokens immediately expire if the user changes their Apple ID/iCloud password. In addition, the tokens are only valid for a limited time; we don’t know their exact lifespan.

Supported (non-expired, macOS, same physical computer) authentication tokens can be used to access the following types of data:

1. Synchronized data except end-to-end encrypted categories
2. iCloud Photos
3. iCloud files

iCloud extraction steps

To perform an iCloud extraction, you need all of the following.

1. Elcomsoft Phone Breaker (the latest version)
2. Basic authentication data: login, password, and a way to pass two-factor authentication
3. To access end-to-end encrypted data: screen lock passcode or system password from one of the user’s trusted devices (the list will be displayed in the extraction wizard)

First, run Elcomsoft Phone Breaker and select between iCloud backups and synchronized data. Since downloading an iCloud backup may lead to a temporary account lock, we recommend starting from obtaining synchronized data.

When selecting the types of data to extract, note the different check box colors. If a certain type of data is orange-colored, it means that the category is end-to-end encrypted, and you will require a screen lock passcode or a system password of one of the user’s trusted devices. If you don’t know the passcode, clear all end-to-end encrypted categories.

If you select at least one end-to-end encrypted type of data, Elcomsoft Phone Breaker will download the list of trusted devices.

You will need to select one of the trusted devices, then specify its screen lock passcode or system password to continue.

The data will be downloaded. The download may take a while depending on the size of the data and your Internet connection speed.

Downloading iCloud backups

To download iCloud backups, select the first option in Elcomsoft Phone Breaker.

Provide the user’s Apple ID and password.

Most Apple accounts nowadays are protected with two-factor authentication.

Specify the type of two-factor authentication. The most common types are “trusted device” (sends a push message to all of the user’s trusted devices that are online and connected to Internet), “text message” (an SMS to the trusted SIM card), and “code generator” (a time-limited one-time password generated from the Settings app on a trusted device, which may remain offline). The authentication process is self-explanatory.

Once you’ve passed two-factor authentication, you will be able to see the list of available backups. Some devices may have several snapshots, which are incremental backup copies. Currently, Apple keeps up to two snapshots per device. Click “See details” to view snapshot data. Elcomsoft Phone Breaker will download all snapshots, and produce the complete backups for each snapshot. The available options are:

Restore original file names: gives extracted files the same names as on the device. Select this option if you plan to manually analyze the backup. Keep it clear if you are planning to use a third-party forensic tool to analyze the data.

Download only specific data: selective download, allows quickly extracting only the essential bits and pieces. Keep it clear if you are planning to use a third-party forensic tool to analyze the data.

Click “Download” to download the backup. The process may take a while.

Once the backup is downloaded, you may open it in Elcomsoft Phone Viewer by clicking the “Open in EPV” link. Clicking on the “eye” icon opens the folder containing the backup in File Explorer (Win) or Finder (Mac). Third-party tools can be used to analyze iCloud backups downloaded with Elcomsoft Phone Breaker if you keep both options “Restore original file names” and “Download only specific data” clear.

Advanced logical acquisition is the most compatible and least complicated way to access essential evidence stored in Apple devices. In legacy versions of iOS Forensic Toolkit, we offered a 1-2-3 style, menu-driven extraction experience, while the updated release of iOS Forensic Toolkit 8.0 is driven by the command line. In this quick-start guide we will lay out the steps required to extract the most amount of data from Apple devices via the advanced logical process.

What is advanced logical acquisition?

Advanced (or “extended”) logical acquisition is an unofficial name for a set of data extraction methods available for all iPhone, iPad, and iPod Touch devices regardless of the version of iOS installed and regardless of the hardware platform. Advanced logical acquisition includes the extraction of a local backup, media files, shared files, and system crash logs and diagnostic logs. You must be able to unlock the device and pair it to the computer, which requires a screen lock passcode.

An iTunes-style backup is part of the logical extraction process. In iOS and iPadOS, local backups may be protected (and securely encrypted) with a password. Such password-protected backups have more information available to the examiner compared to unencrypted backups. For this reason, we recommend setting a temporary backup password (e.g., ‘123’) before creating a backup, which requires a confirmation with a screen lock passcode. Do not forget removing the temporary password when you are done; more on that in iOS Backups: Leftover Passwords.

Note that you can only change the backup password if the original backup password is known or empty. If the device has an unknown backup password, we recommend creating a backup nevertheless. After that, consider resetting the backup password with “Reset All Settings” (not to be confused with “Erase content and settings”, which factory-resets the device).

Note: changing a backup password in recent versions of iOS requires a screen lock passcode.

In addition to local backups, extended logical acquisition returns media-files, some diagnostic logs and shared app data. Additional information on logical acquisition is available in the following articles:

• Logical Acquisition: Not as Simple as It Sounds
• Demystifying Advanced Logical Acquisition

Extended logical extraction cheat sheet

To perform complete logical extraction, follow the steps:

1. Connect the iPhone to the computer’s USB port.
2. Once the iPhone is connected to the computer, you will be prompted to establish trust between the device and the computer. On the device, confirm the pairing prompt and enter the screen lock passcode. If the device was not automatically paired, you will need to manually pair the device to the computer by running the following command:

   ./EIFT_cmd normal pair

   On the phone, confirm the “Trust this computer?” prompt.

3. On the phone, you may be prompted for a passcode if the device is running a recent version of iOS. Enter the screen lock passcode to confirm pairing.
4. Extract information about the device:

   ./EIFT_cmd info

5. Check if a backup password is set:

   ./EIFT_cmd normal backuppwcheck

   If you are using an external pairing record file, pass it in the command line. Note: if this is the case, you will have to use the -r switch along with the path to the pairing record for all subsequent commands:

   ./EIFT_cmd normal backuppwcheck -r record.plist

   Check the output, looking for “Backup password” status:

   Started logging Thread!
   Got device:
   Mode: [normal]
   BuildVersion: 16H50 
   DeviceName: iPhone 
   HardwareModel: N53AP 
   Paired: YES 
   PasswordProtected: NO
   ProductName: iPhone OS 
   ProductType: iPhone6,2 
   ProductVersion: 5.4
   SerialNumber: <serial number> udid: <udid>
   Loading custom record from=record.plist 
   Checking backup password...
   Backup password is DISABLED 
   Done

6. If the backup password is enabled, make a password-protected backup nevertheless. After that, consider resetting the backup password with “Reset All Settings” (not to be confused with “Erase content and settings”, which factory-resets the device). To reset the backup password, follow Apple instructions: “On the iPhone, go to [Settings] | [General] | [Reset]. Press [Reset All Settings]; Follow the steps (you will be prompted for device passcode).”
7. (optional step) If the backup password is empty, you may manually set a known temporary password such as ‘123’. If you don’t, iOS Forensic Toolkit will automatically set a temporary password ‘123’ before the extraction, and remove it afterwards. Either way, the device will prompt for a screen lock passcode. Make sure to enter one quickly as the prompt is only displayed for a limited time.

   ./EIFT_cmd normal backuppwset -p "123"

8. Make a backup (the last parameter specifies using the current folder; you may provide a different path instead of “./”)
   Note: if the backup password is empty, iOS Forensic Toolkit will automatically attempt to set a temporary backup password of ‘123’. During the process, the device will prompt for a screen lock passcode. Make sure to enter the passcode prompted. If you don’t, the prompt goes away in a few seconds, and the backup is created without a password.

   ./EIFT_cmd normal backup -o ./

   If you are creating a large backup, you may want to use an external disk as a destination. In that case, use the following syntax:

   ./EIFT_cmd normal backup -o /Volumes/DISKNAME

   DISKNAME is the name of the disk as displayed in Finder. Note that the backup contains multiple files. If you need to attack the backup password, you will only need a single file named manifest.plist.

9. If you have manually enabled a backup password during Step 7, remove that temporary backup password. If you haven’t, iOS Forensic Toolkit will automatically remove the temporary password. Either way, the device prompt for a screen lock passcode. The prompt will be shown for a limited time. If you miss the prompt, the command will finish, while the temporary password will  still be enabled on the devide. In this case, you will have to manually remove the backup password. In the example below, “123” is the previously set password. It must be provided as an argument:

   ./EIFT_cmd normal backuppwunset -p "123"

10. Extract media files via afc. Note that the afc protocol returns media files regardless of the backup password, and is available on Apple TV and Apple Watch devices as well as the iPhone and iPad. In addition to photos and videos, afc returns valuable metadata.

    ./EIFT_cmd normal dumpafc -o afcdump.tar

    If you need to save the file in a different folder or disk, use the following syntax (also applies to subsequent commands):

    ./EIFT_cmd normal dumpafc -o /Volumes/DISKNAME/afcdump.tar

11. On the iPhone, generate sysdiagnose logs. To do that, hold Vol+, Vol- and Power buttons for 250 milliseconds, then wait up to 5 minutes.
12. Pull crash logs and diagnostic (sysdiagnose) logs:

    ./EIFT_cmd normal dumpcrash -o crashlogs.tar

13. Extract shared files (the command below uses a file named “container.tar” in the current folder):

    ./EIFT_cmd normal dumpshared -o container.tar

14. Decrypt the backup with Elcomsoft Phone Breaker or open it directly in Elcomsoft Phone Viewer providing the known backup password (e.g., 123).

TL&DR

Here is the short list of all commands you will need most of the time to perform advanced logical acquisition:

./EIFT_cmd info
./EIFT_cmd normal backup -o ./
./EIFT_cmd normal dumpafc -o afcdump.tar
./EIFT_cmd normal dumpcrash -o crashlogs.tar
./EIFT_cmd normal dumpshared -o container.tar

Using lockdown records (pairing records)

Lockdown records, or pairing records, are files containing cached authentication data for accessing trusted iOS devices without the need to re-pair them to a computer. In specific circumstances (the device’s screen is locked, the screen lock passcode is unknown, and the device’s USB port is not locked with USB restricted mode), a lockdown record may be used to perform advanced logical acquisition of a locked device. Today, the use of lockdown files is limited since lockdown files expire quickly.

The lockdown files are stored in the following folders.

Windows Vista, 7, 8, 8.1, Windows 10 and 11:

%ProgramData%\Apple\Lockdown

Windows XP:

%AllUsersProfile%\Application Data\Apple\Lockdown

macOS:

/var/db/lockdown

When performing live system analysis, a permission change is required to access lockdown files. More information on extracting lockdown files: Accessing Lockdown Files on macOS

When performing advanced logical acquisition, using a lockdown file requires an argument added to each command. For example, device information (also available in BFU mode) will use the following syntax (replace “record.plist” with a path to a lockdown file; please observe the UDID listed in the lockdown file, which must match the UDID of the device being extracted):

./EIFT_cmd info -r record.plist

If you were unable to unlock the device with a certain lockdown file, you may try other lockdown files obtained from that computer (once again, observe the UDID match). If still not successful, the lockdown record may be already expired, in which case you will need to unlock the device and establish a new pairing relationship, which requires a screen lock passcode.

In Apple ecosystem, logical acquisition is the most convenient and the most compatible extraction method, with local backups being a major contributor. Password-protected backups contain significantly more information than unencrypted backups, which is why many forensic tools including iOS Forensic Toolkit automatically apply a temporary backup password before creating a backup. If a temporary password is not removed after the extraction, subsequent extraction attempts, especially made with a different tool, will produce encrypted backups protected with an effectively unknown password. In this article we’ll talk about why this happens and how to deal with it.

Password-protected iOS backups

An iTunes-style backup is a major part of the logical extraction process. In iOS and iPadOS, local backups may be protected and securely encrypted with a password. If a backup is protected with a password, some information (such as the keychain) is encrypted with the same password as the rest of the backup. If, however, the backup is not protected with a password, iOS still encrypts the keychain using encryption keys specific to a particular device. This means that the keychain from the unencrypted backup can be only restored onto exactly the particular physical device the backup was captured from, while password-protected backups can be restored onto a the same or different hardware. In addition, certain sensitive information (such as Health, Safari history, etc.) is not included in unencrypted backups at all.

More information: About encrypted backups on your iPhone, iPad, or iPod touch – Apple Support

The issue of leftover passwords

Since password-protected backups offer more available information than unencrypted backups, we recommend setting a temporary backup password (e.g., ‘123’) when performing logical acquisition. The password must be created before creating a backup and removed after the backup is captured. iOS Forensic Toolkit attempts to automatically apply a temporary password before the extraction, and remove it once the process is finished. The process, however, requires some manual intervention as iOS prompts for a manual entry of the screen lock passcode on the device when setting or removing the backup password. The prompt is only displayed for a limited time. If the prompt expires without user input, the operation will continue without changing or removing the backup password.

The screen lock passcode must be manually entered on the iOS device when assigning and removing the backup password. The procedure is identical regardless of the tool; the same prompt will be displayed if you attempt to change or remove the backup password from iTunes or Finder. The prompt will be displayed on the iPhone for a limited time. If the expert skips the prompt before the extraction, the backup will be created without a password. If, however, the expert skips the prompt displayed after the extraction, the temporary backup password will be left on the device. For this reason, we strongly recommend checking the state of the backup password before and after the extraction, and removing the temporary backup password if one is accidentally left on the device.

Depending on the amount of data, making a local backup may take a while, which makes it possible for the expert to miss the end of the process and correspondingly miss the limited-time prompt on the device. If this happens, the temporary backup password cannot be removed from the device.

If the device you are extracting was previously extracted with a third-party forensic tool, it may have a ‘leftover’ backup password on it.

What can you do with an unknown backup password?

There are generally three approaches to unknown backup passwords.

1. Try one of the passwords that are commonly set by the different forensic tools.
2. Try attacking the password with Elcomsoft Phone Breaker. Note that the speed of the attack will be extremely slow (several passwords a minute) due to increased backup security in iOS 10.2.
3. Consider resetting the backup password. This should be only considered as the last resort due to multiple implications.

Leftover passwords set by forensic tools

iOS Forensic Toolkit as well as other forensic tools may automatically set a temporary password before the extraction. If a temporary password is not removed afterwards, try one of the following passwords:

• Elcomsoft iOS Forensic Toolkit: 123
• Cellebrite UFED: 1234
• MSAB XRY: 1234
• Belkasoft Evidence Center: 12345
• Oxygen Forensic Detective: 123456 (or oxygen for older versions)
• Magnet AXIOM: mag123
• MOBILedit Forensic: 123

Recovering the backup password

If none of the passwords match, you may attempt to attack the backup password using Elcomsoft Phone Breaker or Elcomsoft Distributed Password Recovery. For this, produce a password-protected backup first, then open it in the tool of your choice. Since iOS 10.2, Apple hardened security of password-protected backups following the vulnerability discovered in iOS 10.0. A GPU-assisted attack performed on a single computer delivers the speed of up to hundred passwords per second (depending on the GPU), while a CPU-only attack can only try a handful of passwords per minute. For this reason, we can only realistically recommend attacks based on very short, targeted dictionaries.

Resetting the backup password: the last resort

If you were unable to guess or recover the backup password, we recommend saving a password-protected backup nevertheless. After that, consider resetting the backup password with “Reset All Settings” (not to be confused with “Erase content and settings”, which factory-resets the device).

Since iOS 11, Apple makes it possible to reset the backup password on the iPhone by using the following steps.

• Unlock the iPhone with Touch ID, Face ID or passcode.
• Open the Settings app and navigate to General.
• Scroll all the way down and tap Reset.
• Tap and confirm Reset All Settings 
• Enter the iPhone passcode if one is enabled

The “Reset All Settings” command will erase the following settings:

• Display brightness
• Whether or not to display battery percentage
• All Wi-Fi passwords (but not any other passwords or tokens stored in the Keychain)
• apple.wifi.plist
• iTunes backup password
• The passcode

Please note that the device’s screen lock passcode is also removed when you use the “Reset All Settings” command. Removing the screen lock passcode has multiple important implications as it disables certain iCloud-related features (such as end-to-end encryption and the synchronization of end-to-end encrypted data), erases certain types of data (such as Apple Pay transactions, Exchange downloaded mail and accounts, and more). For this reason, resetting the backup password should be only considered as a last resort.

The newly released iOS Forensic Toolkit 8.0 delivers forensically sound checkm8 extraction powered with a command-line interface. The new user experience offers full control over the extraction process, yet mastering the right workflow may become a challenge for those unfamiliar with command-line tools. In this quick-start guide we will lay out the steps required to perform a clean, forensically sound extraction of a compatible iPhone or iPad device.

Before you begin

Before you begin, make sure you have everything required to perform the extraction. Since checkm8 is a very specific exploit, you’ll need all of the following to do the job.

• A Mac computer. You will need a real Mac computer (no VMs) to install the exploit and perform the extraction. We support both Intel and M1-based Macs.
• iOS Forensic Toolkit 8 for Mac. Note that you will need the Mac edition of the tool.
• A supported iPhone or iPad device (the full list is available at the bottom of the page). The device must be functional enough to be placed into DFU mode. Locked and USB-restricted devices are supported.
• Screen lock passcode must be known or empty. Otherwise, limited BFU extraction may be available, but very little information can be obtained this way.
• A supported version of iOS. Note that iPhone devices running iOS 16.x only have a limited support for checkm8 extraction.
• A USB-A to Lightning cable. Type-C to Lightning cables are not supported. Use a USB-A to Type-C adapter or, better yet, a USB hub.
• You will have to determine the exact version and build number of iOS installed on the iPhone. EIFT will attempt to detect the iOS version and build number automatically during the procedure.

You must be able to download the official Apple firmware (download link will be provided during the extraction) that matches iOS version installed on the device.

Extracting iOS 15 and older devices

First, disable the auto boot feature of the device to avoid rebooting into iOS if the DFU sequence is wrong. To disable auto boot:

Power off the device if it is powered on.

Place the device in Recovery mode (see next chapter) and connect it to the computer. The device should display the “connect to iTunes” screen.

On the computer, run the following command:

./EIFT_cmd tools autobootFalse

(Re-enable auto boot before returning a seized device with ./EIFT_cmd tools autobootTrue).

Run EIFT in wait mode:

./EIFT_cmd boot -w

If the device is not in Recovery, place it into Recovery mode. Please refer to the next chapter for instructions.

From Recovery, place the device in DFU (refer to the next chapter for instructions). Once the device is in DFU, EIFT will automatically detect the device and apply the exploit. After that, run the following commands:

./EIFT_cmd ramdisk loadnfcd

./EIFT_cmd ramdisk unlockdata -s

./EIFT_cmd ramdisk keychain -o {filename}

./EIFT_cmd ramdisk tar -o {filename}

Re-enable auto boot before returning a seized device (note: do not re-enable auto boot if you intend to continue working with the device):

./EIFT_cmd tools autobootTrue

Power off the device:

./EIFT_cmd ssh halt

Extracting iOS 16 devices

First, disable the auto boot feature of the device to avoid rebooting into iOS if the DFU sequence is wrong. To disable auto boot:

Power off the device if it is powered on.

Place the device in Recovery mode (see next chapter) and connect it to the computer. The device should display the “connect to iTunes” screen.

On the computer, run the following command:

./EIFT_cmd tools autobootFalse

(Re-enable auto boot before returning a seized device with ./EIFT_cmd tools autobootTrue).

Run EIFT in wait mode:

./EIFT_cmd boot -w

If the device is not in Recovery, place it into Recovery mode. Please refer to the next chapter for instructions.

From Recovery, place the device in DFU (refer to the next chapter for instructions). Once the device is in DFU, EIFT will automatically detect the device and apply the exploit.

Please note: you will need to download the matching firmware file from Apple servers, or specify a download link when prompted.

After that, run the following commands:

./EIFT_cmd ramdisk unlockdata

./EIFT_cmd ramdisk keychain -o {filename}

./EIFT_cmd ramdisk tar -o {filename}

Re-enable auto boot before returning a seized device (note: do not re-enable auto boot if you intend to continue working with the device):

./EIFT_cmd tools autobootTrue

Power off the device:

./EIFT_cmd ssh halt

Entering DFU mode

Placing the device in DFU mode can be tricky, especially if you’ve never done it before. Steps to enter DFU are different for different device models, and there is no on-screen indication of successfully entering DFU. You must follow the steps while carefully observing the timings, and the end result will be a blank screen. We strongly recommend placing the device in recovery mode first, and entering DFU from recovery.

iPhone 6s, 6s Plus and older

Step 1: enter Recovery

On the iPhone 7, iPhone 7 Plus:

• Make sure that the device is powered off. Of not, power it off normally.
• Press and hold the Vol-
• Keep holding the button; connect the iPhone to the computer.
• Still keep holding the button until the device displays the recovery screen.

On the iPhone 6s and older devices including iPhone SE (1^st generation):

• Make sure that the device is powered off. Of not, power it off normally.
• Press and hold the Home
• Keep holding the button; connect the iPhone to the computer.
• Still keep holding the button until the device displays the recovery screen.

Step 2: enter DFU

On the iPhone 6s and older devices including iPhone SE (1^st generation):

• Press the Power button (or the side button) and the Home (Touch ID) button. Hold for exactly 8 seconds.
• Release the Power (side) button; keep holding the Home button for exactly 8 seconds.

On the iPhone 7 and 7 Plus:

• Press the side button and the Vol- button. Hold for exactly 8 seconds.
• Release the side button; keep holding the Vol- button for exactly 8 seconds.

The iPhone screen will remain black. If you see the recovery screen or if the device starts booting into iOS, repeat the steps from the beginning.

iPhone 8, 8 Plus and iPhone X

Devices based on the A11 Bionic have two slightly different DFU modes. Placing the device in the correct DFU mode is critical for successful acquisition. The correct procedure involves the recovery mode as a required first step.

Step 1: enter Recovery

For iPhone 8, 8 Plus and iPhone X devices use the following sequence:

• Make sure that the device is powered off. Of not, power it off normally.
• Press and hold the side button.
• Keep holding the button and quickly connect the iPhone to the computer. If you are not fast enough, the device may begin the boot sequence.
• Still keep holding the button until the device displays the recovery screen:

Step 2: entering DFU for iPhone 8, 8 Plus and iPhone X devices

Keep the iPhone connected to the computer, then launch iOS Forensic Toolkit in wait mode:

./EIFT boot -w

On the iPhone 8, 8 Plus or iPhone X:

• Press and release Vol+ quickly
• Press and release Vol- quickly
• Press and hold the side button until iOS Forensic Toolkit prints “iPhone disconnected”. This message means the iPhone has been disconnected from the computer.
• While still holding the side button, press and hold Vol- for exactly 4 seconds.
• Release the side button (keep holding Vol-).
• iOS Forensic Toolkit will detect the iPhone in DFU mode. Once this happens, release Vol-.

Note: if you keep holding a button for longer than 4 seconds, the iPhone may reboot instead of entering DFU. Disable auto boot and practice with another device before the extraction.

Other ways to place an iPhone into DFU

If the device cannot be placed in DFU via regular means (for example, if one of the buttons is broken), use the following guide:

• How to Put an iOS Device with Broken Buttons in DFU Mode

DFU steps for iPad, Apple TV, and iPod Touch devices:

• DFU Mode Cheat Sheet

Checkm8 extraction requires a certain level of practice, particularly with placing devices into DFU. A wrong DFU sequence may reboot the device into iOS.

Practice DFU mode with a known good device before the extraction!

If the device is running iOS 16, the extraction steps will be slightly different compared to older iOS versions.

Compatible devices

iOS Forensic Toolkit 8 supports checkm8 extraction for the following models:

• iPhone 5S (iPhone6,1): A1453, A1533
• iPhone 5S (iPhone6,2): A1457, A1518, A1528, A1530
• iPhone 6 (iPhone7,2): A1549, A1586, A1589
• iPhone 6 Plus (iPhone7,1): A1522, A1524, A1593
• iPhone 6s (iPhone8,1): A1633, A1688, A1691, A1700
• iPhone 6s Plus (iPhone8,2): A1634, A1687, A1690, A1699
• iPhone SE (iPhone8,4): A1662, A1723, A1724
• iPhone 7 (iPhone9,1 и iPhone9,3): A1778, A1660, A1780, A1779, A1853, A1866
• iPhone 7 Plus (iPhone9,2 и iPhone9,4): A1784, A1661, A1785, A1786
• iPhone 8 (iPhone10,1/iPhone10,4): A1863, A1905, A1906, A1907
• iPhone 8 Plus (iPhone10,2/iPhone10,5): A1864, A1897, A1898, A1899
• iPhone X (iPhone10,3/iPhone10,6): A1865, A1901, A1902, A1903

In addition, support is available for the following models:

• iPod Touch 6/7: A1574, A2178
• iPad Air 1/2: A1474, A1475, A1476, A1566, A1567
• iPad Mini 2/3/4: A1489, A1490, A1491, A1599, A1600, A1601, A1538, A1550
• iPad 5/6/7: A1822, A1823, A1893, A1954, A2197, A2198, A2200
• iPad Pro 1/2: A1584, A1652, A1670, A1671, A1673, A1674, A1675, A1701, A1709, A1821, A1852, A1934, A1979, A1980, A2013

checkm8 extraction is also supported for 32-bit devices such as the iPod Touch 5, iPad 2/3/4, and iPad Mini. However, the steps are slightly different, and some devices require an additional Raspberry Pi Pico board to apply the exploit.

The title says it all. In this article we’ll explain the steps required to put the listed Apple TV models into DFU mode. These Apple TV models are based on the A5, A8, and A10X chips that are susceptible to the checkm8 exploit and checkm8-based extraction with iOS Forensic Toolkit 8, and DFU mode is the required initial step of the process.

Why DFU?

Mobile forensics is not limited to phones and tablets. Many types of devices including wearables and IoT devices contain valuable evidence. Some Apple TV models are compatible with the familiar checkm8 exploit and the same low-level extraction method we use for extracting data from the iPhone. The initial step for applying the checkm8 exploit requires placing the device in DFU mode, which is exactly what we are writing about.

Note: there are two additional Apple TV 4K models released in 2021 (A12 Bionic) and 2022 (A15 Bionic). These models are no longer compatible with the checkm8 exploit.

Apple TV 3 (2012 and 2013)

There are two different Apple TV 3 models with slightly different A5 chips. The A1427 (2012) is based on the dual-core version of the A5 chip with one core disabled, while the updated 2013 model A1469 is based on a different A5 chip that only has a single physical core. Aside of the slightly lower power consumption of the newer chip, both models are otherwise identical. The Apple TV 3 is no longer sold by Apple. Both models are compatible with the checkm8 exploit and the extraction method used in iOS Forensic Toolkit 8.

The two models also share the same DFU process. To place an Apple TV 3 into DFU, you will only need its remote control unit. Unlike in newer models, there is no need to pair the remote to a particular device. The steps are:

1. Make sure the device is connected to power and is turned on
2. Make sure the device is connected to the computer using a micro-USB cable
3. Press and hold Down (1) and Menu (2) button until the LED starts flashing very quickly (6 seconds)
4. Release both buttons
5. Quickly press and hold Play (3) and Menu (2) button until the LED starts flashing very quickly (6 seconds)
6. Release both buttons

Note: It is important to actually release both buttons. It will not work if you just keep holding the Menu button without releasing it!

The Down, Menu and Play buttons are marked as (1), (2) and (3) respectively.

If you have done it correctly, the Apple TV should now be in DFU mode.

Important: applying the checkm8 exploit on the first-generation Apple TV 3 (A1427) requires a Raspberry Pi Pico board. The workflow is similar to the iPhone 4s. The newer Apple TV 3 (2013) does not require an external microcontroller.

Apple TV HD (4th Generation)

The original Apple TV 4 was released back in 2017, featuring the new Siri remote. In 2021, it was updated with a redesigned Siri remote control and renamed to Apple TV HD. The main unit remained largely unchanged; it is still based on the Apple A8 chip and still having the bootloader vulnerability unpatched. The Apple TV HD with new Siri remote is still present in Apple’s product range.

The remote control will be used to place the device into DFU. We tested both the original and new Siri remotes, and the steps are identical among the two. Please note that the Siri remote must be paired to the Apple TV device as it is no longer communicating with the box via the IR channel, even though the IR transmitter and receiver are still there. The Apple TV 4 and Apple TV HD feature a USB-C port that can be used to connect the device to the computer, which means you will need a Type-C cable to connect the device in addition to the remote control.

To place the Apple TV 4 or Apple TV HD into DFU, follow these steps.

1. Make sure the device is connected to power and is turned on
2. Connect the device to the computer using a USB-C cable
3. Press and hold the Menu and Play buttons until the LED starts flashing rapidly (6 seconds)
4. Release both buttons

The Menu and Play buttons are marked for Siri Remote 1 and Siri Remote 2 respectively.

Apple TV 4K (2017)

Released back in 2017, the first-generation Apple TV 4K was based in the A10X chip. The device is susceptible to the checkm8 exploit, and is supported by iOS Forensic Toolkit. Unlike previous models, the Apple TV 4K does not have a built-in USB port to connect the device to the computer. For this reason, you will need additional hardware to place the device into DFU and to connect it to the computer for the purpose of data extraction.

A hidden port was discovered under the Ethernet (RJ45) socket. A special connector is now available, the GoldenEye (or Foxlink X892), which is available for around 40€. With this adapter, you can connect your Apple TV 4K using a standard Lightning cable and perform logical acquisition. However, this adapter alone is not enough to perform the checkm8 extraction.

In order to apply the checkm8 exploit, the device must first be placed into DFU mode. The Apple TV 4 (Apple TV HD) and older models can be placed into DFU using the remote control with a special combination of buttons. This is not the case for the Apple TV 4K. While you can place the 4K model into DFU with a special breakout cable, its installation is difficult and requires soldering skills. Instead, we recommend a much easier solution that used the DCSD cable (The Mysterious Apple DCSD Cable Demystified). The adapter is easily available at around 20€.

To place the Apple TV 4K into DFU, use the following steps.

1. Disconnect the device from the power source
2. Connect the DCSD cable to the computer’s USB port
3. Connect the GoldenEye adapter to the DCSD cable (using Lightning)
4. Connect the GoldenEye to the Apple TV 4K
5. Connect the Apple TV 4K to the power source

After that, the Apple TV 4K is automatically boots into DFU:

Conclusion

Placing the three generations of Apple TV into DFU requires different steps. The Apple TV 3 can be placed into DFU with a matching IR remote, while the Apple TV 4 and Apple TV HD require a paired Siri remote. The first-generation Apple TV 4K requires additional adapters to place the device into DFU and connect it to the computer, but simply connecting the adapter to the box is enough to make it boot into DFU.

iOS 16 brings many changes to mobile forensics. Users receive additional tools to control the sharing and protection of their personal information, while forensic experts will face tighter security measures. In this review, we’ll talk about the things in iOS 16 that are likely to affect the forensic workflow.

iOS 16: no more checkm8 for A11 Bionic

Devices based on the Apple A11 Bionic chip, which includes the iPhone 8, 8 Plus, and iPhone X, are the oldest iPhones updated to iOS 16. They are also the only iPhones compatible with the checkm8 exploit that received iOS 16. In iOS 16, Apple were able to effectively block the ability to extract user data from these iPhones, but some forensic software vendors reported otherwise. What happened?

The public testing of iOS 16 started more than two months ago. At the same time, some third-party software vendors started adapting their products to iOS 16, which included the vendors of forensic software. Everything was well, and some forensic vendors reported checkm8 support in their tools days before the release of the final, official build of iOS 16.

Apparently, some vendors rush to be the first to announce something, not caring much about the quality of the final product and not conducting the thorough, comprehensive testing. We started researching starting from the first beta 16, testing everything in all imaginable combinations, and waited patiently until the official release to conduct the final test – which, in turn, revealed a very surprising result that pushed back our own release. You may read more about it in iOS 16: Extracting the File System and Keychain from A11 Devices.

Our goal is remaining fully transparent about everything we make. We strive to provide the most complete information about the limitations and compatibility (see for example our list of supported devices), and give as much information about the inner working of the things as we can. We have nothing to hide, and we want our customers to have full information about not just functionality but also the insides.

That final, official build now includes a brand-new SEP (Secure Enclave Processor) hardening patch that effectively prevents access to user data if a screen lock passcode was ever used on the device.

Historically, Apple already attempted to patch checkm8 extractions in iOS 14. At the time, the iPhone 7, 7 Plus, 8, 8 Plus, and iPhone X devices received a SEP hardening patch that blocked checkm8 extractions if a screen lock passcode was currently enabled. Removing the screen lock passcode in device settings re-enabled checkm8 extractions on these devices, albeit at the cost of not being forensically sound anymore. A SEP vulnerability was later discovered for A10 devices (iPhone 7 and 7 Plus), making it possible to bypass the requirement and use checkm8 on passcode-protected devices without removing the screen lock passcode. No such vulnerability was discovered for A11 Bionic.

Why it matters:

• For A11 Bionic devices (iPhone 8, 8 Plus, iPhone X) running iOS 16, checkm8 extraction will be unavailable if the device had a screen lock passcode configured at any time after initial setup.
• Removing the passcode will no longer re-enable checkm8 extractions on iPhone 8, 8 Plus, iPhone X running iOS 16. This limitation does not apply to other devices (e.g. iPads).
• Limited BFU (Before First Unlock) extraction is also no longer available for A11/iOS 16 devices.
• checkm8 extraction for A11 Bionic devices is available if they are running iOS 15.7 or older, or if a screen lock passcode was never used on the device after initial setup.

Lockdown Mode

iOS 16 introduces Lockdown Mode, a special mode offering an additional level of security for the users who are likely to become targets of personal attacks. When describing the feature, Apple specifically mentions “sophisticated digital threats, such as those from NSO Group and other private companies developing state-sponsored mercenary spyware”. According to Apple, turning on Lockdown Mode hardens device defenses and limits certain functionalities, thus reducing the attack surface that potentially could be exploited by targeted spyware.

Activating Lockdown Mode requires toggling a setting and rebooting the iPhone. In this mode, some device functions will be restricted. The following limitations will initially apply (with additional protections potentially available over time):

• Messages: Most message attachment types other than images are blocked. Some features, like link previews, are disabled.
• Web browsing: Certain complex web technologies, like just-in-time (JIT) JavaScript compilation, are disabled unless the user excludes a trusted site from Lockdown Mode.
• Apple services: Incoming invitations and service requests, including FaceTime calls, are blocked if the user has not previously sent the initiator a call or request.
• Wired connections with a computer or accessory are blocked when iPhone is locked.
• Configuration profiles cannot be installed, and the device cannot enroll into mobile device management (MDM), while Lockdown Mode is turned on.

Passkeys

Passkeys are yet another attempt to re-invent authentication. Based on classic asymmetric cryptography, passkeys are aimed to eliminate the need to use passwords and jump through the hoops of two-factor authentication ever again.

Technically, passkeys are cryptographic key pairs of matching public and private keys as defined in asymmetric cryptography. A private key is stored on the iPhone in the keychain (and synchronized across devices via iCloud Keychain, which in turn is protected with end-to-end encryption), while a public key is stored on the service side. According to TechCrunch, Passkey is based on WebAuthn standard, so users can use biometric authentication like Face ID or Touch ID, or use a PIN to validate a login attempt. The standard is based on FIDO’s proposed multi-device credentials that allow users to store authentication keys across devices enabling users to log in without requiring a password. This means it should work across platforms, but Google and Microsoft are yet to implement the technology on their platforms. More information is available in What is Apple Passkey, and how will it help you go passwordless? | TechCrunch

From the forensic point of view, Passkeys are parts of credentials stored in the device keychain and iCloud Keychain. Experts can extract Passkeys from the device itself or use Elcomsoft Phone Breaker to download from iCloud Keychain. Since iCloud Keychain is end-to-end encrypted, accessing iCloud Keychain will require a screen lock passcode or system password of an enrolled device in addition to the user’s Apple ID and password.

Rapid Security Response

Rapid Security Response is an interesting new feature that can install security patches without the need for a full iOS update. The exact forensic implications of Rapid Security Response are still unknown. On the one hand, Rapid Security Response may deliver critical security patches faster without pushing the users to update the OS, thus patching any potential vulnerabilities that might otherwise be used for low-level extractions. On the other hand, some sources suggest that updates delivered through Rapid Security Response can be uninstalled by going to Settings > General > About, tapping iOS Version, and then tapping Remove Security Update.

Landscape Face ID

The iPhone 13 and 14 will be able to use Face ID in landscape orientation. This feature does not affect iOS forensics. As a reminder, Apple last improved Face ID in iOS 15.4 by adding the ability to unlock iPhones while wearing a medical mask. iOS 14.5 brought the ability to unlock iPhones while wearing a medical mask with Apple Watch. This latter feature may be a potential vector of attack.

iOS 16 Privacy Protection

Apple works hard on improving privacy protections. The features listed below are unlikely to affect forensic experts, with one notable exception.

Safety Check

According to Apple, Safety Check is designed to “check whom you’re sharing information with, restrict Messages and FaceTime to your iPhone, reset system privacy permissions for apps, change your passcode, change your Apple ID password, and more.” The feature enables reviewing and removing permissions granted to apps or people from a single point of access. Safety Check can be also used to restrict incoming messages and FaceTime calls to a single iPhone by disabling iCloud Messages and calling. As a reminder, iCloud Messages are end-to-end encrypted, and can be only extracted with Elcomsoft Phone Breaker if you have a screen lock passcode or system password of an enrolled device (in addition to login credentials and two-factor authentication).

Permission to Access the Clipboard

iOS 14 introduced a pop-up bubble informing that a certain app accessed the clipboard. The message could not be disabled system-wide, and many users were irritated by constant pop-ups.  iOS 16 attempts to solve this issue by introducing a new permission to access the clipboard in background. More information is available in UIPasteBoard’s privacy change in iOS 16 | Sarunw. When testing the feature, we found it to be half-baked since Apple did not provide a way to view or recall this permission. It turned out that the feature is, indeed, half-baked and buggy.

Hidden Photos Protection

Prior to iOS 16, hidden albums were just that. Users could ‘hide’ a picture by placing it into a ‘hidden’ album. The image would then disappear from the main photo stream, yet simply opening the hidden album would instantly reveal such pictures.

iOS 16 adds an additional layer of protection, now keeping the hidden photos locked behind a passcode or Face ID by default. Users can disable the authentication requirement in the settings.

This feature does not affect the ability to extract media files in any way. The hidden photos remain available in backups, and they are easily accessible through AFC during advanced logical acquisition with iOS Forensic Toolkit without requiring any sort of extra authentication.

Privacy Report and App Tracking Transparency

iOS 15.2 enabled Privacy Report, a feature that allows users to see details about how often apps access their data such as location, camera, microphone, and more. Users can also see information about each app’s network activity, as well as the web domains that all apps contact most frequently (About App Privacy Report). Earlier in iOS 14.5 Apple enabled App Tracking Transparency, a feature that gave users control over which apps are allowed to ask for permission if they want to track users’ activities across other apps and websites.

These thigs happened many months before the release of iOS 16. Why are we addressing them now?

“Local law enforcement agencies from suburban Southern California to rural North Carolina have been using an obscure cellphone tracking tool, at times without search warrants, that gives them the power to follow people’s movements months back in time, according to public records and internal emails obtained by The Associated Press”, say GARANCE BURKE and JASON DEAREN in Tech tool offers police ‘mass surveillance on a budget’ | AP News. According to the publication, the service named Fog Reveal was provided by Fog Data Science LLC, a company founded by two former high-ranking Department of Homeland Security officials.

Fog Reveal obtained the data from various ad mediators and owners of advertisement SDKs such as Waze, Starbucks, Meta, and many other companies collecting information about the users’ movements and interest. Such information is openly sold, albeit in anonymized form.

Using Fog’s data, which the company claims is anonymized, police can geofence an area or search by a specific device’s ad ID numbers, according to a user agreement obtained by AP. But, Fog maintains that “we have no way of linking signals back to a specific device or owner,” according to a sales representative who emailed the California Highway Patrol in 2018, after a lieutenant asked whether the tool could be legally used.

Despite such privacy assurances, the records show that law enforcement can use Fog’s data as a clue to find identifying information. “There is no (personal information) linked to the (ad ID),” wrote a Missouri official about Fog in 2019. “But if we are good at what we do, we should be able to figure out the owner.” (source)

It is exactly the devices’ unique advertising identifier that was used to uniquely identify each device, initially for the purposes of tracking and ad targeting. While each devices’ advertising identifier is anonymous, with enough data and some analysis it can be easily linked to a person. App Tracking Transparency gave users control over who can request permission to access the users’ advertising identifier, and Only 4 percent of US iPhone users have agreed to app tracking after iOS 14.5. Privacy Report, on the other hand, gives users important insight on which apps are abusing permissions  and which Web sites they talk to.

Conclusion

In iOS 16, Apple went a long way to protect the users’ personal information and secure their devices. The SEP patch for A11 devices caught us by surprise, rendering checkm8 extraction effectively useless on iPhone 8, 8 Plus and iPhone X devices.

iOS Forensic Toolkit 8.0 is officially released! Delivering forensically sound checkm8 extraction and a new command-line driven user experience, the new release becomes the most sophisticated mobile forensic tool we’ve released to date.

checkm8 Extraction

Released almost exactly three years ago, checkm8 came as a huge surprise. Exploiting a vulnerability in the bootloader of many Apple devices including several generations of iPhones, iPads, iPod Touch, Apple Watch and even Apple TV devices, checkm8 allows breaking into a device almost regardless of the version of iOS installed on these devices. The latest iPhone models that can be exploited include the iPhone 8, 8 Plus and iPhone X devices (up to and including iOS 15.7). For 32-bit devices the exploit can even be used to unlock devices with an unknown screen lock passcode.

Today, checkm8 is a common and widely accepted tool in the mobile forensic community. Multiple solutions exist, but none of them is perfect. We are yet to see a purely checkm8-based solution that does not borrow from checkra1n while offering repeatable extractions several times in a raw, so we developed our own implementation built from the ground up. As a result, there won’t be a trace left on the iPhone extracted with iOS Forensic Toolkit, not a single log entry and not even a changed timestamp. How did we make it possible?

checkm8 is ideal when it comes to forensic extractions. By its very nature, the exploit does not need to modify the file system; all modifications are performed on the fly in the device’s volatile memory. Our implementation works entirely in the RAM; it does not boot the OS installed on the device and does not modify the data or system partition. For that to work, during the extraction process you will need to download a matching copy of the original device firmware from Apple (the download link will be provided at the time of extraction).

Compatibility, System Requirements and Limitations

The initial release of iOS Forensic Toolkit 8.0 is available for macOS computers and can be launched on both x86 and Apple Silicon (M1/M2) computers. Linux and Windows editions are in the works.

Our implementation of checkm8 extraction is available for 76 Apple devices including a host of iPhone, iPad, iPod Touch, Apple Watch and Apple TV models. We support a number of major OS releases ranging from iOS 7 through iOS 15.7 (with limited iOS 16 support) in three different flavors (iOS, tvOS, and watchOS) for three different architectures (arm64, armv7, and armv7k). We support 18 different chips vulnerable to BootROM exploits, namely:

S5L8930, S5L8940, S5L8942, S5L8945, S5L8947, S5L8950, S5L8955, S5L8960, S5L8965, T7000, T7001, S8000, S8001, S8003, T8004, T8010, T8011, T8015

These chips include:

• 4 AppleTVs: AppleTV3,1 AppleTV3,2 AppleTV5,3 AppleTV6,2
• 40 iPads: iPad2,1 iPad2,2 iPad2,3 iPad2,4 iPad2,5 iPad2,6 iPad2,7, iPad3,1 iPad3,2 iPad3,3 iPad3,4 iPad3,5 iPad3,6 iPad4,1 iPad4,2 iPad4,3 iPad4,4, iPad4,5 iPad4,6 iPad4,7 iPad4,8 iPad4,9 iPad5,1 iPad5,2 iPad5,3 iPad5,4 iPad6,11, iPad6,12 iPad6,3 iPad6,4 iPad6,7 iPad6,8 iPad7,1 iPad7,11 iPad7,12 iPad7,2 iPad7,3, iPad7,4 iPad7,5 iPad7,6
• 25 iPhones: iPhone10,1 iPhone10,2 iPhone10,3 iPhone10,4 iPhone10,5 iPhone10,6, iPhone3,1 iPhone3,2 iPhone3,3 iPhone4,1 iPhone5,1 iPhone5,2, iPhone5,3 iPhone5,4 iPhone6,1 iPhone6,2 iPhone7,1 iPhone7,2 iPhone8,1 iPhone8,2 iPhone8,4 iPhone9,1, iPhone9,2 iPhone9,3 iPhone9,4
• 3 iPods: iPod5,1 iPod7,1 iPod9,1
• 4 Watches: Watch3,1, Watch3,2, Watch3,3, Watch3,4

In response to checkm8, Apple attempted to strengthen security of the latest vulnerable devices, the iPhone 7, 7 Plus, 8, 8 Plus and iPhone X range by hardening SEP protection. The increased security measures require removing the screen lock passcode before applying the exploit on the iPhone 8, 8 Plus and iPhone X models running iOS 14 through 15.7, yet we were able to overcome this protection for the iPhone 7 and 7 Plus.

iOS 16 support is limited. Days before the release of the final build of iOS 16 we were ready to roll out iOS Forensic Toolkit 8 with iOS 16 support on A11 devices. Apple’s last-minute change in the release version of iOS 16 included an unexpected SEP patch that broke checkm8 extraction completely. The patch effectively blocks the exploit from accessing the data if a passcode was ever configured on the device (even if subsequently removed). The new SEP hardening measures effectively prevent checkm8 extractions on the absolute majority of A11-based devices in circulation (the iPhone 8, 8 Plus, and iPhone X).

The complete compatibility matrix now looks as follows:

Passcode Unlock

checkm8 does not affect the Secure Enclave. It cannot be used to break the screen lock passcode, and without the passcode it cannot be used to decrypt most of the data in the file system (limited BFU mode access is still possible).

Having said that, we can still do the unlock for older Apple devices with no Secure Enclave by using checkm8 or another bootloader exploit. Such devices include the iPhone 4, 4s, 5, and 5c. For these iPhone models, our tool can do everything from recovering the passcode to bit-precise physical extraction. Note: the iPhone 4s requires an additional piece of hardware due to a specific USB controller (see checkm8: Unlocking and Imaging the iPhone 4s).

Unknown Passcode and BFU Extraction

As already mentioned, our solution can perform a limited BFU (Before First Unlock) extraction for 64-bit devices protected with an unknown screen lock passcode. In this mode, you can extract information that is not encrypted with a key derived from the screen lock passcode. This includes the call history log, account list, draft messages (SMS/iMessage) and attachments (drafts only!), as well as some geolocation data and some app data. In addition, WAL files (write-ahead logs) to many databases can also be extracted.

checkm8 vs. Advanced Logical Acquisition

Advanced logical acquisition is the easiest and most compatible extraction method that includes local backups, media files, crash logs and shared files. Advanced logical extraction often delivers just enough data to jump-start the investigation. What is not included with the advanced logical process are many types of data such as chats occurring in the most secure messaging apps such as Signal or Telegram, email messages, low-level system data, SQLite databases with their respective write-ahead logs, location data, and many system logs that may reveal every detail of device usage history. All of that and much more is readily available when you use checkm8 extraction.

checkm8 or checkra1n?

The first checkm8-based solutions in mobile forensics were built with checkra1n, a public, closed-source jailbreak that is based on the open-source checkm8 exploit. checkra1n extractions deliver the same amount of data as any other low-level extraction method. However, the use of checkra1n inevitably alters the content of the device, which impacts its use in mobile forensics.

Compared to checkra1n-based extractions, our checkm8 extraction process has the following differences:

• Repeatable, verifiable extractions
• Unaltered system and data partitions
• 100% of the patching occurs in the RAM
• Supports 76 devices, 3 different architectures, and several generations of iOS from iOS 7.0 through iOS 15.7 (with limited iOS 16 support)
• Passcode unlock available for armv7 devices (iPhone 4 through iPhone 5c)
• BFU (Before First Unlock) extraction supported
• Supports iPhone, iPad, iPod Touch, Apple Watch and Apple TV devices

The Command Line

iOS Forensic Toolkit 8.0 brings a new, advanced user experience built around the command line. The use of the command line enables full control over every step of the extraction workflow, allowing experts to stay in control of every step of the process. Thanks to the command line, experts can also build their own scripts to automate their specific routines.

Conclusion

With this update, Elcomsoft iOS Forensic Toolkit becomes the most advanced iOS acquisition tool on the market. The toolkit now supports all possible acquisition methods including advanced logical, agent-based and checkm8-based low-level extraction.

Bootloader-based acquisition is the only 100% forensically sound data extraction method for Apple devices. It is the only way to acquire the full set of data from those devices that run iOS 16, albeit with a huge caveat that makes the whole thing more of a brain exercise than a practical forensic tool. Let’s review the iOS 16 compatibility in iOS Forensic Toolkit and go through the whole process step by step.

Supported devices

The checkm8 exploit is compatible with multiple generations of Apple devices. However, only some of those devices are compatible with Apples’ latest iOS builds. Here is the full list of devices that are compatible with both the bootrom-based acquisition method and can run iOS 16 and its variants such as iPadOS and tvOS:

• iPhone 8, iPhone 8 Plus, iPhone X
• iPad 5/6/7
• iPad Pro (1^st and 2^nd gen)
• Apple TV HD (4^th gen) and Apple TV 4K (1^st gen)

iPad and iPro devices do not have iPadOS 16 update yet. iPadOS 16.1 soon will be available, but there are some bad news coming.

First, the “…cannot be fixed with a software patch” mantra about the bootloader vulnerability and the checkm8 exploit did not actually work. For the most part, Apple was able to fix it in iOS 16, specifically for devices based on the A11 SoC, which includes the iPhone 8, 8 Plus and iPhone X. The first part of the fix arrived with the release of iOS 14. Back then you had to disable the screen lock passcode in order for checkm8 to work. iOS 16 improved this even further: if the device had a passcode set at any time after it was initially set up, the data volume cannot be unlocked anymore. The file system extraction, let alone keychain decryption, of a passcode-locked iPhone 8/X running iOS 16 is no longer possible if you know the passcode and even if you remove it from the device.

Second, iPadOS 16.1 (and iOS 16.1) will bring significant changes (in particular the ramdisk format) that will prevent our software from working. At this point we cannot say whether this change is made to improve security (probably not). We can fix it, but we need more time.

Prerequisites

A compatible device. This is the trickiest part. If you are working with an iPhone 8, iPhone 8 Plus or iPhone X and it has a passcode set, you are out of luck. With iOS 14 or 15, you had to remove the passcode first (see How to Remove The iPhone Passcode You Cannot Remove for more details), but that does not work anymore with iOS 16. For iOS 16 and an iPhone 8, iPhone 8 Plus or iPhone X you’ll need a phone that never had a passcode at any point after the user set it up.

You’ll need a Mac. For the time being, iOS Forensic Toolkit 8.0 can only be used on a Mac. We do have a Windows build, but it currently lacks support for bootloader-based acquisition. Both Windows and Linux editions with full support for bootloader-based acquisition are currently under development. iOS Forensic Toolkit can work even on older Mac running macOS High Sierra, but we recommend one of the newer models instead. If you have a choice, pick one based on Apple Silicon running macOS Big Sur or Monterey. Note that we have not tested iOS Forensic Toolkit on macOS 13 Venture, although it should work.

Please note that we do not officially support virtual machines or Hakintoshes.

A USB-A to Lightning cable. If your Mac has USB-C or Thunderbolt ports only, you will also need a hub with at least two USB-A ports (one to connect the device, and the other to connect the iOS Forensic Toolkit dongle).

For iPads, there is still no need to remove the passcode prior to the acquisition, but you must know the passcode; however, as noted above, we don’t support iPads running iPadOS 16 yet, sorry (working on that).

Finally, Apple TV does not have passcode protection, so there is nothing to worry about.

Installation

We have two separate installation packages:

• Legacy: for macOS High Sierra, Mojave and Catalina (Intel-based Macs)
• Current: for macOS Big Sur and Monterey (intel or Apple Silicon)

Make sure to download a package compatible with your system.

To install the downloaded package, first mount the installation file (.dmg) using the installation password you received, and copy EIFT8 (or EIFT8L for legacy version) folder to a known location on your computer, such as desktop.

Next, start the Terminal app and remove the quarantine flag:

xattr -r -d com.apple.quarantine <path to EIFT folder>

Now you can cd into the iOS Forensic Toolkit folder and start the program. The general syntax is:

./EIFT_cmd <options>

Entering DFU

Placing the device in DFU is probably the trickiest part of the process. Entering DFU is always manual; you need to press and hold the buttons on the device in a particular order with precise timings. The steps are different for different devices, and every little detail (such as ports and cables) matters.

We posted a lot about DFU. You can start with DFU Mode Cheat Sheet. There is something specific to the Apple TV 4K that does not have a USB port (Apple TV 4K Keychain and Full File System Acquisition); and we have a detailed (and carefully tested) set of instructions for the iPhone 8 and iPhone X range: Entering DFU: iPhone 8, 8 Plus, and iPhone X.

In short, we recommend starting iOS Forensic Toolkit first with boot command and -w flag (which means “wait for device in DFU mode”) like this:

./EIFT_cmd boot -w

The programs will keep looking for connected devices and will indicate once such device is connected or disconnected (in any mode), which makes things simpler.

Usage

If you did everything right, the bootloader exploit will be applied automatically and immediately as soon as iOS Forensic Toolkit founds a device connected in DFU mode. The tool will then detect the installed iOS version; unfortunately, in some cases the exact iOS version cannot be determined, and the tool will print out the closest range of iOS builds.

You will then have to provide the tool with a path to a proper firmware image; a download link will be printed out by iOS Forensic Toolkit. If the exact iOS version could not be determined, you will receive several download links; in that case, select the first one from the list. You can either download the firmware and specify name and path to the local file in iOS Forensic Toolkit, or just paste the download link instead, in which case iOS Forensic Toolkit will download only the mandatory data, which is a bit faster.

iOS Forensic Toolkit will perform further steps, booting a proper ramdisk and making the necessary patches in the device’s volatile memory. If everything is OK, the device screen will display the Exploited message.

You can now acquire the data by following the steps:

./EIFT_cmd ramdisk unlockdata

The command unlocks the data partition. Yes, you do NOT need to run “ramsisk loadnfcd” command (that mounts the relevant filesystems and starts ncfd daemon) as before. It is still needed for iOS 15 and lower, though.

If the passcode is set (or was set before, and later removed), the command fails. There is currently absolutely no way to acquire the data (keychain and full file system) from iPhone 8/X devices running iOS 16 protected with the passcode using checkm8 exploit, at least for now.

./EIFT_cmd ramdisk keychain -o <path to keychain file>

The keychain is should be normally extracted first as it contains some of the most valuable data: see Keychain: the Gold Mine of Apple Mobile Devices for details.

./EIFT_cmd ramdisk tar -o <path to file system image> By default, only the data partition is extracted, and it is the recommended setting. The system partition does not contain any user-specific data, and its extraction will slow down further analysis. Only pull the system partition if the device is jailbroken or you think that it might be compromised with something like Pegasus spyware.

iOS Forensic Toolkit saves the file system in a form of a .tar archive that can be analyzed, for example, with open-source iLEAPP software. Of course, commercial software like Cellebrite UFED, Magnet AXIOM, MSAB XRY or Oxygen Forensic Detective will also work. Some of these products may not support iOS 16 file system analysis at this point, but I am sure they will. For the time being, it looks like iLEAPP does the job (and it is free!)

Troubleshooting & error reporting

I bet you will get some troubles entering DFU at first; this is normal. Just follow the instructions exactly (and remember about the hub and USB-A cable).

Still, applying the exploit may fail, sometimes because the device is in a “wrong” DFU mode (see the DFU article above for more details); if this happens, just try again.

The other error you may encounter occurs when the output file with the same name (keychain or .tar archive with the file system) already exists; just check that the output file name is unique.

From time to time, you may get an error when booting the ramdisk or data unlocking the data partition. Such errors may occur randomly, and they are completely unpredictable. If this happens, we would love to receive the complete log file(s) created by iOS Forensic Toolkit to develop a solution; the log files are saved at:

~/Elcomsoft/EIFT/logs

By request, we can provide you with a debug version of iOS Forensic Toolkit that logs even more information that may help us locate and fix the problem.

TL;DR

So, here is the sequence of commands once iOS Forensic Toolkit is installed:

• Start terminal and change current folder to EIFT
• ./EIFT_cmd -w
• Place the device in DFU mode
• Supply the firmware file or link
• ./EIFT_cmd ramdisk unlockdata
• ./EIFT_cmd ramdisk keychain -o <path to keychain file>
• ./EIFT_cmd ramdisk tar -o <path to file system image>

Conclusion

Despite limitations, our implementation of checkm8-based extraction is still the best and most forensically-sound acquisition method for supported devices. With the release of iOS 16, the iPhone 8, 8 Plus and iPhone X became practically invulnerable to the “unpatchable” bootloader exploit. Forensic specialists will be unable to extract real-life devices that are (or ever were) protected with a passcode, at least not until a SEP exploit emerges. There is also a possibility that an OS-level vulnerability will be discovered in iOS 16, making agent-based extraction possible. This, however, is a distant project as Apple complicated a lot of things in iOS 16.

DFU (Device Firmware Update) is a special service mode available in many Apple devices for recovering corrupted devices by uploading a clean copy of the firmware. Forensic specialists use DFU during checkm8 extractions (Elcomsoft iOS Forensic Toolkit). Unlike Recovery, which serves a similar purpose, DFU operates on a lower level and is undocumented. Surprisingly, there might be more than one DFU mode, one being more reliable than the others when it comes to forensic extractions. The method described in this article works for the iPhone 8, 8 Plus and iPhone X.

Before You Begin

Before you begin, make sure you have everything to proceed. Check out our past articles on the subject including iPhone X, DFU mode and checkm8, How to Put an iOS Device with Broken Buttons in DFU Mode, and DFU Mode Cheat Sheet.

• Only use USB-A to Lightning cables; no Type-C cables!
• For better compatibility, use a hub instead of a USB-C to USB-A adapter.
• Unless you practiced before, placing an iPhone into DFU rarely succeeds on the first try. We recommend practicing the steps on a ‘safe’ device.
• The iPhone 8/X devices have two slightly different DFU modes, and only one of them can be reliably for extractions. One cannot tell between the two DFU modes, so following the correct procedure is extremely important. If the iPhone is placed into the wrong DFU mode, the exploit may fail or you may experience issues during subsequent extraction steps.

Step 1: enter Recovery

Before placing the device into DFU, we recommend entering the Recovery mode first. There are two different ways to do that depending on the iPhone’s power-on status.

If the device is powered off and not connected to a PC:

• press and immediately release Vol+;
• press and immediately release Vol-;
• press and hold Power; while holding the Power button, connect the iPhone to the computer with a Lightning cable.
• Keep holding the Power key until you see the recovery image:

If the device is powered on and already connected to a PC:

• press and immediately release Vol+;
• press and immediately release Vol-;
• press and hold Power until you see the recovery image.

Step 2: Entering DFU

Once the iPhone is in Recovery and connected to the computer, launch iOS Forensic Toolkit with the following command:

./EIFT boot -w

On the iPhone:

• press and immediately release Vol+;
• press and immediately release Vol-;
• press and hold Power until the iPhone you see the “iPhone disconnected” message in iOS Forensic Toolkit on the computer. This message means that the iPhone has been disconnected from the computer. If you are not using iOS Forensic Toolkit, you can check Finder instead.
• Once the iPhone disconnects from the computer, keep holding the Power button and press and hold Vol-.
• Keep holding the buttons for 4 seconds, then release Power (keep holding Vol-).
• iOS Forensic Toolkit will pick up and start booting the iPhone once the device is in DFU. When this happens, release the Vol- button.

Note: if you keep holding the buttons longer than the 4 seconds, the iPhone will be rebooted instead of entering DFU.

In macOS, Finder will show the iPhone in “Recovery” more regardless of whether the device is in DFU or Recovery. However, in Recovery you will see both Update and Restore, while in DFU you will only see Restore (the Update button will be disabled).

iOS Forensic Toolkit 7.60 brings gapless low-level extraction support for several iOS versions from iOS 15.2 up to and including iOS 15.3.1, adding full file system extraction support for Apple devices based on Apple A11-A15 and M1 chips.

What’s it all about

Low-level extraction is commonly used by forensic specialists to obtain digital evidence not otherwise accessible via the lighter and simpler logical acquisition process. Elcomsoft pioneered agent-based low-level extraction, utilizing a lightweight app for accessing the file system and establishing a communication channel between the expert’s computer and the device being extracted. Once sideloaded onto the device, the extraction agent applies an exploit to obtain superuser privileges and gain low-level access to the file system.

Prior to this update, iOS Forensic Toolkit could perform low-level extraction of most iPhone and iPad models running iOS 9 through iOS 15-15.1.1, delivering full file system extraction and keychain decryption. In this release, we are once again extending the range of supported iOS builds, now covering iOS 15.2 through iOS 15.3.1 on Apple A11-A15 and M1 based devices. With this update, we made it possible to perform full file system extraction of iOS 9.0 through 15.3.1 for all compatible iPhone and iPad models.

Benefits of agent-based extraction

There are several extraction methods of varying complexity and compatibility. Logical acquisition is the most compatible and the easiest to use yet returning the least amount of data. Low-level extraction delivers tangible extras such as location data, comprehensive device usage stats, as well as all sandboxed app data including communication histories in the most secure messaging apps.

Low-level extraction come in multiple flavors, checkm8 being the cleanest and jailbreaks being the most obtrusive of the pack. Agent-based acquisition is second best to checkm8, delivering robust file system extraction for all Apple devices running a compatible version of iOS. Agent-based extraction comes as close to being forensically sound as possible, only installing a lightweight app and not altering any user data.

What makes a certain iOS version ‘compatible’ with the agent? The extraction agent obtains the required level of privileges by exploiting one of the known vulnerabilities in iOS kernel. To do this, the app packs a number of kernel-level exploits and uses one or another to escape its sandbox and access the file system. Such exploits require time and effort to find and to implement, while Apple actively patches known vulnerabilities in iOS updates. This is why the latest versions of iOS are generally immune to exploits developed for earlier builds (although we know of several exceptions).

Breaking iOS 15.2-15.3.1

Unlike checkm8-based extraction, which exploits a boot loader-level vulnerability only available on legacy devices, the extraction agent relies on kernel exploits. These exploits enable the extraction agent to escape the sandbox and gain low-level access to the file system and establish a communication channel between the iPhone and the computer.

Apple actively resists low-level extraction attempts, making it more difficult to sideload apps. Today, sideloading only works reliably in macOS. We are working on improving the process.

iOS 15.2 introduced a new memory protection mechanism that makes it more difficult to apply the exploit. While in this release we can only extract the file system, we are working on keychain decryption as well.

Using the extraction agent

You’ll need a supported iPhone or iPad device running a compatible version of iOS. Please refer to the following picture for the matrix of supported device models and iOS versions:

Using an Apple ID registered in Apple’s Developer Program is strongly recommended for installing the agent as it alleviates the need to open Internet access on the device. A workaround is available to Mac users. Comprehensive instructions on How to Sideload the Extraction Agen are available in our blog.

Low-level extraction in iOS Forensic Toolkit 7.60

To extract the file system and decrypt the keychain from an iOS device without a jailbreak, follow these steps.

1 INSTALL - Install acquisition agent on device
2 KEYCHAIN - Acquire device keychain
3 FILE SYSTEM - Acquire device file system (as TAR archive)
4 FILE SYSTEM (USER) - Acquire user files only (as TAR archive)
5 UNINSTALL - Uninstall acquisition agent on device

Detailed instructions:

1. Connect the iPhone to your computer. Pair the device (establish trusted relationship) by confirming the prompt on the iPhone and entering the screen lock passcode.
2. Launch iOS Forensic Toolkit 7.60 or newer.
3. On the computer, sideload the extraction agent by using the 1 INSTALL command in iOS Forensic Toolkit.
4. On the iPhone, launch the extraction agent by tapping its icon.
   Windows: developer account required. Use app-specific password.
   macOS: developer account not required but strongly recommended.
5. If supported, extract the keychain with 2 KEYCHAIN.
6. Extract file system image (full file system or data partition) with 4 FILE SYSTEM (USER). We recommend extracting the data partition only; the full image (3) may be usable e.g. to check the system partition for persistent malware.
7. On the iPhone, uninstall the extraction agent in a regular way or by using the 5 UNINSTALL command.

You may now disconnect the iPhone and start analyzing the data

Low-level extraction in iOS Forensic Toolkit 8.0 Beta

iOS Forensic Toolkit 8.0 features a new, command-line driven user interface, and employs a whole different set of commands compared to EIFT 7.x. To perform agent-based extraction in EIFT 8, follow these steps.

To install the extraction agent onto the device, connect and pair the device to the computer. Then, in the EIFT folder, run the following commands:

• Connect and pair the device to the computer: ./EIFT_cmd normal pair
• Install extraction agent: ./EIFT_cmd agent install
  You Will be prompted for Apple ID and password followed by two-factor authentication if the device is not trusted yet.
• If a regular, on-developer Apple ID was used, you will have to verify the certificate on the device.
• Tap the app icon to launch the extraction agent.
• Type ./EIFT_cmd agent keychain -o keychain.xml to extract the keychain (supported versions of iOS only)
• Type ./EIFT_cmd agent tar -o data.tar to extract the full file system image. Important: use a unique file name, or the extraction will fail.
• Type ./EIFT_cmd agent uninstall to uninstall the agent.

Disk encryption is widely used desktop and laptop computers. Many non-ZFS Linux distributions rely on LUKS for data protection. LUKS is a classic implementation of disk encryption offering the choice of encryption algorithms, encryption modes and hash functions. LUKS2 further improves the already tough disk encryption. Learn how to deal with LUKS2 encryption in Windows and how to break in with distributed password attacks.

Disk Encryption Basics

Disk encryption tools rely on symmetric cryptography to encrypt data. The default encryption algorithm today is hardware-accelerated AES-256 encryption, although Microsoft BitLocker defaults to using AES-128. Some disk encryption tools offer the choice of encryption algorithms, while others can only alter the key length and/or encryption mode.

The symmetric encryption keys are derived from the user’s password (or other data) by using a Key Derivation Function (KDF). The KDF employs multiple rounds of one-way transformations (hashing) of the user’s input to produce a binary key. This binary key is rarely used directly to encrypt or decrypt data. Instead, it is typically used to protect and unprotect (wrap/unwrap) the actual symmetric encryption key. Different hash functions and with numerous hash iterations are used to slow down the speed of potential brute force attacks.

The Original LUKS Encryption

LUKS is a platform-independent disk encryption specification originally developed for the Linux OS. LUKS is a de-facto standard for full-disk encryption in Linux, facilitating compatibility among various Linux distributions and providing secure management of multiple user passwords. Today, LUKS is widely used in nearly every Linux distribution on desktop and laptop computers.

When attacking an encrypted disk, one must know the exact combination of encryption and hashing algorithms, as well as the number of hash rounds. Attacking a disk using the wrong parameters will not result in a successful recovery. LUKS offers users the choice of various encryption algorithms, hash functions and encryption modes, thus providing many possible combinations. The default encryption settings for LUKS encrypted disks are aes-cbc-essiv:sha256 with 256-bit symmetric encryption keys, but these can be changed by the user or the developers of a Linux distro. The exact encryption settings are stored in metadata in the encrypted disk’s header.

Elcomsoft Distributed Password Recovery automatically detects LUKS encryption settings by analyzing the encryption metadata, which must be extracted with Elcomsoft Forensic Disk Decryptor prior to launching the attack.

LUKS2: A Stronger LUKS

LUKS2 is a newer, better, and more secure version of LUKS. According to the developers, LUKS2 extends LUKS with more flexible ways of storing metadata, redundant information to provide recovery in the case of corruption in a metadata area. It also introduces an interface to store externally managed metadata for integration with other tools.

What is probably more important is the change in how LUKS2 implements the default Key Derivation Function (KDF). Instead of infinitely bumping the number of hash rounds to the millions, LUKS2 developers decided to go with Argon2, a key derivation function that was selected as the winner of the 2015 Password Hashing Competition. The new default KDF is designed to maximize resistance to GPU cracking attacks.  The new KDF is as fast as the one used in the original LUKS when mounting the encrypted disk or performing other operations, yet by design it makes it very costly to perform large-scale hardware-accelerated attacks. This in turn required us to make use of the computer’s CPU instead of the much faster GPU to attack LUKS2 disks protected with argon2id .

The choice of Argon2 as a KDF makes GPU acceleration impossible. As a result, you’ll be restricted to CPU-only attacks, which may be very slow or extremely slow depending on your CPU. To give an idea, you can try 2 (that’s right, two) passwords per second on a single Intel(R) Core(TM) i7-9700K CPU @ 3.60GHz. Modern CPUs will deliver a slightly better performance, but don’t expect a miracle: LUKS2 default KDF is deliberately made to resist attacks.

What if a LUKS2 disk is protected with a KDF other than Argon2, such as PBKDF2+SHA-256? In this case, full GPU acceleration is available with much better speeds. The Intel(R) Core(TM) i7-9700K CPU @ 3.60GHz can enumerate 29 passwords per second, while using a NVIDIA GeForce RTX 2070 GPU results in 381 p/s, which is about 190 times faster than the speed of a CPU-only attack on Argon2.

Breaking LUKS2 Encryption Step 1: Extracting Encryption Metadata

To secure access to the data stored in the encrypted device, you must first recover the original, plain-text password. There are several steps involved requiring the use of several different tools.

1. Extract the encryption metadata from the encrypted device or disk image using Elcomsoft Forensic Disk Decryptor or Elcomsoft System Recovery.
2. Use the extracted metadata (a small file) to launch an attack on the password with Elcomsoft Distributed Password Recovery.
3. Once the password is found, mount the disk volume, or decrypt the data.

We have two different tools for extracting LUKS encryption metadata. The choice of the right tool depends on whether you are working in the field or in a lab. If you are analyzing the suspect’s computer, Elcomsoft System Recovery can be used to boot the system from a USB flash drive and extract the encryption metadata from the storage devices connected to the computer.

Note: LUKS2 encryption is supported in Elcomsoft System Recovery 8.30 and newer. If you are using an older version of the tool, please update to the latest version to obtain LUKS support.

1. Download Elcomsoft System Recovery, launch the installer and create a bootable USB drive.
2. Use the USB drive to boot the target system into the Windows PE environment.
3. Elcomsoft System Recovery will be launched automatically.
4. Review the attached disks.
5. Select LUKS2-encrypted partitions and click “Dump” to extract the encryption metadata.
6. Transfer the encryption metadata on your computer and use it with Elcomsoft Distributed Password Recovery to launch an attack on the LUKS2 encryption password.

If you are working in a lab and processing disks or disk images, you’ll be using Elcomsoft Forensic Disk Decryptor. Extracting encryption metadata with Elcomsoft Forensic Disk Decryptor is simple.

Note: LUKS2 encryption is supported in Elcomsoft Forensic Disk Decryptor 2.20 and newer versions. If you are using an older version of the tool, please update to the latest version to obtain LUKS2 support.

1. Launch Elcomsoft Forensic Disk Decryptor.
2. Select “Extract/prepare data for further password recovery”.
3. Open the physical device or disk image containing LUKS2 volume(s). In the example below, we’re dealing with a physical device.
4. EFDD will display the list of encrypted volumes. Select the volume you are about to extract encryption metadata from.
5. Click Next to extract the encryption metadata and save it into a file.

Breaking LUKS2 Encryption Step 2: Attacking the Password

While LUKS2 offers strong protection against brute force attacks by using Argon2(id), we have significant advances in password recovery attacks compared to what we had in the past. Brute-forcing a password today becomes significantly faster due to the use of CPU optimizations across the board, distributed and cloud computing. Up to 10,000 computers and on-demand cloud instances can be used to attack a single password with Elcomsoft Distributed Password Recovery.

To set up the attack, do the following.

1. Launch Elcomsoft Distributed Password Recovery.
2. Open the file containing the encryption metadata that you obtained with Elcomsoft Forensic Disk Decryptor during the previous step.
3. The available key slots along with the number of hash iterations will be displayed. Specify the key slot to attack.
4. Configure and launch the attack.

Brute force attacks became not just faster, but much smarter as well. The user’s existing passwords are an excellent starting point. These passwords can be pulled from the user’s Google Account, macOS, iOS or iCloud keychain, Microsoft Account, or simply extracted from the user’s computer. The user’s existing passwords give a hint at what character groups are likely used:

Elcomsoft Distributed Password Recovery offers a number of options to automatically try the most common variations of your password (such as the Password1, password1967 or pa$$w0rd):

Masks can be used to try passwords matching established common patterns:

Advanced techniques allow composing passwords with up to two dictionaries and scriptable rules:

Conclusion

The original LUKS is still among the most commonly used encryption specifications in Linux. LUKS2 makes Linux disk encryption even more secure with a new Key Derivation Function, effectively banning GPU acceleration when attacking LUKS2 volumes.

Modern versions of Windows have many different types of accounts. Local Windows accounts, Microsoft accounts, and domain accounts feature different types of protection. There is also Windows Hello with PIN codes, which are protected differently from everything else. How secure are these types of passwords, and how can you break them? Read along to find out!

The classic passwords

When attacking Windows account passwords, one has to deal with several different ways the password hashes are produced, protected, and stored.

LM hashes are the oldest types of passwords used since the original version of Windows was released. Microsoft discontinued the use of LM hashes quite some time ago in Windows Vista/Server 2008, but you may still encounter one of those in an older system. LM hashes are stored locally in the SAM database, or the NTDS database on the Domain Controller.

NTLM hashes are the modern replacement of LM. Microsoft still uses the NTLM mechanism to store passwords in modern versions of Windows. These passwords are also stored in the SAM database, or in the NTDS database on the domain controller. Surprisingly, NTLM hashes are even faster to break than LM due to the way the algorithm is implemented.

NTLM hashes protect local Windows accounts as well as the newer types of accounts introduced in Windows 8: the Microsoft Account sign-in. Windows caches the password hash and stores it locally on the computer. This allows users to log in to their computer while using it offline. On another hand, this also allows extracting the cached hash file and running an offline attack to recover the original password. The hashed Microsoft Account passwords are stored locally in the SAM database along with the rest of NTLM hashes. Technically, the locally cached Microsoft Accounts passwords are protected with the same NTLM mechanism as other types of cached credentials, which makes them just as easy and as fast to attack as local Windows passwords.

NTLM hashes are poorly salted. Microsoft uses cryptographic salt to protect LM and NTLM password hashes. However, the same salt is used to protect all LM and all NTLM passwords, which allows attacking all user accounts that present on a certain computer simultaneously. This only changed in Windows Hello PINs.

Windows also has DCC, which stands for Domain Cached Credentials. These are locally stored, cached password hashes that are used to log in to the domain. Domain Cached Credentials are protected differently compared to all other types of credentials, and feature a significantly stronger protection compared to LM and NTLM passwords.

Microsoft Account passwords

In Windows 8, Microsoft introduced a different authentication system, Windows Hello. Users of Windows 8, 10 and Windows 11 are encouraged to set up a PIN and use it instead of their account password. Microsoft claims that the PIN is more secure than a traditional password, which is generally true only if the user’s computer is equipped with a configured TPM module. Without a TPM, the PIN becomes just another password – and a very weak one if the user follows Microsoft’s defaults and sets up a 4-digit or 6-digit PIN. If, however, the user configures an alphanumerical PIN (which, basically, is yet another name for the password), the situation changes.

Windows Hello PIN codes

Attacking Windows Hello PIN codes is significantly slower compared to NTLM attacks. According to the table below, the attack on an alphanumerical Windows Hello PIN with Elcomsoft Distributed Password Recovery can be some 50,000 to about 150,000 times slower compared to the attack on the NTLM hash. In addition, Windows Hello PINs are individually salted, which means that all PIN-protected accounts must be attacked in sequence.

While Windows 11 requires a Trusted Platform Module (TPM), older versions of Windows can do without while still using PIN-based Windows Hello sign-in. We prove that all-digit PINs are a serious security risk on systems without a TPM, and can be broken in a matter of minutes.

Traditionally, Windows accounts are protected with a password, which is used to sign-in to the computer and unlock protected items (such as authentication credentials, browser stored passwords or file system encryption). Resetting the account password, while granting access to the user’s account, would also invalidate such protected credentials, rendering encrypted files inaccessible and effectively blocking access to the user’s stored passwords. Accessing such protected items would require recovering the original password.

Starting with Windows 8, Microsoft introduced a new way to sign-in by using the online credentials to the user’s Microsoft Account. To help secure the user’s account, Microsoft developed an additional authentication system, Windows Hello. In Windows 8, Windows 10 and Windows 11 users are encouraged to set up a PIN and use it instead of a password. Microsoft even goes as far as claiming that the PIN is more secure than a traditional password. In Why a PIN is better than an online password (Windows), Microsoft states the following:

PIN is tied to the device

One important difference between an online password and a Hello PIN is that the PIN is tied to the specific device on which it was set up. That PIN is useless to anyone without that specific hardware.

PIN is backed by hardware

The Hello PIN is backed by a Trusted Platform Module (TPM) chip, which is a secure crypto-processor that is designed to carry out cryptographic operations. The chip includes multiple physical security mechanisms to make it tamper resistant, and malicious software is unable to tamper with the security functions of the TPM. Many modern devices have TPM. Windows 10, on the other hand, has a defect of not linking local passwords to TPM. This is the reason why PINs are considered more secure than local passwords.

This information suggests that the PIN code is always protected by a Trusted Platform Module (TPM) chip, is always tied to the device, and is inherently more secure than the password. These claims are misleading in a way that they are only true if the computer is equipped with a Trusted Platform Module (TPM) module (or emulation), and the TPM is configured to be used in Windows. This is not always the case. Older computers (especially desktop computers) equipped with 7th generation and older Intel Core processors typically do not have a TPM or its emulation, while many newer systems (including many mainboards supporting the 9th generation Intel Core CPUs) come with TPM emulation turned off in UEFI BIOS by default.

While Windows 11 won’t run without a TPM for good reasons, Windows 8 and Windows 10 happily do. These older systems do not report the presence of the TPM to the user when setting up Windows Hello yet still allowing (and even encouraging) using Windows Hello and the PIN code. This in turn is a serious vulnerability that affects users who choose simple all-digit PINs.

When setting up Windows Hello, the system suggests using an all-digit PIN, with alphanumeric PINs being an option. Users commonly choose 4-digit and 6-digit PINs.

Without a TPM, a 4-digit or 6-digit PIN is nothing else than a very, very weak password.

To prove this statement, we’ll use the recently updated Elcomsoft System Recovery 8.30. Note that one can only break Windows Hello PIN codes on systems without a TPM.

First, boot the target computer from the USB drive made by Elcomsoft System Recovery. If you have not done it already, here’s how to make the bootable USB drive with Elcomsoft System Recovery: A Bootable Flash Drive to Extract Encrypted Volume Keys, Break Full-Disk Encryption.

Once you boot the computer into Elcomsoft System Recovery and accept the license agreement, you will see the program’s main window. Click SAM – Local User Database:

Then select the target computer’s system drive:

Click Change local user account:

Set up the attack as shown on the screen shot below (the “Check weak PINs” option must be selected):

The tool will then detect user accounts protected with PIN codes, and automatically run a brute-force attack. Once the PINs are discovered, they will be shown in the corresponding window:

Here’s how long it takes us to enumerate all-digit PINs on a 7 year old Intel Core i7-5930K CPU @3.5GHz:

• All 4 digit PINs: 2 seconds
• All 5 digit PINs: 18 seconds
• All 6 digit PINs: 2 minutes

Checking all 4-digit, 5-digit and 6-digit combinations takes up to 2:20 min. If there more than one PIN-enabled account is present, the attacks will be performed separately on all accounts – quite unlike the attack on NTLM hashes, which can be recovered all at once due to shared salt. Interestingly, we discovered that even deleted accounts leave enough traces to launch a PIN attack.

Alphanumeric PIN codes and all-digit PINs that contain more than 6 characters must be attacked offline with Elcomsoft Distributed Password Recovery (update required).

Conclusion

Windows Hello is a great authentication system when used in combination with a TPM. If the computer is not equipped with a TPM chip or firmware-based emulation, or if the TPM is not configured, the use of PIN-based authentication poses a serious security risk if a weak PIN is used.

Elcomsoft System Recovery 8.30 introduced the ability to break Windows Hello PIN codes on TPM-less computers. This, however, was just one of the many new features added to the updated release. Other features include the ability to detect Microsoft Azure accounts and LUKS2 encryption, as well  as new filters for bootable forensic tools.

Microsoft Azure accounts

There are several types of user accounts in Windows that include local accounts, Active Directory, and Microsoft Accounts. Local accounts used to be the most common among home users, now being phased out by Microsoft in favor of online Microsoft Account. For corporate users, domain accounts are the most common type.

Elcomsoft System Recovery supports all of these account types. The tool can be used to reset account passwords, assign administrative privileges to a given account, or change the account type from (e.g. converting a Microsoft Account into a local account). The tool supports the newest type of Windows 11 accounts with passwordless sign-in.

However, there is yet another type of account tied to Microsoft Azure. Microsoft Azure accounts belong to Microsoft Works and School Accounts. They are relatively little known. Microsoft Azure accounts are not listed in the Settings app. Elcomsoft System Recovery 8.30 can now detect the presence of Microsoft Azure accounts on the user’s computer.

LUKS2 encryption

The many features of Elcomsoft System Recovery are targeted to Windows computers. However, the tool supports macOS and Linux systems to a limited extent. For these systems, Elcomsoft System Recovery can detect encrypted disks and extract encryption metadata for subsequent recovery in Elcomsoft Distributed Password Recovery. Previous versions of the product supported a long list of disk encryption standards including TrueCrypt, VeraCrypt, BitLocker, FileVault (HFS+/APFS), PGP Disk, and LUKS.

LUKS is the most common disk encryption system in many Linux distributions. The latest Elcomsoft System Recovery update can not detect disks encrypted with its successor, LUKS2. Compared to the original LUKS, LUKS2 is even more secure, supporting more algorithms and more hash iterations.

We are working on an update to Elcomsoft Distributed Password Recovery that will support the recovery of LUKS2 encrypted drives with optimized performance on modern graphics cards. However, you can extract LUKS2 encryption metadata today.

An update to bootable forensic tools

Elcomsoft System Recovery helps forensic experts overcome the challenge of accessing a locked system, delivering a straightforward workflow for investigating computers in the field. A recent update added several bootable forensic tools, which include:

• Timeline: allows reviewing the user’s activities logged by the Windows Timeline. This includes the list of launched apps and past activities laid out in the convenient timeline view.
• Recent files and folders: lists recently accessed files and folders.
• Installed apps: lists applications installed in the system.

Thanks to these features, experts can simply boot a PC from a USB flash drive and quickly review the user’s latest activities. The shortcut saves the time and effort of removing and imaging the hard drive(s), making it possible to make real-time decisions in the field.

In real life, the amount of data returned by these tools quickly becomes overwhelming. Moreover, a significant chunk of that data might be irrelevant to the investigation. To streamline the analysis, we introduced a powerful filtering system. By using filters, one can quickly configure the tool to only display data that belongs to a certain date and time range, or only include files located in specific directories, or exclude files located in a specific folder (such as C:\Windows\ for system files).

To access the new Forensic Tools section, boot the computer being investigated from a dedicated USB media with Elcomsoft System Recovery 8.30 or newer. If you have not done it already, here’s how to make the bootable USB drive with Elcomsoft System Recovery: A Bootable Flash Drive to Extract Encrypted Volume Keys, Break Full-Disk Encryption.

Once you boot the computer into Elcomsoft System Recovery and accept the license agreement, you will see the program’s main window. Click the “Forensic Tools” shortcut at the bottom of the window. You will see the list of available forensic tools:

The Installed apps tool displays the list of applications installed in the system being investigated. By default, the tool lists all apps installed on the computer:

You can easily configure the tool to only include certain apps (or exclude certain apps) with newly added filters:

Windows Timeline is a feature that first appeared in the Windows 10 April 2018 Update. The feature enhances Task View, enabling a glance into the past by displaying the user’s historical activities. The Timeline contains timestamped information about the user’s launched applications, searches, documents, and Web browsing history. Along with Windows jumplists, the feature is little known and rarely disabled, giving a valuable insight into the history of system’s usage. By analyzing the Timeline data, experts can access to timestamped information about the app usage and Web page visits.

Timeline data is collected individually per user. When analyzing the timeline, you will have to specify the Windows installation path as well as the path to the user profile. The user’s password is not required. The sheer amount of Timeline data can quickly overwhelm even the most experienced expert:

The newly added filters help restrict the amount of data displayed, allowing experts to concentrate on what’s really important:

The filtered result is much easier to read:

Just like the Timeline, Recent files and folders is a user-specific feature, requiring the path to the user profile. Just like the Timeline, Recent files and folders may contain an overwhelming number of records. The newly added filters help concentrate on files stored under specific paths or exclude irrelevant information:

Conclusion

Originally released as a simple tool for resetting Windows users’ passwords, Elcomsoft System Recovery is quickly evolving into a fully featured bootable forensic toolkit. The new release makes field analysis faster and more straightforward while still producing court admissible evidence with write-blocking disk imaging. Conveniently, using many of the newly added features do not require the user’s or administrator’s password.

Elcomsoft iOS Forensic Toolkit supports checkm8 extraction from all compatible devices ranging from the iPhone 4s and all the way through the iPhone X (as well as the corresponding iPad, iPod Touch, Apple Watch and Apple TV models). The new update removes an important obstacle to the acquisition of the iPhone 7 and iPhone 7 Plus devices running recent versions of iOS.

The Issue

At the time checkm8 was initially released, it was often referenced as a “permanent, unpatchable” exploit. However, Apple introduced new security measures in iOS 14 specifically for the newer devices including the iPhone 7, iPhone 8 and iPhone X range that changed the way the device boots and how the data volumes are unlocked. These patches had an immediate result on iOS forensics. In order to extract the file system and decrypt the keychain, the screen lock passcode had to be removed from the device prior to exploiting and unlocking. There are several problems with this approach:

1. The extraction process is no longer forensically sound as many changes are made to the device.
2. Under certain circumstances, the passcode cannot be removed until one signs in to iCloud from the affected device, which creates the obvious risks of remote wipe/lock, as well as unwanted data sync.
3. If you use a workaround described in How to Remove The iPhone Passcode You Cannot Remove, the reset of device settings causes even more changes on the device, let along it’s not always possible (e.g. if a Screen Time password is set, or the device is managed).
4. The passcode removal causes some data to be permanently lost, such as Apple Pay transactions, downloaded Exchange-based mail, some application tokens etc.
5. The device is no longer “trusted” in a sense of accessing end-to-end encrypted data stored in iCloud.

The Solution

Our approach to solving the issue is applying a SEP exploit. SEP (Secure Enclave Processor) is exploitable on the iPhone 7, and the exploit is available in public. With this exploit, we were able to improve the checkm8 extraction of the iPhone 7, eliminating the need to remove the screen lock passcode. The data partition is successfully unlocked even in iOS 15, but only if you know the passcode. If you don’t, you will be limited to BFU (Before First Unlock) extraction, which is honestly not a lot but still better than nothing.

Unfortunately, the same approach cannot be implemented for the iPhone 8 and iPhone X devices running iOS 14 or newer. No SEP exploit is available for these models, and so performing a full file system extraction with checkm8 still requires you to remove the screen lock passcode from the device. Alternatively, you may perform agent-based acquisition, which is currently limited to iOS 15.1 and lower (support for newer versions is under development).

Conclusion

With the latest update, Elcomsoft iOS Forensic Toolkit becomes the most advanced iPhone acquisition product on the market, supporting all possible acquisition methods (extended logical, checkm8 and agent) supporting a wide range of devices and iOS versions.

Mobile forensics is not limited to phones and tablets. Many types of other gadgets, including IoT devices, contain tons of valuable data. Such devices include smart watches, media players, routers, smart home devices, and so on. In this article, we will cover the extraction of an Apple TV 4K, one of the most popular digital media players.

We already covered Apple TV forensics in the past; check out the following articles:

• Apple TV and Apple Watch Forensics 01: Acquisition
• Apple TV Forensics 03: Analysis
• Forensic Acquisition of Apple TV with checkra1n Jailbreak
• Jailbreaking Apple TV 4K

There are generally two methods to access data stored in an Apple TV: logical acquisition (media files with the metadata, diagnostics logs), and full file system extraction. The latter required jailbreaking (see above), which is limited to certain versions of tvOS. We have the full checkm8 support for all models up to and including the Apple TV 4K, which means that the version of tvOS no longer matters. Only the latest Apple TV HDR is not vulnerable.

The problem

Everything was relatively simple up to and including the Apple TV 4. The 4K version, however, has two problems:

• No USB port
• Difficult to enter DFU

The first problem has been resolved, as a hidden port was discovered under the Ethernet (RJ45) socket. A special connector is now available, the GoldenEye (or Foxlink X892), which is available for around 40€. With this adapter, you can connect your Apple TV 4K using a standard lightning cable and perform logical acquisition (the good news is that the Apple TV cannot be locked with a passcode).

The second problem is more serious. In order to run the checkm8 exploit, the device must be in DFU mode. The Apple TV 4 and older models can be placed into DFU using the remote control with a special combination of buttons. This is not the case for the Apple TV 4K.

One way to place the 4K model into DFU uses a special breakout cable (available at around $70), but the installation is difficult and requires some soldering skills.

The solution

Fortunately, there is an easier way, revealed by @matteyeux about two years ago. Apart of the GoldenEye cable, you will also need the DCSD cable; we covered it in The Mysterious Apple DCSD Cable Demystified. The adapter is easily available at around 20€.

So here is how to place the AppleTV 4K into DFU:

• Disconnect Apple TV 4K from the power source
• Connect the DCSD cable to the computer’s USB port
• Connect the GoldenEye adapter to the DCSD cable (using Lightning)
• Connect the GoldenEye to the Apple TV 4K
• Connect the Apple TV 4K to the power source

And there we go: the Apple TV 4K is automatically boots into DFU!

You can now install the checkra1n jailbreak if your Apple TV runs tvOS 14 or older, or use the latest Elcomsoft iOS Forensic Toolkit 8.0 beta to perform a forensically sound keychain and file system extraction. As easy as that.

The acquisition steps are basically the same as for iPhones and iPads. Boot our custom ramdisk (you will have to download a proper firmware image using the link provided in our software):

Unlock the data partition:

And then pull the keychain (lightning fast) and the file system (at an impressive ~2.5 GB per minute).

Conclusion

Elcomsoft iOS Forensic Toolkit remains the only software capable of performing a forensically sound keychain and file system extraction from the majority of Apple TV models including the second and third generations, Apple TV HD and Apple TV 4K. If you are working in the field, do not miss the opportunity to get valuable data from this part of Apple ecosystem!

This article continues the series of publications aimed to help experts specify and build economical and power-efficient workstations for password recovery workloads. Electricity costs, long-term reliability and warranty coverage must be considered when building a password recovery workstation. In this article we will review the most common cooling solutions found in today’s GPUs, and compare consumer-grade video cards with their much lesser known professional counterparts.

Is expertise in mining any relevant?

At a glance, crypto currency mining may look a similar enough workload to password recovery, tempting experts learn from miners’ experience when building a password recovery rig. In reality, this approach isn’t the best for multiple reasons. Mining farms are built for profit; ideally, a quick profit. These are commonly built in an open housing from the available components that are rarely designed to withstand these types of workload. Power consumption and power efficiency are often disregarded, while long-term reliability is not a concern if a given video card had made enough crypto-cash.

While mining farm-like systems may and are used by forensic experts, they are commonly considered stop-gap solutions, even if they are used for many months or years. Workstations built for the needs of digital forensics have different priorities, with energy-efficiency, overall stability, long-term reliability and warranty coverage being on top of the list.

GPU cooling solutions

A typical modern video card is cooled with a large heatsink and one or several fans. The design of the cooling solution determines where the hot air goes. Depending on the working environment and workload type the different types of cooling solutions have advantages over the rest of the pack.

Most consumer video cards employ a so-called ‘open-air’ solution. In this design, the fans blow air onto the heatsink, while hot air escapes through the sides of the heatsink. The warm air lands on the motherboard and in the computer’s case. If more than a single video card is installed, this solution works best in open cases or benches.

(source: cgdirector.com)

A slightly different heatsink design places fins in parallel to the video card, thus blowing some hot air away from the computer case through the PCIe slot cover, while the rest of the air is still thrown into the case.

If you are using an open case, the direction of the fins is not significantly relevant. This solution provides better cooling if you are using several video cards in a closed case.

NVIDIA developed a hybrid solution in the 3000 series of its Founders Edition cards. Warm air is partly blown out of the case, and partly driven to the computer’s CPU fan and removed via the computer’s system fan.

Inside, this cooling system looks as follows:

While this is a very good design from the point of view of a typical gamer, and generally works fine if only one or two boards are installed in a closed case, this solution is still not designed to work in workstations or rack cases where multiple video cards are installed side by side. For this purpose, NVIDIA built a different type of cooling solution.

(Source: igor’sLAB)

The idea between this kind of cooling is shown on the following slide (source):

In First look at the “internals” of a single-slot Nvidia RTX A4000 graphics card the thermal solution is disassembled:

These cards are designed to run in rack servers.

If you want to learn more about the various cooling solutions found in today’s video cards, check out the following articles from cgdirector.com:

• Open-Air vs. Blower-Style Cooled GPUs – What’s the difference?
• Are Founders Edition GPUs Any Good?

To learn more about the differences between consumer-grade and pro-level boards, check out this article:

• Pro vs. Consumer GPUs – What’s the difference & Why so expensive?

In these articles, Alex Glawion explains the differences between open-air and blower fan designs:

Blower-style cooling solutions are naturally designed to be used in rack cases:

The “Pro” boards

Many gaming board are optimized for squeezing the last frame-per-second in action games at expense of stability, excess power consumption, and long-term reliability. Board partners are overclocking the GPU chips and increase the available power envelope to achieve higher performance. The extended power envelope delivers limited returns as demonstrated by Igor’sLAB in Cool flagship instead of fusion reactor: the GeForce RTX 3090 Ti turns the efficiency list upside down with a 300-watt throttle.

While consumer video cards are often factory-overclocked and operated at higher power limits and core voltages, this leads to the increase of power consumption that is not proportional to performance bump. The password recovery workload may take days or weeks to finish, making the power consumption and waste heat management a challenge. In addition to unnecessarily wasting energy, consumer boards are not guaranteed for constant workloads, and may have decreased lifespan and/or experience stability problems in the long term.

These issues are addressed in NVIDIA’s professional-level GPUs, which differ from their consumer counterparts in several meaningful ways.

Let’s compare two boards: an NVIDIA RTX 3070 Ti Founders Edition and NVIDIA A4000, a professional board based on the same chip.

As you can see, the professional board delivers nearly identical performance to its consumer counterpart, while doing it at less than half the power. At the price of 25 cents per kW/h, in 24×7 workloads the professional board can save around $328 a year. With electricity prices quickly growing, this can lead to even more significant savings in the future.

Are professional boards worth the investment?

Alex Glawion says: “You would expect the additional cost for pro GPUs to also mean considerably higher performance over consumer cards, but this is seldom the case, with consumer GPUs holding up and even leading in several video editing, 3D rendering, and CAD workloads. Instead, what pro GPUs offer are certified hardware, optimized drivers, and extensive support, making them more of an investment for those with deep pockets who seek higher reliability or a specific feature exclusive to these GPUs.”

For extended workloads such as password recovery, reliability and longevity of a video card do matter, especially considering the current 3-year upgrade cycle between major GPU releases. In addition, consider the differences in power consumption. A professional board sips half the power of its gaming counterpart, making it a much greener solution while being more economical in the long run.

Conclusion

Depending on the type of workload, your budget, and your working environment, you may opt for a set of professional video cards in a server rack, or a number of consumer boards installed into an open bench, or end up with something in between. When building a workstation for crunching passwords, consider the different ‘grades’ of video boards, the different cooling solutions, and the way you’ll be cooling the entire computer.

This article opens the series of publications aimed to help experts specify and build effective and power-efficient workstations for brute-forcing passwords. Power consumption and power efficiency are two crucial parameters that are often overlooked in favor of sheer speed. When building a workstation with 24×7 workload, absolute performance numbers become arguably less important compared to performance per watt. We measured the speed and power consumption of seven video cards ranging from the NVIDIA Quadro T600 to NVIDIA RTX 3070 Ti and calculated their efficiency ratings.

GPU acceleration and power efficiency

The use of video cards for brute-forcing passwords is nothing new. This year alone, we posted GPU Acceleration On The Cheap: Using Affordable Video Cards to Break Passwords Faster followed by GPU Acceleration: Attacking Passwords with NVIDIA RTX Series Boards, the later discussing the price/performance rating of the last generations of GPU chips. Today, we are about to make a different rating, comparing video cards by their performance relative to power consumption. Interestingly, the results are non-linear and deviate significantly from the price/performance rating.

Why some GPUs are more power-hungry than others? There are multiple factors affecting the performance and power consumption of a given chip. The GPU architecture and manufacturing process are obvious, as is the number of Compute Units installed (or activated) in a given model. The more Compute Units a GPU has, the faster it works, and the more power it consumes.

Another factor contributing to the card’s performance is the frequency, which strongly affects the power consumption and power efficiency of the card. The increase in the number of Compute Units results in linear growth of power consumption, while the growth of the card’s frequency increases the card’s power consumption with diminishing returns. For example, an NVIDIA RTX 3090 Ti with its stock TDP of 480 W is only 13% faster than the same card limited to 300 W (a 1.6 times difference) as discovered by igor’sLAB: Cool flagship instead of fusion reactor: the GeForce RTX 3090 Ti turns the efficiency list upside down with a 300-watt throttle and beats the Radeons.

GPU efficiency benchmarks

With multiple tests for every NVIDIA model, do we need yet another benchmark? We believe so. Our tests use NVIDIA’s compute units exclusively, placing a different type of load on the GPU compared to the typical FPS benchmarks. In addition to previously tested models, we are adding an NVIDIA RTX 3070 Ti Founders Edition. This chip is widely criticized for its high power consumption relative to performance. With its TDP of 290 W, reviewers call it an “Inefficient side-grade with high power consumption“. Let us see if this board is as inefficient as the others say.

The following boards participate in today’s benchmark, sorted by TDP:

All the boards except the RTX 2070 were tested on the same system based on Intel’s Alder Lake i9-12900K CPU, while the RTX 2070 was tested in a workstation based on the Intel Core i5-8500 CPU. Note that GPU-accelerated attacks put little load onto the CPU (approximately 3 to 6 per cent utilization per CPU core), which makes such tests CPU-agnostic.

Benchmarks

Using Elcomsoft Distributed Password Recovery as a benchmark, we’ve seen the following results. The benchmarks demonstrate an almost linear growth of performance depending on the video card – with one exception.

This is the exception: the RTX 2070 benchmarked higher than expected in the SHA-256 test. Since the other tests were consistent, and since we had to use a different workstation to benchmark this card, we’d recommend taking this result with a grain of salt.

The power efficiency rating

Our power efficiency charts are based on each board’s advertised TDP. We based the “performance” part on the WinZip/AES-256 benchmark using the latest and highly optimized version of Elcomsoft Distributed Password Recovery. While not perfect, this method allowed us to do a fair comparison.

The following chart shows the performance of each GPU relative to its power consumption (the “passwords per watt” rating is based on the WinZip/AES-256 benchmark alone):

The same chart sorted by efficiency (least efficient models on top):

Frankly, the results were quite unexpected. The slowest tested video card, the Quadro T600 model from NVIDIA’s professional range, has also become the most efficient, demonstrating the highest performance per watt. Is this due to the optimizations of the installed GPU or are professional cards targeting power efficiency by design? We don’t have enough data, but some reports suggest so. You can check out Igor’sLAB review of the NVIDIA A5000 server board to see if there is any truth in this speculation.

Interestingly, the NVIDIA RTX 3070 Ti, which is the fastest unit among the tested boards, is not quite an “inefficient outsider with high power consumption.” High power consumption? Quite so. Outsider? Not really: in our tasks, the card outperforms the NVIDIA RTX 3060 and 3050 models in terms of power efficiency, and is not far off the NVIDIA RTX 3060 Ti.

To be continued

This publication is the first in the series of articles about the power consumption, heat dissipation and energy-efficiency of forensic workstations doing password recovery. Today’s article covers the power efficiency of today’s video cards relative to their performance. In subsequent articles we’ll talk about the waste heat, GPU cooling solutions, and the differences between consumer and server boards.