ios and blackberry forensics

iOS and BlackBerry Forensics

Andrey Belenko

Elcomsoft Co. Ltd.

1

Agenda

• Basics• iOS Forensics– iOS Security before iOS 4– iOS 4 Data Protection– iOS 5 Data Protection Changes

• BlackBerry Forensics• Summary

2

Forensics 101

Acquisition ➜ Analysis ➜ Reporting

GOALS:

1.  Assuming  physical  access  to  the  device  extract  as  much  informa>on  as  prac>cal

2.  Leave  as  li@le  traces/ar>facts  as  prac>cal

3

4

iOS: Why Even Bother?

• Almost 5 years on the market• 250+ million iOS devices sold worldwide• 6 iPhones, 4 iPods, 2 iPads

• “Smart devices” – they do carry a lot of sensitive data• Corporate deployments are increasing

There was, is, and will be a real need in iPhone Forensics

5

iPhone Forensics 101

• Acquisition–Need to get data off the device

• Passcode–Prevents unauthorized access to the device–Bypassing passcode is usually enough

• Keychain–Central storage for sensitive data (passwords, keys)–Encrypted

• Storage (disk) encryption

6

iPhone Forensics 101

• Acquisition–Need to get data off the device

• Passcode–Prevents unauthorized access to the device–Bypassing passcode is usually enough

• Keychain–Central storage for sensitive data (passwords, keys)–Encrypted

• Storage (disk) encryption

7

Acquisition Options

• Logical: iPhone Backup–Device must be unlocked–Device may produce encrypted backup–Limited amount of information

• Read files directly (AFP)–Device must be unlocked–Limited access (non-jailbroken devices)

• Physical: filesystem acquisition–Boot-time exploit to run unsigned code–Device lock state isn’t relevant–Can get all information from the device

8

What is Jailbreak?

• Jailbreak – circumventing iOS security in order to run custom code• Boot-level or application-level• Tethered or untethered

9

Types of Jailbreaks

• App-level JB gets kernel code execution by exploiting apps–e.g. JailbreakMe–Can be fixed by new firmware

• Boot-level JB breaks loads custom kernel by breaking chain of trust–e.g. limera1n–Can’t be fixed if exploits vulnerability in BootROM

10

Jailbreak and Forensics

• Tethered JB–Host connection is required to boot into JB state–Exploit(s) are sent by the host–May leave minimal traces on the device

• Untethered JB–Device is modified so that it can boot in jailbroken state

by itself–Leaves permanent traces

11

Acquisition Options

• Logical: iPhone Backup–Device must be unlocked–Device may produce encrypted backup–Limited amount of information

• Read files directly (AFP)–Device must be unlocked–Limited access (non-jailbroken devices)

• Physical: filesystem acquisition–Boot-time exploit to run unsigned code–Device lock state isn’t relevant–Can get all information from the device

12

Acquisition Options

• Logical: iPhone Backup–Device must be unlocked–Device may produce encrypted backup–Limited amount of information

• Read files directly (AFP)–Device must be unlocked–Limited access (non-jailbroken devices)

• Physical: filesystem acquisition–Boot-time exploit to run unsigned code–Device lock state isn’t relevant–Can get all information from the device

13

Unlocking the Device

• Passcode• iTunes pairing

–if iTunes have seen the device before, it can unlock it–iOS 4: always–iOS 5: if passcode has been entered on device after

power-on–don’t switch off iOS 5 device after seizure (if there is a

chance that you’ll have PC/Mac it is paired with)

14

iPhone Forensics 101

• Acquisition–Need to get data off the device

• Passcode–Prevents unauthorized access to the device–Bypassing passcode is usually enough

• Keychain–Central storage for sensitive data (passwords, keys)–Encrypted

• Storage (disk) encryption

15

iOS < 4.0 Passcode

• Lockscreen (i.e. UI) is the only protection• Passcode is stored in the keychain–Passcode itself, not its hash

• Can be recovered or removed instantly–Remove record from the keychain–And/or remove setting telling UI to ask for the

passcode

16

iOS 4/5 Passcode

• Passcode is used to compute encryption key–Computation tied to hardware key–Same passcode will yield different passcode keys on

different devices!• Passcode key is required to unlock some of the

content protection keys–most files don’t require a passcode for decryption–most keychain items do require a passcode for

decryption

17

iOS 4/5 Passcode

• Passcode-to-Key transformation is slow• Offline bruteforce currently is not possible–Requires extracting hardware key

• On-device bruteforce is slow–2 p/s on iPhone 3G, 7 p/s on iPad

• We have hint on password complexity

18

iOS 4/5 Passcode

• 0 – digits only, length = 4 (simple passcode)

19

iOS 4/5 Passcode

• 0 – digits only, length = 4 (simple passcode)

• 1 – digits only, length != 4

20

iOS 4/5 Passcode

• 0 – digits only, length = 4 (simple passcode)

• 1 – digits only, length != 4

• 2 – contains non-digits, any length

21

iOS 4/5 Passcode

• 0 – digits only, length = 4 (simple passcode)

• 1 – digits only, length != 4

• 2 – contains non-digits, any length

Can at least identify weak passcodes

22

iPhone Forensics 101

• Acquisition–Need to get data off the device

• Passcode–Prevents unauthorized access to the device–Bypassing passcode is usually enough

• Keychain–Central storage for sensitive data (passwords, keys)–Encrypted

• Storage (disk) encryption

23

iOS < 4.0 Keychain

• SQLite3 DB, only passwords are encrypted• All items are encrypted with the device key and

random IV• Key can be extracted (computed) for offline use• All past and future keychain items from the device

can be decrypted using that key

IV Data

016

SHA-­‐1  (Data)

Encrypted  with  Key  0x835

24

iOS 4 Keychain

• SQLite3 DB, only passwords are encrypted• Random key for each item, AES-CBC• Item key is protected with corresponding

protection class master key• Some keychain items are included in the iTunes

backup• In encrypted iTunes backup keychain items are

encrypted using backup password

0 Class Wrapped  Item  Key Encrypted  Item

0 4 8 48

25

iOS 5 Keychain

• Based on iOS 4 encryption

• All attributes are now encrypted (not only password)

• AES-GCM is used instead of AES-CBC• Enables integrity verification

2 Class Wrapped  Key Encrypted  Data  (+Integrity  Tag)

0 4 8

Wrapped  Key  Length

12

26

iPhone Forensics 101

• Acquisition–Need to get data off the device

• Passcode–Prevents unauthorized access to the device–Bypassing passcode is usually enough

• Keychain–Central storage for sensitive data (passwords, keys)–Encrypted

• Storage (disk) encryption

27

iOS < 4.0 Disk Encryption

• No encryption

28

iOS 4 Disk Encryption

• Only User partition is encrypted• Available protection classes:– NSProtectionNone (can decrypt without passcode)– NSProtectionComplete (can’t decrypt without passcode)

• Filesystem metadata encrypted transparently• Files are encrypted using per-file random key–Reliable recovery of deleted files is not currently

possible

29

•New partition scheme– “LwVM” – Lightweight Volume Manager

• Any partition can be encrypted•New protection classes– NSFileProtectionCompleteUntilFirstUserAuthentication– NSFileProtectionCompleteUnlessOpen

• IV for file encryption is computed differently

iOS 5 Disk Encryption

30

iOS Forensics

• Acquiring disk image is not enough for iOS 4+– Content protection keys must also be extracted from

the device during acquisition

• Passcode or escrow keybag is needed for a complete set of content protection keys• In real world it might be a good idea to extract

source data and compute protection keys offline

31

UID Key

Key 835Key 89B

Passcode

Passcode Key

systembag.kb Decrypt

KDF

‘EMF!’ / ‘LwVM’‘Dkey’‘BAG1’

Effaceable Storage

Class A Key (#1)

System Keybag (locked)

Class B Key (#2)Class C Key (#3)Class D Key (#4)

Class Key #5

…Class Key #11

DecryptFS Key

Unlock

System Keybag(unlocked)

Must be done on the device

Required to decrypt files/keychain

Sufficient for offline key reconstruction

iOS Forensics

32

Useful Tools

• Logical: iPhone Backup–iTunes (acquire)–Oxygen Forensics Suite, iBackupBot (view)–Elcomsoft Phone Password Breaker (recover password,

view backup keychain, decrypt backup)

• Read files directly (AFP)–iExplorer

• Physical: filesystem acquisition–Elcomsoft iOS Forensic Toolkit, AccessData MPE+,

Cellebrite UFED, XRY, etc–iphone-dataprotection (at Google Code)

33

iOS Forensic Toolkit

iPhoneiPod Touch 1

iPhone 3GiPod Touch 2iPhone 3G

iPod Touch 2

iPhone 3GSiPod Touch 3

iPad 1

iPhone 3GSiPod Touch 3

iPad 1

iPhone 4iPod Touch 4

iPhone 4SiPad 2

iOS version 3.1.33.1.3 4.2.1 3.1.3 5.1.1 5.1.1 5.0, 5.01 (JB)

Physical acquisition ++ + + ++ +

Passcode recovery instantinstant + instant ++ +

Keychain decryption ++ + + ++ +

Disk decryption not encryptednot encryptednot encryptednot encrypted ++ +

34

Conclusions

• iPhone physical analysis is possible• Physical acquisition requires boot-time exploit• Passcode is usually not a problem– Due to technology before iOS 4– Due to human factor with iOS 4/5

• Both proprietary and open-source tools for iOS 4/5 acquisition are available

35

iCloud Backups

• It is now possible to download iOS backups from the iCloud• Backups in iCloud are NOT encrypted–Even if backup encryption is ON

• Apple ID and password are required– Can be found on PC/Mac/iOS devices

36

37

BlackBerry Forensics 101

• Acquisition–Need to get data off the device

• Device password–Prevents unauthorized access to the device

• File encryption–i.e. *.rem files on SD Card

38

Acquisition Options

• Logical: BlackBerry backup–Must know device password–Backup encryption is NOT enforced–Limited amount of information

• Physical–Must know device password–Can get all information from the device

• Chip-off–Don’t need device password–Destructive process

39

Acquisition Options

• Logical: BlackBerry backup–Must know device password–Backup encryption is NOT enforced–Limited amount of information

• Physical–Must know device password–Can get all information from the device

• Chip-off–Don’t need device password–Destructive process

40

Device Password

• No reliable ways to recover• Can be recovered in one special case:

–Files on SD card are encrypted–Encryption is set to “Security

password” or “Device password”• Can be recovered for “Device

password & Device Key” if device dump is available

41

BlackBerry Forensics 101

• Acquisition–Need to get data off the device

• Device password–Prevents unauthorized access to the device

• File encryption–i.e. *.rem files on SD Card

42

File Encryption

• Encryption options:–Device Key–Device Password–Device Password & Device Key

• Device Key is per-card and stored in NVRAM• Some files are encrypted using different key (?)–E.g. WhatsApp database on SD card–Not clear why, maybe an implementation of

PersistentStore

43

File Decryption

• Files can be decrypted provided–Device dump (for Device Key option)–Device password (for Device Password option)–Both (for Device Password & Device Key option)

• ‘PersistentStore’ files (e.g. WhatsApp database) can be decrypted provided device dump–Tool for this is available free of charge for law

enforcement

44

Useful Tools

• Logical: BlackBerry backup–BlackBerry Desktop Manager (acquire)–Elcomsoft BlackBerry Backup Explorer (view)–Elcomsoft Phone Password Breaker (recover backup

password, decrypt backup; recover BlackBerry PasswordKeeper and Wallet passwords)

• Physical–Cellebrite

• Other–Elcomsoft Phone Password Breaker (recover device

password, decrypt SD card files)

45

Thank You!

a.belenko@elcomsoft.com

http://ru.linkedin.com/in/belenko

@andreybelenko

46

iOS and BlackBerry Forensics

Andrey Belenko

Elcomsoft Co. Ltd.

47