2. Agenda
• Basics
• iOS Forensics
– iOS Security before iOS 4
– iOS 4 Data Protection
– iOS 5 Data Protection Changes
• BlackBerry Forensics
• Summary
2
3. Forensics 101
Acquisition ➜ Analysis ➜ Reporting
GOALS:
1.
Assuming
physical
access
to
the
device
extract
as
much
informa>on
as
prac>cal
2.
Leave
as
li@le
traces/ar>facts
as
prac>cal
3
5. iOS: Why Even Bother?
• Almost 5 years on the market
• 250+ million iOS devices sold worldwide
• 6 iPhones, 4 iPods, 2 iPads
• “Smart devices” – they do carry a lot of sensitive data
• Corporate deployments are increasing
There was, is, and will be a real need in iPhone
Forensics
5
6. iPhone Forensics 101
• Acquisition
–Need to get data off the device
• Passcode
–Prevents unauthorized access to the device
–Bypassing passcode is usually enough
• Keychain
–Central storage for sensitive data (passwords, keys)
–Encrypted
• Storage (disk) encryption
6
7. iPhone Forensics 101
• Acquisition
–Need to get data off the device
• Passcode
–Prevents unauthorized access to the device
–Bypassing passcode is usually enough
• Keychain
–Central storage for sensitive data (passwords, keys)
–Encrypted
• Storage (disk) encryption
7
8. Acquisition Options
• Logical: iPhone Backup
–Device must be unlocked
–Device may produce encrypted backup
–Limited amount of information
• Read files directly (AFP)
–Device must be unlocked
–Limited access (non-jailbroken devices)
• Physical: filesystem acquisition
–Boot-time exploit to run unsigned code
–Device lock state isn’t relevant
–Can get all information from the device
8
9. What is Jailbreak?
• Jailbreak – circumventing iOS
security in order to run
custom code
• Boot-level or application-level
• Tethered or untethered
9
10. Types of Jailbreaks
• App-level JB gets kernel code execution by
exploiting apps
–e.g. JailbreakMe
–Can be fixed by new firmware
• Boot-level JB breaks loads custom kernel by
breaking chain of trust
–e.g. limera1n
–Can’t be fixed if exploits vulnerability in BootROM
10
11. Jailbreak and Forensics
• Tethered JB
–Host connection is required to boot into JB state
–Exploit(s) are sent by the host
–May leave minimal traces on the device
• Untethered JB
–Device is modified so that it can boot in jailbroken state
by itself
–Leaves permanent traces
11
12. Acquisition Options
• Logical: iPhone Backup
–Device must be unlocked
–Device may produce encrypted backup
–Limited amount of information
• Read files directly (AFP)
–Device must be unlocked
–Limited access (non-jailbroken devices)
• Physical: filesystem acquisition
–Boot-time exploit to run unsigned code
–Device lock state isn’t relevant
–Can get all information from the device
12
13. Acquisition Options
• Logical: iPhone Backup
–Device must be unlocked
–Device may produce encrypted backup
–Limited amount of information
• Read files directly (AFP)
–Device must be unlocked
–Limited access (non-jailbroken devices)
• Physical: filesystem acquisition
–Boot-time exploit to run unsigned code
–Device lock state isn’t relevant
–Can get all information from the device
13
14. Unlocking the Device
• Passcode
• iTunes pairing
–if iTunes have seen the device before, it can unlock it
–iOS 4: always
–iOS 5: if passcode has been entered on device after
power-on
–don’t switch off iOS 5 device after seizure (if there is a
chance that you’ll have PC/Mac it is paired with)
14
15. iPhone Forensics 101
• Acquisition
–Need to get data off the device
• Passcode
–Prevents unauthorized access to the device
–Bypassing passcode is usually enough
• Keychain
–Central storage for sensitive data (passwords, keys)
–Encrypted
• Storage (disk) encryption
15
16. iOS < 4.0 Passcode
• Lockscreen (i.e. UI) is the only protection
• Passcode is stored in the keychain
–Passcode itself, not its hash
• Can be recovered or removed instantly
–Remove record from the keychain
–And/or remove setting telling UI to ask for the
passcode
16
17. iOS 4/5 Passcode
• Passcode is used to compute encryption key
–Computation tied to hardware key
–Same passcode will yield different passcode keys on
different devices!
• Passcode key is required to unlock some of the
content protection keys
–most files don’t require a passcode for decryption
–most keychain items do require a passcode for
decryption
17
18. iOS 4/5 Passcode
• Passcode-to-Key transformation is slow
• Offline bruteforce currently is not possible
–Requires extracting hardware key
• On-device bruteforce is slow
–2 p/s on iPhone 3G, 7 p/s on iPad
• We have hint on password complexity
18
22. iOS 4/5 Passcode
• 0 – digits only, length = 4 (simple passcode)
• 1 – digits only, length != 4
• 2 – contains non-digits, any length
Can at least identify
weak passcodes
22
23. iPhone Forensics 101
• Acquisition
–Need to get data off the device
• Passcode
–Prevents unauthorized access to the device
–Bypassing passcode is usually enough
• Keychain
–Central storage for sensitive data (passwords, keys)
–Encrypted
• Storage (disk) encryption
23
24. iOS < 4.0 Keychain
• SQLite3 DB, only passwords are encrypted
• All items are encrypted with the device key and
random IV
• Key can be extracted (computed) for offline use
• All past and future keychain items from the device
can be decrypted using that key
Encrypted
with
Key
0x835
IV Data SHA-‐1
(Data)
0
16
24
25. iOS 4 Keychain
• SQLite3 DB, only passwords are encrypted
• Random key for each item, AES-CBC
• Item key is protected with corresponding
protection class master key
• Some keychain items are included in the iTunes
backup
• In encrypted iTunes backup keychain items are
encrypted using backup password
0 Class Wrapped
Item
Key Encrypted
Item
0 4 8 48
25
26. iOS 5 Keychain
• Based on iOS 4 encryption
• All attributes are now encrypted (not only
password)
• AES-GCM is used instead of AES-CBC
• Enables integrity verification
2 Class Wrapped
Key
Length Wrapped
Key Encrypted
Data
(+Integrity
Tag)
0 4 8 12
26
27. iPhone Forensics 101
• Acquisition
–Need to get data off the device
• Passcode
–Prevents unauthorized access to the device
–Bypassing passcode is usually enough
• Keychain
–Central storage for sensitive data (passwords, keys)
–Encrypted
• Storage (disk) encryption
27
29. iOS 4 Disk Encryption
• Only User partition is encrypted
• Available protection classes:
– NSProtectionNone (can decrypt without passcode)
– NSProtectionComplete (can’t decrypt without passcode)
• Filesystem metadata encrypted transparently
• Files are encrypted using per-file random key
–Reliable recovery of deleted files is not currently
possible
29
30. iOS 5 Disk Encryption
• New partition scheme
– “LwVM” – Lightweight Volume Manager
• Any partition can be encrypted
• New protection classes
– NSFileProtectionCompleteUntilFirstUserAuthentication
– NSFileProtectionCompleteUnlessOpen
• IV for file encryption is computed differently
30
31. iOS Forensics
• Acquiring disk image is not enough for iOS 4+
– Content protection keys must also be extracted from
the device during acquisition
• Passcode or escrow keybag is needed for a
complete set of content protection keys
• In real world it might be a good idea to extract
source data and compute protection keys offline
31
32. iOS Forensics
Must be done on the device Passcode
Required to decrypt files/keychain
Sufficient for offline key reconstruction
UID Key KDF
FS Key Decrypt Key 89B Key 835 Passcode Key
Effaceable Storage
‘EMF!’ / ‘LwVM’
System Keybag (locked)
‘Dkey’
Class A Key (#1)
‘BAG1’ Unlock
Class B Key (#2)
Class C Key (#3)
Class D Key (#4)
Class Key #5
systembag.kb Decrypt System Keybag
…
(unlocked)
Class Key #11
32
35. Conclusions
• iPhone physical analysis is possible
• Physical acquisition requires boot-time exploit
• Passcode is usually not a problem
– Due to technology before iOS 4
– Due to human factor with iOS 4/5
• Both proprietary and open-source tools for iOS
4/5 acquisition are available
35
36. iCloud Backups
• It is now possible to download iOS backups from
the iCloud
• Backups in iCloud are NOT encrypted
–Even if backup encryption is ON
• Apple ID and password are required
– Can be found on PC/Mac/iOS devices
36
38. BlackBerry Forensics 101
• Acquisition
–Need to get data off the device
• Device password
–Prevents unauthorized access to the device
• File encryption
–i.e. *.rem files on SD Card
38
39. Acquisition Options
• Logical: BlackBerry backup
–Must know device password
–Backup encryption is NOT enforced
–Limited amount of information
• Physical
–Must know device password
–Can get all information from the device
• Chip-off
–Don’t need device password
–Destructive process
39
40. Acquisition Options
• Logical: BlackBerry backup
–Must know device password
–Backup encryption is NOT enforced
–Limited amount of information
• Physical
–Must know device password
–Can get all information from the device
• Chip-off
–Don’t need device password
–Destructive process
40
41. Device Password
• No reliable ways to recover
• Can be recovered in one special case:
–Files on SD card are encrypted
–Encryption is set to “Security
password” or “Device password”
• Can be recovered for “Device
password & Device Key” if
device dump is available
41
42. BlackBerry Forensics 101
• Acquisition
–Need to get data off the device
• Device password
–Prevents unauthorized access to the device
• File encryption
–i.e. *.rem files on SD Card
42
43. File Encryption
• Encryption options:
–Device Key
–Device Password
–Device Password & Device Key
• Device Key is per-card and stored in NVRAM
• Some files are encrypted using different key (?)
–E.g. WhatsApp database on SD card
–Not clear why, maybe an implementation of
PersistentStore
43
44. File Decryption
• Files can be decrypted provided
–Device dump (for Device Key option)
–Device password (for Device Password option)
–Both (for Device Password & Device Key option)
• ‘PersistentStore’ files (e.g. WhatsApp database)
can be decrypted provided device dump
–Tool for this is available free of charge for law
enforcement
44