Forensics 101

Forensic Implications of iOS Lockdown (Pairing) Records

by ElcomSoft

In recent versions of iOS, successful acquisition of a locked device is no longer a given. Multiple protection layers and Apple’s new policy on handling government requests make forensic experts look elsewhere when investigating Apple smartphones.

In this publication, we’ll discuss an acquisition approach for an iOS device under these specific circumstances:

  1. Runs iOS 8.x through 10.x
  2. When seized, the device was powered on but locked with a passcode and/or Touch ID
  3. Device was never powered off or rebooted since it was seized
  4. Does not have a jailbreak installed and may not allow installing a jailbreak
  5. Investigators have access to one or more computers to which the iOS device was synced (iTunes) or trusted (by confirming the “Trust this PC” pop-up on the device) in the past

While this list may appear extensive and overly detailed, in real life it simply means an iPhone that was seized in a screen-locked state and stored properly in its current state (i.e. not allowed to power down or reboot). If this is the case, we might be able to access information in the device by using a so-called lockdown file, or pairing record. This record may be available on the suspect’s home or work PC that was either used to sync the iOS device with iTunes or simply used for charging if the suspect ever tapped “OK” on the “Trust this PC” pop-up.

About Pairing Relationships

In terms of iOS forensics, a pairing is a trusted relationship between the iOS device and a computer (Mac or PC). Once a pairing relationship is initially established (by unlocking the iOS device with Touch ID or passcode and confirming the “Trust this PC” prompt), the two devices exchange cryptographic keys, and the computer is granted trusted access to the iPhone even if the iPhone’s screen is locked.

Once established, pairing relationships are maintained through reboots. However, the iPhone must be unlocked with a passcode at least once after the reboot. Pairing relationships survive passcode changes; however, since iOS 8 all existing pairing relationships will be lost upon factory reset.

iOS 7 and older: Once established, a pairing relationship will never expire. In iOS 7 and older, established trust would survive through reboots and factory resets. Moreover, if the device is running iOS 7 or earlier, it can be unlocked with a pairing record immediately after it’s turned on (unlocking with passcode not required). This is why it was possible for Apple to extract information from locked iPhones sent in by the government. The company would use a pre-established trust relationship to produce a backup of the locked device. In iOS 8, all existing pairing relationships were invalidated; established trust does not survive through a factory reset, and accessing device data with a pairing record now requires a passcode unlock after a reboot.

About Lockdown Records (Pairing Records)

Lockdown records, or pairing records, are files stored on the computer to which the iOS device syncs. These files are created the first time the user connects their iOS device to a PC that has iTunes installed. Lockdown records are used to re-establish a pairing relationship between the computer and the iOS device, allowing the user to conveniently sync their iPhone by simply connecting it to their computer, without having to manually unlock the device every time.

Forensic specialists routinely use lockdown records to produce a full device backup of the connected phone. A lockdown file can be extracted from the original computer and used on a different Mac or PC to re-establish the pairing relationship; all of that without unlocking the iPhone with a passcode or Touch ID.

Do Lockdown Records Expire?

There is no definite information on the expiry of lockdown records. Since Apple has full control over iOS, it may introduce various expiration rules similar to Touch ID expiry. Officially, pairing relationships last until revoked.

“Trusted computers can sync with your iOS device, create backups, and access your device’s photos, videos, contacts, and other content. These computers remain trusted unless you change which computers you trust or erase your iOS device.” https://support.apple.com/en-us/HT202778

It is possible for the user to revoke trusted relationship with any given PC by performing the following procedure:

“If you don’t want to trust a computer or other device anymore, change the privacy settings on your iPhone, iPad, or iPod touch: In iOS 8 or later, tap Settings > General > Reset > Reset Location & Privacy. Now when you connect to formerly trusted computers, the Trust alert will ask you whether you trust that computer.” https://support.apple.com/en-us/HT202778

Pairing relationships established with devices running iOS 7 or earlier never expire and survive reboots and factory resets. Once such devices get updated to iOS 8 or newer, all existing trust relationships are revoked and must be re-established under new rules.

Since iOS 8, all pairing relationships remain unavailable after the device restarts or powers on until the device is unlocked (at least once) with a passcode.

The ultimate question, of course, is “how much time exactly do I have to use a lockdown record before it expires?” While there is no definite answer to this question, various publications refer to wildly different timeframes. We were able to check some of those claims.

Do lockdown records expire in 48 hours since last unlock?

No. We tested with multiple devices running all major versions of iOS since 8.1 all the way through 10.2 beta, and found that we were able to use lockdown records to obtain backups way past the 48 hours. In fact, we repeated the test (on iOS 10.1 only), this time waiting for 5 days since last unlock, and we were still able to obtain the backup by using a lockdown file.

Do lockdown records expire in 30, 60 or 90 days?

We cannot support this claim, but we can’t reject it either. The oldest pairing record we have is nearly 4 months old, and it can still be used to produce a backup. However, this single pairing record comes from an iOS 8.1 device; we did not have old enough pairing records for our other devices. As Apple has full control over iOS, it can introduce various expiration rules at any time.

At this time, we believe it’s safe to assume that existing lockdown records do not expire based on their age alone. However, they may or may not be usable to unlock an iOS device if the device was passively stored for more than 30 days.

Acquisition of a Locked iPhone with a Lockdown Record

If you possess a turned on and locked iOS device and have no means of unlocking it with either Touch ID or passcode, you may still be able to obtain a backup via the process called logical acquisition. While logical acquisition may return somewhat less information compared to the more advanced physical acquisition, it must be noted that physical acquisition may not be available at all on a given device.

Important: Starting with iOS 8, obtaining a backup is only possible if the iOS device was unlocked with a passcode at least once after booting. For this reason, if you find an iPhone that is turned on, albeit locked, do not turn it off. Instead, isolate it from wireless networks by placing it into a Faraday bag, and do not allow it to power off or completely discharge by connecting it to a charger (a portable power pack inside a Faraday bag works great until you transfer the device to a lab). This will give you time to search the user’s computers for a lockdown record.

If you have a powered-on but locked iPhone, using a lockdown record to obtain a backup may be your only chance to perform acquisition. In most cases, this will be the only method that can extract keychain items.

Very important: You can obtain a backup of a locked device only if you possess a non-revoked pairing record, and the device has been unlocked at least once before the seizure. If the device has been turned off or rebooted at least once after the seizure, you will not be able to use the lockdown record unless you are able to unlock the device with a passcode. You’ve seen this warning before, maybe more than once. We’ll keep repeating it because it’s really, really important to keep the phone powered on all the time between the seizure and acquisition.

Password-Protected vs. Unencrypted Backups

Users of iOS devices have the ability to protect backups with a password. This option can be set in iTunes when making an offline backup. If a backup password is specified, you will not be able to change or remove that password without entering it first. In other words, you will need to break that password using Elcomsoft Phone Breaker (see below for a practical guide).

An important difference between password-protected iOS backups and backups that have no password is encryption. If the user specifies a backup password, the full content of the backup will be encrypted with that password.

If, on the other hand, there is no backup password specified, the backup will come out partially unencrypted. In this case, “partially unencrypted” means that some data (such as the keychain) will still come out encrypted. However, as opposed to password-protected backups, the keychain will be encrypted with a strong, hardware-dependent key that cannot be recovered or extracted from any 64-bit device equipped with Secure Enclave (iPhone 5s and newer models).


                      Password-protected          Password-protected          No password
  Password known?     NO                          YES                         (not applicable)
  Keychain decrypted? YES                         YES                         NO*
  How to decrypt      1. Break password with      Use Elcomsoft Phone         No action needed.
                      Elcomsoft Phone Breaker     Breaker to decrypt the
                      2. Use EPB to decrypt       backup
                      the backup

* Must set a known temporary password to access the keychain.

If the user specified a backup password in iTunes, no unencrypted data ever leaves the phone. All encryption is performed by iOS inside the device (iPhone, iPad). iTunes acts as a simple receiver, pulling encrypted data stream from the device and saving it into files on your hard drive. There is no way to intercept plain data since there is none.

If you find a phone set up with an unknown backup password, produce a backup nevertheless. Use Elcomsoft Phone Breaker to recover the original password by running an attack.

Acquisition of iOS Devices Post Shut Down/Reboot

What happens if you find a device that is turned off, or if you attempt to acquire a device that was turned off or allowed to reboot before you started acquisition? In this case, even if you have a valid, non-revoked and unexpired lockdown record, you will not be able to use it to obtain a backup. Not before you unlock the device at least once, in which case you won’t need to bother with a lockdown file at all. In other words, you’ll need to know the passcode to obtain a backup.

Walkthrough: How to Use Lockdown Records to Obtain a Backup

In order to use lockdown records to make a backup of an iOS device, you will need all of the following:

  1. An iOS device that is powered on and that was unlocked with a passcode at least once after last reboot
  2. A lockdown file extracted from the user’s Mac or PC
  3. A copy of Elcomsoft iOS Forensic Toolkit (to obtain a backup using a lockdown file)
  4. A copy of Elcomsoft Phone Breaker (to decrypt backups; to break unknown backup password)

Extracting Lockdown Files

You must extract the correct lockdown record from the user’s computer in order to use it with Elcomsoft iOS Forensic Toolkit for logical acquisition. Lockdown records are stored at the following locations:

Windows Vista, 7, 8, 8.1, Windows 10: %ProgramData%\Apple\Lockdown

(Sample path: C:\ProgramData\Apple\Lockdown\6f3a363e89aaf8e8bd293ee839485730344edba1.plist)

Windows XP: %AllUsersProfile%\Application Data\Apple\Lockdown

(Sample path: C:\Documents and Settings\All Users\Application Data\Apple\Lockdown\6f3a363e89aaf8e8bd293ee839485730344edba1.plist)

macOS: /var/db/lockdown

Note: On systems running macOS Sierra, administrative privileges are required to extract lockdown files. Use “sudo cp (source path)/lockdown/{id}.plist (destination path)” when extracting lockdown files from live systems (password required). Alternatively, lockdown files may be extracted from a forensic disk image.

In these folders, you may see multiple .plist files. Their names correspond to the UUID identifiers of iOS devices that were paired with the computer. Discovering the UUID of the device being investigated is as easy as using the “I” command in Elcomsoft iOS Forensic Toolkit and analyzing the resulting XML document:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<…>
<key>UniqueDeviceID</key>
<string>0a226c3b263e004a76e6199c43c4072ca7c64a59</string>
</dict>
</plist>

Tip: You may want to copy these files to a new folder on your computer, and give them shorter names for easier reference. Since Elcomsoft iOS Forensic Toolkit is a tool based on the command line, you’ll have to type these names when using them with the product.
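The matching and copying described above, as an added example (not ElcomSoft’s or Apple’s code): it reads the UniqueDeviceID from the device-info plist, looks for <UDID>.plist in the lockdown folders listed in this article, and copies the record under a short name while recording a hash for the case notes. The device-info XML and the lockdown record it runs against are constructed samples; the record keys used are placeholders.

```python
import hashlib
import os
import plistlib
import shutil
import tempfile
from pathlib import Path

# Lockdown folders named in the article; %VARS% expand on Windows only.
LOCKDOWN_DIRS = [
    r"%ProgramData%\Apple\Lockdown",                       # Windows Vista .. Windows 10
    r"%AllUsersProfile%\Application Data\Apple\Lockdown",  # Windows XP
    "/var/db/lockdown",                                    # macOS (root needed on Sierra)
]

# Constructed sample of the device-info XML (UDID value taken from the article).
SAMPLE_DEVICE_INFO = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0"><dict>
<key>ProductType</key><string>iPhone8,1</string>
<key>UniqueDeviceID</key><string>0a226c3b263e004a76e6199c43c4072ca7c64a59</string>
</dict></plist>"""


def udid_from_device_info(xml_bytes: bytes) -> str:
    """Pull UniqueDeviceID out of the device-info plist (40 hex characters in the iOS 8-10 era)."""
    udid = plistlib.loads(xml_bytes).get("UniqueDeviceID", "")
    if len(udid) != 40 or any(c not in "0123456789abcdef" for c in udid.lower()):
        raise ValueError("device info carries no 40-hex-character UniqueDeviceID")
    return udid.lower()


def candidate_records(udid: str, search_dirs=LOCKDOWN_DIRS) -> list:
    """Existing <udid>.plist files in the lockdown folders (several computers may have one)."""
    hits = []
    for folder in search_dirs:
        record = Path(os.path.expandvars(folder)) / f"{udid}.plist"
        if record.is_file():
            hits.append(record)
    return hits


def collect_record(record: Path, dest_dir: Path, short_name: str) -> dict:
    """Copy the record under a short name (the article's tip) and hash it for the case file."""
    dest_dir.mkdir(parents=True, exist_ok=True)
    dest = dest_dir / f"{short_name}.plist"
    shutil.copy2(record, dest)                      # copy2 keeps the original timestamps
    data = dest.read_bytes()
    if data != record.read_bytes():
        raise IOError("copy does not match source")
    keys = sorted(plistlib.loads(data).keys())      # must still parse; lists what the record holds
    return {"source": str(record), "copy": str(dest),
            "sha256": hashlib.sha256(data).hexdigest(), "keys": keys}


def demo() -> dict:
    """Self-contained run against a constructed lockdown folder instead of a live machine."""
    work = Path(tempfile.mkdtemp())
    lockdown_dir = work / "Lockdown"
    lockdown_dir.mkdir()
    udid = udid_from_device_info(SAMPLE_DEVICE_INFO)
    # Constructed record with placeholder keys. Real records carry the keys exchanged at
    # pairing time, so copies must be handled as sensitive evidence.
    with open(lockdown_dir / f"{udid}.plist", "wb") as f:
        plistlib.dump({"HostID": "CONSTRUCTED-HOST-ID", "SystemBUID": "CONSTRUCTED-BUID"}, f)
    hits = candidate_records(udid, [str(lockdown_dir)])
    return collect_record(hits[0], work / "evidence", "phone1") if hits else {}


if __name__ == "__main__":
    print(demo())
```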

More information about lockdown files and their location is available at https://support.apple.com/en-us/HT203887

Obtaining a Backup

In order to obtain a backup, do the following.

  1. Launch Elcomsoft iOS Forensic Toolkit by using the “Toolkit-JB” command. Make sure the license protection dongle is attached to a USB port.
  2. Connect iOS device being extracted to another USB port.
  3. In Elcomsoft iOS Forensic Toolkit, select option “B – Create iTunes-style backup of the device”. If this option does not appear in the main menu, make sure you are using iOS Forensic Toolkit 2.1 or newer, and that you are using the “Toolkit-JB” command as opposed to the legacy “Toolkit”.


     Note that iOS Forensic Toolkit does not require Apple iTunes to be installed on the computer in order to perform the backup.
  4. When prompted, enter the path to the lockdown record you extracted. Giving lockdown files shorter names makes this step easier.
  5. If a lockdown record is not accepted, try other lockdown files corresponding to the same UUID if available (e.g. extracted from other computers).
  6. If the iOS device being acquired is configured to produce backups without a password, iOS Forensic Toolkit will automatically set a known backup password prior to acquisition. The temporary password is “123”. If this is the case, skip directly to “Viewing and analyzing backups”.
  7. If the backup password was set by the user and you don’t know it, obtain a backup nevertheless. You will have to perform an attack (brute-force, dictionary, or combination) with Elcomsoft Phone Breaker in order to recover the password.

Recovering Unknown Backup Password

If the user specified an unknown backup password, you will have to break it before you can access information stored in the backup. For breaking the password, you’ll be using a Windows version of Elcomsoft Phone Breaker. At this time, only a Windows edition of Elcomsoft Phone Breaker supports GPU-accelerated password recovery.

As with most password recovery efforts, the possibility of successful recovery as well as the time required to finish the job will depend on multiple parameters such as the length and complexity of the password, software and hardware used to recover it, and the type of attack (dictionary of common words, custom dictionary, or brute-force). There is no fixed timeframe and no guarantee for breaking backup passwords.

As a rough estimate, a PC equipped with a single NVIDIA GTX 1080 board can try about 100,000 password combinations per second (a rough estimate close enough to real-world performance), which means a password that consists of 6 digits can be broken in under 10 seconds. If a password only contains numbers, the use of each additional character makes the password 10 times stronger, which means that breaking the password takes 10 times longer with every additional number. A password that consists entirely of small Latin characters gets 26 times stronger with each extra letter. If the password contains numbers and both small and capital letters, it gets 62 times stronger with every additional character. A 6-character password composed of small letters and digits has over 2 billion possible combinations, and will take about 6 hours to brute-force.

Elcomsoft Phone Breaker is one of the more advanced tools on the market for breaking iOS backup passwords. It can employ your computer’s GPU units, using your video card to break passwords 20 to 80 times faster compared to a CPU alone.

Elcomsoft Phone Breaker attempts to recover the password by running an offline attack on the backup file. One or more different attacks such as dictionary or brute-force can be specified. A combination of attacks makes up a recovery pipeline.

Hint: Many users think alike. They commonly re-use passwords, or use the same pattern to compose their passwords. Analyzing their computer for existing passwords may reveal such a pattern, allowing you to build a rule to greatly limit the number of possible password combinations to try.

Top 10,000 passwords: According to our research, up to 30% of all passwords can be broken with a dictionary containing the 10,000 most popular passwords. Such dictionaries can be easily found online, e.g. at https://xa.to/top10k. Obtaining this dictionary and using it with Elcomsoft Phone Breaker gives a chance of breaking a complex password almost instantly. Another list containing top 10 million passwords is also available (https://xa.to/10m). However, the rule of diminishing returns applies here: we found that only about 33% of real-world passwords can be successfully broken by using that list. We highly recommend using the Top 10,000 Passwords list for all password recovery cases.

To recover the password in Elcomsoft Phone Breaker, do the following:

  1. Launch Elcomsoft Phone Breaker and open the Password Recovery Wizard.


  2. In Password Recovery Wizard, click “Choose source” or drag-and-drop the backup’s Manifest.plist file onto the window.


  3. If you are analyzing a live system, the tool will list all backups available to the current Windows user.


  4. If you are analyzing a mounted disk image, you may specify the path to the backup files by using the “Choose another” command.


If you are specifying the location manually, note the default paths used by iTunes on the different operating systems:

  • Windows XP:
    \Documents and Settings\(username)\Application Data\Apple Computer\MobileSync\Backup\
  • Windows Vista, 7 and 8:
    \Users\username\AppData\Roaming\Apple Computer\MobileSync\Backup\
  • Mac OS X (all versions):
    ~/Library/Application Support/MobileSync/Backup/

  5. After selecting the backup file, set up the recovery pipeline by specifying the attacks that will be used to break the password.


Click on the plus “+” sign to add various attacks for breaking the password. You may drag and drop the attacks to specify the order of their execution. By default, Dictionary and Brute Force attacks are automatically added. (Reminder: using a custom dictionary and/or the Top 10,000 Passwords list may significantly increase the chance of successful recovery).

  6. You can optionally configure both the Dictionary Attack and Brute-Force by clicking on the gear icon to the right of each method.


Limiting the brute-force attack to a reasonable number of characters and/or a certain character set will speed up the attack, but will not try some password combinations.


  7. Once the recovery pipeline is configured, click Start recovery. Elcomsoft Phone Breaker will start attacking the password. The estimated time left as well as the currently processed word will be displayed. You can click More Info next to the name of the attack to see additional information such as the number of attempted passwords and the average attack speed.


  8. If the attack is successful, the discovered password will be displayed in the Recovery results window.


Once the password is successfully recovered, it can be used to decrypt the backup including the keychain. If you are using Elcomsoft Phone Viewer, decrypting the backup is optional. However, if a mobile forensic tool of your choice does not support encrypted backups, you will have to perform an extra step to decrypt the backup using the newly recovered password.

In order to decrypt the backup, use the “Decrypt backup with known password” command from Elcomsoft Phone Breaker’s main window:


Select the backup to decrypt, then specify output path and password:


The “Restore original file names” option will decrypt the backup while attempting to keep file names matching the way they appear on the device. This option is useful if you are going to perform a manual examination. Note, however, that most forensic tools require the backup to be in the standard iTunes format. If you are using one of those tools, we recommend keeping the “Restore original file names” option off.

Once the backup is decrypted, you may open it with a forensic tool of your choice.

Note: If using Elcomsoft Phone Viewer, decrypting the backup is not necessary as the tool supports encrypted files directly.

Viewing and Analyzing iPhone Backups

Multiple forensic tools exist that allow viewing and analyzing mobile backups. ElcomSoft released a lightweight forensic viewer, Elcomsoft Phone Viewer, to enable quick loading and viewing of mobile backups.

To view an iOS backup in Elcomsoft Phone Viewer, use the “iTunes backup” command or simply drag and drop the Manifest.plist file onto the tool’s main window.


If you are working on a live system, you’ll be presented a list of available backups:


Elcomsoft Phone Viewer directly supports encrypted backups. You will need to specify the password in order to open encrypted files.


The backup will be decrypted and saved into a temporary folder.


Once the backup is decrypted, you’ll see a device information window. From that window, you’ll be able to navigate to view contacts, calls, media, calendar events, browsing history etc.


Conclusion

It may be possible to perform acquisition of iOS devices found locked but powered-on. Lockdown files may exist on the user’s Mac or PC. Those files can be used to obtain backup from an iOS device provided that the device was never allowed to power off or reboot after the seizure. Following established guidelines on seizing and storing mobile devices is a must for successful acquisition.

Tools and References

This article references multiple KB articles, whitepapers, and tools.


About scar

Scar de Courcier is an assistant editor at Forensic Focus.
