ElcomSoft has updated iOS Forensic Toolkit to support recovering keychain data from devices running iOS 5.
iOS Forensic Toolkit provides near-instant forensic access to encrypted information stored on current iPhone and iPad devices, including access to protected file system dumps extracted from supported Apple devices even when the original device passcode is unknown.
By performing a physical acquisition analysis of the device itself, the toolkit offers instant access to all protected information including SMS and email messages, call history, contacts and organizer data, Web browsing history, voicemail and email accounts and settings, stored logins and passwords, geolocation history and the original plain-text user passcode.
The tool can also perform logical acquisition of iOS devices, or provide forensic access to encrypted iOS file system dumps.
The toolkit can acquire a 16 GB iPhone 4 in about 20 minutes, or a 32 GB model in about 40 minutes.
With the release of iOS 5, Apple made some minor tweaks and some major changes to data encryption. “There was no break-through in the iOS security model”, says Andrey Belenko, ElcomSoft’s leading developer. “The architectural changes are more of an evolution of the existing model. However, we highly welcome these changes, as they present better security to the end user. In particular, the number of keychain items that can be decrypted without the passcode is now less than it used to be. The device passcode is one of the hallmarks of Apple’s security model, and they are expanding the use of it to cover more data than ever before.”
The Toolkit currently supports the following iOS devices:
- iPhone 3G
- iPhone 3GS
- iPhone 4 (GSM and CDMA models)
- iPod Touch (3rd and 4th generations)
- iPad (1st generation only)
Forensic specialists are well aware of the amount of valuable information stored on Apple iOS devices such as the iPhone: users accumulate huge amounts of highly sensitive information on their smartphones.
Besides the obvious pieces such as pictures, email and SMS messages, iPhone devices store advanced usage information such as historical geolocation data, viewed Google maps and routes, Web browsing history and call logs, login information (usernames and passwords), and nearly everything typed on the iPhone.
Some, but not all, of this information ends up in iPhone backups produced with Apple iTunes. The amount of information that can be extracted from such backups is therefore naturally limited.
The physical acquisition analysis uses the dumped contents of the actual device to perform a comprehensive investigation of user and system data stored in the device.
Physical acquisition analysis provides access to a lot more information about the usage of an iOS device than a backup file can store, and offers investigators a number of additional benefits not available with the analysis of backup files. Before iOS Forensic Toolkit, decrypting the encrypted dump was simply not possible, whether or not the original passcode was available.