Imaging the file system and decrypting the keychain from iOS devices without jailbreaking
By Oleg Afonin, Security Researcher, ElcomSoft Co.Ltd.
Traditionally, forensic experts without access to proprietary technologies have relied on jailbreaks to perform the lowest-level extraction of Apple iOS devices. Using jailbreaks, even advanced ones that exploit hardware vulnerabilities, presents a number of challenges. In this article, we offer an alternative method for accessing the content of iOS devices that does not require jailbreaking.
Before covering jailbreak-free extraction, let’s talk about jailbreaks.
Why is a jailbreak needed during the course of file system extraction? Jailbreaking the device allows experts to raise privileges to the level required to access the protected file system on the device, which is simply not possible on Apple devices without superuser access. In addition, a jailbreak was the only way to extract and decrypt the complete content of the keychain, which contains all of the user’s saved passwords as well as certificates, identities, and encryption keys (e.g. keys to the encrypted databases of third-party password managers). In other words, a jailbreak was (and still is) used to obtain the level of privileges required for accessing application sandboxes, stored passwords, and encryption keys.
Why not just keep using a jailbreak?
If jailbreaks are such a great thing, why don’t we keep using them for low-level extractions? The thing is, jailbreaks bring their share of problems. First and most importantly, public jailbreaks were never meant for mobile forensics. Installing a jailbreak unnecessarily modifies the system partition (making the post-acquisition future of the device uncertain). Since public jailbreaks are designed to allow running unsigned code (such as apps downloaded from third-party app stores), they make far more (and far deeper) modifications to the system than would be necessary for the purpose of forensic acquisition.
Finding the right jailbreak and installing it properly may also become a challenge if you are not accustomed to this sort of thing. For these and other reasons, jailbreaking may not be an option for some experts. This is where jailbreak-free acquisition comes in.
How jailbreak-free acquisition works
In the previous section, I wrote that one needs low-level access to the file system in order to perform the extraction, and this still stands even if you are not going to use a jailbreak. We developed a different method for obtaining the required level of privileges on a wide range of iOS devices. Explaining the essence of the method brings us back to jailbreaking.
Essentially, a jailbreak exploits several vulnerabilities discovered in a given version of iOS or a range of iOS versions. The vulnerabilities are exploited one after another, forming a chain of exploits. A jailbreak requires a number of different exploits to escape the sandbox, obtain superuser access, and disable the various protections iOS has in place to prevent this sort of thing. Finally, a jailbreak opens read/write access to the system partition and patches several files in order to disable signature verification, which allows installing apps that lack Apple approval from third-party app stores. While this is a grand oversimplification, you get the idea: a jailbreak does a lot of things that aren’t necessary for just extracting the file system and obtaining the keychain.
A given jailbreak can be installed on a given version of iOS (or a range of iOS versions). Different jailbreaks are required to break into different versions of the system since different exploits are required. Our method automatically detects the installed version of iOS and applies exactly those exploits that are minimally required to obtain access to the file system. To do that, one must sign and install the ‘agent’ app on the device, and then use that agent to extract the file system and decrypt the keychain. Unlike jailbreaks, the agent performs all modifications in the device’s volatile memory (RAM) without writing anything unnecessary to persistent storage. The agent does not even touch the system partition, leaving the post-acquisition device perfectly usable and updatable.
Why choose jailbreak-free extraction over jailbreaks
There are numerous advantages of agent-based extraction over jailbreaks.
- Jailbreak-free extraction is safe. The agent does not touch the system partition, leaving the device in a clean state after the acquisition.
- Clean and forensically sound. The agent does not write anything unnecessary to the data partition and does not leave any traces behind apart from a few records in the system log.
- Much easier to handle. Most jailbreaks (except checkra1n, which uses a hardware exploit) are limited to a narrow range of iOS versions. The agent contains all the exploits required to gain access to the data and automatically applies the right exploit for a given version of iOS.
- Robust operation. Jailbreaks are wonky to install, (very) frequently failing without an obvious reason or a path forward. We have yet to see a single case where the agent failed on a supported platform.
- Offline operation. The agent can and should be installed with the device being in Airplane mode. An Internet connection on the iPhone is never required, making it a safe, risk-free extraction.
Agent-based extraction also has two major drawbacks.
- You will absolutely need a Developer account with Apple to sign and install the agent. A Developer account with Apple costs money (around $100/year if you use a personal one).
- The agent is available for a wide but still limited range of iOS versions, currently supporting iOS 10.0 through iOS 13.4.1 inclusive. Extracting an iPhone running a newer iOS build would be only possible if we discover the corresponding exploit. Alternatively, the checkra1n jailbreak may be available if the device is an iPhone 8, 8 Plus or iPhone X or older.
How to use jailbreak-free extraction
Jailbreak-free extraction is available through Elcomsoft iOS Forensic Toolkit. You will also need an Apple ID enrolled in Apple’s Developer Program, with an app-specific password created in your profile. Write down that password; you’ll need it to sign the extraction agent. The acquisition steps are:
- Connect the iPhone to your computer. Approve pairing request (you may have to enter the passcode on the device to do that).
- Launch Elcomsoft iOS Forensic Toolkit. The main menu will appear.
- We strongly recommend performing logical acquisition first (by creating the backup, extracting media files, etc.).
- For agent-based extraction, you’ll be using numeric commands.
- Press 1 to install the agent onto the iPhone. Enter the Apple ID and the app-specific password you’ve created in the developer profile, then type the ‘Team ID’ associated with your developer account.
- The agent is installed on the device. Tap on the Agent icon on the iPhone to launch it, and keep it in the foreground during the extraction.
- Press 2 to extract and decrypt the keychain (you can view it in Elcomsoft Phone Viewer).
- Press 3 to capture the file system image. The tool uses the TAR format to save the file system image. You can view it with Elcomsoft Phone Viewer or third-party forensic tools.
- Press 4 to clean up and uninstall the agent from the iPhone.
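Because the file system image is a plain TAR archive, an examiner will want to record what was acquired and be able to show later that the image has not changed. The following Python script is an added example (not part of the toolkit or of this article): it builds a constructed sample image with invented iOS-style paths, produces a per-file SHA-256 manifest, lists the application data sandboxes present, and re-verifies an image against that manifest.

```python
import hashlib
import io
import tarfile

# Constructed stand-in for the TAR image the toolkit writes; the paths and
# contents are invented for this example (a real image holds the whole data
# partition).
SAMPLE_FILES = {
    "private/var/mobile/Containers/Data/Application/1111-AAAA/Documents/notes.db": b"sqlite-bytes",
    "private/var/mobile/Containers/Data/Application/2222-BBBB/Library/Preferences/app.plist": b"<plist/>",
    "private/var/mobile/Library/SMS/sms.db": b"messages",
}


def build_sample_image(files=SAMPLE_FILES):
    """Build the constructed TAR image in memory (fixed mtime keeps it deterministic)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            info.mtime = 0
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def image_digest(image):
    """SHA-256 of the whole archive: the value to record in the acquisition notes."""
    return hashlib.sha256(image).hexdigest()


def image_manifest(image):
    """Walk every regular file in the image and record its name, size and SHA-256."""
    entries = []
    with tarfile.open(fileobj=io.BytesIO(image), mode="r") as tar:
        for member in tar:
            if not member.isfile():
                continue  # directories, symlinks etc. carry no content to hash
            data = tar.extractfile(member).read()
            entries.append({"name": member.name, "size": member.size,
                            "sha256": hashlib.sha256(data).hexdigest()})
    return entries


def app_sandboxes(manifest):
    """Container IDs of third-party app data sandboxes present in the manifest."""
    prefix = "private/var/mobile/Containers/Data/Application/"
    ids = {e["name"][len(prefix):].split("/", 1)[0]
           for e in manifest if e["name"].startswith(prefix)}
    return sorted(ids)


def verify_against(manifest, image):
    """Re-hash an image and return the names whose hash differs from (or is missing in) the manifest."""
    current = {e["name"]: e["sha256"] for e in image_manifest(image)}
    return sorted(e["name"] for e in manifest if current.get(e["name"]) != e["sha256"])
```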
The jailbreak-free acquisition has numerous advantages over jailbreaks and only two drawbacks. If your iOS device falls in the supported range of iOS 10.0 through 13.4.1, we strongly recommend sticking with the new, jailbreak-free acquisition method. If the iPhone you are analyzing is based on an unsupported platform, a compatible jailbreak may still be an option.
About the Author
Oleg Afonin is ElcomSoft’s security researcher and mobile forensics specialist. He is a frequent speaker at well-known industry conferences such as CEIC, HTCIA, FT-Day, Techno Forensics, and others. Oleg co-authored multiple publications on IT security and mobile forensics. With years of experience in the digital forensics and security domains, Oleg has led forensic training courses for law enforcement departments in multiple countries.