Elcomsoft iOS Forensic Toolkit FAQ (part 2)


Note: this is the second part of the EIFT FAQ, mostly about the new version (1.20) released on July 17th, 2013. The first (basic) part is available here.

Q. So you actually support iPhone 5 now?

A. Yes, we support iPhone 5, 4S, and all previous generations.

Q. What about iPad 4, iPad Mini and iPod Touch 5th gen?

A. They're now also supported.

Q. Are there any limitations when supporting these last-generation devices?

A. Unfortunately, yes. For recent devices such as iPhone 4S and 5, or iPad 2 to 4, we can only work with jailbroken devices: physical acquisition is possible if the device is already jailbroken, or if you can install the jailbreak yourself.

Q. How can I install the jailbreak?

A. Assuming your device runs iOS 6, you will be using the “evasi0n” jailbreak, which currently supports iOS 6.0 to 6.1.2. Make sure you understand the procedure and follow it carefully, and read the original jailbreak documentation before running the code. The most important points are:

  1. Create a local iTunes backup without a backup password. The backup password is a setting stored on the device itself (it applies to every backup, not just one); if it is set, you may run into problems jailbreaking the device.
  2. Remove the passcode from the device.

Q. What about iOS 6.1.3 and 6.1.4? Is it possible to jailbreak them, or downgrade to an earlier version of iOS?

A. Unfortunately, no jailbreak is available yet for these versions of iOS, and downgrading from them to an earlier version is not possible either.

Q. What if I have a last-gen iPhone running a supported version of iOS, but it is locked and the passcode is unknown?

A. Physical acquisition is possible only if the device is already jailbroken (which means: just try). If it is not, physical acquisition is not possible, because installing the jailbreak requires removing the passcode first. For non-jailbroken devices locked with an unknown passcode, only the iPhone 4 and earlier models, the original iPad and early generations of iPod Touch can be acquired.

Q. Where do I get the “evasi0n” jailbreak?

A. Please use a search engine to find it. Distributing it is not exactly legal (using it is perfectly legal), so we are not publishing it here.

Q. How do I work with a jailbroken iPhone 4 and older devices?

A. Legacy devices do not require a jailbreak for physical acquisition. You can continue working with them through DFU mode, as before.

Q. Are there any other differences between the old and new versions of the Toolkit I should know about?

A. Yes, there are differences affecting the way you’ll be using the product:

  1. We still ship two versions of the script: "Toolkit.cmd" ("Toolkit.command" in the Mac version) and "Toolkit-JB.cmd" ("Toolkit-JB.command"). The second one has a new name; it used to be called "Toolkit-A5" because it was intended for A5 devices only (iPhone 4S, the new iPad, and iPad with Retina display). It now covers all A5 and later devices, including iPhone 5, iPad 4, iPad Mini and iPod Touch 5th gen.
  2. The Toolkit menu has been reorganized.
  3. You no longer have to specify the device type for legacy devices (up to iPhone 4) when using the script for older devices.
  4. The script for newer devices (iPhone 5 etc.) is also updated: you no longer have to upload the 'passcode' and 'dumpkeys' utilities manually or set their execute permissions. This is done automatically once you select the appropriate menu item. You still have to specify the iOS version (5 or 6), because the two differ significantly.

Q. The "Toolkit-JB" script asks me for a password, what's that?

A. It is the password of the 'root' user on the device. The default password immediately after installing the jailbreak is "alpine" (without quotes).

Q. How do I change the 'root' password?

A. If you do not know the password and the default does not work, you can reset it. Use any tool that can access files stored on the iOS device (such as iFunBox or iExplorer) to edit the following file:

/private/etc/master.passwd

The line corresponding to the root account should look like this:

root:/smx7MYTQIi2M:0:0::0:0:System Administrator:/var/root:/bin/sh

Saving the modified master.passwd file back to the device resets the root password to "alpine": the second field of that line is the traditional crypt(3) hash of the word "alpine".

Of course, if you know the existing password, there is no need to change it.
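As an added illustration (not part of the Toolkit or its documentation), the following Python script performs the same edit programmatically: it parses the BSD master.passwd format, replaces only the password field of the root entry with the hash shown above, leaves every other field untouched, and refuses to proceed if the root entry does not have uid 0 (a sign of the wrong file or a tampered entry). The sample file content inside it is constructed for the demonstration.

```python
"""Reset the root password hash in an iOS master.passwd file.

Added example, not part of the Elcomsoft toolkit. Rewrites only the
password field of a BSD-style master.passwd entry, so uid/gid/home/shell
of the account stay intact. SAMPLE below is constructed for the demo.
"""

# Traditional DES crypt(3) hash of "alpine", as shown in the FAQ.
ALPINE_HASH = "/smx7MYTQIi2M"

# BSD master.passwd has ten colon-separated fields:
# name:password:uid:gid:class:change:expire:gecos:home:shell
FIELDS = ("name", "password", "uid", "gid", "class",
          "change", "expire", "gecos", "home", "shell")

# Constructed sample resembling a jailbroken device whose root password
# was changed to an unknown value (the $1$ hash is a made-up placeholder).
SAMPLE = """\
nobody:*:-2:-2::0:0:Unprivileged User:/var/empty:/usr/bin/false
root:$1$abcdefgh$AbCdEfGhIjKlMnOpQrStUv:0:0::0:0:System Administrator:/var/root:/bin/sh
mobile:/smx7MYTQIi2M:501:501::0:0:Mobile User:/var/mobile:/bin/sh
"""


def parse_entry(line):
    """Split one master.passwd line into a dict; None for blanks/comments."""
    if not line.strip() or line.startswith("#"):
        return None
    parts = line.rstrip("\n").split(":")
    if len(parts) != len(FIELDS):
        raise ValueError("malformed master.passwd line: %r" % line)
    return dict(zip(FIELDS, parts))


def reset_password(content, user="root", new_hash=ALPINE_HASH):
    """Return content with the password field of `user` replaced.

    Raises if the account is missing or, for root, is not uid 0.
    """
    out, found = [], False
    for line in content.splitlines(keepends=True):
        entry = parse_entry(line)
        if entry is None or entry["name"] != user:
            out.append(line)  # untouched, byte for byte
            continue
        if user == "root" and entry["uid"] != "0":
            raise ValueError("root entry does not have uid 0: %r" % line)
        entry["password"] = new_hash
        out.append(":".join(entry[f] for f in FIELDS) + "\n")
        found = True
    if not found:
        raise ValueError("no entry for user %r" % user)
    return "".join(out)


def root_line(content):
    """Return the root entry (without newline) for inspection, or None."""
    for line in content.splitlines():
        entry = parse_entry(line)
        if entry and entry["name"] == "root":
            return line
    return None


if __name__ == "__main__":
    print(root_line(reset_password(SAMPLE)))
```

Run it against a copy of the file pulled from the device, then push the result back; the output line for root must match the one quoted above exactly.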

Q. Are there any other requirements for jailbroken devices?

A. Yes: a working SSH server must be running on the device. To check whether one is already there, start 'Toolkit-JB' first; it automatically establishes a tunnel between the SSH port (22) on the device and port 3022 on localhost. Then use an SSH client to connect to localhost on port 3022, for example:

ssh -p 3022 root@localhost

If an SSH session is established, if you are prompted for a password, or if you receive a host key fingerprint mismatch error, then an SSH server is already running on the device. (A fingerprint mismatch is expected when different devices have been connected through the same local port; it only means the key stored for localhost:3022 belongs to another device.) If the connection is refused or never established, there is no SSH server running; fix it by installing the OpenSSH package from Cydia, which is present on every jailbroken device.
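The check above, as an added example that is not part of the Toolkit: a small Python probe that connects to the forwarded port and reads the SSH identification banner (RFC 4253, section 4.2). It tells a running SSH server apart from a refused or silent connection without invoking the ssh client, so it never touches known_hosts and needs no password. The fake server inside it stands in for OpenSSH on the device and is constructed for the demonstration; the host and port are assumptions matching the FAQ's tunnel.

```python
"""Probe a forwarded SSH port to tell whether an SSH server answers.

Added example, not part of the Elcomsoft toolkit. Toolkit-JB forwards
localhost:3022 to port 22 on the device; this reads the SSH banner
instead of running a full ssh handshake. The fake server is constructed.
"""
import socket
import threading

TUNNEL_PORT = 3022  # port Toolkit-JB forwards to the device's port 22


def probe_ssh(host="127.0.0.1", port=TUNNEL_PORT, timeout=3.0):
    """Return (status, detail).

    status is one of:
      "ssh"      a server sent an SSH identification string
      "other"    something answered, but it is not SSH
      "refused"  the port is closed (no tunnel, or nothing behind it)
      "timeout"  nothing answered in time (tunnel up, device silent)
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            banner = s.recv(255)
    except ConnectionRefusedError:
        return "refused", "connection refused"
    except socket.timeout:
        return "timeout", "no banner within %.1fs" % timeout
    except OSError as e:
        return "refused", str(e)
    line = banner.split(b"\r\n")[0].decode("ascii", "replace")
    if line.startswith("SSH-"):
        return "ssh", line
    return "other", line or "empty banner"


def fake_sshd(banner=b"SSH-2.0-OpenSSH_5.9\r\n"):
    """Start a one-shot listener that sends an SSH banner; return its port.

    Constructed stand-in for the OpenSSH package on a jailbroken device.
    """
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        conn.sendall(banner)
        conn.close()
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def closed_port():
    """Pick a local port nothing is listening on (constructed for the demo)."""
    s = socket.socket()
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


def demo():
    """Probe a fake sshd and a closed port; return both status words."""
    return probe_ssh(port=fake_sshd())[0], probe_ssh(port=closed_port())[0]


if __name__ == "__main__":
    print(demo())                       # ('ssh', 'refused') with the fakes
    print(probe_ssh())                  # the real tunnel, if Toolkit-JB is up
```

Against the real tunnel, call probe_ssh() with the defaults: "ssh" means OpenSSH is installed and you can proceed, "refused" means either the tunnel window is not open or OpenSSH is missing from the device.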

Q. From time to time, I get the following error: "Failed to add the host to the list of known hosts (/cygdrive/c/Device/Null)". What does that mean?

A. You can ignore it. The path shows that the SSH client is pointed at the null device instead of a real known_hosts file, so it cannot store the device's host key there; the connection itself is unaffected.

Q. How long does it take to crack a passcode?

A. It depends on many factors: the device model, the type and length of the passcode, and sheer luck. A simple 4-digit passcode takes 20-40 minutes on iPhone 4 and about 10 minutes on iPhone 5; long and complex passcodes may take forever. Recovery speed ranges from only about 4 passcodes per second on iPhone 4 to about 15 per second on iPhone 5.
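To put these rates in perspective, here is an added estimator (not part of the Toolkit) that computes expected and worst-case exhaustive-search time for a given alphabet size and length at the per-second rates quoted above. The 4-digit PIN is the FAQ's case; the other passcode policies are assumptions added to show how quickly the keyspace outgrows on-device speeds.

```python
"""Estimate on-device passcode brute-force time from the FAQ's rates.

Added example, not part of the Elcomsoft toolkit. The 4 and 15 passcodes
per second figures are the FAQ's; policies other than the 4-digit PIN are
assumptions chosen to illustrate why long passcodes "take forever".
"""
import string

RATES = {"iPhone 4": 4.0, "iPhone 5": 15.0}   # passcodes per second (FAQ)

# (label, alphabet size, length); alphabets are assumptions for the demo
POLICIES = [
    ("4-digit PIN", 10, 4),
    ("6-digit PIN", 10, 6),
    ("8-char lowercase+digits", len(string.ascii_lowercase + string.digits), 8),
]


def brute_force_seconds(alphabet_size, length, rate):
    """Return (expected, worst_case) seconds for an exhaustive search.

    Expected assumes a uniformly random passcode, so on average half the
    keyspace is tried before the hit; worst case is the full keyspace.
    """
    keyspace = alphabet_size ** length
    return keyspace / rate / 2, keyspace / rate


def human(seconds):
    """Render seconds in the largest unit that keeps the number >= 1."""
    for unit, size in (("years", 365 * 86400), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return "%.1f %s" % (seconds / size, unit)
    return "%.0f seconds" % seconds


def estimate_table():
    """Return {(policy, device): (expected, worst_case)} for all combos."""
    table = {}
    for label, size, length in POLICIES:
        for device, rate in RATES.items():
            table[(label, device)] = brute_force_seconds(size, length, rate)
    return table


if __name__ == "__main__":
    for (label, device), (exp, worst) in estimate_table().items():
        print("%-26s %-9s expected %-14s worst %s"
              % (label, device, human(exp), human(worst)))
```

The 4-digit case reproduces the FAQ's numbers (worst case about 42 minutes on iPhone 4, about 11 minutes on iPhone 5); the same arithmetic puts a 6-digit PIN at most of a day and an 8-character alphanumeric passcode at thousands of years on the device.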

Q. Why is passcode recovery so slow? Are you planning to use GPU acceleration for that?

A. On these iOS devices the passcode recovery process can only run on the device itself; it cannot be offloaded to a PC or GPU cluster and broken offline, because the passcode is mixed with a device-unique hardware key (the UID) that never leaves the AES engine, so every guess has to be tried on that particular device. This is how Apple secures its devices, and it is one of the reasons they are so secure.

Q. Once I run a passcode recovery, will the iPhone be locked, disabled or wiped after too many unsuccessful attempts?

A. No. Even if the "Erase all data on this iPhone after 10 failed passcode attempts" setting is turned on, it does not apply here: the attempt counter and the wipe are enforced by iOS, while the Toolkit performs its guesses below that layer, working with the hardware directly rather than through iOS settings. The device will not be locked, disabled or wiped.

Q. In Windows, a separate console window with "Tunnel 3022-22" is being opened, is that normal?

A. Yes. Please do not close it while the Toolkit is running.

Q. Do I ever need physical acquisition? Why is it better than logical?

A. Physical acquisition returns more data than logical acquisition. The keychain can only be completely decrypted with physical acquisition. In addition, some files on the device are locked and are not copied by logical acquisition, while physical acquisition works at a lower level and acquires the complete image of the device.

Q. With physical acquisition, is it possible to recover the data that have been deleted from the device (such as photos)?

A. For iOS 4, 5 and 6, unfortunately, no: each file is encrypted with its own per-file key, and that key is discarded when the file is deleted, so even where the file's blocks are still present on flash they are unreadable ciphertext. Sometimes, however, you can recover deleted messages (SMS and iMessage) and other records stored in SQLite databases, because a deleted record stays in the database file's free space until that space is reused or the database is vacuumed (you need third-party forensic software for that, though).
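The SQLite mechanism behind this, as an added example that is not part of the Toolkit (the schema and messages are constructed and are not a real sms.db): a row is deleted, SQL no longer returns it, yet a raw scan of the file bytes still finds its text, until VACUUM rewrites the file and the remnant is gone. The secure_delete pragma is set explicitly because some distribution builds of SQLite turn it on by default, which would zero the record instead.

```python
"""Show why deleted SMS/iMessage rows can survive inside an SQLite file.

Added example, not part of the Elcomsoft toolkit. Schema and messages are
constructed. DELETE marks the record's space as free but, unless
secure_delete is on or the database is vacuumed, leaves the bytes in
place, so a raw scan finds text that SQL no longer shows.
"""
import os
import re
import sqlite3
import tempfile

# Constructed sample messages; the second row will be deleted.
MESSAGES = [
    (1, "+15550001111", "Meeting moved to 3pm, bring the USB drive"),
    (2, "+15550002222", "DELETEME the safe code is 4471 burn after reading"),
    (3, "+15550003333", "ok see you there"),
]


def build_db(path, vacuum_after=False):
    """Create a message store, delete row 2, optionally VACUUM; return live texts."""
    con = sqlite3.connect(path)
    con.execute("PRAGMA secure_delete=OFF")  # some builds default to ON
    con.execute("CREATE TABLE message (msg_id INTEGER PRIMARY KEY,"
                " address TEXT, text TEXT)")
    con.executemany("INSERT INTO message VALUES (?,?,?)", MESSAGES)
    con.commit()
    con.execute("DELETE FROM message WHERE msg_id = 2")
    con.commit()
    if vacuum_after:
        con.execute("VACUUM")  # rebuilds the file, discarding free space
    live = [row[0] for row in
            con.execute("SELECT text FROM message ORDER BY msg_id")]
    con.close()
    return live


def carve_strings(path, min_len=8):
    """Return printable ASCII runs found in the raw file, bypassing SQLite."""
    with open(path, "rb") as f:
        raw = f.read()
    return [m.group().decode("ascii")
            for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, raw)]


def deleted_text_survives(vacuum_after=False):
    """Build the db, delete a row, report (visible_via_sql, found_in_raw_bytes)."""
    fd, path = tempfile.mkstemp(suffix=".db")
    os.close(fd)
    try:
        live = build_db(path, vacuum_after)
        target = MESSAGES[1][2]
        visible = any(target in t for t in live)
        carved = any(target in s for s in carve_strings(path))
        return visible, carved
    finally:
        os.remove(path)


if __name__ == "__main__":
    print("after DELETE :", deleted_text_survives())
    print("after VACUUM :", deleted_text_survives(vacuum_after=True))
```

The same carving approach is what forensic tools apply to a decrypted sms.db: the live rows come from SQL, the deleted ones from free blocks and unallocated page space, which is why results depend on how much the database has been rewritten since the deletion.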

Q. In brief, what is the typical usage of the Toolkit, and where should I start from?

A. The first step depends on the model of your iOS device. For iPhone 4 and older devices, put the device into DFU mode and load the RAMdisk (see the manual for details). For iPhone 4S and newer, jailbreak the device and install OpenSSH. The typical steps are then:

  1. Break the passcode, if one is set and not known (menu item [3]). This step is optional, but without the passcode some information cannot be decrypted.
  2. Obtain the device keys and keychain data (menu item [4]). This is mandatory: without the keys, neither the keychain nor the device image can be decrypted.
  3. Decrypt the keychain (menu item [5]). This is not needed if you only want to acquire and decrypt the file system image, but the keychain holds a lot of critical data: the backup password, passwords to every Wi-Fi access point the device has ever connected to, mail (SMTP, POP3 and IMAP) passwords, sometimes the Apple ID password, passwords entered into web forms, and so on.
  4. Create an image of the disk (menu item [6]) and decrypt it ([7]), or create a tarball (logical acquisition). Imaging can take up to 40 minutes for a 32-GB device; wait for it to finish before going on.
  5. Reboot the device, either by selecting menu item [9] in the Toolkit or by holding the [Home] and [Sleep] buttons on the device for several seconds.