What you need to know
- Elcomsoft says its iOS Forensic Toolkit can now extract some files whilst a device is in BFU ("Before First Unlock") mode.
- It says it can extract select keychain records in that state, without the passcode.
- The device has to be jailbroken using checkra1n.
Elcomsoft says its iOS Forensic Toolkit can now extract some files from iOS devices in BFU mode, that is, before anyone has entered the passcode since the device was powered on or rebooted.
Elcomsoft's iOS Forensic Toolkit lets licensees perform physical and logical acquisition of iPhone, iPad, and iPod touch devices. It can be used to image device file systems and extract passwords, encryption keys, and data. According to Elcomsoft's blog, the toolkit can now extract select keychain records whilst a device is in BFU mode. The blog states:
BFU stands for "Before First Unlock". BFU devices are those that have been powered off or rebooted and have never been subsequently unlocked, not even once, by entering the correct screen lock passcode.
In Apple's world, the content of the iPhone remains securely encrypted until the moment the user taps in their screen lock passcode. The screen lock passcode is absolutely required to generate the encryption key, which in turn is absolutely required to decrypt the iPhone's file system. In other words, almost everything inside the iPhone remains encrypted until the user unlocks it with their passcode after the phone starts up.
It is the "almost" part of the "everything" that we target in this update. We've discovered that certain bits and pieces are available in iOS devices even before the first unlock. In particular, some keychain items containing authentication credentials for email accounts and a number of authentication tokens are available before first unlock. This is by design; these bits and pieces are needed to allow the iPhone to start up correctly before the user punches in the passcode.
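The "by design" availability the post describes is decided per item by the accessibility attribute an app sets when it writes to the keychain: that attribute selects which protection-class key wraps the item, and only the classes in the "always" family have their key available while the device is still in BFU state. The Swift snippet below is an added example, not Elcomsoft's code and not taken from the post; the service name, account name and password value are constructed for illustration. It stores one credential under a class that an offline extraction can recover before first unlock, flags that choice by reading the attribute back, and then shows the two classes a practitioner would normally use instead.

```swift
import Foundation
import Security

// Constructed identifiers for this example; a real app would use its own.
let exampleService = "com.example.mailclient"
let exampleAccount = "imap-password"

/// Store `secret` as a generic-password item under the given accessibility class.
/// Any existing item with the same service/account is replaced first so that
/// SecItemAdd does not fail with errSecDuplicateItem.
func storeSecret(_ secret: Data, accessible: CFString) -> OSStatus {
    let identity: [String: Any] = [
        kSecClass as String: kSecClassGenericPassword,
        kSecAttrService as String: exampleService,
        kSecAttrAccount as String: exampleAccount,
    ]
    SecItemDelete(identity as CFDictionary)

    var add = identity
    add[kSecValueData as String] = secret
    // This attribute selects the protection-class key that wraps the item,
    // and therefore whether the item is decryptable before first unlock.
    add[kSecAttrAccessible as String] = accessible
    return SecItemAdd(add as CFDictionary, nil)
}

/// Read back the accessibility class recorded on the stored item, or nil if
/// the item is missing or the attribute could not be read.
func storedAccessibility() -> String? {
    let query: [String: Any] = [
        kSecClass as String: kSecClassGenericPassword,
        kSecAttrService as String: exampleService,
        kSecAttrAccount as String: exampleAccount,
        kSecReturnAttributes as String: true,
        kSecMatchLimit as String: kSecMatchLimitOne,
    ]
    var item: CFTypeRef?
    guard SecItemCopyMatching(query as CFDictionary, &item) == errSecSuccess,
          let attrs = item as? [String: Any] else {
        return nil
    }
    return attrs[kSecAttrAccessible as String] as? String
}

/// Classes whose wrapping key is available from boot, i.e. before first unlock.
/// Apple has deprecated both, but items already written with them keep the class.
let readableBeforeFirstUnlock: Set<String> = [
    kSecAttrAccessibleAlways as String,
    kSecAttrAccessibleAlwaysThisDeviceOnly as String,
]

let password = Data("constructed-example-password".utf8)

// Weak choice: the item stays decryptable while the device is still in BFU state.
_ = storeSecret(password, accessible: kSecAttrAccessibleAlwaysThisDeviceOnly)
if let cls = storedAccessibility(), readableBeforeFirstUnlock.contains(cls) {
    print("WARNING: \(exampleAccount) stored with \(cls): readable before first unlock")
}

// Background-capable but BFU-safe: the key is released only after the first
// unlock since boot, which is enough for mail fetching and push handling.
_ = storeSecret(password, accessible: kSecAttrAccessibleAfterFirstUnlockThisDeviceOnly)

// Strongest: readable only while the device is unlocked, and only if a passcode is set.
_ = storeSecret(password, accessible: kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly)
```

The read-back check only covers an app's own keychain items. The email credentials and authentication tokens the post refers to are written by iOS itself, so their class is Apple's choice, not something a third-party app can change.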
Elcomsoft affirms that it cannot and will not help to unlock iOS devices, but that it is often possible to extract data from devices without unlocking them. In particular, devices whose bootrom is vulnerable to checkm8, the exploit the checkra1n jailbreak is built on, can have some of their system files extracted even if you don't know the passcode.
With Elcomsoft iOS Forensic Toolkit, you can now extract the keychain as well. Yes, in BFU mode, even if the device is locked or disabled ("Connect to iTunes"). While this is only a partial keychain extraction, as most keychain records are encrypted using the key derived from the user's passcode, this is much better than nothing – and coming from a locked device!
This also works if a device has been disabled after the passcode has been entered incorrectly 10 times, as long as the Erase Data option isn't enabled. As for the data that can be extracted, the blog lists:
In the BFU mode (unknown device passcode), you can get the list of installed applications, some Wallet data (that was a surprise, I have no idea why they are not encrypted), the list of Wi-Fi connections, a lot of media files, notifications (these may contain some chat messages and other useful data). There are also a lot of location points.
Elcomsoft says it will continue working on checkra1n integration and on building checkm8 support into its tool. It also says that acquisition via jailbreak is currently the only way to get this data, but that it is not "forensically sound" because jailbreaking alters the contents of the file system. Jailbreaking itself also carries risk. The post concludes:
However, we are working on integrating the low-level checkm8 exploit into our software. This should straighten up the process, making it faster, simpler, safer and completely forensically sound.
As 9to5Mac notes, this is of limited relevance to everyday consumers: Elcomsoft sells its tools mostly to law enforcement agencies, governments and businesses, as well as to individuals.