Advanced Logical Extraction with iOS Forensic Toolkit 8: Cheat Sheet
2022-11-15 19:32:20 Author: blog.elcomsoft.com(查看原文) 阅读量:23 收藏

Advanced logical acquisition is the most compatible and least complicated way to access essential evidence stored in Apple devices. In legacy versions of iOS Forensic Toolkit, we offered a 1-2-3 style, menu-driven extraction experience, while the updated release of iOS Forensic Toolkit 8.0 is driven by the command line. In this quick-start guide we will lay out the steps required to extract the most amount of data from Apple devices via the advanced logical process.

What is advanced logical acquisition?

Advanced (or “extended”) logical acquisition is an unofficial name for a set of data extraction methods available for all iPhone, iPad, and iPod Touch devices regardless of the version of iOS installed and regardless of the hardware platform. Advanced logical acquisition includes the extraction of a local backup, media files, shared files, and system crash logs and diagnostic logs. You must be able to unlock the device and pair it to the computer, which requires a screen lock passcode.

An iTunes-style backup is part of the logical extraction process. In iOS and iPadOS, local backups may be protected (and securely encrypted) with a password. Such password-protected backups have more information available to the examiner compared to unencrypted backups. For this reason, we recommend setting a temporary backup password (e.g., ‘123’) before creating a backup, which requires a confirmation with a screen lock passcode. Do not forget removing the temporary password when you are done; more on that in iOS Backups: Leftover Passwords.

Note that you can only change the backup password if the original backup password is known or empty. If the device has an unknown backup password, we recommend creating a backup nevertheless. After that, consider resetting the backup password with “Reset All Settings” (not to be confused with “Erase content and settings”, which factory-resets the device).

Note: changing a backup password in recent versions of iOS requires a screen lock passcode.

In addition to local backups, extended logical acquisition returns media-files, some diagnostic logs and shared app data. Additional information on logical acquisition is available in the following articles:

Extended logical extraction cheat sheet

To perform complete logical extraction, follow the steps:

  1. Connect the iPhone to the computer’s USB port.
  2. Once the iPhone is connected to the computer, you will be prompted to establish trust between the device and the computer. On the device, confirm the pairing prompt and enter the screen lock passcode. If the device was not automatically paired, you will need to manually pair the device to the computer by running the following command:
    ./EIFT_cmd normal pair

    On the phone, confirm the “Trust this computer?” prompt.

  3. On the phone, you may be prompted for a passcode if the device is running a recent version of iOS. Enter the screen lock passcode to confirm pairing.
  4. Extract information about the device:
    ./EIFT_cmd info
  5. Check if a backup password is set:
    ./EIFT_cmd normal backuppwcheck

    If you are using an external pairing record file, pass it in the command line. Note: if this is the case, you will have to use the -r switch along with the path to the pairing record for all subsequent commands:

    ./EIFT_cmd normal backuppwcheck -r record.plist

    Check the output, looking for “Backup password” status:

    Started logging Thread!
    Got device:
    Mode: [normal]
    BuildVersion: 16H50 
    DeviceName: iPhone 
    HardwareModel: N53AP 
    Paired: YES 
    PasswordProtected: NO
    ProductName: iPhone OS 
    ProductType: iPhone6,2 
    ProductVersion: 5.4
    SerialNumber: <serial number> udid: <udid>
    Loading custom record from=record.plist 
    Checking backup password...
    Backup password is DISABLED 
    Done
  6. If the backup password is enabled, make a password-protected backup nevertheless. After that, consider resetting the backup password with “Reset All Settings” (not to be confused with “Erase content and settings”, which factory-resets the device). To reset the backup password, follow Apple instructions: “On the iPhone, go to [Settings] | [General] | [Reset]. Press [Reset All Settings]; Follow the steps (you will be prompted for device passcode).”
  7. (optional step) If the backup password is empty, you may manually set a known temporary password such as ‘123’. If you don’t, iOS Forensic Toolkit will automatically set a temporary password ‘123’ before the extraction, and remove it afterwards. Either way, the device will prompt for a screen lock passcode. Make sure to enter one quickly as the prompt is only displayed for a limited time.
    ./EIFT_cmd normal backuppwset -p "123"
  8. Make a backup (the last parameter specifies using the current folder; you may provide a different path instead of “./”)
    Note: if the backup password is empty, iOS Forensic Toolkit will automatically attempt to set a temporary backup password of ‘123’. During the process, the device will prompt for a screen lock passcode. Make sure to enter the passcode prompted. If you don’t, the prompt goes away in a few seconds, and the backup is created without a password.
    ./EIFT_cmd normal backup -o ./

    If you are creating a large backup, you may want to use an external disk as a destination. In that case, use the following syntax:

    ./EIFT_cmd normal backup -o /Volumes/DISKNAME

    DISKNAME is the name of the disk as displayed in Finder. Note that the backup contains multiple files. If you need to attack the backup password, you will only need a single file named manifest.plist.

  9. If you have manually enabled a backup password during Step 7, remove that temporary backup password. If you haven’t, iOS Forensic Toolkit will automatically remove the temporary password. Either way, the device prompt for a screen lock passcode. The prompt will be shown for a limited time. If you miss the prompt, the command will finish, while the temporary password will  still be enabled on the devide. In this case, you will have to manually remove the backup password. In the example below, “123” is the previously set password. It must be provided as an argument:
    ./EIFT_cmd normal backuppwunset -p "123"
  10. Extract media files via afc. Note that the afc protocol returns media files regardless of the backup password, and is available on Apple TV and Apple Watch devices as well as the iPhone and iPad. In addition to photos and videos, afc returns valuable metadata.
    ./EIFT_cmd normal dumpafc -o afcdump.tar

    If you need to save the file in a different folder or disk, use the following syntax (also applies to subsequent commands):

    ./EIFT_cmd normal dumpafc -o /Volumes/DISKNAME/afcdump.tar
  11. On the iPhone, generate sysdiagnose logs. To do that, hold Vol+, Vol- and Power buttons for 250 milliseconds, then wait up to 5 minutes.
  12. Pull crash logs and diagnostic (sysdiagnose) logs:
    ./EIFT_cmd normal dumpcrash -o crashlogs.tar
  13. Extract shared files (the command below uses a file named “container.tar” in the current folder):
    ./EIFT_cmd normal dumpshared -o container.tar
  14. Decrypt the backup with Elcomsoft Phone Breaker or open it directly in Elcomsoft Phone Viewer providing the known backup password (e.g., 123).

TL&DR

Here is the short list of all commands you will need most of the time to perform advanced logical acquisition:

./EIFT_cmd info
./EIFT_cmd normal backup -o ./
./EIFT_cmd normal dumpafc -o afcdump.tar
./EIFT_cmd normal dumpcrash -o crashlogs.tar
./EIFT_cmd normal dumpshared -o container.tar

Using lockdown records (pairing records)

Lockdown records, or pairing records, are files containing cached authentication data for accessing trusted iOS devices without the need to re-pair them to a computer. In specific circumstances (the device’s screen is locked, the screen lock passcode is unknown, and the device’s USB port is not locked with USB restricted mode), a lockdown record may be used to perform advanced logical acquisition of a locked device. Today, the use of lockdown files is limited since lockdown files expire quickly.

The lockdown files are stored in the following folders.

Windows Vista, 7, 8, 8.1, Windows 10 and 11:

%ProgramData%\Apple\Lockdown

Windows XP:

%AllUsersProfile%\Application Data\Apple\Lockdown

macOS:

/var/db/lockdown

When performing live system analysis, a permission change is required to access lockdown files. More information on extracting lockdown files: Accessing Lockdown Files on macOS

When performing advanced logical acquisition, using a lockdown file requires an argument added to each command. For example, device information (also available in BFU mode) will use the following syntax (replace “record.plist” with a path to a lockdown file; please observe the UDID listed in the lockdown file, which must match the UDID of the device being extracted):

./EIFT_cmd info -r record.plist

If you were unable to unlock the device with a certain lockdown file, you may try other lockdown files obtained from that computer (once again, observe the UDID match). If still not successful, the lockdown record may be already expired, in which case you will need to unlock the device and establish a new pairing relationship, which requires a screen lock passcode.


REFERENCES:

Elcomsoft iOS Forensic Toolkit

Extract critical evidence from Apple iOS devices in real time. Gain access to phone secrets including passwords and encryption keys, and decrypt the file system image with or without the original passcode. Physical and logical acquisition options for all 64-bit devices running all versions of iOS.

Elcomsoft iOS Forensic Toolkit official web page & downloads »


文章来源: https://blog.elcomsoft.com/2022/11/advanced-logical-extraction-with-ios-forensic-toolkit-8-cheat-sheet/
如有侵权请联系:admin#unsafe.sh