Recovering Data from Password Protected iPhones

by Nick Ventura
AAS, CCE, GCFA, SECURITY+, A+

Retrieving data from iPhones can prove to be challenging for digital forensics investigators. So for this week’s blog, I’ll be discussing the complications that can occur from iPhone passwords, iPhone backup passwords, and resetting an iPhone.

iPhone Passwords

The basic password on an iPhone is 4 digits, unless of course the user decides to use a standard style password, or the IT department for their company pushes down a policy requiring iPhone users in their environment to use a standard style password (there are other security options IT can push down to iPhones in their environment as well). So if you need to get into an iPhone and it has a password, that password will have to be cracked. At the moment, the only iPhone passwords that can be cracked without modifying the original device are those on the original iPhone, iPhone 3G, and iPhone 4. All of the newer iPhones will need to be “jailbroken” before any password cracking can occur. While it is possible to jailbreak the newer iPhones, depending on which iOS version they are running, it is not a path many investigators like to travel down because of all the changes that jailbreaking makes on the iPhone. It may be possible in the future that password cracking will be available on today’s newer model iPhones, but most likely it will never be available on whatever iPhone model is current. The reason is the amount of time and effort it takes to create software that interfaces with the latest iPhone and bypasses its native security without changing the data on the iPhone itself, which is crucial in the forensics industry.

Cracking the basic 4-digit password used on an iPhone takes 30 minutes using brute force techniques. Brute force password cracking means that the program will literally try every combination of characters that can be used in the password, which is why, when an individual is using the basic 4-digit password, it can be cracked within 30 minutes. On the other hand, if the individual is using a complex password on the iPhone, then the time it takes to crack the password depends on the length of the password and whether uppercase letters, lowercase letters, numbers, and special characters were used. If you’re thinking that it still shouldn’t take too long to crack the password, keep in mind that the number of possible passwords, once the character set is combined with the length, can be in the billions or even trillions, which can take quite some time to crack.
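To make the "billions or trillions" concrete, here is an added example (not from the original post) that sizes the search space for several passcode policies and estimates worst-case brute-force time; the guess rate is an illustrative assumption back-calculated from the article's "4 digits in 30 minutes", not a measured figure for any tool or device.

```python
# Added example: passcode search space and worst-case exhaustive-search time.
# ASSUMED_RATE is derived from the article's figure (10,000 PINs in 30 minutes);
# real rates depend on the device, iOS version, and tooling.

FOUR_DIGIT_SPACE = 10 ** 4            # every 4-digit PIN
FOUR_DIGIT_SECONDS = 30 * 60          # the article's 30 minutes
ASSUMED_RATE = FOUR_DIGIT_SPACE / FOUR_DIGIT_SECONDS   # about 5.6 guesses/second


def keyspace(alphabet_size: int, min_len: int, max_len: int) -> int:
    """Candidates an exhaustive search must cover when the length is only
    known to lie between min_len and max_len (inclusive)."""
    return sum(alphabet_size ** n for n in range(min_len, max_len + 1))


def worst_case_seconds(alphabet_size: int, min_len: int, max_len: int,
                       rate: float = ASSUMED_RATE) -> float:
    """Time to try every candidate at the given guess rate."""
    return keyspace(alphabet_size, min_len, max_len) / rate


def describe(seconds: float) -> str:
    """Render a duration in the largest convenient unit."""
    for unit, size in (("years", 365 * 86400), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:,.1f} seconds"


# (alphabet size, min length, max length) for a few representative policies
POLICIES = {
    "4-digit PIN": (10, 4, 4),
    "6-digit PIN": (10, 6, 6),
    "8 lowercase letters": (26, 8, 8),
    "8 mixed case + digits": (62, 8, 8),
    "6-12 chars, 95 printable ASCII": (95, 6, 12),
}

if __name__ == "__main__":
    for name, (alphabet, lo, hi) in POLICIES.items():
        print(f"{name:32} {keyspace(alphabet, lo, hi):>28,} candidates"
              f"  worst case ~{describe(worst_case_seconds(alphabet, lo, hi))}")
```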

iPhone Backup Encryption

Now let’s move on to backup passwords for iPhones. Most people might believe that simply having a password to access their iPhone means the backups are also encrypted using that password, which is false. Even if there is a password on the iPhone, a backup of the iPhone can be parsed without needing the password. There is, however, a way for a user to encrypt and password protect the iPhone backups. This process needs to be done inside of iTunes or pushed down via IT security policies in a business environment. When configuring the iPhone inside of iTunes, a user can choose to encrypt backups of their iPhone and set a password of their choice, separate from the password needed to access the iPhone. Once this process is complete in iTunes and the iPhone is synchronized, the setting is changed on the iPhone so that if it is connected to another computer with iTunes, it will still encrypt and protect backups created of the iPhone. While it is possible, with the right piece of software, to break the password used to encrypt the backup and then gain the ability to parse the data, it can take some time depending on the complexity of the password, as explained above.
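Because the device passcode and the backup password are independent, the first thing to check on a backup is which protections actually apply to it. The following added example (not code from the original post) reads the flags iTunes records in a backup's Manifest.plist, IsEncrypted and WasPasscodeSet, and reports whether the backup can be parsed directly; the sample backup it examines is constructed in a temporary directory so it runs offline.

```python
# Added example: triage an iTunes backup folder before attempting to parse it.
import plistlib
import tempfile
from pathlib import Path


def backup_status(backup_dir: Path) -> dict:
    """Read Manifest.plist from a backup folder and report its protection flags."""
    with (backup_dir / "Manifest.plist").open("rb") as fh:
        manifest = plistlib.load(fh)
    return {
        "backup_encrypted": bool(manifest.get("IsEncrypted", False)),
        "device_passcode_set": bool(manifest.get("WasPasscodeSet", False)),
        "ios_version": manifest.get("Lockdown", {}).get("ProductVersion", "unknown"),
    }


def triage_message(status: dict) -> str:
    """Plain-language verdict matching the distinction drawn in the text."""
    if status["backup_encrypted"]:
        return "Backup password required before any data can be parsed."
    if status["device_passcode_set"]:
        return "Device has a passcode, but the backup is not encrypted: parse it directly."
    return "No device passcode and no backup encryption."


def make_sample_backup(root: Path, encrypted: bool, passcode: bool) -> Path:
    """Construct a minimal Manifest.plist (sample data, not a real device) for the demo."""
    root.mkdir(parents=True, exist_ok=True)
    manifest = {
        "Version": "10.0",
        "IsEncrypted": encrypted,
        "WasPasscodeSet": passcode,
        "Lockdown": {"ProductVersion": "9.3.5", "DeviceName": "sample iPhone"},
    }
    with (root / "Manifest.plist").open("wb") as fh:
        plistlib.dump(manifest, fh)
    return root


def demo(encrypted: bool, passcode: bool) -> dict:
    """Build a throwaway sample backup, triage it, and return the status."""
    with tempfile.TemporaryDirectory() as tmp:
        return backup_status(make_sample_backup(Path(tmp) / "backup", encrypted, passcode))


if __name__ == "__main__":
    for enc, pc in ((False, True), (True, True)):
        status = demo(enc, pc)
        print(status, "->", triage_message(status))
```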

Resetting an iPhone

Now on to the last section of this blog: how to reset a locked iPhone. Back before the iPhone 3GS, encryption was not used. This lack of encryption meant that even if a device was reset, you could still potentially create a physical image of the iPhone and carve out data, much like one would do with a computer. Ever since the iPhone 3GS was introduced, all the data on an iPhone is encrypted, and a key is created on the iPhone that is used in conjunction with the password to encrypt your data. When you reset an iPhone 3GS or newer, the key used to decrypt the data is destroyed. Destroying the key means there isn’t a way to decrypt the data, making it nearly impossible to carve out deleted data even if you could create a physical image of the device, which you often can’t. What we can tell from a reset iPhone is when it was reset. When an iPhone is reset, an artifact is created on the device which we are able to extract during the imaging process. This artifact alone can be huge for a case, depending on the circumstances, as it can show when an individual reset their iPhone. Another point to mention is that a user doesn’t necessarily need physical access to their iPhone in order to reset it. When a user sets up their iPhone, they create an iCloud account (or link to the one they already have) on the iPhone. Once iCloud is set up on the iPhone, the user has to enable “Find My iPhone”, and after that, as long as the iPhone is connected to the internet, the user can remotely send a reset command to the iPhone from almost any device that has internet access. This feature was added by Apple for people who have lost their iPhone or have had their iPhone stolen.

Conclusion

So as you’ve read, whether or not it is possible to acquire data from an iPhone or a backup of the iPhone is determined by: the model of the iPhone, whether or not a password is being used on the iPhone itself, whether or not a password is being used to encrypt the backup of an iPhone, and whether a user has reset their iPhone. We’ve encountered each of these scenarios and wanted to better inform everyone of the various circumstances that could arise when needing to acquire data from an iPhone.
