Most would agree that the golden age of mobile forensics is over. There is no longer an easy way to get through the passcode in new iOS devices running the latest version of iOS. Chip-off acquisition is dead for iOS devices due to full-disk encryption, while physical acquisition of Apple hardware is dead since the introduction of 64-bit devices and versions of iOS 8 that cannot be jailbroken. Blackberries were highly resistant to chip-off acquisition from the beginning, and Android is getting there quickly. In this whitepaper, we will look at the current state of mobile forensics for the different platforms and devices, analyze current trends and attempt to predict how mobile forensics will look in the years ahead.
To gather these predictions, the authors analyzed state-of-the-art tools, methods and hardware offered by leading manufacturers, and interviewed experts working for manufacturers of digital forensic products. Since manufacturers often specialize in specific areas (e.g., producing equipment for breaking iPhone passcodes), we questioned multiple representatives to be able to see the whole picture. Today, we are ready to share our findings.
iOS Forensics
Ever since Apple began using full-disk encryption with passcode-dependent, hardware-based encryption, chip-off acquisition has not been possible. The following acquisition methods are available for Apple devices:
- Sending the device back to Apple. Generally available to government agencies and law enforcement. Only for iOS versions prior to iOS 8.
- Physical acquisition. A non-destructive acquisition method that allows one to obtain the full image of the device via the standard Apple cord.
- Logical (backup) acquisition. Deals with offline backup files produced by the device being analyzed.
- Over-the-air acquisition. Downloads information from iCloud.
Sending to Apple
Sending devices for acquisition directly to Apple used to be a viable strategy, but not anymore. With the release of iOS 8, Apple explicitly states in their Privacy Policy that the new system is so secure that even Apple themselves cannot access information inside the device if the correct passcode is not known. Thus, modern devices running the latest version of iOS can only be acquired this way if the correct passcode is known. By June 2015, more than 80 percent of iOS devices were running iOS 8, so the chances of actually handling a device with an older version of iOS are becoming slim.
iOS Physical Acquisition
When it comes to physical acquisition, the technique only works for jailbroken 32-bit devices (both conditions must be met), or 32-bit devices with a known passcode that can be jailbroken by the investigator. Compared to Android, relatively few Apple users jailbreak their phones. Since no jailbreak is currently available for the latest version of iOS, and all new devices use 64-bit circuitry, physical acquisition will only work in rare cases (with the exception of developing countries where older 32-bit Apple hardware still occupies a major market niche).
iOS Logical Acquisition
If a passcode is known, or there is a way of finding it out, investigators can make the device produce an offline backup via iTunes. The backup can then be analyzed, but with some restrictions:
- Device secrets (items stored in the keychain) will only be available if the backup was password-protected (and will NOT be available in backups saved without a password). Somewhat counterintuitively, if you have a device that is configured to produce backups without password protection, setting a known backup password and entering that same password in the forensic tool will enable access to more information compared to analyzing non-protected backups.
- Cached items such as downloaded mail are not available in backups.
Over-the-Air Acquisition (iCloud)
Finally, there is a way to acquire the content of Apple devices by downloading backups from iCloud.
iCloud is a cloud service available to Apple customers. Five GB of cloud storage are available free of charge, and up to 50 GB can be purchased for a fee.
Apple designed a very convenient system for backing up devices to the cloud. Backups are incremental and occur automatically every time the device is put on a charger while locked and connected to a known Wi-Fi network (all conditions must be met). Back in 2012, about 33 percent of Apple customers were using iCloud. While no recent statistics are available, we can guess that iCloud usage has increased dramatically, with the majority of Apple customers backing up their information into the cloud.
Cloud backups contain all of the same information as offline backups produced via iTunes. iCloud backups can be retrieved with forensic software if the user’s Apple ID and password are known, or if a binary authentication token from the user’s computer is available. Information can also be obtained directly from Apple by law enforcement with a government request.
Android Forensics
Acquisition methods available for Android devices differ significantly.
- Sending the device to the manufacturer for data extraction. Generally available to government agencies and law enforcement for most domestic devices. May not be available for international models (e.g. no-name Chinese phones).
- Physical acquisition. A non-destructive acquisition method that obtains the full image of the device via a USB cord and forensic software.
- JTAG forensics. Retrieves information via the phone’s Test Access Port.
- Chip-off acquisition. Requires the removal of memory chips. Produces raw binary dumps.
- Over-the-air acquisition. Involves downloading information from the user's Google Account.
Sending to Manufacturer
Sending the device to its manufacturer may be a viable acquisition strategy if the device is unavailable via other means. For example, Samsung, which is the number one seller of smartphone devices in the US, has an official policy to support information extraction when served a government request.
Notably, this approach may not be available in the case of international devices (in particular, no-name and C-brand smartphones originating from China). On the other hand, most Chinese devices are not secured in any reasonable way, and can usually be acquired via physical acquisition.
Android Fragmentation
Android is a highly fragmented platform with several hundred manufacturers and many thousand device models. In a report dated August 2014, OpenSignal states: “We have seen 18,769 distinct devices download our app in the past few months. In our report last year we saw 11,868.” According to the same report, “Samsung have a 43 percent share of the Android market
JTAG Forensics (Android)
JTAG forensics is an advanced acquisition procedure, which uses the standard JTAG port to access raw data stored in the connected device. By using specialized equipment and a matching device-specific JTAG cable, one can retrieve the entire flash memory contents from compatible devices. Notably, JTAG acquisition is often available even for locked, damaged or otherwise inaccessible devices.
It is important to realize that JTAG forensics is a low-level acquisition method that will return raw content of the memory chips. If whole-disk data encryption is present on the device (either pre-activated by the manufacturer or enabled by the user), JTAG acquisition will produce an encrypted image. In order to decrypt the raw image, one will need access to the phone’s higher-level API, which, in turn, requires supplying the correct passcode. Notably, whole-disk encryption is active out of the box on many Samsung phones, Nexus 6 and Nexus 9 devices as well as some other flagship phones sold by leading manufacturers.
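The point above, that a JTAG (or chip-off) dump of an encrypted device is itself encrypted, can be checked before any parsing is attempted. The following is an added example, not part of the original whitepaper or any vendor tool: it triages a raw userdata partition image by looking for the ext4 superblock magic and sampling block entropy. It assumes the partition has already been carved out of the full flash dump and that an unencrypted partition would be ext4; the sample images are constructed.

```python
import math
import os
import struct
from collections import Counter

BLOCK = 4096
EXT4_MAGIC_OFFSET = 1024 + 0x38  # superblock at byte 1024, s_magic field at +0x38
EXT4_MAGIC = 0xEF53              # stored little-endian on disk

def shannon_entropy(buf: bytes) -> float:
    """Bits per byte: 0.0 for constant data, close to 8.0 for ciphertext."""
    n = len(buf)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(buf).values())

def has_ext4_superblock(image: bytes) -> bool:
    if len(image) < EXT4_MAGIC_OFFSET + 2:
        return False
    return struct.unpack_from("<H", image, EXT4_MAGIC_OFFSET)[0] == EXT4_MAGIC

def triage_partition(image: bytes, samples: int = 64, threshold: float = 7.9) -> dict:
    """Sample blocks across a raw partition dump and classify it."""
    nblocks = len(image) // BLOCK
    step = max(1, nblocks // samples)
    ents = [shannon_entropy(image[i * BLOCK:(i + 1) * BLOCK])
            for i in range(0, nblocks, step)]
    high_ratio = sum(e >= threshold for e in ents) / len(ents) if ents else 0.0
    if has_ext4_superblock(image):
        verdict = "plaintext-ext4"      # readable filesystem; high-entropy blocks are just media
    elif high_ratio > 0.9:
        verdict = "likely-encrypted"    # no filesystem signature, near-random throughout
    else:
        verdict = "unknown"             # wiped, other filesystem, or wrong partition offset
    return {"verdict": verdict, "high_entropy_ratio": round(high_ratio, 2)}

def make_plain_sample() -> bytes:
    """Constructed 256 KiB image: zero-filled with an ext4 magic in place."""
    img = bytearray(64 * BLOCK)
    struct.pack_into("<H", img, EXT4_MAGIC_OFFSET, EXT4_MAGIC)
    return bytes(img)

def make_encrypted_sample() -> bytes:
    """Constructed 256 KiB image: random bytes standing in for ciphertext."""
    return os.urandom(64 * BLOCK)
```

For real multi-gigabyte dumps, read the sampled blocks from the file with seek/read rather than loading the whole image into memory. A "likely-encrypted" verdict means the passcode is still needed to decrypt the image, as described above.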