13.07.2015

Elcomsoft iOS Forensic Toolkit Guided Mode Extraction Tutorial

Patrick Leahy Center for Digital Investigation (LCDI)

Uploading the Toolkit Ramdisk to the Device

Step 1
Once the device is in DFU mode (continuing from Step 5 above), type "y" and press "Enter" to load the Toolkit Ramdisk onto the device. Alternatively, select menu item two in the main menu, which brings up a window allowing you to choose your device. Enter the corresponding number for your device. In this example we have an iPhone 3GS, so we choose menu item 13. Press "Enter" to upload the ramdisk.

Step 2
a) The software will begin uploading the Ramdisk to the device.


b) Once the Ramdisk has uploaded correctly, you will see the Elcomsoft logo displayed on the screen of the device.
c) Once the device shows the Elcomsoft logo, you have successfully uploaded the Ramdisk to the device. Press "Enter" to continue.

Acquiring Physical Image(s) of the Device's Filesystem

Step 1
Select menu item three from the main menu to acquire a physical image of the device filesystem.


Step 2
Once the software detects the iOS version of the phone, you will be presented with two partitions: system and user (most iOS devices have two partitions). For devices with iOS 4.x, the system partition is labeled rdisk0s1 and the user partition is labeled rdisk0s2s1. For devices with iOS 5.x, the system partition is labeled rdisk0s1s1 and the user partition is labeled rdisk0s1s2. In this example, our iPhone runs iOS 5. The system partition is not encrypted, while the user partition is; you will decrypt the user partition later in this tutorial. Select the corresponding menu item for each partition image and press "Enter." To keep it simple, image the system partition first and the user partition second.

Step 3
Once you select the menu item for the partition to image, you will be prompted to save the image file. If you do not provide a full path or an image name, the file will be stored in the current directory (the folder in which the Elcomsoft iOS Forensic Toolkit is located) and the default image name (system.dmg or user.dmg) will be used. Press "Enter" to save the image file to the current directory.


Step 4
The toolkit will begin imaging the device. Imaging the system partition typically takes no longer than 5-7 minutes; imaging the user partition takes longer, depending on the size and type of device. Typically a 32 GB iPhone 3GS takes about 40 minutes to image the user partition. Once the imaging has finished, press "Enter" to return to the main menu. Repeat steps 1-4 to image the second partition.

Acquiring the User's Files as a Tarball (Logical Acquisition)

Step 1
At the main menu, select menu item four to retrieve tar files (logical image) and press "Enter."

Step 2
Press "y" and "Enter" to continue. You will be prompted for where to store the archive. If you do not provide a full path or an archive name, the file will be stored in the current directory (the folder in which the Elcomsoft iOS Forensic Toolkit is located) and the default archive name (user.tar) will be used. Press "Enter" to save the archive file to the current directory.


Step 3
The logical acquisition will begin. When it is done, press "Enter" to return to the main menu.


Recovering Device Passcode

Step 1
At the main menu, select menu item six and press "Enter" to recover the device passcode. In order to extract device keys and keychain data from the device (menu item five), you must first obtain the passcode to unlock the phone.
(Note: Guided mode can only recover simple (4-digit) passcodes. To recover a complex passcode you will have to use the manual mode.)

Step 2
Press the "y" key and press "Enter" to continue. You will be prompted to save the passcode to a file. If you do not provide a full path or a file name, the file will be stored in the current directory (the folder in which the Elcomsoft iOS Forensic Toolkit is located) and the default file name (passcode.txt) will be used. Press "Enter" to save the passcode file to the current directory.


Step 3
The software will mount the user partition and attempt to recover the simple (4-digit) passcode. Depending on the size and device type, this process should take no longer than 20-40 minutes. Once the passcode has been recovered successfully, it will be displayed on the screen. Press "Enter" to return to the main menu.

Extracting Device Keys and Keychain Data

Step 1
At the main menu, select menu item five to extract the device keys and keychain data[1], and then press "Enter."
(Note: In order to extract device keys and keychain data from the device (menu item five), you must first obtain the passcode to unlock the phone.)

[1] The keychain is the password management system on Apple devices. It allows a user to store passwords for programs, e-mail accounts, web sites, and more.


Step 2
Press the "y" key and "Enter" to continue.

Step 3
Enter the device passcode, which you retrieved in the Recovering Device Passcode section above, and press "Enter."

Step 4
Now you will be asked for the escrow file (optional). The escrow file allows you to decrypt all data stored on the device if you do not have the passcode of the device. The escrow files are in %ALLUSERSPROFILE%\Application Data\Apple\Lockdown\ on Windows XP and in %ALLUSERSPROFILE%\Apple\Lockdown\ on Windows 7. Press "Enter" to skip the escrow file.
(Note: The escrow file is used for iOS 4.x devices only.)


Step 5
You will be prompted to save the data to a file. If you do not provide a full path or a new file name, the file will be stored in the current directory (the folder in which the Elcomsoft iOS Forensic Toolkit is located) and the default file name (keys.plist) will be used. Press "Enter" to save the file to the current directory and to begin the extraction.

Step 6
Once the extraction has completed, it will output the device serial number, the passcode for the device, the keychain version, and the backup password (iTunes backup), if applicable. Press "Enter" to return to the main menu.


Decrypting Disk Image

Step 1
At the main menu, select menu item eight to decrypt the disk image and press "Enter."


Step 2
The command screen will ask you to select your encrypted image file (user.dmg), which you should already have from the physical acquisition section. Press "Enter" to select the encrypted image file from the current directory.

Step 3
Now you will be asked to select your device keys file (keys.plist), which you should already have from the device keys extraction section. Press "Enter" to select the device keys file from the current directory.

Step 4
Now you will be prompted to save the decrypted image file. If you do not provide a full path or a new file name, the file will be stored in the current directory (the folder in which the Elcomsoft iOS Forensic Toolkit is located) and the default file name (user-decrypted.dmg) will be used. Press "Enter" to save the file to the current directory and to begin the decryption process. The decryption time will depend on the size of the encrypted image.

Step 5
Once the image has finished decrypting, the tool will output the image encryption statistics on the screen. This will tell you the total number of files, the number of files that were decrypted, the size of the image that was decrypted (28.51 of 28.51 GB decrypted), and the SHA1 hash of the decrypted image. Press "Enter" to return to the main menu.


Decrypting the Keychain

Step 1
At the main menu, select menu item nine to decrypt the keychain and press "Enter."

Step 2
You will be prompted to select your device keys file (keys.plist), which you should already have from the device keys extraction section. Press "Enter" to select the device keys file from the current directory.


Step 3
Now you will be prompted to save the decrypted keychain file. If you do not provide a full path or a new file name, the file will be stored in the current directory (the folder in which the Elcomsoft iOS Forensic Toolkit is located) and the default file name (keychain.txt) will be used. Press "Enter" to save the file to the current directory and to begin the decryption process, which starts almost immediately after you press Enter.

Step 4
Once the keychain has finished decrypting, the tool will let you know that the complete key set has been loaded and that all keychain items will decrypt. Press "Enter" to return to the main menu.

Rebooting the Device

Step 1
Once you have extracted all of the data, reboot the device to remove the Ramdisk and take the device out of DFU mode. At the main menu, select menu item seven to reboot the device and press "Enter." The device will automatically reboot and turn on.
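The guided-mode run leaves a set of artifacts in the toolkit directory (system.dmg, user.dmg, user.tar, passcode.txt, keys.plist, user-decrypted.dmg, keychain.txt), and the image decryption step prints a SHA1 hash of user-decrypted.dmg on screen. The script below is an added example, not part of the Elcomsoft toolkit or of the LCDI tutorial: it records an independent SHA-1 manifest of whatever artifacts are present, re-verifies them later (for example before and after copying the evidence to another drive), and compares the hash the tool printed with one computed outside the tool. It assumes a POSIX shell with either sha1sum (coreutils) or shasum (macOS); the artifact names are the tutorial's defaults, and any sample files used with it are constructed.

```shell
#!/bin/sh
# Added example (not Elcomsoft or LCDI code): integrity manifest for the
# artifacts a guided-mode extraction writes into the toolkit directory.

# Print the SHA-1 of a file; works with coreutils sha1sum or macOS shasum.
sha1_of() {
    if command -v sha1sum >/dev/null 2>&1; then
        sha1sum "$1" | cut -d' ' -f1
    else
        shasum -a 1 "$1" | cut -d' ' -f1
    fi
}

# write_manifest DIR MANIFEST
# Hash every default artifact that exists in DIR and write "hash  name" lines.
# The manifest itself is not in the list, so it is never hashed into itself.
write_manifest() {
    dir=$1
    out=$2
    : > "$out"
    for name in system.dmg user.dmg user.tar passcode.txt keys.plist \
                user-decrypted.dmg keychain.txt; do
        [ -f "$dir/$name" ] || continue
        printf '%s  %s\n' "$(sha1_of "$dir/$name")" "$name" >> "$out"
    done
}

# verify_manifest DIR MANIFEST
# Recompute each listed hash; return 0 only if every artifact still matches.
# A missing file hashes to an empty string and is reported as a mismatch.
verify_manifest() {
    dir=$1
    manifest=$2
    status=0
    while read -r expected name; do
        actual=$(sha1_of "$dir/$name" 2>/dev/null)
        if [ "$actual" = "$expected" ]; then
            echo "OK       $name"
        else
            echo "MISMATCH $name"
            status=1
        fi
    done < "$manifest"
    return $status
}

# check_reported DIR NAME REPORTED_SHA1
# Compare the SHA1 the toolkit displayed after decryption with an independent
# computation of the same file; return 0 on match.
check_reported() {
    [ "$(sha1_of "$1/$2")" = "$3" ]
}

# Stand-alone use: ./manifest.sh <toolkit-dir> [manifest-file]
if [ "$#" -ge 1 ]; then
    write_manifest "$1" "${2:-manifest.sha1}"
fi
```

Keep the manifest with the case notes rather than in the toolkit directory, since passcode.txt, keys.plist and keychain.txt contain the recovered secrets and should move with the evidence under the same handling rules.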


