In the realm of iOS device forensics, the use of the checkm8 exploit for low-level extractions has become common practice. However, this method occasionally requires removing the device’s screen lock passcode, which can have several undesirable consequences. In this article, we study these consequences and explain when a screen lock reset is needed, when it can be avoided, and what the latest iOS Forensic Toolkit has to do with it.
With the release of iOS Forensic Toolkit 8.55, we have eliminated the requirement to reset the screen lock passcode for the vast majority of devices for which it was previously required. For three devices (iPhone 8, 8 Plus and iPhone X) running iOS 14 or 15, however, you still have to remove the screen lock passcode when using checkm8 extraction. Instead, we propose an alternative low-level extraction method that does not depend on the passcode.
Why a passcode reset may be required (and why it may not even help)
The vulnerability used in the checkm8 exploit resides in the bootloader, which is hardcoded into the device and cannot be changed or patched by Apple. However, Apple’s developers have largely mitigated the effects of the exploit when it comes to data extraction.
With the release of iOS 14, Apple made things more difficult for mobile forensic specialists. On A11 iPhones specifically, iOS 16 added further hardening to the SEP (Secure Enclave Processor), which is responsible for the system’s data protection. When the device is booted through DFU mode, the SEP disables the cryptographic keys needed to decrypt user data. In iOS 15 (on A10 and A11 devices) it was enough to remove the passcode while booted in normal mode so that the extraction did not rely on those hardware-disabled keys. In iOS 16, however, if a passcode was ever set on the device after a clean restore, it is no longer possible to avoid relying on the keys that the SEP disables, which greatly improves the protection of user data.
On older A10X devices (such as the iPad Pro 2) we can exploit the SEP with blackbird and tell it not to disable those keys, while even older devices (A9 and earlier) such as the iPad 5 never received that hardening in the first place.
Therefore, on an iPhone 8, 8 Plus or iPhone X running iOS 16, the extraction will fail if a passcode was ever used after the initial setup. If one of those iPhones runs iOS 14 or 15, the user data is still accessible; however, the passcode must be removed first.
TL;DR: when a passcode reset is required
Removing the screen lock passcode is only required if (all conditions must apply):
You are doing a checkm8 extraction
The device is either an iPhone 8, 8 Plus, or iPhone X
The device is running iOS 14 or 15
If any one condition is not true, you don’t need to remove the passcode.
Why removing the passcode can be detrimental
There are several consequences to removing the screen lock passcode during an investigation.
The extraction process is no longer forensically sound as many changes are made to the device.
The passcode removal causes some data to be permanently lost, such as Apple Pay transactions, downloaded Exchange-based mail, some application tokens etc.
Under certain circumstances, the passcode cannot be removed until one signs in to iCloud from the affected device, which creates the obvious risks of remote wipe/lock, as well as unwanted data sync.
If you use the workaround described in How to Remove The iPhone Passcode You Cannot Remove, resetting the device settings causes even more changes on the device, let alone that it is not always possible (e.g. if a Screen Time password is set or the device is managed).
The device is no longer “trusted” in a sense of accessing end-to-end encrypted data stored in iCloud.
For these reasons, we discourage this practice if it can be avoided. Consider removing the passcode a last resort, one that should only be taken after careful consideration of all the pros and cons. If you still need to reset the screen lock passcode, make sure that a backup of the device has been made beforehand (even if it is password-protected), media files have been extracted via the AFC protocol, and diagnostic logs and application files have been saved.
How to remove the screen lock passcode
While removing the screen lock passcode is normally a simple and straightforward procedure (Settings, Face ID & Passcode, Turn Passcode Off; you’ll be prompted for the original passcode), you may encounter problems even during this simple procedure. Screen Time password, MDM, external security policy and certain device settings may prevent you from disabling passcode authentication. Please read How to Remove The iPhone Passcode You Cannot Remove for more information.
When NOT to reset the passcode
By now we have established that you only need to reset the screen lock passcode for iPhone 8, 8 Plus, and iPhone X devices running iOS 14 or 15 when you perform a checkm8 extraction. However, an alternative low-level extraction method exists that returns the same amount of data without requiring you to reset the screen lock passcode.
If the device is running iOS 14 or 15 (and even iOS 16, currently up to iOS 16.5.1), you can use the extraction agent in iOS Forensic Toolkit. The extraction agent does not require the screen lock passcode to be removed.
Important: Previously, you would be prompted to remove the screen lock passcode for the following iPad models if they were running iOS 16:
iPad Pro // A9X
iPad Pro 2 // A10X
iPad 5 // A9
iPad 6 // A10
iPad 7 // A10
This is no longer the case with the latest release of iOS Forensic Toolkit 8.55. We recommend updating to the latest version of iOS Forensic Toolkit if you have an older version installed.
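As an added example (not iOS Forensic Toolkit code), the following Python encodes the TL;DR conditions above together with the agent alternative as a triage helper. It assumes the device’s ProductType and ProductVersion are taken from libimobiledevice’s ideviceinfo output (the sample below is constructed), and maps the public Apple ProductType identifiers of the three A11 iPhones to their model names.

```python
"""Passcode-reset triage for checkm8 vs. agent extraction (added example, not Toolkit code)."""

# Real Apple ProductType identifiers for the three A11 iPhones the article names.
A11_IPHONES = {
    "iPhone10,1": "iPhone 8", "iPhone10,4": "iPhone 8",
    "iPhone10,2": "iPhone 8 Plus", "iPhone10,5": "iPhone 8 Plus",
    "iPhone10,3": "iPhone X", "iPhone10,6": "iPhone X",
}
AGENT_MAX_IOS = (16, 5, 1)  # agent extraction is supported up to iOS 16.5.1 per the article

# Constructed sample in the "Key: value" format printed by libimobiledevice's ideviceinfo.
SAMPLE_IDEVICEINFO = "ProductType: iPhone10,3\nProductVersion: 15.7.1\nDeviceName: Evidence-01\n"

def parse_ideviceinfo(text):
    """Turn ideviceinfo output into a dict; lines without ': ' are skipped."""
    info = {}
    for line in text.splitlines():
        key, sep, value = line.partition(": ")
        if sep:
            info[key.strip()] = value.strip()
    return info

def parse_version(version):
    """'16.5.1' -> (16, 5, 1); tuples compare correctly even with differing lengths."""
    return tuple(int(part) for part in version.split("."))

def triage(product_type, ios_version, method):
    """Apply the article's rules; method is 'checkm8' or 'agent'."""
    version = parse_version(ios_version)
    model = A11_IPHONES.get(product_type)
    result = {"model": model or product_type, "reset_required": False, "viable": True}
    if method == "checkm8" and model and version[0] in (14, 15):
        result["reset_required"] = True
        result["note"] = "A11 iPhone on iOS 14/15: checkm8 needs the passcode removed; prefer the agent"
    elif method == "checkm8" and model and version[0] >= 16:
        result["viable"] = False
        result["note"] = "A11 iPhone on iOS 16 or later: SEP disables the keys; removing the passcode does not help"
    elif method == "checkm8":
        result["note"] = "no passcode reset needed with iOS Forensic Toolkit 8.55"
    elif method == "agent" and version > AGENT_MAX_IOS:
        result["viable"] = False
        result["note"] = "beyond the iOS range the article covers for the agent"
    elif method == "agent":
        result["note"] = "agent extraction works with the passcode in place"
    else:
        raise ValueError(f"unknown extraction method: {method}")
    return result

def triage_from_ideviceinfo(text, method):
    """Convenience wrapper: feed raw ideviceinfo output straight into triage()."""
    info = parse_ideviceinfo(text)
    return triage(info["ProductType"], info["ProductVersion"], method)
```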
Conclusion
It is important to mention that competing solutions often necessitate the removal of the screen lock passcode over a significantly broader range than our solution does. In iOS Forensic Toolkit, we leverage all current exploits, including the SEP exploit for A10 processors, to work around the passcode whenever possible. Consequently, when using our products, resetting the screen lock passcode is only required when one cannot bypass it even theoretically.
By Oleg Afonin, 2024-04-30 16:07:45. Source: ElcomSoft blog.