Nov 15, 2022 / By Wael Alnahari / in Digital Forensics
Advanced logical acquisition is the most compatible and least complicated way to access essential evidence stored in Apple devices. In legacy versions of iOS Forensic Toolkit, we offered a 1-2-3 style, menu-driven extraction experience, while the updated release of iOS Forensic Toolkit 8.0 is driven by the command line. In this quick-start guide we lay out the steps required to extract the maximum amount of data from Apple devices via the advanced logical process.
Advanced (or “extended”) logical acquisition is an unofficial name for a set of data extraction methods available for all iPhone, iPad, and iPod Touch devices regardless of the version of iOS installed and regardless of the hardware platform. Advanced logical acquisition includes the extraction of a local backup, media files, shared files, and system crash logs and diagnostic logs. You must be able to unlock the device and pair it to the computer, which requires a screen lock passcode.
An iTunes-style backup is part of the logical extraction process. In iOS and iPadOS, local backups may be protected (and securely encrypted) with a password. Such password-protected backups contain more information for the examiner than unencrypted backups. For this reason, we recommend setting a temporary backup password (e.g., ‘123’) before creating a backup, which requires confirmation with the screen lock passcode. Do not forget to remove the temporary password when you are done; more on that in iOS Backups: Leftover Passwords.
Note that you can only change the backup password if the original backup password is known or empty. If the device has an unknown backup password, we recommend creating a backup nevertheless. After that, consider resetting the backup password with “Reset All Settings” (not to be confused with “Erase content and settings”, which factory-resets the device).
Note: changing a backup password in recent versions of iOS requires a screen lock passcode.
In addition to local backups, extended logical acquisition returns media files, some diagnostic logs and shared app data. Additional information on logical acquisition is available in the following articles:
To perform a complete logical extraction, follow these steps:
./EIFT_cmd normal pair
On the phone, confirm the “Trust this computer?” prompt.
./EIFT_cmd info
./EIFT_cmd normal backuppwcheck
If you are using an external pairing record file, pass it in the command line. Note: if this is the case, you will have to use the -r switch along with the path to the pairing record for all subsequent commands:
./EIFT_cmd normal backuppwcheck -r record.plist
Check the output, looking for “Backup password” status:
Started logging Thread!
Got device:
Mode: [normal]
BuildVersion: 16H50
DeviceName: iPhone
HardwareModel: N53AP
Paired: YES
PasswordProtected: NO
ProductName: iPhone OS
ProductType: iPhone6,2
ProductVersion: 5.4
SerialNumber:
udid:
Loading custom record from=record.plist
Checking backup password...
Backup password is DISABLED
Done
./EIFT_cmd normal backuppwset -p "123"
./EIFT_cmd normal backup -o ./
If you are creating a large backup, you may want to use an external disk as a destination. In that case, use the following syntax:
./EIFT_cmd normal backup -o /Volumes/DISKNAME
DISKNAME is the name of the disk as displayed in Finder. Note that the backup contains multiple files. If you need to attack the backup password, you will only need a single file named manifest.plist.
./EIFT_cmd normal backuppwunset -p "123"
./EIFT_cmd normal dumpafc -o afcdump.tar
If you need to save the file in a different folder or disk, use the following syntax (also applies to subsequent commands):
./EIFT_cmd normal dumpafc -o /Volumes/DISKNAME/afcdump.tar
./EIFT_cmd normal dumpcrash -o crashlogs.tar
./EIFT_cmd normal dumpshared -o container.tar
Here is the short list of all commands you will need most of the time to perform advanced logical acquisition:
./EIFT_cmd info
./EIFT_cmd normal backup -o ./
./EIFT_cmd normal dumpafc -o afcdump.tar
./EIFT_cmd normal dumpcrash -o crashlogs.tar
./EIFT_cmd normal dumpshared -o container.tar
Lockdown records, or pairing records, are files containing cached authentication data for accessing trusted iOS devices without the need to re-pair them to a computer. In specific circumstances (the device’s screen is locked, the screen lock passcode is unknown, and the device’s USB port is not locked with USB restricted mode), a lockdown record may be used to perform advanced logical acquisition of a locked device. Today, the use of lockdown files is limited since lockdown files expire quickly.
The lockdown files are stored in the following folders.
Windows Vista, 7, 8, 8.1, Windows 10 and 11:
%ProgramData%\Apple\Lockdown
Windows XP:
%AllUsersProfile%\Application Data\Apple\Lockdown
macOS:
/var/db/lockdown
When performing live system analysis, a permission change is required to access lockdown files. More information on extracting lockdown files: Accessing Lockdown Files on macOS
When performing advanced logical acquisition, using a lockdown file requires an argument added to each command. For example, device information (also available in BFU mode) will use the following syntax (replace “record.plist” with a path to a lockdown file; please observe the UDID listed in the lockdown file, which must match the UDID of the device being extracted):
./EIFT_cmd info -r record.plist
If you are unable to unlock the device with a certain lockdown file, you may try other lockdown files obtained from that computer (once again, check that the UDID matches). If still not successful, the lockdown record may already have expired, in which case you will need to unlock the device and establish a new pairing relationship, which requires the screen lock passcode.
By Oleg Afonin at 2022-11-15 14:32:20 Source ElcomSoft blog: