Apr 14, 2023 / By Wael Alnahari / in Digital Forensics
The recent update to iOS Forensic Toolkit brought two automations based on the Raspberry Pi Pico board. One of the new automations makes it possible to make long, scrollable screen shots in a semi-automatic fashion. In this article we will show how to build, program, and use a Raspberry Pi Pico board to automate scrolling screenshots.
Capturing screenshots can be a crucial step in mobile device investigations. By taking a series of screenshots of what is displayed on a connected iOS device, investigators can gather digital evidence that may not be accessible through other means, such as advanced logical acquisition, where the data such as protected chat histories may not be available. In a way, the new feature can be viewed as new extraction tool in addition to cloud, advanced logical, and low-level extraction methods.
Using a Raspberry Pi board, one can also make long, scrollable screen shots in a semi-automatic fashion. Available for all devices and most versions of iOS, the experimental new feature also makes use of a Raspberry Pi Pico device with custom, ElcomSoft-developed software that is now included with iOS Forensic Toolkit. The feature is available for most iOS/iPadOS devices staring with iOS 14.
Compared to the auto-DFU process, you will only need a few things other than the iPhone or iPad itself.
To capture scrolling screenshots, do the following.
The firmware is located by the following path:
pico/picoScrollNScreenshot/adafruit-(...).uf2
The files to copy (code.py and the lib folder) are also there.
Once the files are on the Pico, do the following.
Extra power is not required as the Pico takes 5V from the USB plug. However, with an Apple Camera Adapter, you can use its other (Lightning) port to power up the iPhone itself to prevent it from discharging during the process.
After that, copy the screen shots to your computer (by extracting media files, doing full logical acquisition, or with AirDrop). You may want to stitch the screenshots first; there are many iOS apps for that such as Tailor.
Finally, you can OCR the screen shots, index and analyze the text.
The process does not always work out of the box. The screenshots are always captured, but the scrolling sometimes fails unless you connect a USB mouse to the iPhone first and use the wheel to scroll up and down several times.
Also, we are not absolutely sure that this method works with non-native Lightning to USB adapters. It definitely works with an official Apple’s one though.
You may also need to edit the code.py file. The critical options are:
SCROLL_WITH_MOUSE = 1 SCROLL_MOUSE_DISTANCE = 250 DELAY_AFTER_SCROLL = 1
SCROLL_WITH_MOUSE means whether to emulate a keyboard (0) or mouse (1). The first option is more robust but some apps don’t support it (e.g. Telegram).
SCROLL_MOUSE_DISTANCE is only used when mouse emulation is enabled, and specifies the scrolling range. In our tests, the default value of 250 works great if you were to stitch the screen shots, but depending on a particular device you may need to set a different value.
DELAY_AFTER_SCROLL specifies the delay between scrolling and capturing screen shots; the default value is one second, but you can set a greater delay to let delayed images and URL information load after scrolling.
Note that the default behavior of the scrolling is in the down direction. That means that you need to start the process at a top of a page or conversation you need to save.
Finally, please note that the script starts working right when any device is connected to the Pico board. That includes a Mac computer; that’s why we implemented a 15-second delay after connection (so that you have enough time to edit or delete code.py).
Last but not least, the script cannot (and will not) detect when screen shooting is done. You have to stop it manually by disconnecting the cable.
This feature is experimental and not yet perfect. The biggest problem is that all the screenshots are captured and stored right on the device rather than the computer. Yet this may still be the only method to extract certain types of data from some iOS applications in case the device is not vulnerable to a bootloader exploit and not supported by the acquisition agent.
By Oleg Afonin at 2023-04-13 10:00:22 Source ElcomSoft blog:
May 31, 2024 by Wael Alnahari
May 15, 2024 by Wael Alnahari
WGN | وغن