Apr 14, 2023 / By Wael Alnahari / in Digital Forensics
Welcome to Part 4 of the Perfect Acquisition series! In case you missed the other parts (1, 2, and 3), please check them out for more background information, or dive straight in and learn how to perform Perfect HFS Acquisition yourself. This section contains a comprehensive guide on how to perform the Perfect HFS Acquisition procedure.
The Perfect HFS Acquisition procedure consists of three stages, which are creating a perfect dump, acquiring a complete set of decryption keys, and decrypting the dump. The following conditions must be met to use this method: HFS file system (APFS not supported), and no SEP. The guide then provides instructions for creating a perfect dump, which involves booting into EIFT, creating a disk dump, and optionally dumping the system partition. The next step is to acquire a complete set of decryption keys. We provide instructions on how to extract the system keybag and crack the passcode if necessary.
The following method applies only to devices that meet the following conditions:
Furthermore, our software currently does not work on the iPhone 2G, iPhone 3G, iPod Touch 1, or iPod Touch 2. This may change in the future.
The following devices are fully supported:
The Perfect HFS Acquisition procedure consists of three stages.
In this section, you will be creating a perfect dump of the data partition, extracting BFU keys, and making an optional dump of the system partition.
./EIFT_cmd boot -w
./EIFT_cmd ramdisk diskdump -o data.dmg
Note: If the device was shut down uncleanly or the file system is corrupt, you may get an error like this:
[Error] [!] Data partition is in an unclean state, please run fsck first to fix potential inconsistencies!
Alternatively pass --unclean, to ignore this and proceed with dumping anyways!
In this case add the --unclean flag to ignore the error and dump anyways.
ATTENTION: If the file system is indeed corrupt, you may need to deal with it at a later stage. It may be necessary to fix the corruption in the dump or to inspect the image manually.
Note: In that case it is recommended to create a copy of the dump and perform modifications on the copy rather than on the original dump.
During this procedure the device will not be modified at any time and stays 100% sound and repeatable.
In case of an unclean file system, perform the dump with the following command:
./EIFT_cmd ramdisk diskdump --unclean -o data.dmg
Optionally, it is possible to also dump the system partition. On unmodified devices there will be nothing interesting on the system partition, however a jailbreak or malware could modify the system partition. On older devices (especially those which used to be jailbroken a lot) the system partition should be dumped for good measure.
Dump the system partition with this command:
./EIFT_cmd ramdisk diskdump --system -o system.dmg
Note: If the device was shut down uncleanly or the file system is corrupt, you may get an error. In that case pass the --unclean parameter to dump the partition anyways.
Dump BFU keys
To dump BFU keys run the following command:
./EIFT_cmd ramdisk dumpkeys -n -o keys_bfu.plist
This dump will contain an incomplete set of keys. A complete set of keys will be acquired at a later stage.
Congratulations, you now have a perfect dump of the device. The system partition is not encrypted and can already be analyzed. To decrypt the data partition, a complete set of keys needs to be acquired as described in the next section.
You need to acquire a complete set of decryption keys in order to access userdata. Without those keys only limited (BFU) data will be available.
The following passage will describe how to acquire a complete set of keys by using the target device as an oracle.
IMPORTANT: You have to perform the following procedure on the exact same device as you acquired the dump from. You cannot use a different device.
Note: It does not matter what state the device is in. The device can still be used even if it has been tampered with or the data has been erased from device in the meanwhile. Modifications to the device at this point do not impact the soundness of the dump created earlier.
In the following we assume the device is already booted into EIFT ramdisk mode.
Extract systembag.kb
In order to extract the system keybag, you need to be in possession of a data dump (data.dmg) and the corresponding BFU keys (keys_bfu.plist).
Note: A complete set of keys can also be used at this stage.
Run the following command to extract the system keybag:
./EIFT_cmd hfstool -i data.dmg -p /keybags/systembag.kb -e -o systembag.kb -k keys_bfu.plist --no-passcode
The command should create a new file called systembag.kb.
At this point you should verify whether the file got decrypted correctly! The file is expected to start with the bytes bplist. This can be verified using the following command on a UNIX system:
head -c 6 systembag.kb | hexdump -C
This should output:
00000000 62 70 6c 69 73 74 |bplist|
00000006
Alternatively, you can try opening the file in any plist viewer. If the file can be opened, then the decryption was successful!
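That check can be automated, which is handy when several keybags or dumps are being processed. The script below is an added example, not code from EIFT or from the original post. It assumes only what the post states: a correctly decrypted systembag.kb is a binary property list and therefore begins with the bytes "bplist". The two sample files it writes are constructed placeholders with no resemblance to a real keybag's contents; they exist only so the check can be exercised offline.

```python
"""Verify that an extracted systembag.kb decrypted correctly.

Added example (not part of EIFT or the original post). Assumption: a
decrypted system keybag is a binary plist, so it starts with "bplist".
"""
import plistlib
import tempfile
from pathlib import Path

# Magic bytes of a binary property list. The post checks the first six
# bytes ("bplist"); the full 8-byte header also carries a version ("00").
BPLIST_MAGIC = b"bplist"


def hexdump_head(data: bytes, length: int = 6) -> str:
    """Render the first `length` bytes in the style of `hexdump -C` (one line)."""
    chunk = data[:length]
    hex_part = " ".join(f"{b:02x}" for b in chunk)
    ascii_part = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
    return f"00000000  {hex_part}  |{ascii_part}|"


def check_keybag(path) -> dict:
    """Describe whether the file at `path` looks like a decrypted keybag.

    Returned keys:
      head     - hexdump-style rendering of the first bytes
      magic_ok - True if the file starts with "bplist"
      parses   - True if plistlib can parse the whole file
      top_keys - sorted top-level keys if it parsed as a dict, else []
    """
    data = Path(path).read_bytes()
    result = {
        "head": hexdump_head(data),
        "magic_ok": data.startswith(BPLIST_MAGIC),
        "parses": False,
        "top_keys": [],
    }
    if not result["magic_ok"]:
        # Still ciphertext (wrong keys or wrong device) or a truncated file:
        # there is no point trying to parse it.
        return result
    try:
        obj = plistlib.loads(data)
    except (plistlib.InvalidFileException, ValueError):
        # Right header but damaged body, e.g. a partially overwritten file.
        return result
    result["parses"] = True
    if isinstance(obj, dict):
        result["top_keys"] = sorted(obj.keys())
    return result


def make_samples(directory):
    """Write two constructed sample files: a valid binary plist and junk.

    Neither resembles a real systembag.kb; they only exercise the check.
    """
    d = Path(directory)
    good = d / "systembag_good.kb"
    bad = d / "systembag_bad.kb"
    good.write_bytes(
        plistlib.dumps({"_placeholder": "constructed"}, fmt=plistlib.FMT_BINARY)
    )
    # Deterministic non-plist bytes standing in for undecrypted ciphertext.
    bad.write_bytes(bytes(range(256)) * 4)
    return good, bad


def run_demo() -> tuple:
    """Build the constructed samples in a temp dir and check both of them."""
    with tempfile.TemporaryDirectory() as tmp:
        good, bad = make_samples(tmp)
        return check_keybag(good), check_keybag(bad)


if __name__ == "__main__":
    for label, r in zip(("good", "bad"), run_demo()):
        print(f"{label}: {r['head']}  magic_ok={r['magic_ok']} parses={r['parses']}")
```

To check a real extraction, call check_keybag("systembag.kb") and require both magic_ok and parses to be True; a file that passes the magic check but fails to parse usually means the keybag was decrypted with the wrong keys for part of its length or was truncated when written.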
Cracking the passcode
If the passcode is not known, it can be cracked at this point. If you already know the passcode, you can skip this step.
For cracking the passcode you will need the system keybag (systembag.kb) and the BFU keys (keys_bfu.plist). This will allow cracking the passcode of that specific system keybag from the corresponding device.
To run passcode crack with the default config, run the following command:
./EIFT_cmd ramdisk passcode -b systembag.kb -k keys_bfu.plist
Getting a complete set of keys
To get a complete set of keys, you are required to have the system keybag (systembag.kb) and the BFU keys (keys_bfu.plist), as well as to know the passcode of the keybag. If the passcode is not known, you can crack it as described in the previous step.
Run the following command to get a full set of keys:
./EIFT_cmd ramdisk dumpkeys -k keys_bfu.plist -b systembag.kb -o keys.plist -p
Replace the value after -p with the device passcode. For example, if the passcode is 0000, the command looks like this:
./EIFT_cmd ramdisk dumpkeys -k keys_bfu.plist -b systembag.kb -o keys.plist -p 0000
If the device does not have a passcode set, you can omit the -p parameter.
This should create a new file called keys.plist, which is the complete set of keys required to decrypt all files.
For decrypting the data dump (data.dmg), you need to have a complete set of decryption keys (keys.plist). The previous section describes how to get them using the same device the dump was performed on.
Decrypt the data
To decrypt the dump, run the following command:
./EIFT_cmd tools decrypthfs -i data.dmg -o data_dec.dmg -k keys.plist -j 16
Note: The -j parameter specifies the number of threads to use for decryption. The number 16 is a good value for a modern machine. You can decrease the number if you have an old machine with very little RAM or increase it if you have a lot of computing power.
Extract the keychain
To extract and decrypt the keychain from the dump, run the following command:
./EIFT_cmd tools keychain -i data.dmg -k keys.plist -o keychain.xml
Note: It doesn’t matter if the encrypted or decrypted image is used for this command. If the encrypted image is used (as shown) the necessary files are decrypted on the fly.
This should create a new file called keychain.xml.
By Elcomsoft R&D, 2023-04-11 13:14:09. Source: ElcomSoft blog.