“If I had an hour to solve a problem I’d spend 55 minutes thinking about the problem and 5 minutes thinking about solutions.”
― Albert Einstein
At Gillware Digital Forensics, we see a fair amount of the aftermath of tragedies. We are often a family’s last resort when a loved one dies and the family needs to access their electronic devices. We’ve seen firsthand the importance of thinking about our digital legacy and having a plan for how family members can access and settle our digital affairs.
This particular case is doubly tragic. It involves the death of two people in the prime of their lives, the parents of young toddler twins. In February of 2017, this loving couple was on their way to see a Badgers basketball game. The unthinkable happened. A reckless driver traveling in the opposite direction crossed the median, went airborne, and struck their vehicle. The husband died instantly, and the wife later succumbed to her injuries.
The husband’s parents brought his damaged iPhone into Gillware, hoping that we could extract the data from it to preserve precious communications related to the kids. Those communications would become lasting keepsakes of how much the parents cared for the kids. Family members had already attempted to get the data from the phone but only succeeded in getting pictures.
A good deal of successful problem solving involves thinking through the problem. Unlocking and extracting data from smartphones can be difficult. The difference between getting to the data and failing often lies in carefully thinking through the problem and the options available. When the stakes are high, thinking things through is important.
We had some major things going in our favor. The phone had withstood incredible physical forces without breaking. Despite the noticeable bend in its body, it still worked! There was no passcode protecting the phone. The iCloud account the phone was synced to had known credentials so we could backup data from that location as well.
Not far into the examination process, I discovered the reason that the family had been unable to get data out of the phone successfully. An encrypted backup of the phone had previously been created.
Once encrypted backups have been turned on, the backup password is stored on the device and every subsequent backup of the phone is encrypted with it, so the same password is needed to open them. When an encrypted backup has previously been made, the examiner can still use tools like Cellebrite UFED4PC or Physical Analyzer, Magnet Acquire, iTunes or others to extract data from the device. That data is encrypted, though, and is inaccessible without breaking the encryption.
Apple is pretty clear in their instructions to users about encrypting backups: forget the password and the backup can’t be restored.
This isn’t always necessarily the case. There are tools, including Passware Forensic, Elcomsoft’s Phone Breaker, and Tenorshare’s iPhone Backup Unlocker, that can sometimes help us get into encrypted iTunes backups. But brute-forcing a strong password can be an extremely time-consuming proposition, and that is another thing to consider in these situations.
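Before choosing between cracking the password, pulling iCloud backups, or working on the device, it helps to read what the existing backup itself says. The following is an added example written for this article (editor’s code, not Gillware’s and not any vendor’s tool): it reads a backup folder’s Manifest.plist to report whether the backup is encrypted, which iOS version produced it, and, from the BackupKeyBag header, how many PBKDF2 iterations the backup password goes through, which is what drives the brute-force cost mentioned above. The keybag is a flat TLV stream (4-byte tag, 4-byte big-endian length, value); the SALT/ITER pair covers the PBKDF2-SHA1 round and, from iOS 10.2, DPSL/DPIC cover the much more expensive PBKDF2-SHA256 round. Every Manifest.plist and keybag below is constructed sample data, not taken from a real device, and the recommend() mapping is the editor’s summary of the options this post discusses.

```python
"""Inspect a local iTunes backup folder: encrypted or not, iOS version that
made it, and the password KDF cost from the BackupKeyBag header.
Added example; all sample data is constructed, not from a real device."""
import plistlib
import struct
import tempfile
from datetime import datetime
from pathlib import Path


def parse_keybag_header(blob: bytes) -> dict:
    """Parse the header of a BackupKeyBag blob.

    TLV stream: 4-byte ASCII tag, 4-byte big-endian length, value. The header
    carries SALT/ITER (PBKDF2-SHA1) and, from iOS 10.2, DPSL/DPIC
    (PBKDF2-SHA256). Each per-class key entry that follows starts with its own
    UUID tag, so a second UUID marks the end of the header."""
    found = {}
    off = 0
    while off + 8 <= len(blob):
        tag = blob[off:off + 4].decode("ascii")
        (length,) = struct.unpack(">I", blob[off + 4:off + 8])
        value = blob[off + 8:off + 8 + length]
        off += 8 + length
        if tag == "UUID" and "UUID" in found:
            break  # second UUID = first class key; header finished
        if tag in ("VERS", "TYPE", "ITER", "DPIC"):
            found[tag] = struct.unpack(">I", value)[0]
        elif tag in ("UUID", "SALT", "DPSL"):
            found[tag] = value.hex()
    return found


def inspect_backup(backup_dir: Path) -> dict:
    """Read Manifest.plist and summarise the facts that decide the next step."""
    manifest = plistlib.loads((backup_dir / "Manifest.plist").read_bytes())
    lockdown = manifest.get("Lockdown", {})
    info = {
        "encrypted": bool(manifest.get("IsEncrypted", False)),
        # iOS version at the time of the backup: a lower bound on what the
        # device runs now, not necessarily its current version.
        "ios_version": lockdown.get("ProductVersion"),
        "backup_date": manifest.get("Date"),
    }
    if info["encrypted"] and "BackupKeyBag" in manifest:
        kb = parse_keybag_header(manifest["BackupKeyBag"])
        info["kdf"] = {"pbkdf2_sha1_iter": kb.get("ITER"),
                       "pbkdf2_sha256_iter": kb.get("DPIC")}
    return info


def recommend(info: dict) -> str:
    """Map the findings onto the options discussed in the post (editor's summary)."""
    if not info["encrypted"]:
        return "not encrypted: extract directly"
    major = int((info["ios_version"] or "0").split(".")[0])
    if major >= 11:
        return "encrypted, iOS 11+: Reset All Settings clears the backup password, then back up again"
    return "encrypted, pre-iOS 11: crack the password or upgrade the device to iOS 11+ (test on another phone first)"


def _tlv(tag: str, value: bytes) -> bytes:
    return tag.encode("ascii") + struct.pack(">I", len(value)) + value


def build_sample_backup(encrypted: bool = True, ios_version: str = "10.3.3") -> Path:
    """Write a constructed Manifest.plist into a temp folder (sample data only)."""
    keybag = b"".join([
        _tlv("VERS", struct.pack(">I", 4)),
        _tlv("TYPE", struct.pack(">I", 1)),            # 1 = backup keybag
        _tlv("UUID", bytes(range(16))),
        _tlv("SALT", b"\x11" * 20),
        _tlv("ITER", struct.pack(">I", 10_000)),
        _tlv("DPSL", b"\x22" * 20),
        _tlv("DPIC", struct.pack(">I", 10_000_000)),
        _tlv("UUID", bytes(16)),                       # first class-key entry
        _tlv("CLAS", struct.pack(">I", 1)),
    ])
    manifest = {
        "Version": "10.0",
        "Date": datetime(2017, 9, 1, 12, 0, 0),
        "IsEncrypted": encrypted,
        "WasPasscodeSet": False,
        "Lockdown": {"ProductVersion": ios_version, "ProductType": "iPhone7,2",
                     "DeviceName": "sample iPhone"},
    }
    if encrypted:
        manifest["BackupKeyBag"] = keybag
    folder = Path(tempfile.mkdtemp(prefix="sample_backup_"))
    (folder / "Manifest.plist").write_bytes(plistlib.dumps(manifest))
    return folder


if __name__ == "__main__":
    for enc, ver in ((True, "10.3.3"), (True, "11.0"), (False, "10.3.3")):
        facts = inspect_backup(build_sample_backup(enc, ver))
        print(facts, "->", recommend(facts))
```

Run inspect_backup() against a real backup folder (the one under MobileSync/Backup) instead of build_sample_backup() to see the actual iteration counts; a DPIC in the millions is the reason password cracking on iOS 10.2+ backups is measured in hours per thousand guesses rather than seconds.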
Another potential solution to think about is bypassing the phone altogether, and downloading backups from the iCloud account. We had the credentials and consent to access the account. The iPhone was set to sync and backup data to the iCloud account. I logged into the account and got a warning that the cloud account was full.
Note that from the iCloud user’s perspective, you can see whether backups exist in the cloud. However, you cannot see how many backups exist, let alone the dates of their creation. And you can’t directly download them. For that we need tools. Elcomsoft Phone Breaker, Dr.Fone Wondershare, or Tenorshare’s iPhone Data Recovery tool can be used to download iOS backups from the cloud. These tools require credentials to access cloud-based backup files. In this case, the cloud backups were downloaded but didn’t contain all of the data the family was after.
Right about the time the phone came to us, Apple released iOS 11. It feels like every week Apple releases a new version of their operating system. Each of those releases can add more challenges to the forensic examiner’s plate. New artifacts come, and old ones drop off. Data is encoded in new and different ways, and the location of important artifacts can be moved to a different place. New versions of operating systems can throw our forensic tools for a loop. Already, I was thinking about and wrestling with the new timestamp translation issues raised by iOS 11, discussed in Heather Mahalik’s excellent blog post on the subject.
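One concrete case of the timestamp problem, as an added example that is not part of the original post: Cocoa/Core Data timestamps count from 2001-01-01 UTC, and in some iOS 11 databases the stored value changed from seconds to nanoseconds (sms.db is the well-known instance; that detail is from the editor’s own knowledge, not from this post). A parser that still assumes seconds either overflows or produces absurd dates, so the editor’s code below detects the unit before converting and shows the failure the seconds-only assumption produces. The threshold is a heuristic and the sample rows are constructed.

```python
"""Convert Cocoa timestamps stored in either seconds or nanoseconds.
Added example; the sample rows are constructed, not from a real sms.db."""
from datetime import datetime, timedelta, timezone

COCOA_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)
# A seconds value above this would be thousands of years out, so anything
# larger is treated as nanoseconds. Heuristic: confirm against the schema
# and the iOS version that wrote the database.
NANOSECOND_THRESHOLD = 10 ** 11


def timestamp_unit(value: int) -> str:
    return "ns" if abs(value) > NANOSECOND_THRESHOLD else "s"


def cocoa_to_utc(value: int) -> datetime:
    """Aware UTC datetime for a Cocoa timestamp in seconds or nanoseconds."""
    if timestamp_unit(value) == "ns":
        secs, ns = divmod(value, 1_000_000_000)
        return COCOA_EPOCH + timedelta(seconds=secs, microseconds=ns // 1000)
    return COCOA_EPOCH + timedelta(seconds=value)


def seconds_assumption_fails(value: int) -> bool:
    """True when a seconds-only converter cannot even represent the value."""
    try:
        COCOA_EPOCH + timedelta(seconds=value)
        return False
    except OverflowError:
        return True


# Constructed rows in the shape of a message table: (rowid, date).
SAMPLE_ROWS = [
    (1, 529_000_000),               # iOS 10 style: seconds since 2001
    (2, 529_000_000_000_000_000),   # iOS 11 style: nanoseconds, same instant
]


def convert_rows(rows):
    """Return (rowid, unit, ISO-8601 UTC) for each row."""
    return [(rid, timestamp_unit(d), cocoa_to_utc(d).isoformat()) for rid, d in rows]


if __name__ == "__main__":
    for row in convert_rows(SAMPLE_ROWS):
        print(row)
```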
Thinking and reading about the changes in iOS 11 provided a novel potential solution for the problem of the previously encrypted backup. With iOS 11, it is now possible to clear the stored backup password from the phone. This won’t help with already-created backups: those remain encrypted. But it does create the potential for making new backups with a known password, or none at all.
Apple’s help page about encrypted backups got an update when iOS 11 came out. They give the following advice for people who have forgotten their backup password:
You can’t restore an encrypted backup without its password. With iOS 11 or later, though, you can make a new encrypted backup of your device by resetting the password. Here’s what to do:
On your iOS device, go to Settings > General > Reset.
The device I was trying to extract usable data from was running iOS 10.3. If it were running iOS 11, ostensibly I could reset the password and create a new encrypted backup with a known password. But could I be sure that I could do that without losing user data? When you’re proposing to do something new and different, testing is always important. Installing a new operating system can cause strange side effects. While the case I was working on wouldn’t end up in court, I didn’t want to lose precious data. So, we tried it on another phone. Many times. And it worked!
There were some changes noted during the upgrade process: the modified date and time for some (but not all) database files that store user data were updated with the OS change, and the wallpaper was changed to an iOS default image. The user data itself, though, remained unchanged. I reached out to the family, advised them of the various options and risks, and got their OK to try upgrading their son’s iPhone to iOS 11 in order to reset the password on the device.
There are advantages to not being in Law Enforcement. One of those advantages is in the flexibility to try new things and branch out in methodology in ways that would take a lot longer to adopt in dealing solely with criminal cases. If you’re reading this and you’re dealing with an iOS device as evidence from a civil or criminal case with a previously encrypted backup, obviously you will need to consider the ramifications of making changes to the original device and weigh that into the equation. Be sure you have the legal authority to make changes to the device. Careful documentation of the process is essential.
Carrying out this iOS upgrade method is a bit nerve-wracking. You have to allow the phone to connect to the network and Wi-Fi, download the new version of iOS and allow it to install. A networked device can also receive remote commands, including a remote wipe, which is one more reason to confirm your authority and document each step. Then you go through the initial setup process, which can feel like you’ve already lost the user’s data. Once iOS 11 is installed and set up, you go to Settings > General > Reset > Reset All Settings, which clears the backup password along with the other device settings while leaving user data in place. Then, perform a backup or extraction with the mobile forensics tool of your choice.
More good news: If you’re working with an iPhone already running iOS 11, the password reset method will work.
In our case, it worked beautifully. I could perform various data extractions, decode and parse them using forensic tools, and successfully provided the data to the family.