One of our top tech support questions is “Are iOS device passcodes different than iOS backup passwords?” The answer is ‘yes’, and this blog seeks to clarify which is which and how an examiner manages these two credential types during an iPhone or iPad forensic examination.
iOS Handset Passcodes
A passcode-protected iOS device is sometimes referred to as a ‘handset locked’ device (please see our Accessing a Handset-Locked iPhone, iPad, or iPod Touch Device blog entry). A user selects or changes an iPhone or iPad passcode on the device itself, and once set, the passcode locks the device screen to protect the device from unauthorized use.
iOS device users may choose one of three handset lock protections:
1 - A simple passcode
2 - A complex numeric passcode
3 - A complex alphanumeric passcode or passphrase
By default, iOS devices have a four-digit simple passcode (sometimes called a ‘PIN code’) enabled. If an iOS device is protected with a four-digit simple passcode, four text fields appear when the device is booted or awakened.
A user may enable the complex passcode feature by disabling the simple passcode setting via the iOS device’s ‘Settings’ app. If a complex passcode is enabled, and the passcode contains numeric values only, a text field and numeric touch pad displays when the device is booted or awakened. If a complex passcode is enabled, and the passcode contains alphanumeric characters and/or spaces (passphrase), a text field and an alphanumeric touch pad displays.
An examiner may recover an iOS device passcode by using a third-party software product, such as ElcomSoft’s iOS Forensic Toolkit, to perform a brute-force password attack. Please visit the ElcomSoft iOS Forensic Toolkit product webpage for further details as iPhone and iPad passcode recovery times vary according to passcode strength.
Examiners may locate unique iPhone device ID numbers, such as IMEI, UDID, and serial numbers without unlocking the iOS device. For further information about how to accomplish this, please read our Locating a Unique Identifier on a Pin/Passcode Protected iPhone and Finding the Serial Number on a Pin/Passcode Protected iPhone Using the Windows Operating System blog entries.
iOS Encrypted Backup Passwords
An iOS encrypted backup password is a separate password that a user enables and configures via the iTunes application Summary>Backups interface rather than on the iOS device. This password protects (encrypts) the data inside the user’s iOS backup folder on a synced computer and not the device itself.
iTunes does not encrypt iOS device backups by default, so a user must intentionally enable backup encryption. A user has the option of saving the iTunes backup password to their keychain file, though this option is also disabled by default.
Note: IT administrators may use Mobile Device Management (MDM) software, such as MobileIron, to force encrypted backup policies for users in a BYOD environment. So, if backup encryption is enabled, an examiner may also wish to look for indication that the device is a managed device. Please see our iPhone and iPad Forensics in a BYOD Enterprise Environment blog entry for more information.
To import an encrypted iOS backup into BlackLight, an examiner must:
1 - Know the encrypted backup password or passphrase, or know the user’s keychain password to access a saved iOS backup password or passphrase
2 - Use a third-party iOS device backup password recovery tool such as Elcomsoft’s Phone Password Breaker to retrieve the password from the iOS device or from a backup located on a synced computer. Please visit the ElcomSoft Phone Password Breaker product webpage for software capabilities and device-specific limitations.
This screenshot shows the iTunes encrypted backup option. To set or change the password, select the Change Password… button. The encryption setting and the password are both written to the iOS device.
To import an iOS backup folder into BlackLight, in the ‘Component List,’ to the right of the ‘Devices’ section, select the green Add button and select ‘Add iOS Backup’ from the contextual menu.
An ‘Evidence Selection’ window appears.
To the left of the encrypted iOS Backup, activate the checkboxes, select the desired processing options, and select the Add button.
If an iOS backup is encrypted, an ‘iOS Password Needed’ dialog window appears.
To proceed with the encrypted backup import, attach ANY iOS device running iOS 4.2 or later to the analysis machine (this does not need to be the actual source iOS device). Enter the known password (or passphrase) in the Password text field, and select the Confirm Password button.
BlackLight imports the encrypted backup folder and the folder data is available for analysis.
For comprehensive iPhone, iPad, and iPod touch forensics information and best practices, please consider enrolling in one of our upcoming classes. For more information about our BlackLight forensic analysis software, please visit the BlackLight product page.
As always, please feel free to contact our support team with any additional questions you may have.