Adding an iOS device to BlackLight is an easy task once all of the requirements set forth by Apple are met. The following article contains instructions for logically acquiring and examining an iOS 7 or later device using BlackLight. Newer iOS devices (i.e., iPhone 4 and later, iPad 2 and later) have enhanced hardware and software security that requires either the device to be unlocked with its PIN code or passphrase, or the analyst to possess the specific pairing certificate (the lockdown pairing record) for the device. There is no bypass for these security features (unless the device has been previously jailbroken, which is outside the scope of this article). From a forensics standpoint, knowing the PIN code/passphrase is the easiest path to obtaining the most information from a device, but the examiner may still gain access to many data points if a pairing certificate for the specific iOS device can be located.
Requirements for a successful iOS device acquisition include:
- A computer running Mac OS X 10.7.0 or later, or Windows 7 or later
- iTunes 11.0.1 or later
- QuickTime 7.6.9 or later
The most up-to-date version of iTunes is always recommended (especially for iOS 7 and later).
iOS Device Security Warning
One issue of crucial importance to the examiner is an iOS device losing power and being restarted. The reason for this is discussed below under pairing certificates. In short, do not let an iOS device power off. Keep it charged at all times for the greatest possibility of data access, and consider making an external battery pack part of your device-securing methodology so the device stays powered on longer.
1. With the above requirements met, unlock the iOS device using the PIN code/passphrase. If it is not known, see below for information about pairing certificates.
2. With access to the device, verify that it has been placed in Airplane Mode. This step ensures that data on the iOS device will not be changed by any external source (an incoming remote wipe, message, or sync). Airplane Mode can be toggled on or off through the Settings app. With iOS 7 and later, one may be able to use the Control Center to place a locked iOS device in Airplane Mode. Control Center is accessed by swiping up from the bottom of the screen. Access to the Control Center is enabled on the Lock Screen by default, though this feature may be purposely disabled by the device owner. Because Wi-Fi and Bluetooth can be re-enabled independently while Airplane Mode is on, also confirm that both show as off.
3. Next, connect the device to the USB port on the computer. When the connection has been established, a device running iOS 6 or earlier will pair with the computer automatically. However, an iOS 7 or later device will present the examiner with a dialog box that reads, "Trust the currently connected computer?"
4. The examiner must select the Trust option in order to allow for data communication to and from the device. iOS 7 and later adds an extra layer of protection to the Trust, forcing the user to approve data communication. iOS 6 and earlier creates a trust relationship in the background, without user interaction.
5. Once trust has been established with the computer, launch BlackLight. Next, create a new case or open a pre-existing case. Once a case file has been opened, add the iOS device by selecting [Add USB Attached Apple iOS Device] from the [File] menu, or by selecting the green Add button in the ‘Devices’ section of the ‘Component List.’
BlackLight will scan for all attached iOS devices and present the ‘Evidence Selection’ window. The iOS device of interest will be shown in the upper portion of the window, along with a specific UDID and a checkbox to select the device for acquisition.
If the device appears in light gray without a checkbox, the trust relationship has not been properly established. In such cases, repeat the above steps to attempt to correct the trust issue.
6. BlackLight offers three preset options for intake of the iOS device. To ensure the most complete data acquisition, the best practice is to select [Comprehensive (Slow - Full Processing)] from the drop-down menu. This option gathers and processes all pictures, videos, audio files, third-party application data, and other specific data points, and places each data point into the appropriate BlackLight tab. If time is a concern, the examiner may choose to selectively import data and process only certain data points. Any BlackLight processing option can be run at a later date, but the import options cannot: it is advisable to keep all import options checked, as the device may not be available later to pull the unselected items.
7. With the specific data inputs selected, choosing the Add button will begin the data acquisition and selected processing of the device. The iOS device will immediately show in the ‘Devices’ section of the ‘Component List,' but it will remain in light gray text until the parsing of data has completed. When the iOS device name and icon change from light gray to black, the initial results may be viewed within BlackLight. However, data processing may still be continuing, in which case not all BlackLight tabs will be filled with data. Once processing has fully completed, all appropriate BlackLight panes are populated with results. In this screenshot example, the iOS device is fully parsed, as its icon and device name are shown in black under 'Devices.' The Summary tab screen is shown, which displays the specifics of the imported device.
When a Pairing Certificate Is Available
As noted earlier, iOS devices and computers must form a trust relationship before data exchange can occur. This trust creates a file on the local computer called a pairing certificate (a property list named after the device's UDID, e.g. <UDID>.plist, holding the host identifier and the certificates and keys the device accepted at pairing time). The pairing certificate file is specific to the iOS device. However, it is not specific to the computer, because the host identity lives in the file itself. As a result, it is possible to copy the pairing certificate from one computer to another and gain access to files on the iOS device; by the same token, the file should be handled as sensitive key material. When a locked iOS device is encountered, it becomes imperative that the pairing certificate file is located in order to process the secured data. This file can be found in the following locations, depending on the computer's operating system:
- /private/var/db/lockdown/ - all versions of OS X
- \Documents and Settings\username\Application Data\Apple Computer\Lockdown\ - Windows XP
- \Users\username\AppData\Roaming\Apple Computer\Lockdown\ - Windows Vista
- \ProgramData\Apple\Lockdown\ - Windows 7 and later
Notice that the folder name "lockdown" is common to all operating systems. This makes for an easy search regardless of the platform being analyzed. Once a pairing certificate is located, it may be copied to the corresponding location on the analysis workstation. As an example, copying a pairing certificate from "\ProgramData\Apple\Lockdown\" on a Windows 7 computer to "/private/var/db/lockdown/" on an OS X analysis Mac will give the examiner a trust relationship with the specific iOS device. Confirm that the file name matches the UDID of the device in hand before relying on it.
Once the pairing certificate has been copied into the proper location on the analysis workstation, the examiner may resume at step 2 of the procedure above.
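The search-and-copy described above, written out as an added example (not BlackBag or BlackLight code). It assumes the lockdown folder locations listed in this article and the key names Apple's lockdownd writes into a pairing record (HostID, SystemBUID, HostCertificate, HostPrivateKey, DeviceCertificate, RootCertificate); the sample records it builds are constructed placeholder data rather than key material from a real device. It only accepts files whose name is a device UDID and whose contents carry the host identity and key material, so a decoy plist or a truncated record is not staged onto the analysis workstation.

```python
"""Locate, validate and stage an iOS pairing record (lockdown plist).

Added example for this article, not BlackBag/BlackLight code. Assumes the lockdown
folders the article lists and the pairing-record keys written by Apple's lockdownd.
Sample records written by write_sample_record() are constructed placeholder data.
"""
import plistlib
import re
import shutil
import tempfile
from pathlib import Path
from xml.parsers.expat import ExpatError

# The folders listed in the article; "lockdown" is the common folder name on every platform.
CANDIDATE_DIRS = [
    "/private/var/db/lockdown",                                    # OS X
    r"C:\ProgramData\Apple\Lockdown",                               # Windows 7 and later
    r"C:\Users\username\AppData\Roaming\Apple Computer\Lockdown",  # Windows Vista
    r"C:\Documents and Settings\username\Application Data\Apple Computer\Lockdown",  # XP
]

# Pairing records are named <UDID>.plist; the devices in scope use 40-hex-character UDIDs.
UDID_RE = re.compile(r"^[0-9a-f]{40}$", re.IGNORECASE)
# Keys a usable record must carry (host identity plus the certificates/keys the device accepted).
REQUIRED_KEYS = frozenset({"HostID", "SystemBUID", "HostCertificate", "HostPrivateKey",
                           "DeviceCertificate", "RootCertificate"})


def find_pairing_records(search_roots):
    """Return {udid: path} for every UDID-named plist directly under the given roots."""
    found = {}
    for root in map(Path, search_roots):
        if root.is_dir():
            for p in sorted(root.glob("*.plist")):
                if UDID_RE.match(p.stem):
                    found.setdefault(p.stem.lower(), p)
    return found


def load_pairing_record(path):
    """Parse a plist and return it only if it carries the keys lockdownd needs; else None."""
    try:
        with open(path, "rb") as fh:
            record = plistlib.load(fh)
    except (plistlib.InvalidFileException, ExpatError, OSError):
        return None
    if not isinstance(record, dict) or not REQUIRED_KEYS.issubset(record):
        return None
    return record


def stage_pairing_record(udid, search_roots, analysis_lockdown_dir):
    """Copy the valid record for `udid` into the analysis workstation's lockdown folder.

    Returns the destination path, or None when no usable record for that UDID exists.
    """
    src = find_pairing_records(search_roots).get(udid.lower())
    if src is None or load_pairing_record(src) is None:
        return None
    dest_dir = Path(analysis_lockdown_dir)
    dest_dir.mkdir(parents=True, exist_ok=True)
    dest = dest_dir / src.name
    shutil.copy2(src, dest)  # copy2 preserves source timestamps for the examiner's notes
    return dest


def write_sample_record(lockdown_dir, udid, complete=True):
    """Write a constructed sample record; complete=False omits the certificate/key entries."""
    lockdown_dir = Path(lockdown_dir)
    lockdown_dir.mkdir(parents=True, exist_ok=True)
    record = {"HostID": "11111111-2222-4333-8444-555555555555",       # placeholder, constructed
              "SystemBUID": "66666666-7777-4888-8999-AAAAAAAAAAAA",   # placeholder, constructed
              "WiFiMACAddress": "02:00:00:00:00:01"}
    if complete:
        record.update({k: b"placeholder PEM bytes, not real" for k in
                       ("HostCertificate", "HostPrivateKey", "DeviceCertificate", "RootCertificate")})
    path = lockdown_dir / f"{udid}.plist"
    with open(path, "wb") as fh:
        plistlib.dump(record, fh)
    return path


def run_demo():
    """Stage records from a simulated seized Windows 7 disk into a simulated OS X analysis Mac."""
    good_udid = "0123456789abcdef0123456789abcdef01234567"
    bad_udid = "fedcba9876543210fedcba9876543210fedcba98"
    with tempfile.TemporaryDirectory() as tmp:
        seized = Path(tmp, "seized", "ProgramData", "Apple", "Lockdown")
        analysis = Path(tmp, "analysis", "private", "var", "db", "lockdown")
        write_sample_record(seized, good_udid)                    # complete record
        write_sample_record(seized, bad_udid, complete=False)     # missing key material
        Path(seized, "SystemConfiguration.plist").write_bytes(b"")  # decoy: not UDID-named
        staged = stage_pairing_record(good_udid.upper(), [seized], analysis)
        rejected = stage_pairing_record(bad_udid, [seized], analysis)
        return {
            "found": sorted(find_pairing_records([seized])),
            "staged_name": staged.name if staged else None,
            "staged_host_id": load_pairing_record(staged)["HostID"] if staged else None,
            "incomplete_rejected": rejected is None,
        }


if __name__ == "__main__":
    print(run_demo())
```

On a real analysis Mac the destination is /private/var/db/lockdown/, which is owned by root, so the copy must be run with appropriate privileges; the UDID comparison is case-insensitive because BlackLight's Evidence Selection window and the file name may differ in case.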
Additional Security Considerations
When an iOS device first powers on with a PIN code or passphrase applied, it is in the state Apple's Data Protection documentation calls "Protected Until First User Authentication" (the device is commonly described as "before first unlock"). Loosely, the device must be unlocked one time before full computer-to-device communication can occur, because the keys protecting most user data are not available until that first unlock. If an iOS device is located in this state, the pairing certificate will have little or no value, depending on which version of iOS is running. For this reason it is of critical importance to keep the device from losing power and having to be restarted, particularly if the PIN code/passphrase is not known and the examiner is relying on a pairing certificate. An iOS device must be unlocked once after each power-on before full communication occurs. This can be observed with one's personal iOS device and iTunes: after a device restart, iTunes will note that the iOS device must be unlocked before a sync can occur. After that first unlock, however, subsequent locks do not affect the pairing certificate or the ability to perform a logical acquisition.
Adding an iOS Device to Mobilyze
For acquiring and examining iOS devices, examiners now have the additional option of using Mobilyze, the mobile data triage tool from BlackBag Technologies. Mobilyze is versatile, easy to use, and fast in situations where time is of the essence. To add an iOS device to Mobilyze, the examiner should follow steps 1 - 4 of the procedure above before launching the Mobilyze app. Examiners also have the option of importing Mobilyze cases directly into BlackLight (i.e., without performing another collection) if more comprehensive analysis is deemed necessary.
There are a few other situations in which a pairing certificate may not grant access to data on the iOS device. If you experience any trouble after following the above guidelines, please reach out to us at firstname.lastname@example.org.