![]() The interplay between exploit chains, extended development timelines, and lagging support for iOS updates from vendors of forensic software poses significant challenges for both security experts and forensic specialists.ĭata extraction stands as a primary stage of any forensic investigation. In an era defined by rapid technological advancements, the battle between digital security and forensic experts who seek legal access to incriminating evidence grows increasingly complex. Stay tuned! Escalating complexity in iOS forensics The next planned update will include iOS 16.4 support and keychain decryption for the entire iOS 16.0 – 16.4 range. Secure messaging platforms, in particular, often necessitate specific keychain information for successful extraction. We are working hard to improve the extraction agent with additional features and expanded supported OS range. All corresponding iPad models including iPad Air 5 and iPad Pro 5 (Apple M1), iPad Pro 6 (Apple M2)Ĭoming soon: keychain decryption and iOS 16.4 supportĬertain data remains inaccessible without the complete chain of exploits.A15: iPhone 13, iPhone 13 Mini, iPhone 13 Pro, iPhone 13 Pro Max, iPhone SE (3rd gen), iPhone 14, iPhone 14 Plus.A14: iPhone 12, iPhone 12 Mini, iPhone 12 Pro, iPhone 12 Pro Max. ![]() ![]() A13: iPhone 11, iPhone 11 Pro, iPhone 11 Pro Max, iPhone SE (2nd gen).A12: iPhone Xr, iPhone Xs, iPhone Xs Max.Currently, we do not support keychain decryption for these versions of iOS, but an update is coming soon. We’ve been able to fully escape the sandbox and gain access to previously inaccessible types of data, which includes the full file system. We are proud to release an update to iOS Forensic Toolkit with full file system extraction support for iOS/iPadOS 16.0 through 16.3.1. Now: full file system extraction for iOS 16.0-16.3.1 Obviously, that approach left many kinds of data out, so we continued our research that lead us to today’s release. As a result, we’ve been only able to offer access to parts of the file system, mostly with data of third-party apps. When we initially used that exploit, we’ve been unable to fully escape the sandbox, as some protective mechanisms were still in place. When one was finally discovered, it turned to be a weak exploit that was not quote up to the task of enabling full access to the file system, let alone decrypt the keychain. For the most part, the exploits used in the extraction agent are kernel-level exploits allowing full sandbox escape with low-level access to the file system and keychain records.įor a long time, no usable exploit was available for any version of iOS 16. Technically, the extraction agent is an app that, when installed on an iOS device, attempts privilege escalation by attempting to exploit one or more vulnerabilities in the operating system. IOS Forensic Toolkit comes with a custom low-level extraction agent. We are also working on iOS 16.4 support.īefore: partial file system extraction for iOS 16.0-16.1.2 We are working on bringing full keychain decryption support, which is scheduled for one of upcoming releases. The new extraction process enables low-level access to the file system, which includes access to sandboxed app data, system databases and other information available in the file system. We pushed this release as forensic experts do have a backlog of Apple devices with iOS 16.3.1 and older. iPhone Xs/Xr and newer devices are supported, including the iPhone 14 and 14 Pro range as well as iPad models based on the latest M1 and M2 chips. The enhanced process now delivers full unrestricted file system extraction (currently without a keychain) for a set of devices with iOS/iPadOS 16.0 through 16.3.1. The previously announced partial file system extraction mechanism that, at the time, allowed low-level access to third-party app data for devices running iOS 16.0 through 16.1.2, has been refined. Today, we are introducing a new, enhanced low-level extraction mechanism that enables full file system extraction for the iOS 16 through 16.3.1 on all devices based on Apple A12 Bionic and newer chips. We’ve been working to improve the process, slowly lifting the “partial” tag from iOS 15 devices. The process we called “partial extraction” relied on a weak exploit that, at the time, did not allow a full sandbox escape. A while ago, we introduced an innovative mechanism that enabled access to parts of the file system for latest-generation Apple devices.
0 Comments
Leave a Reply. |
Details
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |