Extracting data from a damaged iPhone via chip-off technique – Part 2
Our last article, “Extracting data from a damaged iPhone via chip-off technique”, have received mixed reviews from our readers.
Some wrote, that it’s impossible:
It doesn’t work.
ZombieKiller316 of reddit.com – we don’t know who is it, but we’re sure, he’s a computer forensics professional.
Others wrote, that the data in Apple devices is encrypted (Really? They thought, we didn’t know about it?):
I tried and they ALL ENCRYPTED, except iPhone 3G (very old one)
Sasha Sheremetov, Engineer, Rusolut
How was the decryption done? – Chip off is mostly done in the cases where data is otherwise inaccessible (phone locked, damaged) so the data in the chip would be encrypted and protected by secure enclave.
Harpreet Singh Dardi, Consultant – Computer Forensics & eDiscovery at PwC
Short Answer is it is impossible to Chip-Off anything above 4s due to Encryption being tied to UID and several other features.
There are some advanced NSA level attacks that can compromise a 4s/5/5c if you want to spend 500k + and hire a company to reverse engineer the silicon of the CPU decapping it with Acid/Ion Laser and probing it. A less risky attack would be using Infrared Laser Glitching. Another possible option would be discovering a side-channel attack that compromised the AES Crypto Engine or CPU in order to reveal the UID. In short it aint happening.
kyle_pc_terminator of reddit.com – man, thank you for this comment.
Okay. It’s time to tell you a bit more about what we can do.
About impossibility in principle of data recovery from damaged Apple devices
Some readers wrote us, that it’s impossible to extract data from any damaged iOS-device. But some iOS-devices, including iPhone 2G, iPhone 3G, don’t use hardware encryption. So it’s possible to use the chip-off technique for data extraction – it’s confirmed by our tests. Also, ACELab KB (Anwer Alkandri, thanks for the link) contains info about data recovery from iPhone 3G chip.
Figure 1. Information from ACELab KB
About Apple devices encryption
Since the release of the iPhone 3GS, Apple has built encryption into the hardware and firmware of its iPhones and iPads to make user’s data even more secure. What is more, in top iOS-devices some other encryption tricks are used. So, there are a number of encryption levels in iOS-devices; about software and hardware encryption, Secure Enclave you can read in open sources, for example, here.
So, if you image the partition with the user data, you’ll see the filesystem structure, but no file content – all files are encrypted.
Figure 2. A part of userdata partition structure
Figure 3. An encrypted JPG file
What should an examiner do?
There are two ways:
- Use brute force attack to decrypt data (but, as you remember, iOS-devices have a number of encryption levels).
- Find a way to get the keys.
Both ways are impossible, aren’t they?
About our chip-off technique
On the one hand, we can’t speak about the technique in details in order nobody can copy it, on the other hand, we can present it in general via this scheme:
Figure 4. The technique
The problem is – we can take a damaged iPhone and extract data from it. But how to show you that our technique works? We don’t know.
Now we want to answer our readers’ questions:
Q.: For which versions of iOS-devices does your method work?
A.: For all devices released to date (we haven’t tested all of them, but the principle is the same).
Q.: What types of data can be extracted from a damaged iPhone?
A.: Calls, phone book, SMS, MMS, chats, images, videos, etc.
Q.: Can you recover deleted files?
A.: No (excluding deleted SQLite DB records).
Q.: Can you extract data from a locked iPhone?
A.: No, we’ll need the passcode (or lockdown files).
If the device is locked with Touch ID, we need your finger (only joking, we just won’t extract data from such device).
About the authors:
Interests: Computer, Cell Phone & Chip-Off Forensics
Interests: iOS forensics, Android forensics, Mac OS X forensics, Windows forensics, Linux forensics