Since mid-2009, beginning with the iPhone 3G[s] release, Apple has shipped all iOS devices with a dedicated cryptographic chip, making hardware-accelerated encryption possible. Apple has incorporated this accelerated cryptography into the operating system, marketed as a feature named Data Protection. Data Protection combines hardware-accelerated encryption and an authenticated cryptographic scheme, allowing any file or piece of information to be encrypted or decrypted with a separate key.
Files protected with Data Protection are encrypted with a random file key. That file key is in turn encrypted using a higher-tier class key and stored as a file tag with the file. Passwords (and other small sensitive data) stored on the device are encrypted using a similar approach and kept in the iOS keychain, a device key escrow mechanism built into the operating system.
Files and keychain elements are protected by one of several access control keys, which are also encrypted in a way that incorporates the user’s device passcode. The passcode must be known to decrypt the key hierarchy protecting these select files and keychain elements and disable the device’s GUI lock.
The implementation of Data Protection has been criticized for several design flaws and was originally exploited, as shown by Zdziarski in 2009. Due to the simplicity of four-digit PINs or short passwords, brute-forcing the device passcode is often a computationally feasible task. In many cases, brute-forcing a four-digit PIN has been shown to take at most 20 minutes.
Nevertheless, this encryption scheme poses significant challenges to the forensic investigator. The forensic examiner should be aware of these issues and the impact that this encryption has on any iOS-based device presented for examination. Supported devices include the iPhone 3GS and iPhone 4 (both GSM and CDMA models), first-gen iPad, and the latest releases of iPod Touch (3rd and 4th generation). All of these devices have the option to perform a remote wipe of the data they contain. When activated, the UID is destroyed, and 256 bits of the key are destroyed, leaving the examiner with an extremely complex decryption problem. To avoid such scenarios, it is recommended that radio communications be blocked or disabled before the device is examined and before it is transported to the lab.
When Data Protection is active, the file key is obliterated when the file is deleted, leaving encrypted and generally unrecoverable file contents in unallocated space and rendering traditional carving techniques for deleted files useless. Data, however, can often be found residing inside allocated data containers (i.e., SQLite tables) and should not be discounted or ignored as part of any examination. Recovery of such data can be challenging: although SQLite data recovery may be somewhat automated (e.g., epilog), often manual recovery may be the only option. Fortunately for the forensic investigator, a significant portion of user data is stored within allocated data containers, and garbage collection is not generally performed on these containers.
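The following added example (not from the original text, and not tied to any particular tool) shows why deleted records survive inside an allocated SQLite container: it walks the freelist recorded in the database header and carves printable strings from the freed pages. The `message` table, its contents and the function names are constructed for illustration, and the sample database is created with `secure_delete` and `auto_vacuum` off, which is an assumption about the container being examined.

```python
import re, sqlite3, struct

def build_sample_db(path, rows=400):
    """Constructed sample data: insert rows, commit, then delete them all."""
    con = sqlite3.connect(path)
    con.execute("PRAGMA page_size = 4096")
    con.execute("PRAGMA auto_vacuum = NONE")   # freed pages stay in the file
    con.execute("PRAGMA secure_delete = OFF")  # freed pages are not zeroed
    con.execute("CREATE TABLE message (id INTEGER PRIMARY KEY, body TEXT)")
    con.executemany("INSERT INTO message (body) VALUES (?)",
                    [(f"constructed-sample-message-{i:04d} " + "x" * 60,)
                     for i in range(rows)])
    con.commit()
    con.execute("DELETE FROM message")
    con.commit()
    remaining = con.execute("SELECT count(*) FROM message").fetchone()[0]
    con.close()
    return remaining  # rows still visible through SQL

def freelist_pages(path):
    """Return {page_number: raw_bytes} for every page on the freelist."""
    with open(path, "rb") as f:
        data = f.read()
    page_size = struct.unpack(">H", data[16:18])[0]
    page_size = 65536 if page_size == 1 else page_size
    trunk, total = struct.unpack(">II", data[32:40])  # first trunk, page count
    pages = {}
    while trunk and trunk not in pages and len(pages) < total:
        raw = data[(trunk - 1) * page_size : trunk * page_size]
        if len(raw) < page_size:
            break  # truncated image
        next_trunk, n_leaves = struct.unpack(">II", raw[:8])
        n_leaves = min(n_leaves, (page_size - 8) // 4)  # guard corrupt counts
        pages[trunk] = raw
        for leaf in struct.unpack(f">{n_leaves}I", raw[8:8 + 4 * n_leaves]):
            pages[leaf] = data[(leaf - 1) * page_size : leaf * page_size]
        trunk = next_trunk
    return pages

def recover_strings(path, min_len=12):
    """Carve printable ASCII runs from freelist pages only."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [(number, m.group().decode("ascii"))
            for number, raw in sorted(freelist_pages(path).items())
            for m in pattern.finditer(raw)]
```

Carved strings may carry a few bytes of adjacent record header, so match on the expected content rather than on whole strings. Always run this against a working copy of the extracted database, never the original evidence file.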
Apple also offers users a feature to encrypt all backup data when using iTunes (iOS 4 and later). When this option is used, some forensic extraction tools will present only encrypted files. These backups can be decrypted using a brute force attack. Tools exist to perform this attack using GPU acceleration to facilitate a faster brute force attack. The backup encryption feature only applies to data sent through the device’s backup service; however, many other services run on the device that provide clear text copies of data, even if backup encryption is active. If the acquisition tool can communicate with these other services, a significant amount of clear text data can be recovered, even if the backup password is not known.