Speaking of mobile devices, especially Apple’s, “logical acquisition” is probably the most misused term. Are you sure you know what it is and how to properly use it, especially if you are working in mobile forensics? Let us shed some light on it.

Introduction

You have probably seen charts depicting and comparing the various acquisition methods for mobile devices, sometimes starting with “chip-off” (or even “micro-read”) and going all the way to manual extraction.

Logical acquisition is the simplest, most reliable, and compatible method that supports 99% of Apple mobile devices. If you follow our blog, you should know that this method it does not return the maximum amount of data compared to other methods. But due to its compatibility and simplicity it remains the most popular extraction method. There are a few tricks to learn that will help you make use of it in the most effective way.

What does it mean?

Speaking of Apple mobile devices (iPhone, iPad) and some gadgets (Apple Watch, Apple TV), “logical” is almost always a synonym to “backup”, but there are caveats.

First, neither Apple TV nor Apple Watch devices make full backups; only iPhones and iPads do.

Second, logical acquisition is not just about backups, but also includes media files available via AFC (Apple File Conduit) protocol, as well as diagnostics logs and shared files. Let’s elaborate.

Media files

Media files such as photos, videos and music are stored in a slightly different way that most other files. Even if a backup is password-protected, these files can be easily extracted. It’s not just the files, but also the metadata stored in special system databases; the metadata includes information on how these files were edited, what albums they belong to, objects and people recognized using built-in engines, thumbnails, EXIF data (including geolocations and timestamps), and more. Sometimes you can even get some information on deleted files, but this is outside the scope of this article.

Diagnostics logs

Do not underestimate device logs! They can be easily extracted using proper software (such as Elcomsoft iOS Forensic Toolkit), and they contain lots of timeline data.

Shared files

Some applications (such as Microsoft Office, some password managers etc.) allow sharing their data across the system; it is not sandboxed but accessible from the outside. Like with media files, you can get access to this data even if the backup is password-protected (again, using proper software).

Connecting and pairing the device

You may encounter the first obstacle right from the get go. Connecting the device to the computer may not immediately establish connection over the USB (Lightning) cable due to USB restrictions. We have an article on USB restricted mode that may help you work around this limitation. Note that simply unlocking the device with a passcode or biometrics turns off the restriction and re-enables USB connectivity.

Accessing any data on the device beyond basic information requires pairing the device to the computer, which requires entering the correct passcode on the device itself. There is currently no practical way around it as lockdown files are extremely short-lived.

Password-protected backups

Old backups (both local and cloud) may be everything you have access to. The backups have a value of their own, often containing evidence that was later deleted in the device itself.

A backup may have a password set, and this is a problem. As we explained, the backup password is a property of the device, and once it is set, you cannot just create another backup without a password. It does not matter which computer you connect the device to; all backups will be created with the same password, and there is no way to change it unless you know it – with a caveat.

Starting with iOS 10.2, you can run a brute-force attack on iTunes backups, albeit very slowly (just several passwords per second on a CPU, and a couple hundred p/s on a modern video card); even relatively short password cannot be cracked in a reasonable time.

Starting with iOS 11, Apple introduced a way to remove the backup password by resetting device settings (you’ll need to enter the device passcode to do that). Sounds simple? It is, but this operation has some negative consequences, as the device passcode is also being reset:

• Some user’s data is deleted (e.g. Apple Wallet transaction history)
• Microsoft Exchange mail (downloaded to the device)
• The data of some applications that require the passcode to be set
• Some keychain items are deleted
• iCloud tokens are deleted
• Login data for some applications and online services (including some messengers for example) is lost

The last item probably needs some explanation. If you have the device logged in to iCloud and that device has a passcode set (and you know that passcode), in most cases you can change the iCloud password without knowing the old one. That gives you full access to all iCloud data: the files stored on iCloud drive, iCloud backups, iCloud synced data (including “end-to-end encrypted” one. But once you reset device settings (and so the device passcode), this opportunity is lost.

Somewhat counterintuitively, if the backup password is not set, you should set it yourself. Password-protected backups contain a lot more data compared to unencrypted ones. This includes the device keychain, Health data, call logs, Safari browsing history, and more.

There is one more thing: sometimes you may be unable to reset device settings. At least two things may block the reset:

• MDM (Mobile Device Management) profile
• Screen Time password

Screen Time password is always for digits only, yet it is hard to crack. After several unsuccessful attempts, iOS enforces a one-hour delay before you can enter another passcode. Worst case scenario, it takes 10,000 hours, and this process cannot be accelerated.

The keychain

iOS keychain keeps user passwords and system authentication data such as keys and tokens. The keychain is included in both encrypted and unencrypted backups. However, if the backup is produced without a password, the keychain in that backup will be encrypted with a device-specific hardware key that is not accessible with logical acquisition. If you set a known backup password, you’ll be able to extract many keychain items.

Note that you cannot access some keys and tokens via logical acquisition regardless of the password. Also note that low-level extraction methods allow extracting the entire keychain as well as the original backup password.

iCloud backups

iCloud backups contain almost the same set of data as local (‘iTunes’) backups. Apple does not provide any way to download them; one can only restore new device. However, we have a tool for that: Elcomsoft Phone Breaker. Downloading an iCloud backup requires the user’s Apple ID and password plus access to the second authentication factor (trusted device or SIM card). See above how to reset the password.

Apart from the backups, there is usually a lot of synced data stored in the iCloud (including so-called “end-to-end encrypted” data), as well as files and documents. Wil proper credentials (device passcode or macOS system password), you can have access to all those.

This, however, is not usually called “logical acquisition” but fits into the “cloud acquisition” category.

Conclusion

We wrote about it many times but wanted to say it again: carefully learn how acquisition methods work, and do not blindly trust any forensic tool regardless of who it comes from. There are no simple ways in mobile forensics, and even the best software won’t do the job for you with a push of a button.