Extracting data from a damaged iPhone via chip-off technique – part 1
Quite often we get damaged smartphones for forensic examination, and, of course, the chip-off technique is our best friend here. Yes, we physically remove the chip from the mobile device and use a reader to acquire data from it. Usually we use this technique for extracting data from damaged Android smartphones and classic mobile phones, but recently we have tried it on an iPhone.
Its NAND consists of four parts, so we got four DMP files after data extraction. Each NAND page has 8 sectors of data, a 12-byte identifier and 90 bytes of ECC. The page size is 4224 bytes; the sector size is 524 bytes.
Here is the structure:
0-512;4096-12;
512-512;4096-12;
1024-512;4096-12;
1536-512;4096-12;
2048-512;4096-12;
2560-512;4096-12;
3072-512;4096-12;
3584-512;4096-12;
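As an added example (not code from the original post or from PC-3000 Flash), here is how the page layout listed above can be applied to a raw DMP file to separate the 512-byte data sectors from the spare area. It assumes the notation means offset-length pairs inside a 4224-byte page, the first pair of each line being the sector's data and the second its 12-byte identifier.

```python
# Added example, not from the original post: split a chip-off NAND dump with
# the page layout given above into user data and per-sector identifiers.
# Layout lines use the post's "offset-length;" notation: first the 512 data
# bytes of the sector, then its 12-byte identifier. ECC placement is not
# given by the layout, so the remaining spare bytes are simply dropped.
PAGE_SIZE = 4224           # bytes per NAND page
SECTOR_DATA = 512          # user data bytes per sector
LAYOUT_TEXT = """0-512;4096-12;
512-512;4096-12;
1024-512;4096-12;
1536-512;4096-12;
2048-512;4096-12;
2560-512;4096-12;
3072-512;4096-12;
3584-512;4096-12;"""

def parse_layout(text):
    """Return one list of (offset, length) segments per sector, validated."""
    layout = []
    for line in text.strip().splitlines():
        segs = [tuple(int(v) for v in p.split("-")) for p in line.split(";") if p]
        for off, ln in segs:
            if off < 0 or ln <= 0 or off + ln > PAGE_SIZE:
                raise ValueError(f"segment {off}-{ln} lies outside the page")
        layout.append(segs)
    return layout

def split_page(page, layout):
    """Return (user_data, identifiers): the data sectors joined in order,
    plus the identifier bytes recorded for each sector."""
    if len(page) != PAGE_SIZE:
        raise ValueError(f"expected a {PAGE_SIZE}-byte page, got {len(page)}")
    data, ids = [], []
    for (doff, dlen), *spare in layout:
        data.append(page[doff:doff + dlen])
        ids.append(b"".join(page[o:o + n] for o, n in spare))
    return b"".join(data), ids

def strip_dump(dump, layout):
    """Drop every page's spare area so the result holds only user data."""
    if len(dump) % PAGE_SIZE:
        raise ValueError("dump length is not a whole number of pages")
    return b"".join(split_page(dump[i:i + PAGE_SIZE], layout)[0]
                    for i in range(0, len(dump), PAGE_SIZE))

def build_sample_page():
    """Constructed test page: sector n filled with the letter 'A'+n, a 12-byte
    identifier of 0xAA at offset 4096 and 0xFF for the rest of the spare area."""
    body = b"".join(bytes([0x41 + n]) * SECTOR_DATA for n in range(8))
    return body + b"\xAA" * 12 + b"\xFF" * (PAGE_SIZE - len(body) - 12)
```

This handles only the per-page spare stripping; the RAID-like interleave between the four DMP parts still has to be rebuilt first, as described below.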
What is more, blocks are mixed between the different parts of the NAND, like in a RAID. To rebuild these four DMP files into one BIN file we used PC-3000 Flash:

We extracted the file system from the image, added it to a ZIP archive, and imported it into Oxygen Forensic Analyst. Here are some deleted SMS messages from sms.db:

As you can see, the extracted data is parsed successfully by the tool. Anything is possible, even an iPhone chip-off.
Extracting data from a damaged iPhone via chip-off technique – part 2
Our first part received mixed reviews from our readers.
Some wrote that it’s impossible:
It doesn’t work.
ZombieKiller316 of reddit.com – we don’t know who it is, but we’re sure he’s a computer forensics professional.
Others wrote that the data on Apple devices is encrypted (Really? Did they think we didn’t know about it?):
I tried and they are ALL ENCRYPTED, except the iPhone 3G (a very old one)
Sasha Sheremetov, Engineer, Rusolut
How was the decryption done? – Chip-off is mostly done in cases where the data is otherwise inaccessible (phone locked, damaged), so the data in the chip would be encrypted and protected by the Secure Enclave.
Harpreet Singh Dardi, Consultant – Computer Forensics & eDiscovery at PwC
Short answer: it is impossible to chip-off anything above a 4s due to encryption being tied to the UID and several other features.
There are some advanced NSA-level attacks that can compromise a 4s/5/5c if you want to spend 500k+ and hire a company to reverse engineer the silicon of the CPU, decapping it with acid/ion laser and probing it. A less risky attack would be using infrared laser glitching. Another possible option would be discovering a side-channel attack that compromised the AES crypto engine or CPU in order to reveal the UID. In short, it ain’t happening.
kyle_pc_terminator of reddit.com – man, thank you for this comment.
Okay. It’s time to tell you a bit more about what we can do.
About the impossibility in principle of data recovery from damaged Apple devices
Some readers wrote to us that it’s impossible to extract data from any damaged iOS device. But some iOS devices, including the iPhone 2G and iPhone 3G, don’t use hardware encryption, so it’s possible to use the chip-off technique for data extraction; this is confirmed by our tests. Also, the ACELab KB (Anwer Alkandri, thanks for the link) contains info about data recovery from an iPhone 3G chip.

Figure 1. Information from ACELab KB
About encryption of Apple devices
Since the release of the iPhone 3GS, Apple has built encryption into the hardware and firmware of its products to make users’ data even more secure. What is more, in top iOS devices some other encryption tricks are used, so there are a number of encryption levels in iOS devices. For more information about software and hardware encryption, as well as the Secure Enclave Coprocessor, you can read open sources, for example here.
So, if you image the partition with the user data, you’ll see the file system structure but no file content: all files are encrypted.

Figure 2. A part of userdata partition structure

Figure 3. An encrypted JPG file
What should an examiner do?
There are two ways:
- Use a brute-force attack to decrypt the data (but, as you remember, iOS devices have a number of encryption levels).
- Find a way to get the keys.
Both ways are impossible, aren’t they?
About our chip-off technique
On the one hand, we can’t describe the technique in detail, so that nobody can copy it; on the other hand, we can present it in general via this scheme:

Figure 4. The technique
The problem is that we can take a damaged iPhone and extract data from it, but how can we show you that our technique works? We don’t know.
Now we want to answer our readers’ questions:
Q.: For which versions of iOS devices does your method work?
A.: For all up-to-date devices (we haven’t tested all of them, but the principle is the same).
Q.: What types of data can be extracted from a damaged iPhone?
A.: Calls, phone book, SMS, MMS, chats, images, videos, etc.
Q.: Can you recover deleted files?
A.: No (excluding deleted SQLite DB records).
Q.: Can you extract data from a locked iPhone?
A.: No, we’ll need the passcode (or lockdown files).
If the device is locked with Touch ID, we won’t be able to access it.
About the authors:
Interests: Computer, Cell Phone & Chip-Off Forensics
Interests: iOS forensics, Android forensics, Mac OS X forensics, Windows forensics, Linux forensics
