We have been tasked with testing Elcomsoft’s iOS Toolkit for the Burlington Police Department. We are going to be testing the software on an iPhone 3GS, iPhone 4, and iPhone 5. iOS Forensic Toolkit is a tool that performs an acquisition of user and/or file system data store in iPhone, iPads, and iPod devices running almost any version iOS, iOS 6.x is not yet supported. We are currently working with an iPhone 3GS, which, when provided to us, had iOS 6.1.2 from a previous project the LCDI used it for. Our first task was trying to downgrade to iOS 3.1.3. There are dozens of tutorials online about how to downgrade your iPhone to an earlier version, but none of them were helpful to us.
- Set a passcode – 1234
- Made calendar events – June 8th 2013 – my birthday; May 27 2013 – C’s birthday
- Set reminders – June 7th 10:00 2013 – work on Elcomsoft project; July 3rd 2013 – work on cell phone lab
- Sent emails – email sent to firstname.lastname@example.org – subject: “Hi”, message: “What’s up Sent from my iPhone”; email sent to email@example.com – subject: “Hello”, message: “Spaghettios Sent from my iPhone”; received emails from Facebook, twitter, LinkedIn, TextMe
- Set alarms – 8:00 every Thursday: “That thing’, 8:30 every Thursday: “That other thing”6.
- Add photos, music, videos – took two pictures of: polar seltzer can and Cheetos bag – added three pictures from computer: kitten, puppies, cheese; took video of J and C – added two videos from YouTube: chocolate rain, all your base are belong to us; added two song downloaded from SoundCloud.
- Downloaded apps – chrome, find my iPhone, TextMe 2, Facebook, twitter, Instagram, SnapChat, LinkedIn
- Made Calls (through TextMe 2) – made call to 555-555-1234; received call from 555-555-1234
- Sent Texts (through TextMe 2) – sent text to 555-555-1234 – “hello — sent by xxxx via textme.us”; received text from 555-555-1234 – “Test”
- Sent MMS (through TextMe 2) – sent picture message to 555-555-1234 – picture of a keyboard; sent mms message from 555-555-1234– did not receive
- Generated internet Activity (connected to WiFi – “test”)
- Safari – linkedin.com; gmail.com; twitter.com; reddit.com; i.imgur.com; youtube.com;
- Chrome – reddit.com; m.totalfilm.com; imgur.com; i.imgur.com; failblog.org; google.com – searched “computer forensics”;
- Used Apps –
- YouTube app: iGun rampage, Harlem Shake
- Find my iPhone: logged in using apple id, location seems accurate
- Facebook – took picture of keyboard for profile picture; made status “hello world”
- SnapChat – made a video sent to myself
- twitter – sent tweet “hello world”
- Instagram – shared picture of keyboard, shared on Facebook and twitter
- LinkedIn – Made profile
- TextMe – see above in send text/mms section
- Turned location services on – twitter, Instagram, camera, weather, maps
After We did this We made another Physical Extraction of the 3GS using Cellebrite.
The next step was trying to get the phone to downgrade to iOS3. After careful consideration we decided to scrap that idea and just concentrate on downgrading to iOS4. This task proved to be just as difficult as it was to downgrade from iOS6 to iOS3. After several dozen attempts at downgrading to iOS4, using the above tools/resources, We failed again. After a whole slew of the same error codes and new error codes We decided to scrap this idea as well. A quick Google search showed that most people are at least at iOS5 or above so for the purposed of this project, iOS5 and 6 will have to work.
The next step is updating to the newest iOS6. We uninstalled iTunes 10.6 and updated to the newest version (126.96.36.199). Simply updating the 3GS turned into a nightmare. After messing around with it for a while we decided to check the host file, again; Low and behold the IP address for gs.apple.com was different, again. We changed it to what it was supposed to be and tried updating again and it worked. We backup up the phone in iTunes and captured a Physical Extraction of the 3GS again. Then we generated more data on the 3GS. I followed the above steps to generate data. After we generated all of the data we backed up and captured a Physical Extraction of the 3GS a final time. Now we just need the software to start testing it out.