lasaspre.blogg.se

Oxygen forensics ios 8 file level access






Block 0 of the NAND is used as effaceable storage and a series of encryption "lockers" are stored on it. This is the portion that gets wiped when a device is erased, as this is the base of the key hierarchy. Each locker has a randomly generated encryption key in it, and that key is encrypted with a combination of a deducible unique hardware key for the device and the user's PIN. Locker #4 (the class 4 key, also referred to as the class D key) was not encrypted with the user PIN and, in previous versions of iOS (<8), was used to "encrypt" most of the file system. Because the PIN wasn't included in the crypto, anyone with root-level access (such as Apple) could easily decrypt most of the file system contents (as most of Apple's app data was not using data protection at the time). Fast forward to iOS 8, and virtually the entire file system is using keys from lockers that *are* protected with the user's PIN. The hardware-accelerated AES crypto functions allow for very fast encryption and decryption of the entire hard disk, making this technologically possible since the 3GS; however, for no valid reason whatsoever, Apple decided not to properly encrypt the file system until iOS 8.

Additionally, certain parts of the file system encryption can be unlocked using the escrowbag included with an iTunes pair record. If your device is seized at an airport along with your laptop, for example, the pair record on your desktop could be used to access data on your device. This is much more involved than it used to be, however, as iOS 7 and lower had a number of encryption backdoors that would allow someone to bypass the backup encryption on the device. Even though those "diagnostic services" *cough* have been closed, it's still possible to decrypt and harvest most third-party application data with that pair record, so long as the device has not been power cycled since the PIN/passcode was last typed in. This is why most agencies are now keeping devices powered on while they're transported back to forensics. iOS 8 devices can be upgraded to beta versions, which re-enable these encryption backdoors, and so if the investigating agent obtains the user's PIN or passcode, they could potentially dump all information from the device, even if backup encryption is enabled. Fortunately, upgrading to beta at least requires a reboot.
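
A toy model of the locker scheme described above, added here as an illustration and not taken from the original post or from Apple's implementation. HMAC-SHA256 and PBKDF2 stand in for the hardware AES key wrap, and the file names, PIN and class assignments are constructed.

```python
# Added illustration, not Apple's implementation: HMAC-SHA256 and PBKDF2 stand in
# for the hardware AES key wrap; file names and class assignments are constructed.
import hashlib
import hmac
import os

def kek(uid_key, pin=None):
    """Key-encryption key: hardware key alone, or hardware key combined with the PIN."""
    if pin is None:
        return hashlib.sha256(b"hw-only" + uid_key).digest()
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), uid_key, 10_000)

def _pad(k):
    return hmac.new(k, b"enc", hashlib.sha256).digest()

def _tag(k, ct):
    return hmac.new(k, b"mac" + ct, hashlib.sha256).digest()

def wrap(k, class_key):
    ct = bytes(a ^ b for a, b in zip(class_key, _pad(k)))
    return ct + _tag(k, ct)

def unwrap(k, blob):
    """Return the class key, or None if k is the wrong key (tag mismatch)."""
    ct, tag = blob[:32], blob[32:]
    if not hmac.compare_digest(tag, _tag(k, ct)):
        return None
    return bytes(a ^ b for a, b in zip(ct, _pad(k)))

def make_lockers(uid_key, pin):
    """Lockers A-C need the PIN; locker D (class 4) is wrapped with the hardware key only."""
    return {c: wrap(kek(uid_key, None if c == "D" else pin), os.urandom(32)) for c in "ABCD"}

def readable(files, lockers, uid_key, pin=None):
    """Files whose class key unwraps for someone with on-device access and this PIN (if any)."""
    keks = [kek(uid_key)] + ([kek(uid_key, pin)] if pin else [])
    opened = {c for c, blob in lockers.items() if any(unwrap(k, blob) for k in keks)}
    return sorted(f for f, c in files.items() if c in opened)

UID_KEY = os.urandom(32)                  # constructed stand-in for the device hardware key
LOCKERS = make_lockers(UID_KEY, "4821")   # constructed PIN
PRE_IOS8 = {"messages": "D", "photos": "D", "notes": "D", "mail": "A"}  # constructed mapping
IOS8 = {"messages": "C", "photos": "C", "notes": "C", "mail": "A"}      # constructed mapping

if __name__ == "__main__":
    print("pre-8, no PIN:", readable(PRE_IOS8, LOCKERS, UID_KEY))
    print("iOS 8, no PIN:", readable(IOS8, LOCKERS, UID_KEY))
    print("iOS 8, PIN   :", readable(IOS8, LOCKERS, UID_KEY, "4821"))
```

The same lockers give very different exposure depending only on which class the files are assigned to, which is the change the post attributes to iOS 8.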







