ElcomSoft Implements BFU Keychain Extraction from Locked and Disabled iPhones
ElcomSoft Co. Ltd. updates iOS Forensic Toolkit, the company’s mobile forensic tool for extracting data from a range of Apple devices. Version 5.21 adds partial extraction of iOS Keychain from select Apple devices running all versions of iOS from iOS 12 to iOS 13.3. Partial keychain extraction is now possible from disabled and locked iPhones in BFU (Before First Unlock) state even if the screen lock password is not known.
BFU keychain extraction is available on select Apple devices and requires installing the checkra1n jailbreak. Supported devices range from the iPhone 5s all the way up to the iPhone X, iPad models from iPad mini 2 to iPad Pro 10.5 and the new iPad (2018).
BFU stands for “Before First Unlock”. BFU devices are phones that have been powered off or rebooted and have not been unlocked since, not even once, by entering the correct screen lock passcode.
In Apple’s world, the content of the iPhone remains securely encrypted until the moment the user taps in their screen lock passcode. The screen lock passcode is required by Secure Enclave to produce the encryption key, which in turn is used to decrypt the iPhone’s file system. In other words, almost everything inside the iPhone remains encrypted until the user unlocks it with their passcode after the phone starts up.
It is the “almost” part of that “everything” that ElcomSoft iOS Forensic Toolkit targets. The company has found that certain data is available on iOS devices even before the first unlock. In particular, some keychain items containing authentication credentials for email accounts and a number of authentication tokens are available before first unlock so that the iPhone can start up correctly before the user enters the passcode.
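Which keychain records are reachable before the first unlock is decided by the accessibility class an app assigned to each item. The page does not name those classes, so the following Swift snippet is an added example, not ElcomSoft's or Apple's code: it stores a credential with a class whose key is only unwrapped while the device is unlocked, and audits an app's existing items for classes that are readable without that unlock. `storeCredential`, `itemsReadableWithoutUnlock` and `ExposedItem` are hypothetical names; the class semantics follow Apple's Keychain Services documentation.

```swift
import Foundation
import Security
// Apple's keychain accessibility classes: "Always" items are readable on a BFU
// device; "AfterFirstUnlock" items once the device has been unlocked since boot
// (AFU); "WhenUnlocked" items only while the device is unlocked.
let classesReadableBeforeFirstUnlock: Set<String> = [
    kSecAttrAccessibleAlways as String,              // deprecated, still honoured
    kSecAttrAccessibleAlwaysThisDeviceOnly as String,
]
let classesReadableAfterFirstUnlock: Set<String> = [
    kSecAttrAccessibleAfterFirstUnlock as String,
    kSecAttrAccessibleAfterFirstUnlockThisDeviceOnly as String,
]
struct ExposedItem { let service: String; let account: String; let accessibility: String }

/// Store a credential (hypothetical helper) so that its class key is only
/// unwrapped while the device is unlocked, and never migrates to another device.
func storeCredential(service: String, account: String, secret: Data) -> OSStatus {
    let item: [String: Any] = [
        kSecClass as String: kSecClassGenericPassword,
        kSecAttrService as String: service,
        kSecAttrAccount as String: account,
        kSecValueData as String: secret,
        kSecAttrAccessible as String: kSecAttrAccessibleWhenUnlockedThisDeviceOnly,
    ]
    SecItemDelete(item as CFDictionary)   // replace any earlier copy of the item
    return SecItemAdd(item as CFDictionary, nil)
}

/// Audit (hypothetical helper): list this app's generic-password items whose
/// protection class leaves them readable from a BFU or AFU device.
func itemsReadableWithoutUnlock() -> [ExposedItem] {
    let query: [String: Any] = [
        kSecClass as String: kSecClassGenericPassword,
        kSecReturnAttributes as String: true,
        kSecMatchLimit as String: kSecMatchLimitAll,
    ]
    var result: CFTypeRef?
    guard SecItemCopyMatching(query as CFDictionary, &result) == errSecSuccess,
          let items = result as? [[String: Any]] else { return [] }
    return items.compactMap { attrs -> ExposedItem? in
        let klass = attrs[kSecAttrAccessible as String] as? String ?? ""
        guard classesReadableBeforeFirstUnlock.contains(klass)
           || classesReadableAfterFirstUnlock.contains(klass) else { return nil }
        return ExposedItem(service: attrs[kSecAttrService as String] as? String ?? "",
                           account: attrs[kSecAttrAccount as String] as? String ?? "",
                           accessibility: klass)
    }
}
```

Run the audit from the app on a test device; any item it reports is one that a passcode-independent extraction of the kind described above could recover, and should be moved to a "WhenUnlocked" class unless the app genuinely needs it before the user unlocks.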
Partial Keychain Extraction from BFU iPhones
For the first time, iOS Forensic Toolkit 5.21 enables forensic extraction of iOS Keychain from BFU (Before First Unlock) devices, as well as for locked devices with unknown screen lock passcode.
Compared to unlocked extraction, the new BFU extraction mode can only unlock a limited number of keychain records. In particular, records with authentication credentials for some email accounts and a number of authentication tokens can be extracted.
Accessing the keychain in BFU mode requires installing the checkra1n jailbreak, which targets vulnerabilities in the Apple bootrom. The jailbreak is installed via DFU mode and is available for all compatible devices regardless of their lock state or BFU/AFU status.