Bypassing Locked Devices: Q&A from Cellebrite’s webinar

{195d00af-385d-48ae-8c04-032a86166edf}_bypassing_webinar_header

Last month we hosted two webinar sessions on “Bypassing Locked Devices”, led by Mr. Yuval Ben-Moshe, Cellebrite’s Senior Director for Forensic Technologies. In these sessions, Yuval presented the challenges and solutions to bypassing locked devices, including Cellebrite’s proprietary boot loaders among other methods used to tackle locked devices.

The webinar is available for viewing at the bottom of this post. Meanwhile, participants asked a number of good questions, which we’ve compiled in this blog—including some that we didn’t have time to answer during the webinar.

Note: If you don’t see your question answered below, please leave a comment at the end of this post!

Basics of mobile device user lock bypass

Q: Using the UFED, can you gain access to the phone where the wrong passcode has been entered too many times and is now locked?

A: This depends on the device and the locking mechanism used by it. If the device is supported by a boot loader or JTAG, than the data can be extracted regardless of any locking mechanism or the number of times a wrong password was used.

Q: How far off is user lock bypass support for iPhone 5 and Blackberry devices?

A: Forensic extraction of data from iPhone 5 is achievable using of the .plist file from the paired computer. With locked Blackberry, at this point in time, examiners must rely mainly on chip-off or JTAG methods for specific models.

Q: If the element file is deleted, will it affect the function of the original pattern passcode?

A: This question refers to a method called disabling. The device will remain in a lock disabled mode until a new password can be configured via the device’s set-up menus.

Q: If an extraction fails or is interrupted, can I still parse the extracted content if it is incomplete?

A: A physical extraction that was interrupted cannot be decoded, because a full binary image is required in order for the decoding to reconstruct the full file system.

Q: Can the UFED bypass iOS 7+ with a user lock and a SIM lock?

A: Bypassing locked devices depends on the device hardware and not the iOS version running on it. That is, if iOS 7 is running on iPhone 4, physical extraction is achievable; however, if iOS 7 is running on iPhone 4s or a newer model, than a .plist file is required to enable data extraction.

Q: If a device employs a biometric lock, how does the UFED tackle the lock?

A: Bypassing a biometric lock depends on the device model. For example, for the iPhone 5, the UFED can bypass the biometric lock using the .plist file.

Sync devices and .plist files

Q: The webinar presents the paired computer method for iOS devices showing the Windows 7 path on a PC. Is there a specific location path for Apple MAC computers?

A: The path for the .plist file on Mac computers is: ~/Library/Application Support/MobileSync/Backup/

Q: Does the .plist appear on the user’s iCloud?

A: The .plist file is used for the communication between the device and the computer; hence, it does not appear in the user’s iCloud data.

Q: How do you employ the .plist file?

A: The process of using the .plist file is very simple: UFED will automatically detect the iOS device as being locked and request the .plist file.

Boot loaders and clients

Q: Will injecting a client or boot loader lead to evidence tampering?

A: The boot loader is uploaded onto the device’s RAM and is then deleted when the device powers off or restarts. Therefore, it is does not tamper with the evidence. In contrast, a client may write some data onto the device’s flash memory, yet it is still considered a forensically sound process if the investigator specifically documents what was written and on which partition/folder.

Q: If an extraction fails, is the client left on the device?

A: In some cases, when the extraction is interrupted abruptly, the UFED may not have enough time to uninstall the client, and some files may be left on the device. In this case, UFED provides a specific function to delete the client. This capability is under the UFED ‘Device Tools’ menu.

Q: Does the UFED Classic include the boot loader function?

A: The UFED Classic is also capable of tackling locked devices. However, it may not support the latest modern devices due to technical limitations with hardware. It is highly recommended to trade up the UFED Classic for a more advanced model, such as the UFED Touch or UFED 4PC.

User locks on prepaid devices

Q: Can the UFED bypass disabled data ports in burner phones?  JTAG/chip-off are options, but unlocking with a manufacturer code is possible. Can you support unlocking burner phones?

A: The UFED is able to bypass the locking mechanism for many low-end phones, a.k.a “burner phones” using a boot loader. While JTAG and chip-off are valid options, we recommend you first try unlocking the device with a UFED, since these methods are more complicated, time-consuming, potentially destructive, and expensive.

Q: How does the UFED bypass a prepaid phone with a locked data port?

A: Bypassing a user lock depends on the device itself.  If the data port is disabled, then the JTAG or chip-off methods are applicable here.

View the full webinar below:

Leave a comment if you have a question that was not answered above, or in the webinar itself!