Hardening modern iPhone against forensic tools

You could also use DivestOS if GrapheneOS has ended support for the Pixel 4+ devices, and, like many people, if you're on the Apple ecosystem, then either the iPhone SE 3rd Gen or an iPad 10th Gen.

I am not too familiar with Windows pre-boot chain. Does it employ anything to prevent brute forcing of the pin?

I totally agree. But it's an attack vector people do need to be aware of. The guide given above ensures your iPhone becomes hard to penetrate, which means your PC is now the weakest link in the security chain. Maybe you can add recommendations for securing MacBooks or Windows laptops against it.

Sure. I was thinking more about if the phone is snatched from your hand before you can do anything. Then the only thing between general access to apps and attackers would be Face ID, right? Is there a way to use a PIN to lock apps securely, separately from the device lock? Kinda like individual encryption passwords for each app?

And secure enclave exploits too right? I do remember reading secure enclave was broken once before. Maybe I’m misremembering.

Thanks again for answering, and the well detailed guide :slight_smile:

Yes, it has anti-hammering to prevent brute forcing of the PIN. If you have a 6-digit PIN, my estimate is it will take over 225 years to guess every option.

For example, when BitLocker is used with a TPM + PIN configuration, the number of PIN guesses is limited over time. A TPM 2.0 in this example could be configured to allow only 32 PIN guesses immediately, and then only one more guess every two hours. This totals a maximum of about 4,415 guesses per year. If the PIN is four digits, all 9999 possible PIN combinations could be attempted in a little over two years.


Ah interesting then. I guess the pre-boot attack vectors left would be more complicated now and require physical tampering (bypassing the element throttling the pin attempts, social engineering, etc.). Still, makes me uncomfortable to attach iOS security (which is great) to desktop security (which is a lot more susceptible from hardware to user space). Thanks again for the answers!

Could you please upload the PDF again? It appears to be unavailable.

Here

Can we have a similar guide for stock Android?


Updates 10/11/24:

-Turn on Optimize Storage for photos so that older media will offload data and only keep a thumbnail on the device. This may only occur when storage reaches its capacity, but it's random at this point.

-Ensure recently deleted messages/photos are always cleared as soon as possible. When you delete a photo or message, it goes to the Recently Deleted tab. You need to clear this or it can still be found in most cases.

Forgot about these two MDM payloads.


They found meh lol.

Also, if you install the Actions app then restart your phone, you can make annoying shortcuts like this. Idk if the Shortcuts app can be locked or hidden, but this will def be funny to annoy them lol.


There are tons of things that are directly and indirectly confirmed about the capabilities of forensic tools, which typically are the goldmine in legal cases. The chats are just the source. My tutorial is the secret Lazza :roll_eyes:. The average Joe thinks only big companies and schools can do MDM-related things. But you can make your personal PC the new "IT department" with this tutorial, getting rid of that IT department bypass and making MDM stronger.

Android is used by many phone brands, so that would be very difficult since they each have their separate list of vulnerabilities even when you configure the security settings and MDM. The tutorial would probably still only apply to a Pixel device, for which GrapheneOS is your best option.


Interesting posts I came across :thinking:

Thank you. However, it appears that MDM may only hinder enterprise collection efforts. Unfortunately, despite the quality of your recommendations, it won’t be able to prevent an AFU collection by Cellebrite Premium or CAS according to Cellebrite Premium July 2024 documentation - GrapheneOS Discussion Forum

This guide turns your device into an enterprise device, which will require enterprise collection. The Cellebrite support matrix doesn't imply they unlocked or extracted a device with proper roadblocks in place. The average Joe isn't using the roadblocks I mentioned. Don't take my word for it, take it from Cellebrite themselves. We disabled Control Center access on the lock screen, which was mentioned by a Cellebrite YouTube channel to be a prerequisite for AFU extraction. This could have changed though. Additionally, AFU exploits are only possible because most apps use the ProtectedUntilFirstUserAuthentication data protection class, which doesn't remove the decrypted class key from memory until a reboot.

Interesting old CVE I found. The extra MDM payloads I listed would still defeat this though, like allowAppInstallation. Lockdown Mode also blocks configuration profiles from being configured. Keep your device up-to-date (model and iOS).
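As an added example (not code from the tutorial above, from Apple, or from any MDM vendor): a Python script that builds a restrictions plus passcode configuration profile carrying the roadblocks discussed in this thread (allowAppInstallation, no Control Center on the lock screen, USB Restricted Mode kept on, encrypted backups only, wipe after too many failed passcodes) with only the standard library, and an audit function that checks an existing .mobileconfig for those same settings. Assumptions: the payload keys are Apple's documented Restrictions (com.apple.applicationaccess) and Passcode (com.apple.mobiledevice.passwordpolicy) payload keys; the PayloadIdentifier, PayloadUUID and organization values are placeholders; the output is an unsigned profile, and the supervised-only keys (allowAppInstallation, allowEnterpriseAppTrust, allowUSBRestrictedMode, PayloadRemovalDisallowed) only take effect when the profile is delivered through MDM or Apple Configurator to a supervised device. The weakened profile at the end is constructed here to show what the audit reports.

```python
import plistlib
import uuid

RESTRICTIONS_TYPE = "com.apple.applicationaccess"
PASSCODE_TYPE = "com.apple.mobiledevice.passwordpolicy"

# Restrictions payload keys and the value each must hold. Several of these are
# honored only on supervised devices (assumption: Apple's documented key names).
REQUIRED_RESTRICTIONS = {
    "allowAppInstallation": False,                     # no App Store installs, no sideloaded "agent"
    "allowEnterpriseAppTrust": False,                  # cannot trust an enterprise-signed app
    "allowUIConfigurationProfileInstallation": False,  # profiles only via MDM, not by hand
    "allowLockScreenControlCenter": False,             # Control Center hidden while locked
    "allowUSBRestrictedMode": True,                    # USB accessories stay blocked when locked
    "forceEncryptedBackup": True,                      # any local backup must be encrypted
}

# Passcode payload settings the audit checks for.
REQUIRED_PASSCODE = {
    "forcePIN": True,
    "allowSimple": False,     # no repeating or sequential codes
    "minLength": 6,           # audited as "at least"
    "maxFailedAttempts": 10,  # audited as "at most"; device is erased once exceeded
}


def _payload(payload_type, content):
    """Wrap payload settings with the common keys every payload dictionary needs."""
    payload = {
        "PayloadType": payload_type,
        "PayloadVersion": 1,
        "PayloadIdentifier": f"example.hardening.{payload_type}",  # placeholder
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": payload_type,
    }
    payload.update(content)
    return payload


def build_profile(organization="Example Org"):
    """Return the top-level profile dictionary with both payloads attached."""
    return {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": "example.hardening",  # placeholder identifier
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Forensic hardening (example)",
        "PayloadOrganization": organization,
        "PayloadRemovalDisallowed": True,  # only the MDM can remove it (supervised)
        "PayloadContent": [
            _payload(RESTRICTIONS_TYPE, REQUIRED_RESTRICTIONS),
            _payload(PASSCODE_TYPE, REQUIRED_PASSCODE),
        ],
    }


def to_mobileconfig(profile):
    """Serialize to the XML plist bytes an (unsigned) .mobileconfig file contains."""
    return plistlib.dumps(profile, fmt=plistlib.FMT_XML)


def audit(mobileconfig_bytes):
    """Check a profile for the roadblocks; returns a list of findings, empty when all are present."""
    profile = plistlib.loads(mobileconfig_bytes)
    findings = []
    by_type = {}
    for payload in profile.get("PayloadContent", []):
        by_type.setdefault(payload.get("PayloadType"), {}).update(payload)

    if not profile.get("PayloadRemovalDisallowed"):
        findings.append("PayloadRemovalDisallowed should be True")

    restrictions = by_type.get(RESTRICTIONS_TYPE)
    if restrictions is None:
        findings.append("missing Restrictions payload")
    else:
        for key, want in REQUIRED_RESTRICTIONS.items():
            have = restrictions.get(key)
            if have != want:
                findings.append(f"{key} should be {want}, found {have!r}")

    passcode = by_type.get(PASSCODE_TYPE)
    if passcode is None:
        findings.append("missing Passcode payload")
    else:
        if not passcode.get("forcePIN"):
            findings.append("forcePIN should be True")
        if passcode.get("allowSimple", True):  # Apple's default when absent is True
            findings.append("allowSimple should be False")
        if passcode.get("minLength", 0) < REQUIRED_PASSCODE["minLength"]:
            findings.append(f"minLength should be at least {REQUIRED_PASSCODE['minLength']}")
        attempts = passcode.get("maxFailedAttempts")
        if attempts is None or attempts > REQUIRED_PASSCODE["maxFailedAttempts"]:
            findings.append(f"maxFailedAttempts should be set, at most {REQUIRED_PASSCODE['maxFailedAttempts']}")
    return findings


def weakened_profile():
    """Constructed weak variant: sideloading re-enabled and no erase-after-N-failures."""
    profile = build_profile()
    profile["PayloadContent"][0]["allowAppInstallation"] = True
    del profile["PayloadContent"][1]["maxFailedAttempts"]
    return profile


if __name__ == "__main__":
    print("hardened:", audit(to_mobileconfig(build_profile())))      # []
    print("weakened:", audit(to_mobileconfig(weakened_profile())))   # two findings
```

To inspect a profile you already have, call audit() on the file's bytes; a profile that passes still says nothing about which data protection class each installed app chose for its own files, which is a separate question raised later in this thread.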

What would you suggest for the Pixel? I have several, not all are using Graphene OS right now. I want to switch but have other pressing privacy concerns that take priority

Why not recommend storing in a password manager instead?

Cellebrite Enterprise utilizes the iOS backup service for extraction, which is blocked by MDM. In contrast, Cellebrite Premium and CAS employ zero-day exploits for extraction, meaning they do not depend on the iOS backup service and are likely unaffected by MDM.

I've seen the same Control Center video. However, I believe the reference to the Control Center is simply to distinguish between AFU and DFU for those who may not be familiar with the terms, and it doesn't necessarily indicate a bug within the Control Center itself. It's more probable that the issue lies with the USB controller, specifically a bug that bypasses USB Restricted Mode and another LPE bug that allows access to the file system.

That’s correct. However, very few apps utilize NSFileProtectionComplete, which would prevent AFU extraction. Even Signal employs NSFileProtectionCompleteUntilFirstUserAuthentication for its database, allowing AFU to extract the entire chat history from Signal.

Additionally, https://grapheneos.social/system/media_attachments/files/112/462/760/076/651/069/original/abb6bfdb2d3cbc6a.png reveals that Cellebrite Premium features IPR (Instant Passcode Recovery). This indicates that Cellebrite possesses a zero-day exploit to extract RAM data, allowing it to not only circumvent MDM but also access NSFileProtectionComplete files, because the clear text passcode can be retrieved directly from RAM. Fortunately, the effectiveness of the IPR capability is limited by the time since the last passcode entry, likely because of RAM being overwritten.

Wonderful! Seems like the most comprehensive and practical guide I've recently seen. Can you also write one for Android phones? Other than about GrapheneOS, which is limited to Pixel phones.

All FFS extractions on A12+ require sideloading an agent (app) to the device. This applies to all forensic vendors and can be easily verified by reading here. That app cannot be installed if you follow this tutorial.


This tutorial is mainly for BFU/FFS. Putting your phone in BFU is the easiest thing ever to do. Your phone is literally always on your person. AFU has too many unknowns about it. If AFU/BFU still requires sideloading that "agent", then this tutorial defeats it. If it doesn't, then turning off your phone is mandatory to prevent sensitive data from being extracted. Unless there is a new undisclosed jailbreak on the loose. Keep in mind, these forensic companies have lots of money, and hiring a well-known jailbreak dev (like Cellebrite did) and keeping them hush wouldn't be hard.

This is why I personally like the modern iPhone + GrapheneOS combo. Use iPhone for casual texting, business stuff, gmail, apps not supported by Graphene. Use GrapheneOS for social media, password managers, proton suite, etc.

I thought iPhones were already resistant to extraction in BFU, and FFS requires them to be unlocked already.