-Turn on Optimize Storage for Photos so that older media will offload data and only keep a thumbnail on the device. This may only occur when storage reaches its capacity, but it's random atp.
-Ensure recently deleted messages/photos are always cleared as soon as possible. When you delete a photo or message it goes to the Recently Deleted tab. You need to clear this or it can still be found in most cases.
Also, if you install the Actions app and then restart your phone, you can make annoying shortcuts like this. Idk if the Shortcuts app can be locked or hidden, but this will def be funny to annoy them lol.
There are tons of things that are directly and indirectly confirmed about the capabilities of forensic tools that typically are the goldmine in legal cases. The chats are just the source. My tutorial is the secret Lazza. The average Joe thinks only big companies and schools can do MDM related things. But you can make your personal PC the new "IT" department in this tutorial, getting rid of that IT department bypass and making MDM stronger.
Android is used by many phone brands so that would be very difficult since they each have their separate list of vulnerabilities even when you configure the security settings and MDM. The tutorial would probably still only apply to a Pixel device in which GrapheneOS is your best option.
Thank you. However, it appears that MDM may only hinder enterprise collection efforts. Unfortunately, despite the quality of your recommendations, it won't be able to prevent an AFU collection by Cellebrite Premium or CAS according to Cellebrite Premium July 2024 documentation - GrapheneOS Discussion Forum
This guide turns your device into an enterprise device, which will require enterprise collection. The Cellebrite support matrix doesn't imply they unlocked or extracted a device with proper roadblocks in place. The average Joe isn't using the roadblocks I mentioned. Don't take my word for it, take it from Cellebrite themselves. We disabled Control Center access on the lock screen, which was mentioned by a Cellebrite YouTube channel to be a prerequisite for AFU extraction. This could have changed though. Additionally, AFU exploits are only possible because most apps use the ProtectedUntilFirstUserAuthentication data protection class, which doesn't remove the decrypted class key from memory until a reboot.
Interesting old CVE I found. The extra mdm payloads I listed would still defeat this though like allowAppInstallation. Lockdown mode also blocks configuration profiles from being configured too. Keep your device up-to-date (model and iOS).
What would you suggest for the Pixel? I have several, not all are using GrapheneOS right now. I want to switch but have other pressing privacy concerns that take priority.
Cellebrite Enterprise utilizes the iOS backup service for extraction, which is blocked by MDM. In contrast, Cellebrite Premium and CAS employ zero-day exploits for extraction, meaning they do not depend on the iOS backup service and are likely unaffected by MDM.
I've seen the same Control Center video. However, I believe the reference to the Control Center is simply to distinguish between AFU and DFU for those who may not be familiar with the terms, and it doesn't necessarily indicate a bug within the Control Center itself. It's more probable that the issue lies with the USB controller, specifically a bug that bypasses USB Restricted Mode and another LPE bug that allows access to the file system.
That's correct. However, very few apps utilize NSFileProtectionComplete, which would prevent AFU extraction. Even Signal employs NSFileProtectionCompleteUntilFirstUserAuthentication for its database, allowing AFU to extract the entire chat history from Signal.
Additionally, https://grapheneos.social/system/media_attachments/files/112/462/760/076/651/069/original/abb6bfdb2d3cbc6a.png reveals that Cellebrite Premium features IPR (Instant Passcode Recovery). This indicates that Cellebrite possesses a zero-day exploit to extract RAM data, allowing it to not only circumvent MDM but also access NSFileProtectionComplete files, because the clear text passcode can be retrieved directly from RAM. Fortunately, the effectiveness of the IPR capability is limited by the time since the last passcode entry, likely because of RAM being overwritten.
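To make the data protection class distinction above concrete, here is an added example that is not from any poster in this thread. It is iOS app code (Foundation's file protection attributes are no-ops on macOS and Linux); the `ProtectionAudit` type and its function names are my own invention. It writes one file under NSFileProtectionComplete and one under the weaker NSFileProtectionCompleteUntilFirstUserAuthentication class that most apps default to, then audits a directory for files whose class is weaker than Complete, which is what a developer would run to find data that stays decryptable in the AFU state.

```swift
import Foundation

/// Hypothetical helper (added example): demonstrates and audits iOS data
/// protection classes. Only meaningful inside an iOS app sandbox.
enum ProtectionAudit {
    /// NSFileProtectionComplete: the per-class key is evicted from memory
    /// whenever the device locks, so the file is unreadable in the AFU state.
    static func writeComplete(_ data: Data, to url: URL) throws {
        try data.write(to: url, options: [.completeFileProtection, .atomic])
    }

    /// NSFileProtectionCompleteUntilFirstUserAuthentication: readable after
    /// the first unlock until reboot. This is the class the thread says most
    /// apps (including Signal's database) use, and what AFU extraction relies on.
    static func writeUntilFirstAuth(_ data: Data, to url: URL) throws {
        try data.write(to: url,
                       options: [.completeFileProtectionUntilFirstUserAuthentication, .atomic])
    }

    /// Upgrade an existing file's class in place (the per-file key is re-wrapped
    /// under the stronger class key).
    static func upgradeToComplete(_ url: URL) throws {
        try FileManager.default.setAttributes(
            [.protectionKey: FileProtectionType.complete],
            ofItemAtPath: url.path)
    }

    /// Walk `dir` and return every regular file whose protection class is not
    /// NSFileProtectionComplete, together with the class that was found
    /// (nil when the attribute is absent, e.g. on a non-iOS filesystem).
    static func filesWeakerThanComplete(in dir: URL) throws -> [(URL, String?)] {
        let fm = FileManager.default
        var weak: [(URL, String?)] = []
        guard let walker = fm.enumerator(at: dir,
                                         includingPropertiesForKeys: [.isRegularFileKey]) else {
            return weak
        }
        for case let url as URL in walker {
            let isFile = (try? url.resourceValues(forKeys: [.isRegularFileKey]))?.isRegularFile ?? false
            guard isFile else { continue }
            // The attribute value is bridged as a String holding the
            // NSFileProtection* constant.
            let cls = try fm.attributesOfItem(atPath: url.path)[.protectionKey] as? String
            if cls != FileProtectionType.complete.rawValue {
                weak.append((url, cls))
            }
        }
        return weak
    }
}

// Constructed demonstration: two files, one per class, then an audit.
let dir = FileManager.default.temporaryDirectory.appendingPathComponent("protection-demo")
try FileManager.default.createDirectory(at: dir, withIntermediateDirectories: true)
try ProtectionAudit.writeComplete(Data("locked-when-locked".utf8),
                                  to: dir.appendingPathComponent("secret.db"))
try ProtectionAudit.writeUntilFirstAuth(Data("readable-in-AFU".utf8),
                                        to: dir.appendingPathComponent("cache.db"))

// On a real iOS device this lists cache.db only; upgrading it removes the finding.
for (url, cls) in try ProtectionAudit.filesWeakerThanComplete(in: dir) {
    print("weaker than Complete:", url.lastPathComponent, cls ?? "<no attribute>")
    try ProtectionAudit.upgradeToComplete(url)
}
```

Note that NSFileProtectionComplete files also become unreadable to the app itself while the device is locked, so background work that touches them needs to handle the resulting read errors or use `completeFileProtectionUnlessOpen` for files held open across a lock.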
Wonderful! Seems like the most comprehensive and practical guide I've recently seen. Can you also write one for Android phones? Other than about GrapheneOS, which is limited to Pixel phones.
All FFS extractions on A12+ require sideloading an agent (app) to the device. This applies to all forensic vendors and can be easily verified by reading here. That app cannot be installed if you follow this tutorial.
This tutorial is mainly for BFU/FFS. Putting your phone in BFU is the easiest thing ever to do. Your phone is literally always on your person. AFU has too many unknowns about it. If AFU/BFU still requires sideloading that "agent", then this tutorial defeats it. If it doesn't, then turning off your phone is mandatory to prevent sensitive data from being extracted. Unless there is a new undisclosed jailbreak on the loose. Keep in mind, these forensic companies have lots of money, and hiring a well-known jailbreak dev (like Cellebrite did) and keeping them hush wouldn't be hard.
This is why I personally like the modern iPhone + GrapheneOS combo. Use iPhone for casual texting, business stuff, gmail, apps not supported by Graphene. Use GrapheneOS for social media, password managers, proton suite, etc.
Given the extensive chat log, could you please specify where it mentions that 1. an agent is necessary and 2. that MDM can prevent the installation of such an agent, even when using Cellebrite Premium or CAS? I contend that MDM is merely a UI block and can be easily circumvented by Cellebrite Premium or CAS. They can evidently bypass the USB restricted mode and bypass the manual approval required to trust an enterprise or side-loaded app, which is typically needed in the user interface if installed normally.
I believe Cellebrite possesses several local privilege escalation (LPE) zero-day vulnerabilities that allow them to gain AFU access. While they may not be able to achieve a complete jailbreak with these zero-days, they can obtain enough privileges to access the file system.
I completely agree. My responses are not intended as a criticism of your hardening recommendations; in fact, I think they are excellent. My comments are aimed at the overall security of the iPhone. Based on the evidence, I believe that no amount of hardening can fully prevent Cellebrite Premium or CAS. However, this hardening does effectively protect against Cellebrite Enterprise, Cellebrite UFED, and similar tools.
It's because AFU states are insecure by definition. Honestly, turning off your phone is almost always possible in any case unless you suddenly get shot by police, etc.