Hardening modern iPhone against forensic tools

GrapheneOS seems to resist AFU extraction

The USB bypass is possible due to Apple not actually doing what is advertised, unlike GrapheneOS. They likely still allow some sort of connection that these “adapters” can spoof themselves as. My Magic Keyboard still works in BFU + Lockdown Mode but I don’t know if that’s intended or not. These screenshots also back up this theory.


Hopefully we find more AFU limitations in the future and Apple fixes its lousy USB Restricted Mode.

Just from the screenshot it isn’t clear if that iPhone is in BFU or AFU. It is also unknown if it has USB Restricted Mode enabled or if the unlock attempt was ever eventually successful.

We do know Major Adam’s phone remains locked. 🤷

Not necessarily. It’s pretty much always going to be less secure but not inherently insecure.

Not always going to be possible especially if you’re in distress. GrapheneOS has an auto reboot feature for this reason; it just needs to hold out in AFU long enough for auto reboot to kick in.

“Also using Graykey 5.2.0 and it doesn’t even recognize that a device gets plugged into it to even do a BFU or an initial device identify.”

He got DMs stating that he needs a new adapter, from people with direct knowledge about these tools, not internet scavengers like me.

Considering the USB setting is enabled by default on newer iOS, chances are like 80/20 that it was enabled.

This screenshot from a Cellebrite employee makes me wonder if USB-C added some limitations to their capabilities, because it seems like the Lightning connectors gave them no issue at all. The police officer also says Cellebrite Inseyets UFED documents refer to “locked USB-C” devices as unsupported, but this has never been a problem before.

I suspect that the challenge lies more with Cellebrite’s engineering. Since Cellebrite CAS can bypass the USB-C restricted mode and perform AFU without any problems, I think they are simply delayed in implementing and rolling out this exploit across their Cellebrite Premium boxes, especially given the different variants of Cellebrite Premium boxes they need to support. Essentially, even the USB-C iPhone can be AFU extracted; it’s only a matter of time before all Cellebrite Premium boxes are capable of doing the same.

Thank you for your meticulous post. Do you think about converting it to a blog post, maybe?

iOS 18 and higher introduced an inactivity reboot timer that sends your device back to BFU after a certain number of days. This is why keeping your phone up to date is important!
Apple Quietly Introduced iPhone Reboot Code Which is Locking Out Cops


I kinda just keep replying to this with new info I gather.


Video of iPhone running iOS 18.2 beta 2 rebooting after 72 hours of not being unlocked.

Update on inactivity reboot by Magnet Forensics


Apparently the Graykey support matrix has been leaked. Standing by for now…

Is access to Control Center still a requirement for AFU extraction?

I’m not sure. On my phone I turn off everything from showing on lock screen in case any of the settings are vulnerable.


This is the most sensible approach. We can/will never know the complete capabilities of all actors.

As I suggested earlier, the Graykey support matrix leaked.

iPhone: Graykey-iPhone.xlsx - Google Sheets

iPhone (Backup): https://files.catbox.moe/pal7dn.xlsx

Android: Graykey-Android.xlsx - Google Sheets

Android (Backup): https://files.catbox.moe/fsinh5.xlsx

I don’t get it. There is Full, Consent, Partial, Partial BFU and None.

Full means they can get all data encrypted with the user password in AFU, probably parts from BFU diagnostics and brute force. They can possibly extract data in any state. Does Full mean full data in any state, including BFU? They have Full for the iPhone 12 series up to early versions of iOS 17. That would mean they can extract full data from these even with the device powered off. They also have Full for old iPhones vulnerable to jailbreaking. For these iPhones, Full for sure means full data also with the device powered off (BFU).

Consent probably means with user password or some kind of authorization? They have Consent for iPhone 14 models on versions before iOS 17.6. They don’t have Consent on iPhone 15 models from 17.3.1. Does that mean they can’t even extract data with the user password? Or is Consent some kind of authorization? What does Consent mean? With the user password, full data is accessible. Does that mean they didn’t develop their tool to do an extraction on these versions?

They have Partial on iPhone 14 models from 17.6, as well as Partial on iPhone 15 models from 17.3.1 until 18.0.1; only from 18.1, which just came out, they don’t have anything for any device. Probably they will have Partial. What is Partial? Pre-boot diagnostics or more? Is it different per device and version? What more? They also list Partial BFU on some older devices, so is there a difference between Partial and Partial BFU? Is Partial more than Partial BFU, or is it the same data they can get with Partial, only they can get it in BFU? Or does Partial even mean it’s not Full but only a part of it, like only AFU, no BF? What is Partial? Partial data extracted without being able to get into the user password encrypted data, or only a part of Full methods?


My guess is this:

Full = AFU, BFU, Bruteforce Support, Can Bypass Almost All Countermeasures
Full + AFU = Full + AFU can obtain a near full file system extraction from lockscreen.
Partial = No bruteforce, BFU/AFU capable
Partial AFU = Access to files with NSFileProtectionCompleteUntilFirstUserAuthentication protection level (pretty much everything) and access to keychain files with kSecAttrAccessibleAlways/kSecAttrAccessibleAfterFirstUnlock.
Partial BFU = System data, general device info, OS files, files protected with NSFileProtectionNone class, random thumbnails, access to keychain files with kSecAttrAccessibleAlways.
Consent = No data without passcode

But it only says Partial in the table no matter if they can get user password encrypted data AFU or only system data BFU. That’s a huge difference. That makes the table pretty confusing and doesn’t really tell

I didn’t look at the Android table.

Shouldn’t they always be able to get some diagnostics system data like Apple does? Is that Partial BFU? If yes, you wouldn’t wanna have Partial in the table there but Consent when they can’t get any meaningful data. Why even have Partial there if all they are able to do is run Apple diagnostics and get some system data? That’s misleading.

Can you explain what you wrote in Partial AFU? NSFileProtectionCompleteUntilFirstUserAuthentication: what exactly does this do? Does it leave parts of the file system unencrypted when locked? It should still be encrypted unless they can get hold of the keys in RAM. And then they can do a full file system extraction of everything that’s encrypted with the user password. Where did you get that from?

Guess NSFileProtectionCompleteUntilFirstUserAuthentication is the user password encrypted data. This is pretty much everything except health data and probably significant locations. For app data it depends on the encryption level the developer has set.
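The two posts above (the guessed Partial AFU / Partial BFU breakdown and the remark that app data depends on the protection class the developer picks) come down to which Data Protection class a file or keychain item is written with. As an added illustration that is not from the original thread, the Swift below stores a file with NSFileProtectionComplete and a keychain item with kSecAttrAccessibleWhenUnlockedThisDeviceOnly, so the data is only available while the device is unlocked, not merely AFU; the service/account names and file path are made up for the example.

```swift
import Foundation
import Security

/// Write app data so its class key is evicted whenever the device locks
/// (NSFileProtectionComplete), rather than the default
/// NSFileProtectionCompleteUntilFirstUserAuthentication, which stays
/// readable for the whole AFU window.
func writeLockedFile(_ data: Data, to url: URL) throws -> FileProtectionType? {
    try data.write(to: url, options: [.atomic, .completeFileProtection])
    // Read the attribute back so a reviewer can confirm the class actually applied.
    let attrs = try FileManager.default.attributesOfItem(atPath: url.path)
    return attrs[.protectionKey] as? FileProtectionType
}

/// Store a secret in the keychain with the strictest accessibility class.
/// kSecAttrAccessibleAlways (readable even BFU) is deprecated since iOS 12;
/// kSecAttrAccessibleAfterFirstUnlock is the AFU-readable class discussed above.
func storeLockedSecret(service: String, account: String, secret: Data) -> OSStatus {
    let query: [String: Any] = [
        kSecClass as String: kSecClassGenericPassword,
        kSecAttrService as String: service,
        kSecAttrAccount as String: account,
        kSecValueData as String: secret,
        // Unlocked-only, and not included in backups/migration to other devices.
        kSecAttrAccessible as String: kSecAttrAccessibleWhenUnlockedThisDeviceOnly,
    ]
    // Remove any older copy first so a stale, weaker accessibility class cannot linger.
    SecItemDelete(query as CFDictionary)
    return SecItemAdd(query as CFDictionary, nil)
}

// Example usage (names are placeholders for this illustration).
let tmp = FileManager.default.temporaryDirectory.appendingPathComponent("notes.bin")
if let cls = try? writeLockedFile(Data("example".utf8), to: tmp) {
    print("file protection class:", cls == .complete ? "complete" : cls.rawValue)
}
let status = storeLockedSecret(service: "example.app", account: "user", secret: Data("s3cret".utf8))
print("keychain add status:", status == errSecSuccess ? "ok" : String(status))
```

A file written this way is unreadable to the app itself while the device is locked, so it only suits data the app does not need in the background.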