Regardless, it’s not really clear what’s meant by “Partial” for iPhones. The 404 article mentions Forbes, who say it includes “unencrypted files and some metadata, such as file sizes and folder structures”. Not clear to me what they mean by “unencrypted files” though.
Idk if “Full” necessarily means they can BF the device since they supported it for Pixel 8, and I think no one can BF Pixel 6+. It should refer to DE and CE.
NSFileProtectionCompleteUntilFirstUserAuthentication is used to protect the majority of things on an iPhone (SMS, photos, all the good stuff). It seems they can retrieve iOS memory, which explains why they have access to this data.
It’s mentioned in the iOS charts. BFU and AFU extractions are not gonna be that much different from what we have already seen with the checkm8 exploit, and you can just look at forensic experts explain what artifacts are available in the different states. Of course as iOS adds more features the amount of data could change. https://www.ijcse.com/docs/INDJCSE24-15-03-045.pdf
AFU = damn near everything
BFU = basic OS stuff, possibly a re-used password in keychain that could be the device passcode, insecure app data (Snapchat).
The word “partial” should be taken with a grain of salt as Graykey has always used this term for the past years. It literally just means it’s not a full file system not that a significant amount of data can’t be grabbed.
Some thoughts on afu
They are able to go around Apple’s USB restrictions and are doing some sort of side channel attacks. Modern Apple chips are by design prone to side channel attacks.
I imagine many lockscreen actions are happening without needing to handle user password protected data. An exploit is anything where they can somehow get the key from RAM, so any action you can do from the lockscreen that needs to handle user password protected data possibly makes that possible. Control Center seems very vulnerable. Apple has to build around that by not requiring any action to handle encrypted data in the first place, which is probably not possible for everything you wanna do from the lockscreen. There is one way from the encrypted side to the lockscreen, like widgets that get updated or notifications. Then there’s the other way around, like taking a photo on the lockscreen that gets pushed to your photos. Does that happen while locked, or does it get pulled from some place only after unlock? If you place interactive widgets in Today View on the lockscreen they can update, but you can’t interact with them unless you unlock the iPhone. Siri requires authentication to even attempt many actions.
All this could be circumvented by proper charge only usb restrictions?
How does iOS allow apps to have data available on BFU extraction outside NSFileProtectionCompleteUntilFirstUserAuthentication? How is Snapchat data available? How do you tell which apps handle it like Snapchat? That can’t be default behavior.
Is it likely that partial means afu not only bfu when on newer iPhones partial came available on newer iOS versions like from iOS 17.6 when before there was only consent in the graykey table?
iCloud backups are kinda useless. Most apps keep your data on their servers not locally. Photos and iMessages in the Cloud have their own thing. No one actually uses iCloud mail. Keychain is a golden ticket for forensic tools so shouldn’t be using it. iCloud drive??? These things are easily replaceable.
They also keep lots of forensic artifacts. This includes app data that may include cached messages/images, deleted iMessages, other remnants of deleted data, and more. Make it a habit to delete iCloud backups frequently after deleting data. Then if you want to continue using it, turn it back on afterwards. Never restore a device from an iCloud backup if you care about that previous data being fully gone. Just sign in to iCloud, download your old apps and continue about your day.
Do you have sources for any of your claims or are you just spreading FUD?
You fundamentally misunderstand how Keychain works. Keychain is always E2EE so no, it isn’t “a golden ticket for forensic tools.” You also can’t actually avoid using keychain because what it stores includes all sort of encryption keys which the system needs. What you mean is disabling iCloud backups of the Keychain, which, as I mentioned above, are E2EE.
As does every Wi-Fi enabled computer ever. Please don’t make this out to be some secret evil that people need to be concerned about. How would your computer be able to connect to a Wi-Fi network if it didn’t store the credentials?
Everything I post relates directly to the title and no other purpose. In order to defend yourself from forensic tools you must know exactly what they are able to do. My sources come from legal documents and the people who use these tools on a daily basis whether it be public or private chats. I combine information from different sources to come up with strategies.
Now I go look at a case where Signal messages were recovered and immediately know the FBI got it by using incoming notification remnants in the KnowledgeC and/or BIOME data. FBI recovers deleted texts showing chaos of bribe attempt in Feeding our Future trial | MPR News: "But Thompson writes that even though investigators could not find the complete set of messages between Farah and Shariff, FBI digital forensics experts recovered notifications of incoming messages to Shariff’s phone from Farah."
If your device is being extracted whatever tool they are using is the new “end” so end-to-end encryption won’t matter since they can locally get almost everything. This is why you must practice good data disposal techniques. Deleting apps frequently, factory resetting your phone to get rid of deleted data traces, deleting old icloud backups that contain deleted data, disappearing messages, etc.
Regarding the iOS keychain, it is most definitely a golden ticket for forensics. Some keychain entries can even be read on a cold device. That is one of the first things to get extracted lol. Obviously you can’t fully avoid it. If you turn off the iCloud backups it is still in use locally. That’s why I say in my post don’t use it for passwords and instead use a third party password manager that has good app security like Bitwarden.
When I said "Keychain is a golden ticket for forensic tools so shouldn’t be using it." this means you shouldn’t care about it being backed up to iCloud because you shouldn’t be willingly storing anything in it such as personal passwords or app PINs that correlate to your other PINs.
Very interesting I appreciate the in depth info. Is the recommendation then to use a third party password manager? I just use the default iCloud Keychain for everything honestly. How do you know if a third party password manager is storing everything properly?
I go by this rule. If there’s no public write-up of them doing it correctly, they aren’t doing it correctly. Your password manager should use the master password only and not biometrics. Then you should set the vault to auto lock in a very short timeframe. Why rely on your OS’s default password manager? That’s what the tools are attacking in the first place.
Example: the Credit Karma app on iOS uses a weak data protection class and its app PIN can be seen in a BFU keychain extraction (no password needed). If I also use this PIN for my iPhone unlock method, congratulations, I just gave the police all my data. What’s that saying? Don’t put all your eggs in one basket.
I still prefer 1password though. The travel mode feature is probably best privacy feature to exist.
For location caching, does clearing or disabling “Significant Locations” mitigate this?
For KnowledgeC and BIOME data, with the 28-to-30-day expiration, it seems to me the only protection would be BFU. Would be interesting to know more of what is contained in that dataset; it looks extensive.
Does disabling “text previews” in the app mitigate?
Cold how? As in BFU?
Can you be more specific about what is bad about iOS keychain? (Ability to extract in BFU)
Significant locations are derived from com.apple.routined/Cache.sqlite/ZRTCLLOCATIONMO. This is usually used to map where a suspect was (murder, robbery, etc.) I don’t think clearing significant locations would just wipe this entire database.
KnowledgeC and BIOME data contain user activity information stored in a specific file format. It is used to track and analyze how users interact with their devices, including app usage, screen time, location data, Siri interactions, and other system activities. A quick Google search will tell you more.
I can only vouch for Signal with “no name or content” notification setting. I’m not sure on the effectiveness of “hide previews” in iOS settings.
Cold device = BFU. BFU is the best bet for an iPhone. Deleted iMessages/SMS/MMS are written to a database independent of sms.db, so it is important your password is strong enough to last the 28-30 days in which the BIOME data will auto clear.
Certain data from applications/system are available in a BFU state
Anything with kSecAttrAccessibleAlways can be seen BFU and will be extracted.
Anything with kSecAttrAccessibleAfterFirstUnlock can be seen in AFU extraction (most things).
Some apps apply additional protection to conceal sensitive data but with local access the opportunities are endless and you must practice the techniques I list to stay safe.
For stolen device protection, require security delay should be set to always.
Unlike GrapheneOS, iPhones are prone to shoulder surfing attacks. You should configure an MDM payload that forces you to change your passcode every x days and lower the max failed attempts to your liking.
We constantly have to type our passwords though. My Face ID glitches so much in my pocket. Don’t forget some people re-use their 4-6 digit PINs on apps within iOS itself. They should instead protect the app with the require Face ID option and leave it PIN-less. Keep the PINs away from the keychain!!!
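As an added illustration of the protection classes discussed above (kSecAttrAccessibleAlways / AfterFirstUnlock for keychain items, and the default NSFileProtectionCompleteUntilFirstUserAuthentication for files), here is a Swift snippet that is not from this thread or from any app named in it: it writes a file with the stricter complete-protection class, stores a keychain item with kSecAttrAccessibleWhenUnlockedThisDeviceOnly, and reads an item's accessibility attribute back so an app reviewer can spot items that landed in a BFU/AFU-readable class. The service and account strings are placeholders.

```swift
import Foundation
import Security

// Write a file so it is readable only while the device is unlocked.
// The default class (CompleteUntilFirstUserAuthentication) keeps the file
// readable for the whole AFU window; .completeFileProtection does not.
func writeProtected(_ data: Data, to url: URL) throws {
    try data.write(to: url, options: [.atomic, .completeFileProtection])
}

// Base query identifying one generic-password item (placeholder names).
private func itemQuery(account: String, service: String) -> [String: Any] {
    return [
        kSecClass as String: kSecClassGenericPassword,
        kSecAttrService as String: service,
        kSecAttrAccount as String: account,
    ]
}

// Store a secret (e.g. an app PIN) with a class that is neither
// kSecAttrAccessibleAlways (readable BFU) nor AfterFirstUnlock (readable AFU).
// WhenUnlockedThisDeviceOnly: readable only while unlocked, and never
// included in backups or iCloud Keychain sync.
func storeSecret(_ secret: Data, account: String, service: String) -> OSStatus {
    let base = itemQuery(account: account, service: service)
    SecItemDelete(base as CFDictionary) // replace any existing item
    var add = base
    add[kSecAttrAccessible as String] = kSecAttrAccessibleWhenUnlockedThisDeviceOnly
    add[kSecValueData as String] = secret
    return SecItemAdd(add as CFDictionary, nil)
}

// Audit helper: return the accessibility class of an existing item, e.g.
// "dk" (kSecAttrAccessibleAlways) or "ck" (AfterFirstUnlock), so weak
// entries can be found before a forensic extraction finds them.
func accessibilityClass(account: String, service: String) -> String? {
    var query = itemQuery(account: account, service: service)
    query[kSecReturnAttributes as String] = true
    query[kSecMatchLimit as String] = kSecMatchLimitOne
    var result: CFTypeRef?
    guard SecItemCopyMatching(query as CFDictionary, &result) == errSecSuccess,
          let attrs = result as? [String: Any] else { return nil }
    return attrs[kSecAttrAccessible as String] as? String
}
```

Run `accessibilityClass` over every item an app creates during review; anything that comes back as the Always or AfterFirstUnlock class is what a BFU or AFU extraction will pick up.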