Unlocking iOS Devices with Brute-Force

Devices can be seized under various circumstances, and it is not uncommon for digital examiners to lack the passcodes needed to access them. Such devices may remain in a DFIR lab for years, concealing crucial evidence. However, you should not give up on them: brute-force methods for discovering device passcodes exist, and they continue to evolve.

Brute-force is a trial-and-error technique used to guess unknown information such as logins, passwords, and passcodes. It involves generating a list of possible values and feeding them to the input field (or screen) one by one. The longer the value and the more varied its characters (letters, numbers, symbols), the longer it may take to guess. Long and intricate passwords can take thousands or even millions of years to find; however, there is still a slight chance that the correct combination of characters is guessed sooner rather than later.

Apple devices have 6-digit passcodes by default and also let users set 4-digit passcodes or use custom numeric and alphanumeric values to secure their devices.

They also allow a limited number of login attempts. An iPhone or iPad gets disabled for one minute after six failed passcode attempts in a row. The seventh incorrect attempt locks the user out for five minutes, the eighth attempt for fifteen, and the tenth for an hour. If the eleventh attempt is unsuccessful, the device gets locked and can only be restored from an iTunes backup. For this reason, manual brute-force is rarely a viable option during a digital investigation.

Belkasoft offers a free brute-force tool that lifts the login attempt restriction and provides digital examiners with the ability to automatically guess passcodes on a number of Apple device models.

Consider the following caveats to make the most of its functionality:

  • Belkasoft's brute-force algorithm supports standard 4-digit and 6-digit passcodes and currently does not support custom numeric and alphanumeric ones; you can tell which type of passcode is in use from the device lock screen
  • The brute-force functionality is powered by the checkm8 acquisition method; if it does not work as expected, review the checkm8 troubleshooting list for possible solutions
  • The guessing speed of the tool may differ depending on the device state; when you start the process, the tool notifies you whether it is using the quick (3 passwords per second) or the slow (1 password per 8-9 minutes) mode
  • Be patient! Due to the complexity of the iOS device login mechanism and the nature of brute-force, recovering a 6-digit password may take from a few minutes to three days in the quick mode and up to 12 years in the slow mode.
  • To accelerate the process, you can use the built-in passcode dictionary provided by Belkasoft. The dictionary contains all possible passcode combinations sorted by their popularity. Alternatively, you can create a custom dictionary with numbers that may hold significance for the device owner, such as birthdays, historical dates, road numbers, zip codes, and so on.

While demanding some time and attention to detail, the Belkasoft brute-force tool assists in circumventing intricate security measures on iPhones and iPads and can aid in unlocking crucial evidence. Request your free access on the brute-force tool page.
