New Features

Utilizing AXIOM Wordlist Generator to Optimize Handset Lock Code Breaking

An updated version of the free Magnet AXIOM Wordlist Generator tool is now available for download.

The long-standing roadblock for examiners dealing with iOS devices has been the device’s handset lock code. There are several types of passcodes that an examiner may come across when dealing with an iOS device, including:

  • 6-Digit Numeric Code
  • 4-Digit Numeric Code
  • Custom Numeric Code
  • Custom Alphanumeric Code

When dealing with devices running 4- or 6-digit PINs, a standard brute-force style attack is usually feasible. With 4-digit codes you would be facing 10,000 possible combinations, while 6-digit codes ramp the difficulty up to 1,000,000 combinations. The true test comes when devices use a custom numeric or alphanumeric passcode. In this case, users can specify how many characters they’d like to use.

Apple has more recently helped its users by “assisting” them in picking a more complex passcode. If a user tries to set a 1-3 digit custom numeric passcode, Apple warns the user that the passcode is too easy and will not allow them to set it. Once the user specifies a 4-digit passcode, it still warns that the passcode could be easily guessed, but will allow the user to use it.

With the release of GrayKey, brute-forcing these custom numeric and alphanumeric passwords became possible for examiners again; however, these tools require a good wordlist in order to be successful. Since AXIOM has the ability to generate wordlists from generated cases, we quickly realized how our recent partnership could take this one step further to help out the forensic community.

With AXIOM Wordlist Generator 1.1, we can not only continue to export wordlists from generated AXIOM cases, but can now optimize those wordlists for use with the GrayKey device. The logic walks through the wordlist and reorganizes it, prioritizing the words that meet the following criteria:

  1. Numbers only, 4-6 characters
  2. Letters and numbers only, 4-8 characters
  3. English dictionary words, 4-8 characters
  4. Everything else

This allows the user to target the more likely possibilities first, while still eventually working through all of the words recovered by the AXIOM Wordlist Generator.
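The four-tier ordering above can be sketched as follows; this is an added example, not AXIOM Wordlist Generator's own code. It assumes the first matching criterion wins, that "letters and numbers" means at least one of each (otherwise no dictionary word would ever reach tier 3), that duplicates are dropped, and that recovery order is kept inside each tier; the dictionary and the recovered words are constructed samples.

```python
import re

# Constructed stand-in for an English dictionary; a real run would load a full one.
SAMPLE_DICTIONARY = {"summer", "dragon", "password", "blue"}

# Constructed sample of words recovered from a case (not real evidence).
RECOVERED = ["hunter2!", "Summer", "0420", "jsmith@example.com", "blue42",
             "123", "dragon", "0420", "19871104", "773311", "Tr0ub4dor"]

NUMERIC = re.compile(r"[0-9]{4,6}")        # tier 1: numbers only, 4-6 characters
ALNUM = re.compile(r"[A-Za-z0-9]{4,8}")    # tier 2: letters and numbers, 4-8 characters


def tier(word, dictionary=SAMPLE_DICTIONARY):
    """Return 1-4 for the first criterion the word meets, in the listed order."""
    if NUMERIC.fullmatch(word):
        return 1
    # Assumption: tier 2 requires at least one letter and at least one digit.
    if (ALNUM.fullmatch(word) and re.search(r"[A-Za-z]", word)
            and re.search(r"[0-9]", word)):
        return 2
    if 4 <= len(word) <= 8 and word.lower() in dictionary:
        return 3
    return 4  # everything else, including out-of-range lengths and symbols


def prioritize(words, dictionary=SAMPLE_DICTIONARY):
    """Drop blanks and duplicates, then stable-sort by tier."""
    seen, unique = set(), []
    for raw in words:
        word = raw.strip()
        if word and word not in seen:
            seen.add(word)
            unique.append(word)
    # sorted() is stable, so words keep their recovery order within a tier.
    return sorted(unique, key=lambda w: tier(w, dictionary))


if __name__ == "__main__":
    for w in prioritize(RECOVERED):
        print(tier(w), w)
```

Note that an 8-digit date such as `19871104` and a 3-digit value both fall through to the last tier under these assumptions, which shows how much the exact length bounds matter to the ordering.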

So how can we as examiners maximize the data we’re using? Simple. We think about how people use passcodes. Even a security-minded individual may use the same passcode or PIN on more than one service or site. Since this key may need to be entered multiple times per day to unlock a device, users will also likely choose something they can easily remember. In order to generate a great wordlist, examiners simply need to turn to the artifacts that AXIOM already handles! Some examples of great source data include:

  • iOS Keychain Data
    • Keychain data extracted from AFU or BFU devices make a GREAT wordlist piece as any saved passcodes from the device may be duplicated for the user’s lock code.
  • Web Related Form/Login/Autofill Data
    • Saved form data from modern browsers may contain valuable information about where our user logs in.
  • Cloud-Stored Passcodes
    • If an examiner can gain access to a user’s cloud account from the keychain data acquired using the GrayKey, they may be able to extract all of the stored passwords as well.
  • Documents
    • Users may keep passwords in documents or databases on their system as opposed to the old-school “sticky note” that could contain passwords or valuable dictionary words.

Simply put, run ANY available evidence in your case (computers, other mobile extractions, USB drives, cloud data, etc.) through AXIOM in order to generate as complete a wordlist as possible.

To enable the AXIOM Wordlist Generator (or AWG as many examiners lovingly call it) functionality for GrayKey optimization, simply select the checkbox in the main interface. This will still pull all the recovered words out into a list, but will reorganize them by the logic described above. This job runs at the end of the wordlist export, so it will add a small amount of time to the end of the AWG text file generation.

Once your text file is generated, simply load the list into the GrayKey interface and allow it to run through your wordlist! We hope this new functionality will continue to empower the community to gain access to devices when it is needed and look forward to hearing any feedback!