If you are doing Apple Watch forensics, I’ve got some bad news for you. The latest model of Apple Watch, the Series 7, no longer has a hidden diagnostics port; it was replaced with a wireless 60.5GHz module (and a corresponding dock, which is nowhere to be found). What does that mean for mobile forensics, and does it make extraction more difficult? Let’s shed some light on it.
What is the value of Apple Watch data? The Apple Watch not only saves lives; its data has also figured in court, in cases such as this one: Apple Watch Could Decide a Murder Case. There may be several devices to extract the data from, but getting anything out of a locked iPhone may not be possible. In addition, the Apple Watch collects data the iPhone does not (such as heart rate), which can be important for digital forensics.
Extracting the Apple Watch has always been a headache. We covered this topic before:
In a nutshell, there are three ways to get something out of a smart watch:
Direct extraction requires an adapter connected to the diagnostics port. The Watch has no backup service running; all you get is the AFC protocol (for media files), logs, device info and the list of installed apps, along with some metadata. There is no known workaround for watches locked with a passcode.
If you are extracting Watch data from the iPhone, expect very limited amounts of data. It’ll be mostly just the settings (as opposed to iPhone acquisition, where more methods can be used).
iCloud stores Apple Health data, but authentication credentials are required (and since Health data is “end-to-end encrypted”, you’ll also need the passcode of one of the trusted devices).
The Watch itself is often the only source of data, as in the Assassination of Jamal Khashoggi case; in that case, though, some evidence was extracted from the cloud.
Speaking of the Apple Watch connection, an adapter is always needed (or rather, was needed before the Apple Watch S7). For a long time, the only adapters available were for the S1/S2/S3 series. The first-generation IBUS adapters were unreliable, but later we discovered some better ones, covered in Apple Watch Forensics Reloaded.
The newer models such as the S4, S5, S6 and SE also use adapters; refer to Apple Watch Forensics: The Adapters for details. I took a picture of my table with some of those, and some Apple Watch (S2-S4) as a reference:
I have two personal favorites: the original Apple-built adapter (shown in the middle; extremely hard to find) because of its highest quality and compatibility; and MagicAWRT (top right), which is also high quality at a fair price (and compatible with all watch models prior to S7). I haven’t had a chance to try the S-DOCK (bottom left), though it also looks solid (and its Lightning connector looks compatible with the serial cable, which is good for development).
Finally, what would you need for the acquisition? Elcomsoft iOS Forensic Toolkit to send the data over to the PC or Mac. We currently offer limited logical acquisition only, but we are working on a checkm8 implementation for S2/S3. You can also use Elcomsoft Phone Breaker to extract the data from iCloud, including the “end-to-end encrypted” categories.