Welcome to my first blog! Why did I decide to write this? I have been thinking about starting a blog for some time now, and a good friend of mine finally motivated me into writing about a current mobile forensics topic. I love DFIR, and writing about something you love is always easier. Having said that, I am an Apple iPhone aficionado, but I would not classify myself as an expert, as I know a lot of people who probably know a lot more than I do.
In the early days we could bypass iPhone 3GS and iPhone 4 locks at will, and it was exciting to see all the artifacts that we were able to recover. As time progressed and users demanded more security on the device, Apple responded by limiting digital forensic practitioners' access to devices and began to encrypt the file systems. Now encryption is commonplace and we think nothing of it. We as the DFIR community accepted the idea that a locked Apple iPhone was nothing more than an expensive door stop. Many investigations went cold as a simple 4-digit PIN passcode interfered in various types of investigations. Sure, minor fixes like the IP Box came along, but those exploits were quickly patched by Apple.
Over the past few years, mobile forensic tools have been developed to give the law enforcement community the ability to access locked and potentially forgotten devices. However, the tools were expensive and usually out of reach for most police agencies. As my boss once said, "you're still a patrolman, we don't need this computer stuff," so with that attitude why would they spend money on digital investigations?
Until recently, the most common way to conduct an extraction on an iPhone was with an iTunes backup. All forensic tools utilize an iTunes backup of some type to conduct the logical and advanced logical extractions on a passcode-unlocked iPhone. (Yes, for all you tech experts, some tools use other protocols, but for this blog post, KISS.) The common iTunes backup has limitations, and depending on the installed apps, a forensicator may not get all the application data when conducting an iTunes backup. Files related to Snapchat and Facebook Messenger are missing from your common iTunes forensic tool backup extraction.
In the past several months a new jailbreak has emerged and once again has allowed the DFIR / LE community to regain access to protected areas within an unlocked iPhone. I have always been excited by bypassing locks and finding passcodes, and figured the new checkra1n exploit would be a good entry into the world of jailbreaking. This jailbreak provides the user with unrestricted access to once secured and unavailable forensic artifacts. The artifacts recovered from the protected area during a full file system extraction of the iPhone will provide a large amount of valuable evidence that will either help prove or disprove the case being investigated.
So what is checkra1n? Checkra1n is a recently released jailbreak that works on iOS devices ranging from the iPhone 5s to the iPhone X with operating systems starting at 12.3 and up. Checkra1n utilizes an unpatchable bootROM exploit (checkm8) that targets a flaw in the A5 through A11 chips on the listed devices; because the flaw is in read-only boot code, Apple cannot fix it with a software update. So my plan was to conduct a jailbreak on locked and unlocked devices and then conduct extractions on the devices to determine the differences in recovering artifacts. More to come later!
First, we are going to look at the process of utilizing checkra1n on an unlocked iPhone. For this test I will be using an iPhone 8 Plus running iOS 13.1. Yes, this process even works on many of the newest operating systems!
To lay the groundwork, there is a difference between locked and unlocked phones. Yes, the obvious difference is that it is locked, but even when utilizing the iTunes backup you are limited in the data extracted. In technical terms, the device is placed into different modes with an additional level of security: after first unlock (AFU) and before first unlock (BFU). In this example the iPhone is in the AFU state (unlocked) and open to full file system extraction while utilizing the checkra1n jailbreak. The second and follow-up example is the BFU case, where the iPhone is in a state that only allows for limited data extraction at a file system level, because the keys protecting most user data are not available until the passcode has been entered once after boot. The BFU iPhone extraction will still provide a limited data set. It is inarguable that any data from the device (BFU) is better than no data from the device, as the information extracted may be that nugget of goodness that you need to add value to your case.
The checkra1n jailbreak requires the device to be placed into DFU mode, which reboots the phone and therefore puts it into the before first unlock state, limiting the amount of file system data obtainable from a locked device. To get the full file system extraction, knowing the passcode and performing the after first unlock extraction, or having a device with no passcode set, is the ideal situation.
Forensic analysts can download checkra1n independently to jailbreak the device and then utilize a tool to conduct a file system extraction, but the Cellebrite Universal Forensic Extraction Device (UFED) has made the process seamless by incorporating the jailbreak into the UFED Touch2/UFED 4PC extraction method.
The first step in the process is to check whether the device's PIN has been completely removed. In this example the PIN was removed from the device prior to the extraction, and I verified that the device hardware met the requirements listed above.
The next step is to find the correct phone within the UFED Touch2/UFED 4PC application. In this example, I used an unlocked/PIN-removed iPhone 8 Plus (A1897) and was directed to place the device into DFU mode. DFU mode is Device Firmware Update mode and allows the device to be restored from any state. While the device is in DFU mode, Cellebrite or checkra1n delivers the exploit payload to the device through the bootROM flaw, and the device is jailbroken.
Here I selected my phone and decided to conduct the Full File System (checkm8).
The instructions to place the device in DFU mode are listed in the acquisition steps and will assist in placing the device into this mode (see the screenshot below).
I found a slightly easier way to place the device into DFU mode:
- With your powered-up iPhone still connected to your computer with iTunes open, do the following steps.
- Quick-press the volume up button.
- Quick-press the volume down button.
- Press and hold the side button until the screen goes black.
- Release the side button once the screen blacks out, then …
- Quickly press and hold both the side and volume down buttons together for 5 seconds.
- After 5 seconds, release the side button without letting go of the volume down button.
- Continue holding down the volume down button for at least 5 seconds.
With the device properly placed into DFU mode, the Cellebrite "continue" button should now be highlighted. If it is not at this step, simply reseat the cable in the computer and Windows and Cellebrite should recognize the device connection.
Once "continue" is selected on the UFED Touch2/UFED 4PC, the bootROM exploit payload will be uploaded to the phone and the phone will be jailbroken. The following screen will appear on the iPhone:
Cellebrite will then conduct a file system extraction on the device, copying the files into a .DAR file. The DAR file is a Disk Archive file, a format that supports split archives. This file cannot be directly imported into many current software platforms.
While the extraction process is running, the following messages and progress bar will appear:
After the extraction is complete, a UFD file will be generated that can be imported directly into Cellebrite Physical Analyzer (v7.28 or later) for processing.
It cannot be overstated that the additional files you receive in a full file system extraction will produce a vast number of additional artifacts to review, over and above an iTunes backup extraction.
I will be working on a follow-up blog to discuss the difference in files compared to the general Cellebrite Method 1 and Method 2 extractions. Personal testing is the best thing an examiner can do for self-improvement and validation. If you would like to test this independently, use the method listed above to conduct a full file system extraction, along with conducting a normal Cellebrite Method 1 and Method 2 extraction prior to the jailbreak. Then use Beyond Compare to note the difference between the two methods of extraction, and you will see that the difference in the amount of data extracted is incredible.
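For examiners who would rather script the comparison than click through it in Beyond Compare, the example below does the same job for the two points made above: it reads the backup's Manifest.db (the SQLite index an iTunes-style backup keeps of every file it captured, with the `Files` table layout `fileID, domain, relativePath, flags, file`), rebuilds the device path each backup entry came from, and reports which paths in the full file system listing the backup never contained, grouped by app container. This is an added example written for this post, not code from Cellebrite, checkra1n or Physical Analyzer. The manifest rows, the FFS listing, the Snapchat bundle's container UUID and the `DOMAIN_PREFIXES` mapping are all constructed for the example; on a real device the bundle-to-container mapping comes from the container metadata plists, and the domain prefixes should be checked against the extraction you are validating.

```python
"""Diff an iTunes-style backup manifest against a full file system (FFS)
listing to show which files only the jailbroken extraction produced.

Added example, not code from the blog, Cellebrite or checkra1n.
All sample data is constructed; container UUIDs are placeholders.
"""
import sqlite3
from collections import defaultdict

# Where the common backup domains live on the device file system.
# Assumption for this example: these prefixes rebuild a device path from a
# backup entry (domain, relativePath) so it can be compared to an FFS listing.
DOMAIN_PREFIXES = {
    "HomeDomain": "/private/var/mobile",
    "CameraRollDomain": "/private/var/mobile/Media",
    "WirelessDomain": "/private/var/wireless",
}

# Constructed bundle id -> data container UUID map (placeholder UUIDs).
# On a real device this comes from the container metadata plists.
APP_CONTAINERS = {
    "com.apple.mobilesms": "11111111-AAAA-4000-8000-000000000001",
    "com.toyopagroup.picaboo": "22222222-BBBB-4000-8000-000000000002",  # Snapchat
}


def build_sample_manifest():
    """Create an in-memory Manifest.db using the Files table layout of an
    iOS backup. The rows are constructed for this example."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE Files (fileID TEXT PRIMARY KEY, domain TEXT, "
        "relativePath TEXT, flags INTEGER, file BLOB)"
    )
    rows = [
        ("a1", "HomeDomain", "Library/SMS/sms.db", 1, None),
        ("a2", "CameraRollDomain", "DCIM/100APPLE/IMG_0001.JPG", 1, None),
        ("a3", "AppDomain-com.apple.mobilesms",
         "Library/Preferences/com.apple.mobilesms.plist", 1, None),
    ]
    db.executemany("INSERT INTO Files VALUES (?,?,?,?,?)", rows)
    return db


def backup_device_paths(db):
    """Translate each backup Files row into the device path it was copied from."""
    paths = set()
    for domain, rel in db.execute("SELECT domain, relativePath FROM Files"):
        if domain.startswith("AppDomain-"):
            bundle = domain[len("AppDomain-"):]
            uuid = APP_CONTAINERS.get(bundle)
            if uuid is None:
                continue  # unknown container: cannot map this entry, skip it
            prefix = f"/private/var/mobile/Containers/Data/Application/{uuid}"
        else:
            prefix = DOMAIN_PREFIXES.get(domain)
            if prefix is None:
                continue  # domain not in our map, skip it
        paths.add(f"{prefix}/{rel}")
    return paths


def app_bundle_for_path(path):
    """Return the bundle id for a path inside an app data container, else None."""
    marker = "/Containers/Data/Application/"
    if marker not in path:
        return None
    uuid = path.split(marker, 1)[1].split("/", 1)[0]
    for bundle, cid in APP_CONTAINERS.items():
        if cid == uuid:
            return bundle
    return "unknown-container"


def diff_extractions(backup_paths, ffs_paths):
    """Return (ffs_only, backup_only, ffs_only_grouped_by_bucket).
    A bucket is the app bundle id for container files, otherwise the
    top-level directory such as /private/var/mobile."""
    ffs_only = sorted(set(ffs_paths) - set(backup_paths))
    backup_only = sorted(set(backup_paths) - set(ffs_paths))
    by_bucket = defaultdict(list)
    for p in ffs_only:
        bucket = app_bundle_for_path(p) or "/".join(p.split("/")[:4])
        by_bucket[bucket].append(p)
    return ffs_only, backup_only, dict(by_bucket)


# Constructed FFS listing standing in for the contents of a DAR extraction.
SAMPLE_FFS_LISTING = [
    "/private/var/mobile/Library/SMS/sms.db",
    "/private/var/mobile/Library/SMS/sms.db-wal",
    "/private/var/mobile/Media/DCIM/100APPLE/IMG_0001.JPG",
    "/private/var/mobile/Containers/Data/Application/11111111-AAAA-4000-8000-000000000001/Library/Preferences/com.apple.mobilesms.plist",
    "/private/var/mobile/Containers/Data/Application/22222222-BBBB-4000-8000-000000000002/Documents/user_session.db",
    "/private/var/mobile/Library/Caches/com.apple.keyboards/dynamic-text.dat",
    "/private/var/root/Library/Caches/locationd/consolidated.db",
]


def run_sample():
    """Diff the constructed manifest against the constructed FFS listing."""
    db = build_sample_manifest()
    return diff_extractions(backup_device_paths(db), SAMPLE_FFS_LISTING)


if __name__ == "__main__":
    ffs_only, backup_only, buckets = run_sample()
    print(f"{len(ffs_only)} file(s) only in the full file system extraction")
    for bucket, files in buckets.items():
        print(f"  {bucket}:")
        for f in files:
            print(f"    {f}")
```

On the constructed data the backup holds three files and the FFS listing seven, so four paths (the SMS write-ahead log, the Snapchat container, the keyboard cache and the root-owned location cache) show up only in the full file system extraction. On a real case, replace the two constructed inputs with the actual Manifest.db and a path listing of the DAR contents; the grouping by container is what makes the report readable when the FFS side runs to hundreds of thousands of files.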
About the Author:
Douglas Kein is a full-time law enforcement officer with a major Chicagoland police department. Douglas has experience as a SWAT officer, Firearms Instructor, Field Training Officer, Crime Scene Technician and High Tech Crimes Investigator. Douglas is currently assigned to the Investigations Division, where he conducts computer/mobile digital examinations and manages his department's forensics lab. He is a graduate of the National Computer Forensics Institute (NCFI) and is a member of the United States Secret Service's Electronic Crimes Task Force (ECTF). Douglas is an active member of the Cook County Internet Crimes Against Children Task Force (ICAC) and has participated in hundreds of internet crimes against children investigations which culminated in successful prosecution within the local and federal court systems. Doug is currently a member of HTCIA and holds multiple certifications, including the CFCE, EnCE and CCME.