iOS Forensics: BFU (Before First Unlock) acquisition, using checkra1n

iOS forensics is quite complex: in many cases, jailbreaking is the only way to gather most of the information available on iOS devices.

Ok, logical acquisition is easy, safe and always works: however, this kind of acquisition mostly gives you the same data you can get via iTunes: a simple backup (sometimes encrypted), media files and some logs.
Obviously there is much more data stored on the iPhone that can be accessed only with a deeper acquisition process.

The BFU acquisition

Before First Unlock (BFU) is the worst case a forensic analyst may face: the iDevice is turned off, and once booted it will ask for the unlock code.
Mission impossible? Not really (currently)!

checkra1n: the turning point of iOS forensics

Jailbreaks have always had limited compatibility across iOS releases, but the new checkra1n jailbreak [1] supports a wide list of devices and iOS versions and is also the first jailbreak since the iPhone 4 that can be installed on a locked device in BFU mode with an unknown passcode and then used to extract forensic data.

checkra1n exploits a bootrom vulnerability (dubbed checkm8 [4]) and is potentially compatible with all versions of iOS.
Furthermore, since the exploited vulnerability lives in hardware (the bootrom), Apple can patch it only in new devices, so checkra1n will remain compatible with new and upcoming iOS releases on the affected devices.

The list of supported devices includes:

  • iPhone 5s
  • iPhone 6
  • iPhone SE
  • iPhone 6s
  • iPhone 7
  • iPhone 7 Plus
  • iPhone 8
  • iPhone 8 Plus
  • iPhone X
  • Most iPads based on similar SoCs
  • Apple TV HD (ATV4)
  • Apple TV 4K
  • Apple Watch series 1, 2 and 3.

My own acquisition workflow

The initial version of checkra1n was available for macOS only.
Currently, Windows and Linux versions are also available but, in my opinion, the macOS build remains the most reliable.

Jailbreak with checkra1n

First, download and install the latest release of checkra1n [1].

Then, connect the device and put it into DFU mode (instructions for the various models are available in reference [3]).
Finally, open the Terminal and run the following commands:

cd / 
./checkra1n_gui -

When the command exits, the device is jailbroken.

Connection and acquisition

  • Open a Terminal
  • Execute the following command (iproxy forwards <Local_Port> on your Mac to port 44 on the device, where checkra1n exposes its SSH service):
sudo iproxy <Local_Port> 44
  • Open a new Terminal
  • Now you can download a single file with this command (use the same <Local_Port> as in the previous step; the root user's default password is alpine):
sshpass -p alpine scp -P <Local_Port> root@localhost:/path_to_file /path_to_destination
  • To download a whole directory, use this command:
sshpass -p alpine scp -P <Local_Port> -rp root@localhost:/path_to_folder /path_to_folder

Which files do I need to collect?

Starting from the SANS FOR585: Advanced Smartphone Forensics Poster [2], I built this brief list of interesting databases and plist files:

  • /Library/CoreDuet/*: Device lock state (1 = Locked, 0 = Unlocked)
  • /Library/BatteryLife/CurrentPowerLog.PLSQL: Battery life tracker, application traces
  • /private/var/networkd/netusage.sqlite: Network artifacts
  • /Library/Health/healthdb.sqlite and /Library/Health/healthdb_secure.sqlite: Activity, personal information, more
  • /Library/Caches/*.db and /Library/Caches/*.archive: Frequent Locations, cell and WiFi locations
  • /Applications/*: Examine relevant app directories to obtain additional data
  • /Library/BulletinBoard/ClearedSections.plist: Logs of cleared notifications
  • /Library/Keyboard/UserDictionary.sqlite: User-created auto-correct entries
  • /Library/Accounts/Accounts3.sqlite: Accounts, user information, etc.
  • /Library/Databases/CellularUsage.db: SIMs used in the device, including the most recent
  • /Library/TCC/TCC.db: Application permissions
  • /Library/Databases/Datausage.sqlite: Application traces
  • /Library/: Application traces
  • /Lockdown/device_values.plist: Activated state, BT address and more
  • /Preferences/: Account information
  • /Preferences/: Cloud sync settings
  • /Preferences/: Device phone number, network carrier, ICCIDs and IMSIs; sync, Email, FaceTime and more accounts pushed to the device; latitude and longitude, map search history
  • /Library/Maps/Bookmarks.plist: Maps bookmarks (iOS 7) (iOS 8 – iOS 11 devices)
  • /SystemConfiguration/CloudConfigurationDetails.plist: Cloud configurations
  • /SystemConfiguration/preferences.plist: WiFi and more
  • /Library/DataAccess/AccountInformation.plist: Email sync data
  • /Library/DataAccess/iCloud-[iCloud email account name]/*: iCloud Email account information and offline cache
  • /Library/Preferences/*: Examine plists for more information
  • /Library/DataAccess: Account information used to set up apps (Email, #, etc.)
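To turn the scp commands above and this file list into a repeatable collection, here is an added script (example code, not part of the original post or of checkra1n) that pulls a subset of the listed artifacts through the iproxy tunnel and writes a SHA-256 manifest of what arrived. It assumes sshpass and iproxy are installed, the tunnel is already running, and that the post's /Library paths live under /private/var/mobile on the device (DEVICE_ROOT, an assumption you should verify over SSH before relying on it).

```shell
#!/bin/sh
# Added example (not from the original post or from checkra1n): pull the
# post's artifact list over the iproxy tunnel and hash what arrives.
# Assumes sshpass and iproxy are installed, the device is jailbroken with
# checkra1n (SSH on port 44, user root, password alpine) and the tunnel is
# already running in another Terminal: sudo iproxy $LOCAL_PORT 44
set -eu

LOCAL_PORT="${LOCAL_PORT:-2222}"                   # same port given to iproxy
DEVICE_ROOT="${DEVICE_ROOT:-/private/var/mobile}"  # assumed prefix for the post's /Library paths
DEST="${DEST:-./bfu_acquisition}"                  # constructed local output directory

# Device paths to collect (subset of the post's list; globs expand on the device).
artifact_paths() {
    cat <<EOF
/private/var/networkd/netusage.sqlite
$DEVICE_ROOT/Library/CoreDuet/*
$DEVICE_ROOT/Library/Health/healthdb.sqlite
$DEVICE_ROOT/Library/Health/healthdb_secure.sqlite
$DEVICE_ROOT/Library/Accounts/Accounts3.sqlite
$DEVICE_ROOT/Library/TCC/TCC.db
$DEVICE_ROOT/Library/BulletinBoard/ClearedSections.plist
$DEVICE_ROOT/Library/Preferences/*
EOF
}
# The scp command for one device path, with the post's flags (-rp copies
# directories and globs and keeps timestamps).
build_scp_cmd() {
    printf 'sshpass -p alpine scp -P %s -rp root@localhost:%s %s' "$LOCAL_PORT" "$1" "$2"
}
# SHA-256 of a local file; uses sha256sum (Linux) or shasum (macOS).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"; else shasum -a 256 "$1"; fi | cut -d' ' -f1
}
# Copy every listed path, mirroring the device layout under $DEST, then write
# a hash manifest. Returns 1 if any copy failed so coverage gaps stay visible.
acquire() {
    failed=0
    set -f                                   # stop the local shell expanding the globs
    for p in $(artifact_paths); do
        out="$DEST$(dirname "$p")"
        mkdir -p "$out"
        sh -c "$(build_scp_cmd "$p" "$out")" || { echo "FAILED: $p" >&2; failed=1; }
    done
    set +f
    find "$DEST" -type f | while read -r f; do printf '%s  %s\n' "$(sha256_of "$f")" "$f"; done > "${DEST}_manifest.sha256"
    return "$failed"
}

if [ "${1:-}" = "run" ]; then acquire; fi
```

Run it as `sh acquire.sh run` once the iproxy tunnel is up; a non-zero exit means at least one listed path could not be copied, which in BFU state usually signals a file that is still protected by the data-protection class until first unlock.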

In the next post I will explain how to analyze the collected data.


  1. checkra1n
  2. SANS FOR585: Advanced Smartphone Forensics Poster
  3. DFU Mode – The iPhone Wiki
