iOS Forensics: BFU (Before First Unlock) acquisition, using checkra1n

iOS forensics is quite complex: in many cases, jailbreaking is the only way to gather most of the information available on an iOS device.

Logical acquisition is easy, safe and always works; however, it mostly gives you the same data you can get via iTunes: a simple backup (sometimes encrypted), media files and some logs.
Obviously there is much more data stored on the iPhone that can only be accessed with a deeper acquisition process.


The BFU acquisition

Before First Unlock (BFU) is the worst case a forensic analyst may face: the iDevice is turned off, and once booted it asks for the unlock code.
Mission impossible? Not really (at least currently)!


checkra1n: the turning point of iOS forensics

Jailbreaks have always had limited compatibility across iOS releases, but the new checkra1n jailbreak [1] supports a wide range of devices and iOS versions, and is also the first jailbreak since the iPhone 4 that can be installed on a locked device in BFU mode with an unknown passcode and then used to extract forensic data.

checkra1n exploits a bootrom vulnerability (dubbed checkm8 [4]) and is potentially compatible with all versions of iOS.
Furthermore, since the exploited vulnerability is in hardware, Apple can only patch it in new devices, so checkra1n will remain compatible with new and upcoming iOS releases on the affected devices.

The list of supported devices includes:

  • iPhone 5s
  • iPhone 6
  • iPhone SE
  • iPhone 6s
  • iPhone 7
  • iPhone 7 Plus
  • iPhone 8
  • iPhone 8 Plus
  • iPhone X
  • Most iPads based on similar SoC
  • Apple TV HD (ATV4)
  • Apple TV 4K
  • Apple Watch series 1, 2 and 3.

My own acquisition workflow

The initial version of checkra1n was available for macOS only.
Windows and Linux versions are now also available but, in my opinion, the macOS build remains the most reliable.

Jailbreak with checkra1n

First, download and install the latest release of checkra1n [1].

Then, connect the device and put it into DFU mode (instructions for the various models are available in reference [3]).
Finally, open a Terminal and run the following commands:

cd /checkra1n.app/Contents/MacOS/ 
./checkra1n_gui -

When the command exits, the device is jailbroken.


Connection and acquisition

  • Open a Terminal
  • Execute the following command, which forwards <Local_Port> on the Mac to port 44 on the device, where the jailbreak's SSH server listens:
      sudo iproxy <Local_Port> 44
  • Open a new Terminal
  • Now you can download a single file with this command (use the same <Local_Port> as in the previous step; "alpine" is the default root password on iOS):
      sshpass -p alpine scp -P <Local_Port> root@localhost:/path_to_file /path_to_destination
  • To download a whole directory, use this command instead:
      sshpass -p alpine scp -P <Local_Port> -rp root@localhost:/path_to_folder /path_to_folder
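The steps above, as an added shell script that is not part of the original post: it pulls a few of the artifacts from the table in the next section over the iproxy tunnel and writes a SHA-256 manifest so the acquired files can be verified later (chain of custody). It assumes iproxy is already running on <Local_Port>, sshpass and scp are installed, the root password is the default "alpine", and the table's relative paths live under /private/var/mobile (an assumption, as is the ./acquisition destination directory).

```shell
#!/bin/sh
# Added example (not from the original post): pull artifacts from the post's
# table over the iproxy tunnel (local port -> device port 44) and write a
# SHA-256 manifest for later verification. Assumes iproxy is running, sshpass
# and scp are installed, the root password is the iOS default "alpine", and
# the table's relative paths live under /private/var/mobile (an assumption).
LOCAL_PORT="${LOCAL_PORT:-2222}"   # same <Local_Port> given to iproxy
DEST="${DEST:-./acquisition}"      # local evidence directory (assumed name)
SSH_PASS="${SSH_PASS:-alpine}"

ARTIFACTS="
/private/var/mobile/Library/Accounts/Accounts3.sqlite
/private/var/mobile/Library/TCC/TCC.db
/private/var/mobile/Library/Keyboard/UserDictionary.sqlite
/private/var/networkd/netusage.sqlite
"

# Local path for a device path, preserving the device's directory layout.
local_path() { printf '%s/%s\n' "$DEST" "${1#/}"; }

# Portable SHA-256 (sha256sum on Linux, shasum on macOS).
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1" | cut -d' ' -f1
  else shasum -a 256 "$1" | cut -d' ' -f1; fi
}

# Copy one device path (file or directory) into DEST, reporting failures
# instead of aborting so one missing artifact does not stop the run.
pull() {
  target="$(local_path "$1")"
  mkdir -p "$(dirname "$target")"
  sshpass -p "$SSH_PASS" scp -q -P "$LOCAL_PORT" -rp "root@localhost:$1" "$target" \
    && echo "ok $1" || echo "failed $1" >&2
}

# Hash every acquired file into DEST/manifest.sha256; prints the file count.
write_manifest() {
  manifest="$DEST/manifest.sha256"
  : > "$manifest"
  find "$DEST" -type f ! -name manifest.sha256 | LC_ALL=C sort | while IFS= read -r f; do
    printf '%s  %s\n' "$(sha256_of "$f")" "$f" >> "$manifest"
  done
  wc -l < "$manifest" | tr -d ' '
}

# Only talk to the device when explicitly asked, so the helpers are safe to source.
if [ "${1:-}" = "--run" ]; then
  for p in $ARTIFACTS; do pull "$p"; done
  echo "files hashed: $(write_manifest)"
fi
```

Run it as `sh acquire.sh --run` once the iproxy tunnel is up; the manifest can later be checked with `sha256sum -c` (or `shasum -a 256 -c` on macOS).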

Which files do I need to collect?

Starting from the SANS FOR585: Advanced Smartphone Forensics Poster [2], I built this brief list of interesting databases and plist files:

DATABASE                                                   DESCRIPTION
/Library/CoreDuet/*                                        Device lock state (1=Locked, 0=Unlocked)
/Library/AggregateDictionary/ADDataStore.sqlitedb          Dictionary
/Library/BatteryLife/CurrentPowerLog.PLSQL                 Battery life tracker, application traces
/private/var/networkd/netusage.sqlite                      Network artifacts
/Library/Health/healthdb.sqlite                            Activity, personal information, more
/Library/Health/healthdb_secure.sqlite                     Activity, personal information, more
/Library/Caches/com.apple.routined/cache_encrypted*.db     Frequent Locations
/Library/Caches/com.apple.routined/StateModel*.archive     Frequent Locations
/Library/Caches/cache_encrypted*.db                        Cell and WiFi locations
/Library/Caches/lockCache_encrypted*.db                    Cell and WiFi locations
/Applications/*                                            Examine relevant app directories to obtain additional data
/Library/BulletinBoard/ClearedSections.plist               Logs of cleared notifications
/Library/Keyboard/UserDictionary.sqlite                    User-created auto-correct entries
/Library/Accounts/Accounts3.sqlite                         Accounts, user information, etc.
/Library/Databases/CellularUsage.db                        SIMs used in the device, including the most recent
/Library/TCC/TCC.db                                        Application permissions
/Library/Databases/Datausage.sqlite                        Application traces
/Library/com.apple.itunesstored/itunesstored2.sqlitedb     Application traces

PLIST                                                      DESCRIPTION
/Lockdown/device_values.plist                              Activated state, BT address and more
/Preferences/com.apple.homesharing.plist                   iCloud account information
/Preferences/com.apple.assistant.backedup.plist            Cloud sync settings
/Preferences/com.apple.coreduetd.plist                     Sync device
com.apple.commcenter.plist                                 Device phone number, network carrier, ICCIDs and IMSIs
com.apple.identityservices.idstatuscache.plist             iCloud sync, Email, FaceTime, more
com.apple.accountsettings.plist                            Email accounts pushed to the device
com.apple.Maps.plist                                       Last latitude and longitude, map search history
/Library/Maps/Bookmarks.plist                              Maps bookmarks
com.apple.Maps/MapsHistory.mapsdata                        Maps history (iOS 7)
com.apple.Maps/MapsGeoHistory.mapsdata                     Maps history (iOS 8 – iOS 11)
com.apple.MobileBluetooth.devices.plist                    Synced devices
CloudConfigurationDetails.plist                            Cloud configurations
/SystemConfiguration/com.apple.wifi.plist                  WiFi
/SystemConfiguration/preferences.plist                     WiFi and more
/Library/DataAccess/AccountInformation.plist               Email sync data
/Library/DataAccess/iCloud-[iCloud email account name]/*   iCloud Email account information and offline cache

FILES OF INTEREST                                          DESCRIPTION
/Library/Preferences/*                                     Examine plists for more information
/Library/DataAccess                                        Account information used to set up apps (Email, #, etc.)
/var/mobile/Library/Keyboard                               dynamic-text.dat

In the next post I will explain how to analyze the collected data.


References

  1. checkra1n
  2. SANS FOR585: Advanced Smartphone Forensics Poster
  3. DFU Mode – The iPhone Wiki
  4. https://github.com/axi0mX/ipwndfu
