iOS forensics is quite complex: in many cases, jailbreaking is the only way to gather most of the information available on iOS devices.



Ok, logical acquisition is easy, safe and always works; however, this kind of acquisition mostly gives you the same data you can get via iTunes: a simple backup (sometimes encrypted), media files and some logs.
Obviously, much more data is stored on the iPhone, and it can be accessed only with a deeper acquisition process.


The BFU acquisition

Before First Unlock (BFU) is the worst case a forensic analyst may face: the iDevice is turned off and, once booted, it asks for the unlock code.
Mission impossible? Not really (currently)!


checkra1n: the turning point of iOS forensics

Jailbreaks have always had limited compatibility across iOS releases, but the new checkra1n jailbreak [1] supports a wide list of devices and iOS versions and is also the first jailbreak since the iPhone 4 that can be installed on a locked device in BFU mode with an unknown passcode and then used to extract forensic data.

checkra1n exploits a bootrom vulnerability (dubbed checkm8 [4]) and is potentially compatible with all versions of iOS.
Furthermore, the exploited vulnerability lies in hardware and can be patched by Apple only in new devices, so checkra1n will remain compatible with new and upcoming iOS releases on the affected devices.

The list of supported devices includes:

  • iPhone 5s
  • iPhone 6
  • iPhone SE
  • iPhone 6s
  • iPhone 7
  • iPhone 7 Plus
  • iPhone 8
  • iPhone 8 Plus
  • iPhone X
  • Most iPads based on similar SoC
  • Apple TV HD (ATV4)
  • Apple TV 4K
  • Apple Watch series 1, 2 and 3.


My own acquisition workflow

The initial version of checkra1n was available for macOS only.
Windows and Linux versions are now also available but, in my opinion, the macOS build remains the most reliable.

Jailbreak with checkra1n

First, download and install the latest release of checkra1n [1].

Then, connect the device and put it into DFU mode (instructions for the various models are available in reference [3]).
Finally, open the Terminal and run the following commands:

cd /checkra1n.app/Contents/MacOS/
./checkra1n_gui -

When the command exits, the device is jailbroken.


Connection and acquisition

  • Open a Terminal
  • Execute the following command (it forwards <Local_Port> on your Mac to port 44 on the device):

sudo iproxy <Local_Port> 44

  • Open a new Terminal
  • Now you can download a single file with this command (use the same <Local_Port> as in the previous step):

sshpass -p alpine scp -P <Local_Port> root@localhost:/path_to_file /path_to_destination

  • To download a whole directory, use this command:

sshpass -p alpine scp -P <Local_Port> -rp root@localhost:/path_to_folder /path_to_destination

Which files do I need to collect?

Starting from the SANS FOR585: Advanced Smartphone Forensics Poster [2], I built this brief list of interesting databases and plist files:

DATABASE                                                  DESCRIPTION
/Library/CoreDuet/*                                       Device lock state (1=Locked, 0=Unlocked)
/Library/AggregateDictionary/ADDataStore.sqlitedb         Aggregate dictionary
/Library/BatteryLife/CurrentPowerLog.PLSQL                Battery life tracker, application traces
/private/var/networkd/netusage.sqlite                     Network artifacts
/Library/Health/healthdb.sqlite                           Activity, personal information, more
/Library/Health/healthdb_secure.sqlite                    Activity, personal information, more
/Library/Caches/com.apple.routined/cache_encrypted*.db    Frequent locations
/Library/Caches/com.apple.routined/StateModel*.archive    Frequent locations
/Library/Caches/cache_encrypted*.db                       Cell and WiFi locations
/Library/Caches/lockCache_encrypted*.db                   Cell and WiFi locations
/Applications/*                                           Examine relevant app directories to obtain additional data
/Library/BulletinBoard/ClearedSections.plist              Logs of cleared notifications
/Library/Keyboard/UserDictionary.sqlite                   User-created auto-correct entries
/Library/Accounts/Accounts3.sqlite                        Accounts, user information, etc.
/Library/Databases/CellularUsage.db                       SIMs used in the device, including the most recent
/Library/TCC/TCC.db                                       Application permissions
/Library/Databases/Datausage.sqlite                       Application traces
/Library/com.apple.itunesstored/itunesstored2.sqlitedb    Application traces

PLIST                                                     DESCRIPTION
/Lockdown/device_values.plist                             Activated state, BT address and more
/Preferences/com.apple.homesharing.plist                  iCloud account information
/Preferences/com.apple.assistant.backedup.plist           Cloud sync settings
/Preferences/com.apple.coreduetd.plist                    Sync device
com.apple.commcenter.plist                                Device phone number, network carrier, ICCIDs and IMSIs
com.apple.identityservices.idstatuscache.plist            iCloud sync, Email, FaceTime, more
com.apple.accountsettings.plist                           Email accounts pushed to the device
com.apple.Maps.plist                                      Last latitude and longitude, map search history
/Library/Maps/Bookmarks.plist                             Maps bookmarks
com.apple.Maps/Maps History.mapsdata                      Maps history (iOS 7)
com.apple.Maps/Maps GeoHistory.mapsdata                   Maps history (iOS 8 - iOS 11)
com.apple.MobileBluetooth.devices.plist                   Synced devices
CloudConfigurationDetails.plist                           Cloud configurations
/SystemConfiguration/com.apple.wifi.plist                 WiFi
/SystemConfiguration/preferences.plist                    WiFi and more
/Library/DataAccess/AccountInformation.plist              Email sync data
/Library/DataAccess/iCloud-[iCloud email account name]/*  iCloud Email account information and offline cache

FILES OF INTEREST                                         DESCRIPTION
/Library/Preferences/*                                    Examine plists for more information
/Library/DataAccess                                       Account information used to set up apps (Email, #, etc.)
/var/mobile/Library/Keyboard/dynamic-text.dat             Keyboard cache

In the next post I will explain how to analyze the collected data.


References

  1. checkra1n
  2. SANS FOR585: Advanced Smartphone Forensics Poster
  3. DFU Mode - The iPhone Wiki
  4. https://github.com/axi0mX/ipwndfu