iOS Forensics: BFU (Before First Unlock) acquisition, using checkra1n
iOS forensics is quite complex: in many cases, jailbreaking is the only way to gather most of the information available on an iOS device.
Logical acquisition is easy, safe and always works; however, it mostly gives you the same data you can get via iTunes: a simple backup (sometimes encrypted), media files and some logs.
Obviously there is much more data stored on the iPhone that can be accessed only with a deeper acquisition process.
The BFU acquisition
Before First Unlock (BFU) is the worst case a forensic analyst may face: the iDevice is turned off, and once booted it asks for the unlock code.
Mission impossible? Not really (currently)!
checkra1n: the turning point of iOS forensics
Jailbreaks have always had limited compatibility across iOS releases, but the new checkra1n jailbreak [1] supports a wide list of devices and iOS versions and is also the first jailbreak since the iPhone 4 that can be installed on a locked device in BFU mode with an unknown passcode and then used to extract forensic data.
checkra1n exploits a bootrom vulnerability (dubbed checkm8 [4]) and is potentially compatible with all versions of iOS.
Furthermore, the exploited vulnerability lies in hardware and can be fixed by Apple only in new devices, so the jailbreak will remain compatible with new and upcoming iOS releases on the affected hardware.
The list of supported devices includes:
- iPhone 5s
- iPhone 6
- iPhone SE
- iPhone 6s
- iPhone 7
- iPhone 7 Plus
- iPhone 8
- iPhone 8 Plus
- iPhone X
- Most iPads based on similar SoCs
- Apple TV HD (ATV4)
- Apple TV 4K
- Apple Watch series 1, 2 and 3.
My own acquisition workflow
The initial version of checkra1n was available for macOS only.
Currently, Windows and Linux versions are also available but, in my opinion, the macOS build remains the most reliable.
Jailbreak with checkra1n
First, download and install the latest release of checkra1n [1].
Then, connect the device and put it into the DFU mode (instructions for various models available in references [3]).
Finally, open the Terminal and run the following commands:
cd /checkra1n.app/Contents/MacOS/
./checkra1n_gui -
When the command exits, the device is jailbroken.
Connection and acquisition
- Open a Terminal
- Execute the command
sudo iproxy <Local_Port> 44
- Open a new Terminal
- Now, you can download a single file using this command (use the same <Local_Port> used in the previous step):
sshpass -p alpine scp -P <Local_Port> root@localhost:/path_to_file /path_to_destination
- To download a whole directory, you can use this command:
sshpass -p alpine scp -P <Local_Port> -rp root@localhost:/path_to_folder /path_to_folder
Which files do I need to collect?
Starting from the SANS FOR585: Advanced Smartphone Forensics Poster [2], I built this brief list of interesting databases and plist files:
| DATABASE | DESCRIPTION |
| --- | --- |
| /Library/CoreDuet/* | Device lock state (1=Locked, 0=Unlocked) |
| /Library/AggregateDictionary/ADDataStore.sqlitedb | Dictionary |
| /Library/BatteryLife/CurrentPowerLog.PLSQL | Battery life tracker, application traces |
| /private/var/networkd/netusage.sqlite | Network artifacts |
| /Library/Health/healthdb.sqlite, /Library/Health/healthdb_secure.sqlite | Activity, personal information, more |
| /Library/Caches/com.apple.routined/cache_encrypted*.db, /Library/Caches/com.apple.routined/StateModel*.archive | Frequent Locations |
| /Library/Caches/cache_encrypted*.db, /Library/Caches/lockCache_encrypted*.db | Cell and WiFi locations |
| /Applications/* | Examine relevant app directories to obtain additional data |
| /Library/BulletinBoard/ClearedSections.plist | Logs of cleared notifications |
| /Library/Keyboard/UserDictionary.sqlite | User-created auto-correct entries |
| /Library/Accounts/Accounts3.sqlite | Accounts, user information, etc. |
| /Library/Databases/CellularUsage.db | SIMs used in the device, including the most recent |
| /Library/TCC/TCC.db | Application permissions |
| /Library/Databases/Datausage.sqlite | Application traces |
| /Library/com.apple.itunesstored/itunesstored2.sqlitedb | Application traces |

| PLIST | DESCRIPTION |
| --- | --- |
| /Lockdown/device_values.plist | Activated state, BT address and more |
| /Preferences/com.apple.homesharing.plist | iCloud account information |
| /Preferences/com.apple.assistant.backedup.plist | Cloud sync settings |
| /Preferences/com.apple.coreduetd.plist | Sync device |
| com.apple.commcenter.plist | Device phone number, network carrier, ICCIDs and IMSIs |
| com.apple.identityservices.idstatuscache.plist | iCloud sync, Email, FaceTime, more |
| com.apple.accountsettings.plist | Email accounts pushed to the device |
| com.apple.Maps.plist | Last latitude and longitude, map search history |
| /Library/Maps/Bookmarks.plist | Maps bookmarks |
| com.apple.Maps/Maps | History.mapsdata (iOS 7) |
| com.apple.Maps/Maps | GeoHistory.mapsdata (iOS 8 - iOS 11) |
| com.apple.MobileBluetooth.devices.plist | Synced devices |
| CloudConfigurationDetails.plist | Cloud configurations |
| /SystemConfiguration/com.apple.wifi.plist | WiFi |
| /SystemConfiguration/preferences.plist | WiFi and more |
| /Library/DataAccess/AccountInformation.plist | Email sync data |
| /Library/DataAccess/iCloud-[iCloud email account name]/* | iCloud Email account information and offline cache |

| FILES OF INTEREST | DESCRIPTION |
| --- | --- |
| /Library/Preferences/* | Examine plists for more information |
| /Library/DataAccess | Account information used to set up apps (Email, #, etc.) |
| /var/mobile/Library/Keyboard | dynamic-text.dat |
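The acquisition steps above (iproxy tunnel plus sshpass/scp) and the file tables can be combined into one script that pulls a set of artefacts and hashes what was collected; the following is an added example, not code from the original post. It assumes iproxy is already forwarding LOCAL_PORT to port 44, the default root password alpine, that the listed paths live under REMOTE_BASE on the device (/private/var/mobile is an assumption), and that sshpass, scp and sha256sum or shasum are installed locally; the variable and function names are chosen for this example.

```shell
#!/bin/sh
# Added example (not from the original post): acquire selected artefacts over
# the iproxy tunnel and write a SHA-256 manifest of everything collected.
LOCAL_PORT="${LOCAL_PORT:-2222}"                  # assumption: iproxy <LOCAL_PORT> 44 is running
REMOTE_BASE="${REMOTE_BASE:-/private/var/mobile}" # assumption: base of the table paths on the device
CASE_DIR="${CASE_DIR:-./bfu_case}"

# Subset of the paths from the tables above (constructed list; extend as needed).
ARTEFACTS='
/Library/CoreDuet/*
/Library/AggregateDictionary/ADDataStore.sqlitedb
/Library/BatteryLife/CurrentPowerLog.PLSQL
/Library/Health/healthdb.sqlite
/Library/TCC/TCC.db
/Library/Accounts/Accounts3.sqlite
'

# Build the exact scp command line shown on the page for one remote path,
# so it can be reviewed or logged before it is executed.
scp_cmd() {
  printf 'sshpass -p alpine scp -P %s -rp root@localhost:%s%s %s\n' \
    "$LOCAL_PORT" "$REMOTE_BASE" "$1" "$2"
}

# Copy every artefact into CASE_DIR, mirroring the remote directory layout.
# A failed copy is logged rather than aborting the run, since some files
# are not readable before first unlock and the rest should still be collected.
acquire_all() {
  mkdir -p "$CASE_DIR"
  set -f  # keep "*" literal locally; the device side expands it
  for path in $ARTEFACTS; do
    dest="$CASE_DIR$(dirname "$path")"
    mkdir -p "$dest"
    sh -c "$(scp_cmd "$path" "$dest")" 2>>"$CASE_DIR/errors.log" \
      || printf 'failed: %s\n' "$path" >>"$CASE_DIR/errors.log"
  done
  set +f
}

# Hash every acquired file (sha256sum on Linux, shasum on macOS) into a manifest
# and return the manifest path, so the evidence set can be verified later.
write_manifest() {
  out="$1/manifest.sha256"
  : > "$out"
  find "$1" -type f ! -name 'manifest.sha256' ! -name 'errors.log' | sort | while read -r f; do
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$f"; else shasum -a 256 "$f"; fi
  done >> "$out"
  echo "$out"
}

if [ "${1:-}" = "run" ]; then acquire_all; write_manifest "$CASE_DIR"; fi
```

Run it as `sh acquire.sh run` after starting iproxy; errors.log lists the paths that could not be copied.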
In the next post I will explain how to analyze the collected data.