Apple iOS file system extraction via checkm8

Data extraction via checkm8 vulnerability

Presented in September 2019, checkm8 is a SecureROM exploit that uses a vulnerability in an iOS device to grant administrative access to the device. Please note, this vulnerability is permanent and cannot be patched by software updates.

Checkm8 allows investigators to perform a tethered jailbreak, which only permits access for a single boot. This means that once the device is turned off and restarted, all indications that the device was jailbroken will be gone. There are several jailbreaks which are based on the checkm8 exploit, most notably, checkra1n.

Oxygen Forensic® Detective offers full file system extractions using the checkm8 vulnerability from Apple iOS devices running iOS up to and including 14.2. The supported devices extend from Apple’s A7 to A11 SoC, which includes iPhone 5s through iPhone X and the corresponding iPad devices.

To extract a device, click “iOS Advanced extraction” in Oxygen Forensic® Extractor. In the opened window, check if the device model is supported and click the “Checkm8 acquisition” option.

As the instructions indicate, users will need to put a device in DFU (Device Firmware Update) mode and connect it to a PC.

Once the device is connected successfully, the software will automatically apply the vulnerability and perform all the other actions required for data acquisition. Investigators will be asked to enter the device passcode to extract the full file system from a device.  A full file system extraction includes all user data, such as apps, deleted records, complete keychain, and detailed system files.

There is a known issue that on iPhones 7, 7 plus, 8, 8 plus, and X running iOS 14.0-14.3 an investigator must first turn off the passcode before performing a full file system and keychain extraction. However, once the passcode is turned off:

  1. Apple Pay cards will be deleted as they always require a password to be set.
  2. It will not be possible to reset the Apple ID password by entering the screen lock password.

Therefore, we do not recommend turning off the passcode unless it’s the only way to extract full data from these particular Apple iOS devices.

If the passcode is unknown, Oxygen Forensic® Detective will automatically extract device data in BFU (Before First Unlock) mode. This mode will not give investigators access to the entire file system. With BFU mode, most files will remain encrypted until the correct passcode is entered. Therefore, the software will conduct a partial extraction which will include some app logs, caches, the list of Wi-Fi connections, media files, geo points and a number of unencrypted SQLite databases.

Please note, the second option on the “iOS Advanced extraction” screen allows investigators to connect Apple iOS devices that have already been jailbroken via SSH by various jailbreaks, including the latest checkra1n and unc0ver. The software will correctly recognize the jailbreak state of a connected device and extract the full file system from it.

Selective reading

Whether investigators use the checkm8 vulnerability or connect an already jailbroken Apple iOS device, the software will prompt the option to select the necessary artifacts.

This feature is a great time saver as it allows investigators to quickly extract critical evidence. In addition, when the scope of a criminal search warrant only allows particular evidence to be extracted, this selective method will allow compliance.

Important artifacts

In comparison with a standard logical extraction via iTunes, a full file system extraction gives investigators access to more user data on supported Apple iOS devices. Let’s have a look at some artifacts that can only be extracted using our iOS Advanced Extraction method.

1. In a full file system extraction, investigators will find all the apps that are never included in an iTunes logical extraction, such as Twitter, Facebook, Instagram, Google Mail, or Default Email Client, to name a few. Unlike a logical extraction that recovers limited deleted records, a full file system Advanced extraction will recover all available deleted records from all apps.

2. Investigators will have full access to the keychain as well as encryption keys that are used in secure apps. Thanks to this, our software will decrypt Signal, Wickr Me, ChatSecure, Snapchat, Facebook secret chats, and other secure apps.

3. Investigators will gain access to many of the system artifacts that are grouped in the “OS Artifacts” section. For example, users can view the complete history of changes that occurred to the device, such as locked/unlocked states, Airdrop, Bluetooth, Camera, Airplane Mode history, and many other parameters.

4. A lot more geo data will be available in the “Wireless Connections” section. Under Locations, users will find Cell Tower, Wi-Fi, and GPS locations with the corresponding geo coordinates and time stamps.

Want to try out this feature or any of our other tools included in Oxygen Forensic Detective? Ask for a demo license!

2 Replies to “Apple iOS file system extraction via checkm8”

Leave a Reply

Your email address will not be published. Required fields are marked *