Checkra1n Era - Ep 3 - Automating extraction "Before First Unlock" (aka "Give me a stupid bash script!")

In my previous post I described how to extract a single file or a folder from a locked iOS device, after checkra1n was applied to the device.

In this post I want to introduce a simple (and stupid) bash script, written and tested on Mac OS X.

The aim of the script is to automate the extraction by acquiring only relevant files and folders (or, better, by excluding not relevant ones!).


- There is nothing secret or miraculous in this script, it simply uses already existing tools
- The script was tested on three devices where checkra1n was applied: an iPhone 5s, an iPhone 7 and an iPhone X
- Use it at your own risk and only on test devices
- The script is provided as it is and I am not providing any support on how to use it
- There are certainly better ways to write the script and it can be improved (for example, at the moment, it doesn't manage any kind of error). Suggestions on how to improve it are really welcome!

DOWNLOAD THE SCRIPT

The bash script is available in our GitHub account a…

Checkra1n Era - Ep 2 - Extracting data "Before First Unlock" (aka "I found a locked iPhone! And now?")

In my previous post I started investigating which plist files and databases are available in an iOS Device "Before First Unlock". 

In this post I want to describe an easy way to extract those files by using a Mac OS computer.
We can then obtain a TAR file that we can describe as a sort of "Before First Unlock Triage".

Prerequisites on Mac OS X

- Download the latest version of checkra1n
- Download and install the latest version of libimobiledevice for Mac OS X
- Download and install sshpass on OS X

Extraction procedure

1. Apply checkra1n to the device
2. Open a Terminal
3. Execute the command sudo iproxy <Local_Port> 44 and provide local computer password
4. Open a new Terminal
5. For every file you want to download execute
   sshpass -p alpine scp -P <Local_Port> root@localhost:/path_to_file /path_to_destination
6. For every folder you want to download execute
   sshpass -p alpine scp -P <Local_Port> -rp root@localhost:/path_to_folder /path_to_folder

At the end of the process you can easily c…

Checkra1n Era - Ep 1 - Before First Unlock (aka "I lost my iPhone! And now?")

In my previous post I highlighted the new opportunities for "iOS Forensics" after the release of the checkm8 exploit and the checkra1n jailbreak.

I now want to try writing a series of posts about this new checkm8/checkra1n era.

I started investigating these questions, similar but from two different perspectives.
Forensic Perspective
Which file can be extracted from an iOS device when the passcode is not known?
User Perspective
Which personal information can be easily found by an attacker if an iOS device is lost or stolen?

The first and most important aspect: once checkra1n is active on the device, you have "root" access.
It means that you can browse the file system and analyze file/folder names and timestamps.

By simply browsing you can identify, for example, media and email attachments: the file is encrypted in a way that depends on the passcode, but filename and timestamps are available.

In a similar way you can extract the list of WhatsApp contacts: the folder cont…

Checkm8, Checkra1n and the new "golden age" for iOS Forensics

My dear friend and fantastic professional partner Francesco Picasso always complains about me never posting on Reality Net's "Blog".
In fact, to be honest, we have never been very good at selling our "brand": in the world of digital forensics we are known by our personal accounts (@mattiaep and @dfirfpi) and not because of our blog.
Yes, we are also known as "The DFIR Mafia", but that is another funny story 😊
Indeed, Francesco is right: my last post on our blog is way back on June 3, 2015 and was titled "iOS 8.3: the end of iOS Forensics?". 

After the “first golden age” of iOS Forensics (iPhone 4 "bootrom" exploit dated 2010), most of the forensics techniques were based on Apple's bugs or "left open" doors.
Over the years we have explored and tried all the possible ways to extract data from an iOS device. We have relied on, and we still heavily rely on, iTunes backups. It's definitely a great way to get a huge amount …

Huawei backup decryptor

When doing Mobile Forensics the first and usually the hardest step is to get access to the user's data. It depends on the case type, but the so-called physical acquisition is the analyst's object of desire.
The reason is simple: Android and iOS native backups, respectively adb and iTunes, contain a subset of user data, because they respect the various apps' configurations where they can specify "you can't include me in backups". This leads to inconsistent situations like, for example, having WhatsApp data in iTunes backups and not having it in Android adb backups. Not considering WhatsApp, the majority of apps in iOS and Android do not allow their data to be included in backups.
In the scenario where the device is unlocked or the lock code is known (the only scenario considered in this post), the analyst could use the device itself to make the analysis of the installed applications. Anyone who did that at least once knows how uncomfortable this approach is. Almost totally man…

Brush up on Dropbox DBX decryption

A few weeks ago I was contacted about how to decrypt Windows Dropbox DBX files and the same topic appeared on the SANS DFIR mailing list too. So I decided to create an Open Source toolkit and this post to brush up on the DBX files created by the Dropbox client on a Windows machine.

The Windows Dropbox client keeps its own files - user info, configuration, 'my dropbox' files sync status and even more - inside the user profile: on the Windows 7 and Windows 10 machines I used for test they reside in '\Users\%USERNAME%\AppData\Local\Dropbox\' and sub folders. Among them there are files with the .DBX extension, which are the target of this post. When you take a raw look at them, you see garbage, noise... encryption is in place.

Without too much suspense, this is well-known. Nicolas Ruff and Florian Ledoux had a talk at hack.lu 2012 on the topic, “A critical analysis of Dropbox software security” (here). They discovered that the encryption key used for DBX files is kept in the registry

Analysis of a Dridex maldoc pre-Locky

The latest trends on the security threat landscape have mainly been Ransomware distributed via infected websites, and Banking Trojans distributed via malicious documents attached to phishing emails. In particular, Dridex banking trojan has been one of the most active threats. Last week the two threats merged and Dridex began distributing Locky ransomware as well.
In this post we will go through the analysis of a malicious office document delivering the Dridex banking Trojan, spreading just the day before it switched to Locky, and we will show the similarities between the two that make us believe the same actor is behind both.

Introduction

On Friday February 12th, we observed a big wave of phishing attempts, over 700, which looked like the following:
Attachment: Fixed Penalty Receipt.docm
MD5 Checksum: 50e1c94e43f05f593babddb488f1a2f9

Where XX are two random digits. A few days later, on Monday February 15th, we observed a second bigger wave, …

Windows ReVaulting

Windows Vaults and Credentials allow the user to store sensitive information, such as user names and passwords, that can later be used to log on to web sites, services and computers. This post shows how such data is protected and how you can decrypt it offline.

This post is a very late debriefing of the talk I had at SANS DFIR Summit Prague 2015 and it's the first of two posts. You can download the slides from SANS Summit Archives or from SlideShare.

I've never used the Vault/Credential facility on purpose, even if the system used it without my knowledge: it's worthwhile to know that Windows autonomously uses it almost every day. In any case, we can find sensitive information there, and this is the reason I started this research, so as to have a few more strings to my ODI (Offensive Digital Investigations) bow.

Windows provides two utilities to manage such credentials, the graphical Credential Manager and the command line vaultcmd: you can see them in the n…