Posts

Showing posts from 2019

Checkra1n Era - Ep 3 - Automating extraction "Before First Unlock" (aka "Give me a stupid bash script!")

In my previous post I described how to extract a single file or a folder from a locked iOS device, after checkra1n was applied to the device.

In this post I want to introduce a simple (and stupid) bash script, written and tested on Mac OS X.

The aim of the script is to automate the extraction by acquiring only the relevant files and folders (or, better, by excluding the irrelevant ones!).

DISCLAIMERS

- There is nothing secret or miraculous in this script; it simply uses already existing tools
- The script was tested on three devices where checkra1n was applied: an iPhone 5s, an iPhone 7 and an iPhone X
- Use it at your own risk and only on test devices
- The script is provided as it is and I am not providing any support on how to use it
- There are certainly better ways to write the script and it can be improved (for example, at the moment, it doesn't manage any kind of error). Suggestions on how to improve it are really welcome!

DOWNLOAD THE SCRIPT

The bash script is available in our GitHub account a…

Checkra1n Era - Ep 2 - Extracting data "Before First Unlock" (aka "I found a locked iPhone! And now?")

In my previous post I started investigating which plist files and databases are available in an iOS device "Before First Unlock".

In this post I want to describe an easy way to extract those files by using a Mac OS computer.
We can then obtain a TAR file that we can describe as a sort of "Before First Unlock Triage".

Prerequisites on Mac OS X

- Download the latest version of checkra1n
- Download and install the latest version of libimobiledevice for Mac OS X
- Download and install sshpass on OS X

Extraction procedure

1. Apply checkra1n to the device
2. Open a Terminal
3. Execute the command sudo iproxy <Local_Port> 44 and provide the local computer password
4. Open a new Terminal
5. For every file you want to download, execute:
   sshpass -p alpine scp -P <Local_Port> root@localhost:/path_to_file /path_to_destination
6. For every folder you want to download, execute:
   sshpass -p alpine scp -P <Local_Port> -rp root@localhost:/path_to_folder /path_to_folder

At the end of the process you can easily c…

Checkra1n Era - Ep 1 - Before First Unlock (aka "I lost my iPhone! And now?")

In my previous post I highlighted the new opportunities for "iOS Forensics" after the release of the checkm8 exploit and the checkra1n jailbreak.

I now want to try writing a series of posts about this new checkm8/checkra1n era.

I started investigating these questions, which are similar but come from two different perspectives.

Forensic perspective: which files can be extracted from an iOS device when the passcode is not known?

User perspective: which personal information can be easily found by an attacker if an iOS device is lost or stolen?

The first and most important aspect: once checkra1n is active on the device, you have "root" access.
This means that you can browse the file system and analyze file/folder names and timestamps.

By simply browsing you can identify, for example, media and email attachments: the files are encrypted in a way that depends on the passcode, but filenames and timestamps are available.

In a similar way you can extract the list of WhatsApp contacts: the folder cont…

Checkm8, Checkra1n and the new "golden age" for iOS Forensics

My dear friend and fantastic professional partner Francesco Picasso always complains about me never posting on Reality Net's "Blog".
In fact, to be honest, we have never been very good at selling our "brand": in the world of digital forensics we are known by our personal accounts (@mattiaep and @dfirfpi) and not because of our blog.
Yes, we are also known as "The DFIR Mafia", but that is another funny story 😊
Indeed, Francesco is right: my last post on our blog is way back on June 3, 2015 and was titled "iOS 8.3: the end of iOS Forensics?".

After the “first golden age” of iOS Forensics (iPhone 4 "bootrom" exploit dated 2010), most of the forensics techniques were based on Apple's bugs or "left open" doors.
Over the years we have explored and tried all the possible ways to extract data from an iOS device. We have relied on, and we still heavily rely on, iTunes backups. It's definitely a great way to get a huge amount …

Huawei backup decryptor

When doing Mobile Forensics the first and usually the hardest step is to get access to the user's data. It depends on the case type, but the so-called physical acquisition is the analyst's object of desire.
The reason is simple: iOS and Android native backups, respectively iTunes and adb, contain only a subset of user data, because they respect each app's configuration, which can specify "you can't include me in backups". This leads to inconsistent situations like, for example, having WhatsApp data in iTunes backups and not having it in Android adb backups. WhatsApp aside, the majority of apps on iOS and Android do not allow their data to be included in backups.
In the scenario where the device is unlocked or the lock code is known (the only scenario considered in this post), the analyst could use the device itself to analyze the installed applications. Anyone who has done that at least once knows how uncomfortable this approach is. Almost totally man…