Showing posts from December, 2019

Checkra1n Era - Ep 3 - Automating extraction "Before First Unlock" (aka "Give me a stupid bash script!")

In my previous post I described how to extract a single file or a folder from a locked iOS device, after checkra1n was applied to the device.

In this post I want to introduce a simple (and stupid) bash script, written and tested on Mac OS X.

The aim of the script is to automate the extraction by acquiring only relevant files and folders (or, better, by excluding not relevant ones!).


There is nothing secret or miraculous in this script, it simply uses already existing tools.
The script was tested on three devices where checkra1n was applied: an iPhone 5s, an iPhone 7 and an iPhone X.
Use it at your own risk and only on test devices.
The script is provided as it is and I am not providing any support on how to use it.
There are certainly better ways to write the script and it can be improved (for example, at the moment, it doesn't manage any kind of error). Suggestions on how to improve it are really welcome!

DOWNLOAD THE SCRIPT

The bash script is available in our GitHub account a…

Checkra1n Era - Ep 2 - Extracting data "Before First Unlock" (aka "I found a locked iPhone! And now?")

In my previous post I started investigating which plist files and databases are available in an iOS Device "Before First Unlock". 

In this post I want to describe an easy way to extract those files by using a Mac OS computer.
We can then obtain a TAR file that we can describe as a sort of "Before First Unlock Triage".

Prerequisites on Mac OS X

Download the latest version of checkra1n
Download and install the latest version of libimobiledevice for Mac OS X
Download and install sshpass on OS X

Extraction procedure

Apply checkra1n to the device
Open a Terminal
Execute the command sudo iproxy <Local_Port> 44 and provide the local computer password
Open a new Terminal
For every file you want to download execute:
sshpass -p alpine scp -P <Local_Port> root@localhost:/path_to_file /path_to_destination

For every folder you want to download execute:
sshpass -p alpine scp -P <Local_Port> -rp root@localhost:/path_to_folder /path_to_folder

At the end of the process you can easily c…

Checkra1n Era - Ep 1 - Before First Unlock (aka "I lost my iPhone! And now?")

In my previous post I highlighted the new opportunities for "iOS Forensics" after the release of the checkm8 exploit and the checkra1n jailbreak.

I now want to try writing a series of posts about this new checkm8/checkra1n era.

I started investigating these questions, similar but from two different perspectives.

Forensic Perspective
Which files can be extracted from an iOS device when the passcode is not known?

User Perspective
Which personal information can be easily found by an attacker if an iOS device is lost or stolen?

The first and most important aspect: once checkra1n is active on the device, you have "root" access.
It means that you can browse the file system and analyze file/folder names and timestamps.

By simply browsing, you can identify, for example, media and email attachments: the files are encrypted in a way that depends on the passcode, but filenames and timestamps are available.

In a similar way you can extract the list of WhatsApp contacts: the folder cont…