Checkra1n Era - Ep 1 - Before First Unlock (aka "I lost my iPhone! And now?")

In my previous post I highlighted the new opportunities for "iOS Forensics" after the release of the checkm8 exploit and the checkra1n jailbreak.

I now want to try writing a series of posts about this new checkm8/checkra1n era.

I started by investigating two questions that are closely related but come from different perspectives:
  1. Forensic perspective
    Which files can be extracted from an iOS device when the passcode is not known, i.e. Before First Unlock (BFU)?
  2. User perspective
    Which personal information can an attacker easily find if an iOS device is lost or stolen?
The first and most important point: once checkra1n is active on the device, you have "root" access.
This means you can browse the file system and analyze file and folder names and timestamps, even for files whose contents you cannot decrypt.

By simply browsing the file system you can identify, for example, media and email attachments: the file content is encrypted with a key that depends on the passcode (so it is unreadable BFU), but the file name and timestamps are available.

In the same way you can extract the list of WhatsApp contacts: the folder containing the pictures and videos sent to or received from a contact is named after the contact's phone number.
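As an added example (not code from the original post), the triage script below does what the two paragraphs above describe, offline, against a copy of a BFU file-system dump: it records name, size and modification time for every file (metadata that is readable regardless of protection class), tries to read each file and classifies it by magic bytes, treating high-entropy content with no recognisable header as "opaque" (encrypted or compressed, not usable BFU) and a failed open as "protected", and it recovers phone numbers purely from directory names. The sample tree it builds is constructed data; the WhatsApp folder naming (a phone number, optionally with an `@s.whatsapp.net` suffix) and the entropy threshold of 7.5 bits/byte are assumptions, not facts stated on the page.

```python
import math
import os
import re
import tempfile
from datetime import datetime, timezone
from pathlib import Path
from typing import Dict, List, Optional

# File-type magics we can recognise from the first bytes of a readable file.
MAGICS = {
    b"SQLite format 3\x00": "sqlite",
    b"bplist00": "binary-plist",
    b"<?xml": "xml-plist",
    b"\xff\xd8\xff": "jpeg",
}

# Assumption (not stated on the page): WhatsApp media folders are named by the
# contact's phone number, optionally followed by "@s.whatsapp.net".
PHONE_DIR = re.compile(r"^\+?(\d{7,15})(?:@s\.whatsapp\.net)?$")


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 8.0 for uniformly random bytes, low for text or structured files."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def classify(path: Path) -> str:
    """Classify a file by what can actually be read from it."""
    try:
        head = path.read_bytes()[:4096]
    except PermissionError:
        # On a live BFU device a file in a passcode-dependent protection class
        # cannot be opened: its class key is not available before first unlock.
        return "protected"
    for magic, kind in MAGICS.items():
        if head.startswith(magic):
            return kind
    # Assumed threshold: >7.5 bits/byte with no known header -> encrypted/compressed.
    if len(head) >= 256 and shannon_entropy(head) > 7.5:
        return "opaque"
    return "other"


def triage(root: Path) -> List[Dict[str, object]]:
    """Name, size, mtime and readability for every file under root.

    Names and timestamps come from file-system metadata and are available for
    every file; only 'kind' depends on whether the content was readable.
    """
    records = []
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            p = Path(dirpath) / name
            st = p.stat()
            records.append({
                "path": p.relative_to(root).as_posix(),
                "size": st.st_size,
                "mtime": datetime.fromtimestamp(st.st_mtime, tz=timezone.utc).isoformat(),
                "kind": classify(p),
            })
    return records


def whatsapp_contacts(root: Path) -> List[str]:
    """Phone numbers recovered from directory names alone (no file content needed)."""
    numbers = set()
    for _dirpath, dirs, _files in os.walk(root):
        for d in dirs:
            m = PHONE_DIR.match(d)
            if m:
                numbers.add("+" + m.group(1))
    return sorted(numbers)


def build_sample_dump(base: Optional[Path] = None) -> Path:
    """Constructed sample data standing in for a BFU file-system dump (paths are illustrative)."""
    base = base or Path(tempfile.mkdtemp(prefix="bfu_"))
    ts = 1575000000  # fixed mtime so the listing is reproducible
    wa = "private/var/mobile/Containers/Shared/AppGroup/WA/Message/Media"
    files = {
        "private/var/mobile/Library/SMS/sms.db": b"SQLite format 3\x00" + b"\x00" * 100,
        "private/var/mobile/Library/Preferences/com.apple.example.plist": b"bplist00" + b"\x00" * 32,
        # Stands in for a mail attachment in a passcode-dependent class: metadata readable, content not.
        "private/var/mobile/Library/Mail/Attachments/report.pdf": bytes(range(256)) * 16,
        f"{wa}/4915551234567@s.whatsapp.net/IMG-1.jpg": b"\xff\xd8\xff" + b"\x00" * 64,
        f"{wa}/393331234567/VID-1.mp4": bytes(range(256)) * 16,
    }
    for rel, content in files.items():
        p = base / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(content)
        os.utime(p, (ts, ts))
    return base


if __name__ == "__main__":
    root = build_sample_dump()
    for r in triage(root):
        print(f'{r["mtime"]}  {r["size"]:>6}  {r["kind"]:<13} {r["path"]}')
    print("WhatsApp contacts from folder names:", whatsapp_contacts(root))
```

Point `triage()` at the root of a real dump instead of the constructed tree and the "opaque"/"protected" rows are exactly the files whose names and timestamps you still get BFU but whose contents need the passcode.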

Starting from the SANS FOR585: Advanced Smartphone Forensics Poster, written by Heather Mahalik and Domenica Crognale for the SANS FOR585 - Advanced Smartphone Analysis course, I built a list of operating system and native application databases and plist files that are not protected by a passcode-dependent key and are therefore readable BFU.

The amount of information available this way, as I already mentioned in my previous post, is quite interesting.

I started analyzing some third-party applications and, so far, I found:

  • WhatsApp logs
  • Viber account information
[screenshots taken with Oxygen Forensics Detective].

The next post will contain a detailed list of third-party app files available BFU.

Stay tuned!

