Checkra1n Era - Ep 2 - Extracting data "Before First Unlock" (aka "I found a locked iPhone! And now?")

In my previous post I started investigating which plist files and databases are available in an iOS Device "Before First Unlock". 

In this post I want to describe an easy way to extract those files by using a Mac OS computer.
We can then obtain a TAR file that we can describe as a sort of "Before First Unlock Triage".

Prerequisites on Mac OS X

  1. Download the latest version of checkra1n 
  2. Download and install the latest version of libimobiledevice for Mac OS X
  3. Download and install sshpass on OS X

Extraction procedure

  • Apply checkra1n to the device
  • Open a Terminal
  • Execute the command sudo iproxy <Local_Port> 44 and provide the local computer's password
  • Open a new Terminal
  • For every file you want to download, execute

        sshpass -p alpine scp -P <Local_Port> root@localhost:/path_to_file /path_to_destination

  • For every folder you want to download, execute

        sshpass -p alpine scp -P <Local_Port> -rp root@localhost:/path_to_folder /path_to_folder

  • At the end of the process you can easily create a TAR file, which can then be used for analysis

I'm working on a simple bash script to automate the extraction process. Stay tuned!
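The steps above combined into one script, as an added example that is not the author's announced script: it reads remote paths from a list file, copies each one through the iproxy tunnel with the scp command shown in the post, logs the paths that could not be copied, and writes the TAR file together with its SHA-256. The list file, the output layout and the function names are assumptions made for this example.

```shell
#!/usr/bin/env bash
# Added example (not from the original post). Assumes iproxy is already
# running in another Terminal:  sudo iproxy <Local_Port> 44
# Usage: ./bfu_triage.sh <Local_Port> <paths_file> <out_dir>
# paths_file (hypothetical): one remote file or folder path per line.

# Copy one remote path, recreating its parent directories under <out_dir>/root.
pull_path() {
  local port="$1" remote="$2" out="$3" parent
  parent="$out/root$(dirname "$remote")"
  mkdir -p "$parent"
  # -rp as in the post: recurse into folders, keep timestamps and modes.
  if sshpass -p alpine scp -P "$port" -rp "root@localhost:$remote" "$parent/" \
       2>>"$out/scp_errors.log" </dev/null; then
    echo "OK   $remote" >>"$out/pull.log"
  else
    echo "FAIL $remote" >>"$out/pull.log"   # keep going, record the miss
    return 1
  fi
}

# Create <out_dir>.tar next to the folder and record its SHA-256.
package_triage() {
  local out="$1" tarfile="$1.tar"
  tar -cf "$tarfile" -C "$out" . || return 1
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$tarfile" >"$tarfile.sha256"
  else
    shasum -a 256 "$tarfile" >"$tarfile.sha256"   # macOS
  fi
}

main() {
  local port="$1" list="$2" out="$3" remote
  mkdir -p "$out"
  while IFS= read -r remote; do
    case "$remote" in ''|'#'*) continue ;; esac   # skip blanks and comments
    pull_path "$port" "$remote" "$out" || true
  done <"$list"
  package_triage "$out"
}

if [ "$#" -eq 3 ]; then main "$@"; fi
```

The pull log and the scp error log are written inside the output folder, so they end up in the TAR alongside the extracted files.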


