Checkra1n Era - Ep 2 - Extracting data "Before First Unlock" (aka "I found a locked iPhone! And now?")

By -
In my previous post I started investigating which plist files and databases are available in an iOS Device "Before First Unlock". 

 In this post I want to describe an easy way to extract those files by using a Mac OS computer.
We can then obtain a TAR file that we can describe as a sort of "Before First Unlock Triage".

 Prerequisites on Mac OS X

  1. Download the latest version of checkra1n 
  2. Download and install the latest version of libimobiledevice for Mac OS X
  3. Download and install sshpass on OS X
Extraction procedure

    • Apply checkra1n to the device
    • Open a Terminal
    • Execute the command sudo iproxy <Local_Port> 44 and provide local computer password
    • Open a new Terminal
    • For every file you want to download execute
    sshpass -p alpine scp -P <Local_Port> root@localhost:/path_to_file /path_to_destination


    • For every folder you want to download execute
    sshpass -p alpine scp -P <Local_Port> -rp root@localhost:/path_to_folder /path_to_folder


    • At the end of the process you can easily create a TAR file, that can then used for analysis
    I'm working on a simple bash script to automate the extraction process. Stay tuned!

    Comments

    Post a Comment

    Popular posts from this blog

    A first look at Android 14 forensics

    By -
    Android 14 was released to the public by the Open Handset Alliance on October 4, 2023, and is now available on various smartphones, including the Google Pixel. This blog post aims to explore a list of the majr oartifacts you can find on this version of the Android OS.  For testing and review, I set up a Google Pixel 7A and used it for about a month, with a SIM card and various native and third-party apps installed. The blog post is organized by sections: Device information and general settings User accounts Information on Cellular, Wi-Fi, and Bluetooth connections Native Android applications Google applications Analysis of the use of native and third-party applications Other relevant information As always, I'll try to update this blog post as I test and research. Device information and general settings build.prop TXT format Stored in the root directory of the system partition  Among other things, it contains the device manufacturer, the device model, the operating system version, a
    Keep reading

    Huawei backup decryptor

    By -
    When doing Mobile Forensics the first and usually the hardest step is to get access to user's data . It depends on the case type, but the so called physical  acquisition is the analyst object of desire. The reason is simple: iOS and Android native backups, respectively adb  and iTunes , contain a subset of user data, because they respect the various apps configurations where they can specify " you can't include me in backups ". Which leads to inconsistent situations like, for example, having WhatsApp data in iTunes backups and not having it in Android adb backups. Not considering WhatsApp, the majority of apps in iOS and Android do not allow their data to be included in backups . In the scenario where  device is unlocked or the lock  code is known (the only scenario considered in this post), the analyst could use the device itself to make the analysis of the installed applications. Anyone who did that at least once knows how uncomfortable is this approach. Al
    Keep reading

    WhatsApp Xtract

    By -
    I don’t want to bore you explaining what is WhatsApp . If you have this serious gap, you can fill it here .  Forensically speaking, WhatsApp was a very cool app until the last June. After that, someone had decided to add the extension “crypt” to such excellent source of information which was msgstore.db . This database stores information about contacts and also entire conversations. But simply opening it with SQLite Browser , you can have some troubles in extracting a single chat session with a desired contact, or in reordering the messages. My last python script wants to overcome these problems, avoiding to deal with complex SQL queries. Now, you need only to decrypt that file! Go to the repo.
    Keep reading