Checkra1n Era - Ep 3 - Automating extraction "Before First Unlock" (aka "Give me a stupid bash script!")

In my previous post I described how to extract a single file or a folder from a locked iOS device, after checkra1n was applied to the device.

In this post I want to introduce a simple (and stupid) bash script, written and tested on Mac OS X.

The aim of the script is to automate the extraction by acquiring only relevant files and folders (or, better, by excluding the irrelevant ones!).

DISCLAIMERS

  1. There is nothing secret or miraculous in this script, it simply uses already existing tools
  2. The script was tested on three devices where checkra1n was applied: an iPhone 5s, an iPhone 7 and an iPhone X
  3. Use it at your own risk and only on test devices
  4. The script is provided as is and I am not providing any support on how to use it
  5. There are certainly better ways to write the script and it can be improved (for example, at the moment, it doesn't manage any kind of error). Suggestions on how to improve it are really welcome!

DOWNLOAD THE SCRIPT
The bash script is available in our GitHub account and in particular at this link


The script was written and tested only on Mac OS X.

DEPENDENCIES
The script uses two external tools:

  1. The libimobiledevice library
  2. The sshpass utility

Instructions on how to install these tools on a Mac OS X computer are available on their websites.

BEFORE EXECUTING THE SCRIPT

Before using the script you need to "checkra1n" the iOS device

Then you can open a Terminal and execute the command 

sudo iproxy 22 44


Place the script in the folder where you want to save the extracted data (for example, "Desktop") 

Make the script executable (chmod +x ios_bfu_triage.sh)

Execute the command ssh root@localhost, provide the iOS root password ("alpine"), and add [localhost] to the list of known hosts


EXECUTING THE SCRIPT

Execute the script (./ios_bfu_triage.sh)

The script will start executing some "ideviceinfo -s" commands to identify the connected device.


In the first step the script asks if you want to execute some live commands on the device
The commands executed by the script on the device are:
    • date
    • sysctl -a
    • hostname
    • uname -a
    • id
    • df
    • df -ah
    • ifconfig -a
    • netstat -an
    • mount
    • ps -ef
    • ps aux
The result is saved in a folder named "DeviceName.Timestamp/DeviceName_live".
Each executed command generates a separate TXT file.

In the second step the script asks if you want to create a triage image of the /private/ folder.
The script executes this command on the device and redirects the output to your computer.

    tar -cf - /private --exclude=/private/var/containers/Bundle --exclude=/private/var/MobileAsset


Basically, the script skips:
    • Operating System files and folders
    • Native Applications bundles
    • Third-Party Applications bundles

If you are also interested in extracting these files and folders, you can simply change the command to:

    tar -cf - /

The result is saved in a folder named "DeviceName.Timestamp/DeviceName_acquisition".
In particular, two files are created during the process:
    • DeviceName.tar, containing the extracted files in a TAR file
    • DeviceName_acquisition_log.txt, containing a log of the TAR command, including the list of files for which the "Operation is not permitted" error was reported (aka, protected with the passcode) and the sha1 hash of the generated TAR file

In the third step the script asks if you want to execute a "find /private" command, to extract the complete list of file and folder names from the device.


The result will be saved in a file named "DeviceName.Timestamp/DeviceName_find/DeviceName_find.txt".

The file contains the list of all files and folders on the device, including those not available in the TAR file created during step 2.
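
As an added example (not part of ios_bfu_triage.sh or of the original post), the following bash function compares the step 3 listing with the members of the step 2 TAR and prints the paths that were seen on the device but are missing from the archive, ignoring the two folders the tar command excludes. The function names, the sample paths and the sample data are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example (not part of ios_bfu_triage.sh).

# Paths that the triage tar command excludes on purpose.
EXCLUDED_PREFIXES="/private/var/containers/Bundle /private/var/MobileAsset"

# Normalise a listing: one leading "/", no trailing "/", sorted and unique.
normalize_paths() {
    sed -e 's|^\./||' -e 's|^/*|/|' -e 's|/$||' | LC_ALL=C sort -u
}

# missing_from_tar <tar file> <find listing>
missing_from_tar() {
    local tarfile="$1" findfile="$2" tmp prefix
    tmp="$(mktemp -d)" || return 1
    tar -tf "$tarfile" | normalize_paths > "$tmp/in_tar"
    normalize_paths < "$findfile" > "$tmp/on_device"
    # comm -13 keeps lines that appear only in the second input.
    LC_ALL=C comm -13 "$tmp/in_tar" "$tmp/on_device" > "$tmp/missing"
    for prefix in $EXCLUDED_PREFIXES; do
        grep -v -e "^${prefix}\$" -e "^${prefix}/" "$tmp/missing" > "$tmp/kept" || true
        mv "$tmp/kept" "$tmp/missing"
    done
    cat "$tmp/missing"
    rm -rf "$tmp"
}

# Constructed sample data so the function can be tried without a device.
build_sample() {
    local dir="$1"
    mkdir -p "$dir/root/private/var/mobile/Library/Preferences"
    echo demo > "$dir/root/private/var/mobile/Library/Preferences/com.example.plist"
    tar -cf "$dir/sample.tar" -C "$dir/root" private
    cat > "$dir/sample_find.txt" <<'EOF'
/private
/private/var
/private/var/mobile
/private/var/mobile/Library
/private/var/mobile/Library/Preferences
/private/var/mobile/Library/Preferences/com.example.plist
/private/var/mobile/Library/Example
/private/var/mobile/Library/Example/protected.db
/private/var/containers/Bundle/Application/Example.app
/private/var/MobileAsset
EOF
}
```

On a real acquisition, call missing_from_tar with DeviceName.tar and DeviceName_find.txt and compare the output with the entries recorded in DeviceName_acquisition_log.txt.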


As you can see, the result on a locked iPhone X is a 3.3 GB TAR file that was extracted in about 10 minutes, on a device where the passcode was not known.

Once the acquisition is done you can import the TAR file in commercial forensics tools.
Here are some screenshots of the acquisition processed with UFED Physical Analyzer, Magnet AXIOM and Oxygen Forensics Detective.






In our tests, the script also worked well when the device passcode is known.
In this case, after applying checkra1n, you need to:
  1. Unlock the device with the passcode
  2. On the iPhone in General -> Display & Brightness, set Auto-Lock to Never
     (We are not 100% sure at the moment if this is a requirement or not, but for this first release we suggest doing it this way)

In the next blog post I will provide some ideas on how to parse the data extracted BFU with already existing open source tools and scripts.
