Checkra1n Era - Ep 5 - Automating extraction and processing (aka "Merry Xmas!")

After my third post on how to automate an extraction BFU, my great friend, colleague and fellow citizen Giovanni 'sug4r' Rattaro, Tsurugi Linux team leader and core developer, wrote me a message saying: "Belin Mattia! You had a great idea! But we can quickly improve your script!" And I answered: "Yes, why not. How is it going for you in the next couple of weeks? Do you have time?". And Giovanni: "No, I have to deliver the newest version of Tsurugi before Christmas. But still, we can do it!". And I said: "I am also very busy. But yes, we can do it!".

Starting from my original idea, we completely redesigned and organized the script, both in terms of "user interface" (thanks Giovanni for the idea of using ncurses menu!) and functions.

Still, our script is a PoC and must be used just for testing, studying, developing and learning purposes. It is not meant to be a "forensic tool", but we decided in any case to create log files and calculate hashes.

The script has been tested only on Mac OS X, but we plan to test it on Linux and integrate it in Tsurugi Linux in the Mobile Forensics section.

It is opensource and we will be pleased to receive any kind of feedback on how to improve it, add new features or bug fix.

In this post we will explain script's features, basic requirements and we provide instructions on how to use it.

Features

The script has a main menu with 9 options.

Option 1 - Collect device information

This option executes the 'ideviceninfo -s' tool and collects basic information about the connected iOS device (name, model, UDID, iOS version and so on).


The result is stored in two files, in TXT and PLIST format.

Option 2 - Execute live commands

This option executes live commands on the device.
The actual version executes the following commands:
  • date
  • sysctl -a
  • hostname
  • uname -a
  • id
  • df
  • df -ah
  • ifconfig -a
  • netstat -an
  • ltop
  • mount
  • ps -ef
  • ps aux
  • ioreg
It takes about 15 seconds to complete.


The result is stored in a separate TXT file for each executed command.

Option 3 - Execute 'find' commands

This option executes 7 'find' commands to extract relevant file/folder names and specifically:
  • find /private/var/mobile/Library/DataAccess -type d -name "*IMAP-*"
  • find /private/var/mobile/Library/Mail -type f -name "*.pdf" -ls
  • find /private/var/mobile/Library/Mail -type f -name "*.doc*" -ls
  • find /private/var/mobile/Library/Mail -type f -name "*.xls*" -ls
  • find /private/var/mobile/Containers -type d -name "*@s.whatsapp.net*"
  • find /private/var/mobile/Containers -type d -name "*@g.us*"
  • find /private/var -ls
The execution should take about 5 to 10 minutes, depending on the amount of files stored on the device.


The result is stored in a separate TXT file for each executed 'find' command.

Option 4 - Acquire a 'BFU relevant files' image

This option extracts relevant files available BFU and creates a TAR file.
The execution should take about 5 minutes, also when executed AFU.


The result is stored in a TAR file and extracted files are also available in the 'extracted_files' subfolder

Option 5 - Acquire a triage image

This option creates a TAR file of '/private' folder, excluding application Bundles and MobileAsset. 
When in BFU state, the execution should take about 10 to 15 minutes
When in AFU state, the amount of time depends on the total file size and can reach several hours
In our tests the average speed is about 25 GB per hour


The result is stored in a TAR file 

Option 6 - Acquire a full image

This option creates a TAR file of the full file system
When in BFU state, the execution should take about 30 minutes
When in AFU state, the amount of time depends on the total file size and can reach several hours
In our tests the average speed is about 25 GB per hour

The result is stored in a TAR file 

Option 7 - Extract and process relevant files

This option extracts relevant files and parse them with Sysdiagnose scripts, Mobile Installation Logs Parser and APOLLO.

This option can be used both BFU or AFU. When BFU not all the files can be extracted, because some of them are available only AFU. The script uses only the available ones and process them.

The execution should take about 5 to 10 minutes.


The result is stored in a separate subfolder fo each executed script.

 

Requirements

The script has some mandatory requirements and some optional requirements.

Mandatory requirements

  • A "checkra1ned" iOS device with and SSH connection on localhost port 22. We didn't test the script with other jailbreaks, but it should work on any device where an SSH connection is available on port 22 and the 'root' user has the default password ('alpine').
  • libimobiledevice
  • sshpass
  • dialog

Optional requirements

Configuration

  • Download the "ios_bfu_triage.sh" script on our GitHub account
  • Save the script in the same folder where you want to store the extractions
  • NOTE: Keep in mind that a full file system acquisition can be quite big. Be sure to have enough space on your disk. The script can also be saved and executed from an external devices.
  • Make the script executable (chomod +x ios_bfu_triage.sh)
  • Download Sysdiagnose scripts, Mobile Installation Logs Parser and APOLLO
  • Extract and stores these scripts in the same folder where you stored the ios_bfu_triage.sh
  • Strictly use the following folder naming schema (see also the following picture)
    • sysdiagnose
    • mib
    • apollo
  • When you know the passcode (aka, you can be in an AFU condition) make sure to keep the phone unlocked by setting "Auto Lock" to never. In this way, options 5, 6 and 7 will be able to extract all the files. In fact, if you are in an AFU condition but the phone is locked at the time of acquisition, all the files in a protection class "ProtectionComplete" cannot be extracted!

Conclusions

Download and test the script!
The generated TAR file (with options 4, 5 and 6) should work once imported in commercial Mobile Forensics tools!

In the meanwhile, Merry Christmas and Happy New Year!!

Comments

Popular posts from this blog

A first look at Android 14 forensics

Huawei backup decryptor

Dissecting the Android WiFiConfigStore.xml for forensic analysis