Extracting Evidence from iPhone Devices: Do I (Still) Need a Jailbreak?

November 23rd, 2020 by Vladimir Katalov
Category: «Mobile», «Tips & Tricks»

If you are familiar with iOS acquisition methods, you know that the best results can be obtained with a full file system acquisition. However, extracting the file system may require jailbreaking, which may be risky and not always permitted. Are there any reasons to use jailbreaks for extracting evidence from Apple devices?

In the time of the iPhone 4, jailbreaks were never needed. It was always possible to create a perfect bit image of the device, even if it was locked. One could easily break the passcode (in most cases) and decrypt most of the data even if the passcode was not cracked. Apple officially provided this service to the government.

There were two game changers: the iPhone 5s equipped with Secure Enclave and iOS 8 that seriously improved iOS data protection. Since iOS 8, only a very limited amount of data remained unencrypted. Since then, Apple stopped offering data extraction services for LEA.

We concentrated on a slightly easier yet very important task in mobile forensics: the full file system extraction from unlocked devices. At the time we started our work, it was only possible with a jailbreak. We implemented full file system and keychain extraction from jailbroken devices.

That is, in fact, not a true physical extraction, but you get a full copy of the file system, so it is very close (and the difference is only a question of terminology). We also extract the keychain, which you don’t normally get when pulling the file system alone.

Earlier this year, we developed and implemented a new acquisition method that does not require jailbreaking, see iPhone Acquisition Without a Jailbreak published in February. The method is easy, fast, forensically sound, and absolutely safe to the device. Later we added support for other versions of iOS, currently covering all devices from the iPhone 5s to iPhone 11 Pro Max, and all iOS versions from iOS 9.0 to 13.5.

Are there still reasons to jailbreak to perform data acquisition? Yes, there are, and we did our best to count them all.

Old devices and iOS versions

Old iPhones are still being used! Just a couple of days ago we received a request to break an iPhone 4 (we have full physical acquisition for this model). For the iPhone 5 and 5c, we can currently only break the passcode, although jailbreak-free data acquisition is on the way. The iPhone 4s will be supported soon, but currently the file system acquisition of iPhone 4s/5/5c is only possible through jailbreaking. Also, we did not bother implementing support for iOS 7 and 8 on iPhone 5s and 6, so jailbreaking is also needed.

BFU extraction

If the iPhone is locked with an unknown passcode, you are limited to BFU (Before First Unlock) extraction, which returns a very limited amount of data. In this case, you desperately need a jailbreak; see BFU Extraction: Forensic Analysis of Locked and Disabled iPhones for more details. With the latest checkra1n, you can perform BFU acquisition of the following devices:

  • iPhone 5s, iPhone 6: iOS 12.3 to iOS 12.4.9
  • iPhone 6s, iPhone SE (1st gen), iPhone 7: iOS 12.3 to iOS 14.2.1
  • iPhone 8, iPhone X: iOS 12.3 to iOS 13.7

iOS 14 support

There is currently no iOS 14 support in our agent-based acquisition, so if you need to extract the file system and/or keychain from a device running iOS 14, you will need checkra1n. Supported models include devices from the iPhone 5s to iPhone X, and supported iOS versions range from iOS 12.3 to 14.2.1. You will only need a jailbreak for iOS 14.x; for iOS 12 and 13, agent-based acquisition returns similar results with a smaller footprint. At the time of this writing, agent-based extraction is supported on iOS versions up to iOS 13.5 only, but support for other iOS 13.x versions (up to 13.7) is on the way.

checkra1n alternative(s)

Instead of checkra1n, you can use checkm8-based extraction available in some forensic tools. The device/iOS compatibility is the same or worse than with checkra1n itself (from iOS 12.3 and up). Most vendors claim that their extraction method is forensically sound; this is not quite true, as the extraction still requires modifying certain system files and installing additional software on the device. Still, it is a slightly safer (and much more expensive) way than using checkra1n.

The budget

If you are on a budget, jailbreaking is still a viable choice. By installing a jailbreak and establishing an SSH connection to the device, you can extract the file system. What you cannot extract (or, rather, decrypt without additional commercial software) is the keychain, which may contain credentials that give further access to the owner’s accounts (mail, social networks, clouds, Web sites, etc.).
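As an added example (not code from the post or from Elcomsoft's toolkit), the script below shows the file-system pull over SSH described above, with the one thing a forensic examiner cares about that a plain `scp` does not give you: the image is hashed as it arrives, re-hashed on disk, and the value is written to a sidecar and a log so the copy can be verified later. It assumes OpenSSH is already running on the jailbroken device and reachable at the target you pass in (for instance `root@localhost` through a USB port forward); the host, port, remote path and file names are placeholders, not values from the post.

```shell
#!/bin/sh
# Added example, not the post's own code. Pull a directory tree from an already
# jailbroken iPhone over SSH as a tar stream and record its SHA-256 at acquisition
# time. Assumed: OpenSSH on the device, reachable at the ssh target in $1.
set -eu

# Print the SHA-256 of a file, or of stdin when $1 is "-".
# Uses coreutils sha256sum where available and falls back to shasum (macOS).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Write "<hash>  <basename>" into <file>.sha256 next to the image, the same
# layout that "sha256sum -c" understands, and echo the hash for the caller.
record_hash() {
    hash=$(sha256_of "$1")
    printf '%s  %s\n' "$hash" "$(basename "$1")" > "$1.sha256"
    printf '%s\n' "$hash"
}

# Re-hash the image and compare it with the recorded value.
# Returns 0 when the image still matches its sidecar, 1 when it has changed
# or the sidecar is missing.
verify_image() {
    [ -f "$1.sha256" ] || return 1
    expected=$(cut -d' ' -f1 "$1.sha256")
    actual=$(sha256_of "$1")
    [ "$expected" = "$actual" ]
}

# Stream tar output from the device into $3, hashing the stream as it arrives,
# then re-hash the file on disk so a truncated or corrupted write is caught
# at acquisition time rather than during analysis.
#   $1 = ssh target (placeholder, e.g. root@localhost)
#   $2 = remote path to image (e.g. /private/var)
#   $3 = local .tar to write
acquire_tree() {
    target=$1; remote_path=$2; out=$3
    stream_hash=$(ssh -p "${SSH_PORT:-22}" "$target" "tar -cf - '$remote_path'" \
        | tee "$out" | sha256_of -)
    disk_hash=$(record_hash "$out")
    if [ "$stream_hash" != "$disk_hash" ]; then
        echo "hash mismatch: stream $stream_hash vs disk $disk_hash" >&2
        return 1
    fi
    # Append a timestamped line so the acquisition is documented alongside the image.
    printf '%s  %s  %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$disk_hash" "$out" \
        >> acquisition.log
}

# Only run an acquisition when invoked with all three arguments, so the file can
# also be sourced for its functions. Example (placeholder target and paths):
#   sh acquire.sh root@localhost /private/var evidence-var.tar
if [ $# -eq 3 ]; then
    acquire_tree "$1" "$2" "$3"
fi
```

Hashing the stream and the on-disk file separately is deliberate: `tee` can silently lose data on a full or failing disk, and a mismatch between the two values tells you the copy is unusable before you spend time on it. Keep in mind, as the post notes, that this gets you the file system only; the keychain still needs separate decryption.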

Conclusion

The choice of jailbreaking the device or not is yours. In some cases, there is simply no alternative, and you’ll have to jailbreak if you need the most complete extraction.

