Posts Tagged ‘checkm8’

Last month we introduced forensically sound low-level extraction for a range of iPhone devices. Based on the renowned checkm8 exploit, our solution supported devices ranging from the iPhone 5s through 6s/6s Plus/SE. Today, we are extending the range of supported devices, adding checkm8 extraction of the iPhone 7 and 7 Plus.

Installing the checkm8 exploit to perform forensically sound extractions with iOS Forensic Toolkit can be tricky, which is in part due to certain hardware peculiarities.  If you watch our blog, you might have already read the article on checkm8, checkra1n and USB hubs. We have some good news: we managed to fix some of the issues with or without the use of a USB hub.

Half a year ago, we started a closed beta-testing of a revolutionary new build of iOS Forensic Toolkit. Using the checkm8 exploit, the first beta delivered forensically sound file system extraction for a large number of Apple devices. Today, we are rolling out the new, significantly improved second beta of the tool that delivers repeatable, forensically sound extractions based on the checkm8 exploit.

The second beta of iOS Forensic Toolkit 8.0 has arrived, offering repeatable, verifiable extraction for a limited range of iOS devices. The new release introduces a brand-new user interface, which differs significantly from the selection-driven console we’ve been using for the past several years. This article describes the new workflow for performing forensically sound extractions with iOS Forensic Toolkit 8.0 beta2.

If you ever used the checkra1n jailbreak or the checkm8 acquisition method available in some mobile forensic products like iOS Forensic Toolkit, you know that the trickiest parts of the process are the first two: entering DFU, and using the exploit itself. Even if you have the right cables and enough experience, sometimes you may still bump into a weird issue or two. The device may not enter DFU whatever you do, or the exploit fails. How can you increase your success rate?

Switching the iPhone into DFU mode is frequently required during the investigation, especially for older devices that are susceptible to checkm8 exploit. However, switching to DFU requires a sequence of key presses on the device with precise timings. If the device is damaged and one or more keys are not working correctly, entering DFU may be difficult or impossible. In this guide, we offer an alternative.

Back in 2019, independent researcher axi0mX has developed a ground-breaking exploit. Targeting a vulnerability in the bootloader of several generations of iOS devices, checkm8 made it possible to obtain BootROM code execution and perform forensic analysis on a long list of devices running a wide range of iOS versions. In this article, we’ll talk about the forensic use of checkm8 with iOS Forensic Toolkit.

The previous publication talks about the basics of using the bootloader-level exploit for extracting iOS devices. In this article, we are posting a comprehensive step-by-step guide of using the new checkm8 capability of iOS Forensic Toolkit for performing forensically sound extractions of a range of Apple devices.

DFU Mode Cheat Sheet

January 14th, 2021 by Oleg Afonin

The Device Firmware Upgrade mode, or simply DFU, just got a second breath. The ability to image the file system, decrypt the keychain and even do passcode unlocks on some older iPhone models has been made possible thanks to the checkm8 exploit and the checkra1n jailbreak, both of which require switching the phone into DFU. The procedure is undocumented, and the steps are different for the various devices.

If you are familiar with iOS acquisition methods, you know that the best results can be obtained with a full file system acquisition. However, extracting the file system may require jailbreaking, which may be risky and not always permitted. Are there any reasons to use jailbreaks for extracting evidence from Apple devices?