
It has been a week since Apple introduced iOS 14.2


iOS 14.2, iOS 12.4.9, the Updated checkra1n 0.12 Jailbreak and File System Extraction
It's been a week since Apple released iOS 14.2 as well as iOS 12.4.9 for older devices. Only a couple of days later, the developers updated the checkra1n jailbreak with support for new devices and iOS versions. What does that mean for iOS forensics? Let us have a look; we have done some testing, and our findings are consistent with our expectations. Just one exception: to our surprise, Apple didn't patch the long-standing vulnerability in iOS 12.4.9 that leaves the door open to full file system extraction and keychain acquisition without jailbreaking.
iOS 14.2
Over 100 new emoji, that's the deal! On a serious note, iOS 14.2 brings a great deal of fixes and improvements; please pay attention to the security content.
At this time, there are no known vulnerabilities or publicly available exploits in iOS 13.5.1 and newer. For devices running those versions, you only have the following options:
Extended logical acquisition (backups, media files, shared files, diagnostic logs)
Cloud acquisition
checkra1n jailbreak, followed by full file system and keychain acquisition
We have successfully tested Elcomsoft iOS Forensic Toolkit (extended logical acquisition) and Elcomsoft Phone Breaker (cloud acquisition) with the new iOS 14.2. No problems found; all the data was extracted successfully.
As for checkra1n, the devil is in the details; please read on. But first, a bit on yet another iOS update.
iOS 12.4.9
As you know, the iPhone 5s and iPhone 6 (there are still millions of those devices on the market) did not get iOS 14 or iOS 13. For these devices, Apple continues to maintain the iOS 12 branch, hence the release of iOS 12.4.9. No noteworthy improvements were found, but have a careful look at the iOS 12.4.9 security content. Our biggest surprise was that this iOS release does not patch any of the system vulnerabilities that allowed us to perform file system extraction and keychain acquisition without jailbreaking on the iPhone 5s and iPhone 6, which means our tool covers many of the iOS versions these devices can run (see iOS Extraction With no Jailbreak: Ultimately, Zero-Gap Coverage for iOS 9 via iOS 13.5 on All Devices).
The biggest news is not the iOS updates, however, but the newest checkra1n release.
Although the checkm8 exploit is hardware-based and "can't be patched by Apple", as numerous forensic vendors like to state, iOS 14 partly fixed it; more info here.
Still, the checkra1n developers were able to implement full iOS 14 support for the iPhone 6s and iPhone SE (first generation). The most recent version, checkra1n 0.12 beta, has the following major improvements:
Official support for iOS 14.1 and 14.2
Official support for A10/A10X devices on iOS 14.x
Restricted support for A11 devices on iOS 14.x (Options > Skip A11 BPR check)
Confused about A10/A11 and how the SoC names map to iPhone and iPad models? Consult our Apple Mobile Devices Cheat Sheet.
Put simply: checkra1n now fully supports not only the iPhone 6s and iPhone SE, but also the iPhone 7 and 7 Plus, as well as some iPad models (6th and 7th gen and iPad Pro 2nd gen). All that, including iOS 14.1 and 14.2, which were just released.
What about the iPhone 8 (8 Plus) and iPhone X? They received only partial support. More on this below.
macOS issues
Before we move further, please be aware that the checkra1n jailbreak is only available for macOS and Linux. iOS Forensic Toolkit also works more reliably and has extended functionality on macOS, even though we have a Windows version as well. Two major features are not available in the Windows version:
iPhone 5/5c passcode cracking
Agent installation using non-developer accounts
We recommend using macOS 10.13 (High Sierra) or 10.14 (Mojave) for iOS Forensic Toolkit. The software is compatible with macOS 10.15 (Catalina) and 11.0 (Big Sur) as well, but there is one extra step in the product installation: you have to clear the quarantine flag on the iOS Forensic Toolkit image before installation. Also, there are a few nuances in using lockdown/pairing records for extended logical acquisition of locked devices. Please read Installing and using iOS Forensic Toolkit on macOS 10.15 Catalina before calling our technical support saying "hello, it does not work".
BFU acquisition (and iPhone X issues)
Noticed the Restricted support for A11 devices on iOS 14.x in the checkra1n 0.12 release notes? It applies to both the iPhone 8 and iPhone X (there are no iPads based on this SoC, by the way). It means that you can only install checkra1n on devices that do not have a passcode set, which has the following forensic consequences:
If you know the passcode, you need to remove it first in order to carry out file system extraction and keychain acquisition. Note that removing the passcode has some significant consequences; see The Worst Mistakes in iOS Forensics.
If the passcode isn't known and you want to do BFU acquisition, you're out of luck.

In case you are not familiar with BFU: it stands for "Before First Unlock", and the term isn't official. BFU acquisition is meant for the case when the phone is locked with an unknown passcode. Thanks to checkra1n, you can still extract some data from the device, including account info, the list of installed apps, message drafts, some media files, as well as parts of the keychain; see BFU Extraction: Forensic Analysis of Locked and Disabled iPhones. Additionally, some iOS apps leave their data unencrypted (and so accessible in BFU mode), as detailed in Snapchat -- A False Sense Of Security? by James Duffy.
One more thing. If you perform BFU acquisition, do not forget to set the port number (in the iOS Forensic Toolkit script) to 44 rather than 22. Technically speaking, once the checkm8 exploit has finished its work and the user interface is mounted (Cydia isn't installed, however, so there is no OpenSSH), only the DropBear SSH server is running on the device. For some reason, it opens SSH on port 44 instead of the default 22.
We've tested iOS Forensic Toolkit on these configurations:
iPhone 7 (A1778), iOS 14.2, BFU (passcode isn't known)
iPhone 7 (A1778), iOS 14.2, AFU (passcode entered)
iPhone X (A1901), iOS 14.2, AFU (passcode isn't set)
We spent considerable time testing the new iOS builds and the new version of checkra1n to make sure that everything works as intended on both Windows and macOS, that the extracted files open successfully in Elcomsoft Phone Viewer and Forensic Forensic Detective, and that there are no further gaps.
As noted above, for the iPhone 7 it is still possible to perform BFU extraction of devices locked with an unknown passcode. In this case, you do not get the complete file system (as a large part of it is encrypted), but something is better than nothing. On our test device, we obtained 12 GB of data (counting the system files, though) in BFU mode, compared to about 40 GB for the complete file system image. In case you are curious, a standard (iTunes-style) backup takes about 17 GB (no system files there).
For the iPhone 8 and iPhone X, even the limited extraction is no longer possible. If the device is running iOS 14.0 through 14.2 and the passcode isn't known, there is nothing we can do. However, checkra1n is still useful for these devices, as it allows file system and keychain acquisition from unlocked devices.
To summarize, we got the results we had been hoping for. At times, checkra1n did not work on the first try (though we followed the checkra1n Installation Tips & Tricks carefully). We sometimes had to reboot the MacBook and the device (otherwise iOS Forensic Toolkit failed to connect, and it isn't clear whether that was an issue with macOS or with our software).
If you are a forensic expert, you might be hoping for a step-by-step guide covering all possible combinations of devices and operating systems. For instance, we haven't covered the USB restricted mode issues; fortunately, the new checkra1n still ignores USB restrictions, allowing partial acquisition of locked and disabled devices. We're working on a guide like that. For now, we know the following:
If the device is unlocked (passcode known or not set), use Agent acquisition if possible; this is the safest, simplest and most forensically sound method available.
If Agent acquisition is not available or the passcode is not known, use checkra1n (BFU/AFU).
If neither Agent nor checkra1n is compatible with your device, you are limited to extended logical acquisition.
If the passcode isn't known and the device isn't vulnerable to the checkm8 exploit, all you can do is cloud acquisition (or request the data from Apple). You may receive even more data than you counted on.
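
The decision list above, combined with the A11 restriction and the BFU port caveat from earlier in the article, written out as a small triage helper. This is an added example, not code from Elcomsoft or checkra1n: `Plan`, `plan_acquisition` and the `agent_ok` / `checkra1n` inputs are hypothetical names, and compatibility is supplied by the examiner rather than detected.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Plan:
    method: str        # "agent" | "checkra1n" | "extended_logical" | "cloud"
    mode: str = ""     # "BFU" or "AFU" for checkra1n extractions
    ssh_port: int = 0  # port to set in the toolkit script; 0 = not applicable
    note: str = ""

def plan_acquisition(passcode: str, agent_ok: bool, checkra1n: str) -> Plan:
    """passcode: 'known' | 'not_set' | 'unknown'.
    checkra1n: 'full' | 'a11_limited' | 'none', judged by the examiner
    from the checkra1n 0.12 notes quoted in the article."""
    if passcode not in ("known", "not_set", "unknown"):
        raise ValueError(f"bad passcode state: {passcode!r}")
    if checkra1n not in ("full", "a11_limited", "none"):
        raise ValueError(f"bad checkra1n support level: {checkra1n!r}")
    unlocked = passcode != "unknown"

    # 1. Unlocked device and Agent available: the article's first choice.
    if unlocked and agent_ok:
        return Plan("agent", note="no jailbreak needed")
    # 2. Full checkra1n support: AFU when unlocked, BFU otherwise.
    if checkra1n == "full":
        if unlocked:
            # Assumption: 22 is the default port the article contrasts with 44.
            return Plan("checkra1n", "AFU", 22, "full file system and keychain")
        # BFU: only DropBear is listening, on port 44 rather than 22.
        return Plan("checkra1n", "BFU", 44, "partial extraction")
    # 3. A11 on iOS 14.x: installs only when no passcode is set, so no BFU.
    if checkra1n == "a11_limited" and unlocked:
        note = "remove the passcode first" if passcode == "known" else ""
        return Plan("checkra1n", "AFU", 22, note)
    # 4. Fallbacks. Assumption: a locked A11 device is treated like a device
    #    checkra1n cannot handle, which leaves cloud acquisition only.
    if unlocked:
        return Plan("extended_logical", note="backups, media, shared files, logs")
    return Plan("cloud", note="or request the data from Apple")

if __name__ == "__main__":
    # Constructed cases mirroring the three configurations the article tested.
    for case in [("unknown", False, "full"), ("known", False, "full"),
                 ("not_set", False, "a11_limited")]:
        print(case, "->", plan_acquisition(*case))
```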

proctormicha

Saved by proctormicha

on Apr 14, 21