Cellebrite iOS Breakthrough
December 4, 2019 | By: Roey Arato | UFED Product Manager at Cellebrite
Every now and then, there is an iOS forensic breakthrough that is truly impactful. Using the new “checkm8” access point, forensic examiners will now be able to gain lawful access to iOS devices to extract more digital evidence.
This powerful access point applies to all iPhone models, from iPhone 4S through the iPhone X, and it occurs in some 85 percent of all active iPhones today. Even though it does not apply to the more recent iPhone XR/XS/11/Pro, it can be used for iPads and Apple TVs running A5-A11 SoCs.
This can be leveraged to develop a “jailbreak,” which is a solution used for removing restrictions imposed by the operating system in order to allow 3rd-party software to run with arbitrary permissions.
A few weeks ago, a group of researchers released the first version of a new jailbreak based on the checkm8 exploit, named “checkra1n.” Although the project is still in the beta stage, many users have reported success with it.
Full file system extraction can provide much more data than a logical extraction. This includes critical data such as full e-mails, 3rd party app data, as well as passwords, keys, and tokens stored in the “KeyChain.” Furthermore, a limited BFU (Before First Unlock) data set can be extracted from locked devices. This data can provide vital information to investigators.
The Cellebrite UFED team is working quickly to provide users with support for the above-mentioned scenario. This will be included with the launch of our iOS extraction agent in an upcoming release. The team is committed to providing a comprehensive, forensically-sound solution that adheres to Cellebrite’s high standards, is fully tested, and is admissible in court. This solution will not require any external computer and will directly apply checkm8, without needing a jailbreak or file system modifications.