September 22nd, 2022 by Oleg Afonin
Category: «Elcomsoft News», «Mobile»
iOS Forensic Toolkit 8.0 is officially released! Delivering forensically sound checkm8 extraction and a new command-line driven user experience, the new release becomes the most sophisticated mobile forensic tool we’ve released to date.
checkm8 Extraction
Released almost exactly three years ago, checkm8 came as a huge surprise. Exploiting a vulnerability in the bootloader of many Apple devices including several generations of iPhones, iPads, iPod Touch, Apple Watch and even Apple TV devices, checkm8 allows breaking into a device almost regardless of the version of iOS installed on these devices. The latest iPhone models that can be exploited include the iPhone 8, 8 Plus and iPhone X devices (up to and including iOS 15.7). For 32-bit devices the exploit can even be used to unlock devices with an unknown screen lock passcode.
Today, checkm8 is a common and widely accepted tool in the mobile forensic community. Multiple solutions exist, but none of them is perfect. We are yet to see a purely checkm8-based solution that does not borrow from checkra1n while offering repeatable extractions several times in a raw, so we developed our own implementation built from the ground up. As a result, there won’t be a trace left on the iPhone extracted with iOS Forensic Toolkit, not a single log entry and not even a changed timestamp. How did we make it possible?
checkm8 is ideal when it comes to forensic extractions. By its very nature, the exploit does not need to modify the file system; all modifications are performed on the fly in the device’s volatile memory. Our implementation works entirely in the RAM; it does not boot the OS installed on the device and does not modify the data or system partition. For that to work, during the extraction process you will need to download a matching copy of the original device firmware from Apple (the download link will be provided at the time of extraction).
Compatibility, System Requirements and Limitations
The initial release of iOS Forensic Toolkit 8.0 is available for macOS computers and can be launched on both x86 and Apple Silicon (M1/M2) computers. Linux and Windows editions are in the works.
Our implementation of checkm8 extraction is available for 76 Apple devices including a host of iPhone, iPad, iPod Touch, Apple Watch and Apple TV models. We support a number of major OS releases ranging from iOS 7 through iOS 15.7 (with limited iOS 16 support) in three different flavors (iOS, tvOS, and watchOS) for three different architectures (arm64, armv7, and armv7k). We support 18 different chips vulnerable to BootROM exploits, namely:
S5L8930, S5L8940, S5L8942, S5L8945, S5L8947, S5L8950, S5L8955, S5L8960, S5L8965, T7000, T7001, S8000, S8001, S8003, T8004, T8010, T8011, T8015
These chips include:
- 4 AppleTVs: AppleTV3,1 AppleTV3,2 AppleTV5,3 AppleTV6,2
- 40 iPads: iPad2,1 iPad2,2 iPad2,3 iPad2,4 iPad2,5 iPad2,6 iPad2,7, iPad3,1 iPad3,2 iPad3,3 iPad3,4 iPad3,5 iPad3,6 iPad4,1 iPad4,2 iPad4,3 iPad4,4, iPad4,5 iPad4,6 iPad4,7 iPad4,8 iPad4,9 iPad5,1 iPad5,2 iPad5,3 iPad5,4 iPad6,11, iPad6,12 iPad6,3 iPad6,4 iPad6,7 iPad6,8 iPad7,1 iPad7,11 iPad7,12 iPad7,2 iPad7,3, iPad7,4 iPad7,5 iPad7,6
- 25 iPhones: iPhone10,1 iPhone10,2 iPhone10,3 iPhone10,4 iPhone10,5 iPhone10,6, iPhone3,1 iPhone3,2 iPhone3,3 iPhone4,1 iPhone5,1 iPhone5,2, iPhone5,3 iPhone5,4 iPhone6,1 iPhone6,2 iPhone7,1 iPhone7,2 iPhone8,1 iPhone8,2 iPhone8,4 iPhone9,1, iPhone9,2 iPhone9,3 iPhone9,4
- 3 iPods: iPod5,1 iPod7,1 iPod9,1
- 4 Watches: Watch3,1, Watch3,2, Watch3,3, Watch3,4
In response to checkm8, Apple attempted to strengthen security of the latest vulnerable devices, the iPhone 7, 7 Plus, 8, 8 Plus and iPhone X range by hardening SEP protection. The increased security measures require removing the screen lock passcode before applying the exploit on the iPhone 8, 8 Plus and iPhone X models running iOS 14 through 15.7, yet we were able to overcome this protection for the iPhone 7 and 7 Plus.
iOS 16 support is limited. Days before the release of the final build of iOS 16 we were ready to roll out iOS Forensic Toolkit 8 with iOS 16 support on A11 devices. Apple’s last-minute change in the release version of iOS 16 included an unexpected SEP patch that broke checkm8 extraction completely. The patch effectively blocks the exploit from accessing the data if a passcode was ever configured on the device (even if subsequently removed). The new SEP hardening measures effectively prevent checkm8 extractions on the absolute majority of A11-based devices in circulation (the iPhone 8, 8 Plus, and iPhone X).
The complete compatibility matrix now looks as follows:
Passcode Unlock
checkm8 does not affect the Secure Enclave. It cannot be used to break the screen lock passcode, and without the passcode it cannot be used to decrypt most of the data in the file system (limited BFU mode access is still possible).
Having said that, we can still do the unlock for older Apple devices with no Secure Enclave by using checkm8 or another bootloader exploit. Such devices include the iPhone 4, 4s, 5, and 5c. For these iPhone models, our tool can do everything from recovering the passcode to bit-precise physical extraction. Note: the iPhone 4s requires an additional piece of hardware due to a specific USB controller (see checkm8: Unlocking and Imaging the iPhone 4s).
Unknown Passcode and BFU Extraction
As already mentioned, our solution can perform a limited BFU (Before First Unlock) extraction for 64-bit devices protected with an unknown screen lock passcode. In this mode, you can extract information that is not encrypted with a key derived from the screen lock passcode. This includes the call history log, account list, draft messages (SMS/iMessage) and attachments (drafts only!), as well as some geolocation data and some app data. In addition, WAL files (write-ahead logs) to many databases can also be extracted.
checkm8 vs. Advanced Logical Acquisition
Advanced logical acquisition is the easiest and most compatible extraction method that includes local backups, media files, crash logs and shared files. Advanced logical extraction often delivers just enough data to jump-start the investigation. What is not included with the advanced logical process are many types of data such as chats occurring in the most secure messaging apps such as Signal or Telegram, email messages, low-level system data, SQLite databases with their respective write-ahead logs, location data, and many system logs that may reveal every detail of device usage history. All of that and much more is readily available when you use checkm8 extraction.
checkm8 or checkra1n?
The first checkm8-based solutions in mobile forensics were built with checkra1n, a public, closed-source jailbreak that is based on the open-source checkm8 exploit. checkra1n extractions deliver the same amount of data as any other low-level extraction method. However, the use of checkra1n inevitably alters the content of the device, which impacts its use in mobile forensics.
Compared to checkra1n-based extractions, our checkm8 extraction process has the following differences:
- Repeatable, verifiable extractions
- Unaltered system and data partitions
- 100% of the patching occurs in the RAM
- Supports 76 devices, 3 different architectures, and several generations of iOS from iOS 7.0 through iOS 15.7 (with limited iOS 16 support)
- Passcode unlock available for armv7 devices (iPhone 4 through iPhone 5c)
- BFU (Before First Unlock) extraction supported
- Supports iPhone, iPad, iPod Touch, Apple Watch and Apple TV devices
The Command Line
iOS Forensic Toolkit 8.0 brings a new, advanced user experience built around the command line. The use of the command line enables full control over every step of the extraction workflow, allowing experts to stay in control of every step of the process. Thanks to the command line, experts can also build their own scripts to automate their specific routines.
Conclusion
With this update, Elcomsoft iOS Forensic Toolkit becomes the most advanced iOS acquisition tool on the market. The toolkit now supports all possible acquisition methods including advanced logical, agent-based and checkm8-based low-level extraction.
bootloader, checkm8, EIFT, iOS, jailbreak, low-level extraction
REFERENCES:
Elcomsoft iOS Forensic Toolkit
Extract critical evidence from Apple iOS devices in real time. Gain access to phone secrets including passwords and encryption keys, and decrypt the file system image with or without the original passcode. Physical and logical acquisition options for all 64-bit devices running all versions of iOS.