
iOS Breakthrough Enables Lawful Access for Full File System Extraction

Last modified: January 27, 2020




December 4, 2019    |   By: Roey Arato | UFED Product Manager at Cellebrite


Every now and then, an iOS forensic breakthrough comes along that is truly impactful. This happened recently with the discovery of a new entry point that will help examiners handle the complex challenge of full file system extraction. Using the new “checkm8” access point, forensic examiners can gain lawful access to iOS devices and extract more digital evidence.





What Is ‘Checkm8’?


Recently, researchers uncovered a flaw in a wide range of Apple SoCs, which has since been termed “checkm8.” This powerful access point applies to every iPhone model from the iPhone 4S through the iPhone X (A5 through A11 SoCs), which together account for some 85 percent of active iPhones today. It does not apply to the more recent iPhone XR/XS/11/11 Pro, but it can be used against iPads and Apple TVs running A5-A11 SoCs.

Checkm8 can be triggered only in DFU (Device Firmware Update) mode, because the flaw sits in the USB code of the phone’s “BootROM.” The BootROM is part of the SoC itself, burned in as read-only memory, and cannot be updated or patched without replacing the hardware. This means the access point applies to past, current, and future iOS versions on affected devices. Two caveats follow from this. The exploit is not persistent: it runs only for the current boot and must be reapplied every time the device restarts. And it does not defeat the passcode or the Secure Enclave: user data protected by passcode-derived keys stays encrypted until the device is unlocked, which is why a locked device yields only the limited BFU data set described below.
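The first thing an examiner checks before attempting checkm8 is whether the device is actually in DFU mode (rather than recovery mode) and whether its SoC is in the affected A5-A11 range. The following is an added example, not Cellebrite’s code or part of the original article: it parses the USB serial string an Apple device exposes in DFU mode and returns a verdict. The layout of that string (KEY:VALUE pairs such as `CPID:8010 ... SRTG:[iBoot-...]`), the USB product IDs for DFU and recovery mode, and the CPID-to-SoC mapping are assumptions taken from public jailbreak tooling, not from the article, and the sample serial is constructed.

```python
"""Triage an Apple USB device for checkm8 applicability.

Added example (not from the article).  Assumed, from public jailbreak
tooling rather than from the page: the DFU serial-string layout, the USB
product IDs, and the CPID -> SoC table below.
"""
import re
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

APPLE_VID = 0x05AC
DFU_PID = 0x1227       # assumed: product ID Apple devices present in DFU mode
RECOVERY_PID = 0x1281  # assumed: product ID in recovery (iBoot) mode, where checkm8 does not apply

# Assumed CPID (chip ID) values of the A5..A11 SoCs the article says checkm8 affects.
CHECKM8_CPIDS: Dict[int, str] = {
    0x8940: "A5", 0x8945: "A5X",
    0x8950: "A6", 0x8955: "A6X",
    0x8960: "A7",
    0x7000: "A8", 0x7001: "A8X",
    0x8000: "A9 (Samsung)", 0x8003: "A9 (TSMC)", 0x8001: "A9X",
    0x8010: "A10", 0x8011: "A10X",
    0x8015: "A11",
}
# Assumed CPIDs of newer SoCs whose BootROM is not affected.
PATCHED_CPIDS: Dict[int, str] = {0x8020: "A12", 0x8030: "A13"}

# Constructed sample: an A10 device in DFU mode (ECID is made up).
SAMPLE_DFU_SERIAL = (
    "CPID:8010 CPRV:11 CPFM:03 SCEP:01 BDID:08 "
    "ECID:000012345678ABCD IBFL:3C SRTG:[iBoot-2696.0.0.1.33]"
)


@dataclass
class DfuDevice:
    cpid: int            # SoC identifier
    bdid: int            # board identifier
    ecid: int            # per-device unique chip ID
    srtg: Optional[str]  # BootROM build tag; only present when running from BootROM (DFU)


# KEY:VALUE pairs; the value is either a bracketed tag or a run of non-space characters.
_FIELD_RE = re.compile(r"([A-Z]+):(\[[^\]]*\]|\S+)")


def parse_dfu_serial(serial: str) -> DfuDevice:
    """Parse the DFU-mode USB serial string into its identifying fields."""
    fields = dict(_FIELD_RE.findall(serial))
    try:
        cpid = int(fields["CPID"], 16)
        bdid = int(fields["BDID"], 16)
        ecid = int(fields["ECID"], 16)
    except KeyError as missing:
        raise ValueError(f"serial string lacks {missing.args[0]} field") from None
    srtg = fields.get("SRTG")
    if srtg is not None:
        srtg = srtg.strip("[]")
    return DfuDevice(cpid=cpid, bdid=bdid, ecid=ecid, srtg=srtg)


def checkm8_status(vid: int, pid: int, serial: str) -> Tuple[bool, str]:
    """Return (affected, reason) for a device seen with this VID/PID/serial."""
    if vid != APPLE_VID:
        return False, "not an Apple device"
    if pid == RECOVERY_PID:
        return False, "recovery mode: checkm8 needs DFU mode, re-enter DFU"
    if pid != DFU_PID:
        return False, f"unexpected product id 0x{pid:04x}: not in DFU"
    dev = parse_dfu_serial(serial)
    if dev.srtg is None:
        # No BootROM tag means we are talking to iBoot, not the BootROM.
        return False, "DFU product id but no SRTG tag: not running from BootROM"
    if dev.cpid in CHECKM8_CPIDS:
        return True, f"{CHECKM8_CPIDS[dev.cpid]} (CPID 0x{dev.cpid:04x}): checkm8-affected BootROM"
    if dev.cpid in PATCHED_CPIDS:
        return False, f"{PATCHED_CPIDS[dev.cpid]} (CPID 0x{dev.cpid:04x}): BootROM not affected"
    return False, f"unknown CPID 0x{dev.cpid:04x}: treat as not affected"


if __name__ == "__main__":
    for vid, pid, serial in [
        (APPLE_VID, DFU_PID, SAMPLE_DFU_SERIAL),
        (APPLE_VID, RECOVERY_PID, SAMPLE_DFU_SERIAL),
        (APPLE_VID, DFU_PID, SAMPLE_DFU_SERIAL.replace("CPID:8010", "CPID:8020")),
    ]:
        affected, reason = checkm8_status(vid, pid, serial)
        print(f"affected={affected}: {reason}")
```

In a real triage script the VID, PID and serial string would come from the USB enumeration of the connected device; here they are fed in as constructed values so the logic can be exercised offline. The SRTG check matters in practice: a device in recovery mode or already booted into iBoot is not running BootROM code, so checkm8 cannot be used until it is put back into DFU.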


What’s The Difference Between ‘Checkm8’ And ‘Checkra1n’? 


You may have heard about both checkm8 and “checkra1n.” Checkm8 is the name of the exploit itself: it gives code execution in the BootROM at boot time, which can be used to run unsigned code with maximum privileges on the device. This can be leveraged to develop a “jailbreak,” a solution for removing the restrictions imposed by the operating system so that 3rd-party software can run with arbitrary permissions.

A few weeks ago, a group of researchers released the first version of a new jailbreak based on the checkm8 exploit, named “checkra1n.” Although the project is still in beta, many users have reported success with it.


What This Means For The Digital Forensics Community


Full file system extraction provides far more data than a logical extraction. This includes critical data such as full e-mails, 3rd-party app data, and the passwords, keys, and tokens stored in the keychain. Furthermore, a limited BFU (Before First Unlock) data set can be extracted from locked devices: only files whose protection class does not depend on the passcode are readable in that state. This data can still provide vital information to investigators.

Most digital forensics tool vendors have been actively working to provide various degrees of support for extracting from checkra1n-jailbroken devices (using an additional macOS or Linux computer to apply the standard jailbreak infrastructure).


How UFED Users Benefit from This Discovery


The Cellebrite UFED team is working quickly to provide users with support for the above-mentioned scenario. This will be included with the launch of our iOS extraction agent in an upcoming release. The team is committed to providing a comprehensive, forensically sound solution that adheres to Cellebrite’s high standards, is fully tested, and is admissible in court. This solution will not require any external computer and will apply checkm8 directly, without needing a jailbreak or file system modifications.

Stay tuned for updates!







3 Comments


WB
Feb 26

Breaking into the iOS system to carry out forensics has a huge impact. This is because an access point is needed in order to perform full file system extraction, and for that investigators have to break through iOS access controls.

Now, using checkm8, forensic examiners can access iOS devices and extract a larger amount of legally valid evidence.

Full file system extraction provides more data than logical extraction. This includes data such as e-mails, 3rd-party app data, passwords, key values, and tokens stored in the critical keychain.

Furthermore, limited BFU (Before First Unlock) data can be extracted from locked devices.


영아 김
Aug 24, 2023

Checkm8: the name of the access point, which can be used to gain maximum privileges on a running iPhone device.

UFED - does not require an external computer and applies checkm8 directly, without a jailbreak or file system modifications.


JM
Apr 10, 2023

An explanation of checkm8 and the benefits gained from using it.
