Is it possible to find jailbroken traces of iOS 12.4.0 by a BlackBag tool in an iPhone XR? We have not used BlackBag before.
If the device is still jailbroken, yes.
If it was factory reset or the firmware was flashed, then no.
If it was just a sideload jailbreak, it is gone after reboot.
Please reformulate your question, maybe somebody might be able to help you )
First, there is no iOS 12.4 version; the latest is 12.1.4 (plus 11.2 beta 1/2).
Second, not sure what you mean by jailbreaking in this context. There are known vulnerabilities for versions up to 12.1.2, plus some (not available to the public) exploits for 12.1.3. Right now there are two jailbreaks, unc0ver and rootlessJB, but first, they work on versions up to 12.1.2, and second, they do not support iPhone Xr yet.
Finally, as far as I know, BlackBag do not have their own tool for jailbreaking (or even file system acquisition) – they rely on GrayKey extractions. In the meantime, GrayShift do not disclose what modifications to the file system are being done (in theory, some traces are left, but to find them you will have to jailbreak or use the GrayKey tool again).
OK, got it - my mistake, iOS 12.1.4 (16D57), sorry.
It's not about jailbreaking, it's about finding traces that the device was jailbroken. The info about sidechannel is fine. The question came up as we gave a device to Cellebrite Advanced Unlocking Services and wanted to know if they used jailbreaking during unlocking.
The term 'jailbreak' is actually fairly non-standard as it can mean different things.
When most people talk about a jailbreak, they talk about a public tool that removes or reduces restrictions placed by iOS. This usually installs software to the device in a detectable way.
Cellebrite uses a forensic process that avoids, to any extent possible, modification of the file system, and thus should not be recognizable in post-extraction analysis.
If it was just a sideload jailbreak, it is gone after reboot.
Whenever you have a CAS-related question, the best is to ask Cellebrite, no?! )
If the purpose of your post was to find out how CAS did the task, the answer is "Good question?!" or even better "Wizardry." )
Thank you for clarifying this, some of our customers asked this question as well before…
Shahar, thank you very much