Cellebrite Full File System - New Release - UFED 7.28  

cs1337
(@cs1337)
Member

For all the Cellebrite users out here…

I'm curious how everyone is handling workflow with the recent release of Cellebrite Full File System compatibility using the Checkm8 exploit.

In testing it can take 8 hours or more to run (depending on iPhone size), so performing an extraction like this while on-site doesn't seem feasible (especially if the client is waiting to get the phone back).

Also I noticed it is only compatible with certain iOS versions of 12+.

Are you all updating the iOS after your collection and re-collecting? Are you manually jailbreaking the devices?

Posted : 27/01/2020 7:09 pm
the_Grinch
(@the_grinch)
Active Member

I know we would definitely not update the phone to a supported version of iOS. Could only imagine trying to defend that on the stand…

Posted : 27/01/2020 9:35 pm
cs1337
(@cs1337)
Member

I know we would definitely not update the phone to a supported version of iOS. Could only imagine trying to defend that on the stand…

Exactly, I was thinking the same thing. I'm curious if people are jailbreaking the phones on their own.

Posted : 27/01/2020 11:09 pm
armresl
(@armresl)
Community Legend

That is assuming that it makes it to that point.

Anything you do which you know how to do and the intricacies of can be explained to a judge, jury, detective, investigator, prosecutor, attorney.

In addition to that, you may be finding exculpatory evidence which someone else who didn't want to take that step wouldn't find.
Or you may find proof of fact which may sink the case.

I know we would definitely not update the phone to a supported version of iOS. Could only imagine trying to defend that on the stand…

Posted : 28/01/2020 3:56 am
grizzlydigital
(@grizzlydigital)
New Member

@cs1337

I posted this on Linkedin on Sunday, here are my notes so far

Had first chance using the new checkm8 Advanced Logical Full File System acquisition of an iPhone.

- iPhone 8 - 64 GB capacity running iOS 13.1.3
- Available space 48.49 GB
- Yes, I had access to the phone PIN passcode

As you can see in the photo included below, the phone shows 40.74 GB extraction as it's in progress. In total the Physical checkm8 collected a .dar that was 19.8 GB.

I ran Logical Method 1 in Physical Analyzer
Ran Logical Method 2 in Physical Analyzer
Opened Physical Analyzer and loaded Method 1 and Method 2, generated UFDR report.

Next I took the same test phone and opened UFED 4PC and went to Advanced Logical then Full File System Checkm8.
Put phone in DFU mode
When it finished, loaded in Physical Analyzer and generated UFDR report.

Here is what was collected

Logical Method #1 .tar - 4.55 GB
Logical Method #2 .tar - 3.46 GB
Physical checkm8 .dar - 19.8 GB

Here are photos of comparison.

On the left is combined Logical Method 1 & Method 2. On the right is Full File System using UFED. What a difference: 50,000 more images, web history, and…it picked up email.

Also ran the same test on an iPhone 6, with similar results. Will post once I have time to do more testing on other phones.

Checkm8 will aid forensic examiners using Cellebrite in getting access to low level storage, log files, and history that has previously been unavailable for collection. Still cannot access unallocated space as @Rasmus mentioned in linkedin thread.

Have not tested on a locked phone yet - they discuss in detail in link below. Link also contains the different iPhone models and iOS that can be exploited by checkm8.

This helped me get started
https://www.cellebrite.com/en/blog/a-practical-guide-to-checkm8/

Rory

Tried posting pics but they won't load properly, so here is the link to the photos I discussed.
https://www.linkedin.com/posts/rory-montez-543850118_ufed-checkm8-axi0mx-activity-6627110338984841216-qpiQ

Posted : 28/01/2020 7:37 am
Rich2005
(@rich2005)
Senior Member

Are you all updating the iOS after your collection and re-collecting? Are you manually jailbreaking the devices?

No and no.

Posted : 28/01/2020 8:50 am
cs1337
(@cs1337)
Member

Thank you for the info grizzlydigital!

Posted : 28/01/2020 3:20 pm
mjpetersen
(@mjpetersen)
New Member

I am curious, how did you add the dar file into PA? Did you just select the ufd file or select the dar artifact? Did you break the dar file into chunks or keep it as a flat file?

I created a dump from the UFED Touch to a USB and made the files into 2GB chunks. When I brought it into UFED PA, I had to carve to get the data.

Thanks

Posted : 28/01/2020 5:32 pm
mjpetersen
(@mjpetersen)
New Member

Regarding the dar files and UFED PA, if you're interested. Do not make the target USB FAT32. By default, the USB drive that I used was a brand new, 128GB FAT32 drive, plugged into the Cellebrite UFED Touch2 with 7.28.2 installed. The Touch extracted the files to the drive, however the files were broken into 2GB chunks. When I opened UFED PA and selected the ufd file from the extraction, it only processed the 1st dar file (examination of the udr file noted all the dar parts, however it only examined the 1st dar file), giving you less than expected results.

I re-acquired the iPhone using the UFED Touch, but this time to another PC (Windows 10 as noted from Cellebrite), from which I had an 18GB flat dar file. Opening the file using UFED PA parsed the data beautifully. I went back and formatted the drive exFAT and re-performed the extraction, and voilà, an 18GB dar extraction. Lesson learned.

When I re-examined the flat 18GB extraction, no problem. I have notified Cellebrite of this issue.

This is why, when a new tool comes out, you test your software on test material rather than be in a position where your test is the real thing. Yes, this was a test case.

Posted : 30/01/2020 2:45 pm
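The chunked-.dar problem above (extraction split into 2GB pieces on a FAT32 target, with PA only parsing the first piece) is the kind of thing a pre-flight check catches before the image is handed to the analysis tool. The script below is an added example, not Cellebrite's code: it checks whether the target filesystem can hold the expected image as a single file, scans an extraction folder for .dar sets that were split into parts, flags non-contiguous or multi-part sets, and reassembles the parts into one flat file while hashing the result so the join can be verified against a known digest. The part-naming scheme (`FullFileSystem1.dar`, `FullFileSystem1.dar.001`, …) is an assumption; adjust `PART_RE` to whatever naming your tool actually produces.

```python
# Pre-flight checks for a full-file-system (.dar) extraction folder.
# Added example, not Cellebrite code. Assumptions (labelled):
#   - a chunked extraction shows up as FullFileSystem1.dar, FullFileSystem1.dar.001,
#     FullFileSystem1.dar.002 ... (the real part-naming scheme may differ);
#   - FAT32 cannot store a single file of 4 GiB or more, so the target drive is
#     checked before the extraction starts rather than after it is too late.
import hashlib
import os
import re
import tempfile
from dataclasses import dataclass, field

FAT32_MAX_FILE_BYTES = 4 * 1024**3 - 1                 # FAT32 per-file limit
PER_FILE_LIMIT = {"fat32": FAT32_MAX_FILE_BYTES, "exfat": None, "ntfs": None}
# base name plus optional three-digit part suffix (assumed naming)
PART_RE = re.compile(r"^(?P<base>.+\.dar)(?:\.(?P<idx>\d{3}))?$", re.IGNORECASE)


def target_fs_ok(fs_type: str, expected_bytes: int) -> bool:
    """True if a filesystem of this type can hold the image as ONE file."""
    key = fs_type.lower()
    if key not in PER_FILE_LIMIT:
        raise ValueError(f"unknown filesystem type: {fs_type}")
    limit = PER_FILE_LIMIT[key]
    return limit is None or expected_bytes <= limit


@dataclass
class DarSet:
    base: str
    parts: list = field(default_factory=list)   # [(index, filename)], 0 = first part
    total_bytes: int = 0
    warnings: list = field(default_factory=list)


def inspect_extraction(folder: str) -> dict:
    """Group .dar files by base name, order their parts and flag chunked sets."""
    sets = {}
    for name in sorted(os.listdir(folder)):
        m = PART_RE.match(name)
        if not m:
            continue
        idx = int(m.group("idx")) if m.group("idx") else 0
        ds = sets.setdefault(m.group("base"), DarSet(m.group("base")))
        ds.parts.append((idx, name))
        ds.total_bytes += os.path.getsize(os.path.join(folder, name))
    for ds in sets.values():
        ds.parts.sort()
        indices = [i for i, _ in ds.parts]
        if indices != list(range(len(indices))):
            ds.warnings.append("missing part(s): part indices are not contiguous")
        if len(ds.parts) > 1:
            ds.warnings.append(
                f"{len(ds.parts)} chunks: loading the .ufd may parse only the first one")
    return sets


def reassemble(folder: str, ds: DarSet, out_path: str) -> str:
    """Concatenate the parts in order into one flat file; return its SHA-256."""
    h = hashlib.sha256()
    with open(out_path, "wb") as out:
        for _, name in ds.parts:
            with open(os.path.join(folder, name), "rb") as f:
                for block in iter(lambda: f.read(1 << 20), b""):
                    h.update(block)
                    out.write(block)
    return h.hexdigest()


def demo(chunk_bytes: int = 1024) -> tuple:
    """Constructed 3-chunk image in a temp folder: run the checks and verify the join."""
    image = bytes(range(256)) * 12                      # constructed 3072-byte "image"
    expected = hashlib.sha256(image).hexdigest()
    with tempfile.TemporaryDirectory() as d:
        for n, off in enumerate(range(0, len(image), chunk_bytes)):
            name = "FullFileSystem1.dar" + (f".{n:03d}" if n else "")
            with open(os.path.join(d, name), "wb") as f:
                f.write(image[off:off + chunk_bytes])
        ds = inspect_extraction(d)["FullFileSystem1.dar"]
        digest = reassemble(d, ds, os.path.join(d, "flat.dar"))
    return len(ds.parts), ds.warnings, digest == expected


if __name__ == "__main__":
    print("exFAT holds 18 GiB as one file:", target_fs_ok("exFAT", 18 * 1024**3))
    print("FAT32 holds 18 GiB as one file:", target_fs_ok("fat32", 18 * 1024**3))
    parts, warnings, ok = demo()
    print(f"{parts} part(s); warnings={warnings}; reassembled hash matches: {ok}")
```

Run it against a real extraction folder with `inspect_extraction(path)` before loading anything into PA; an empty `warnings` list on the set you care about means one contiguous flat file. When you do reassemble, record the returned digest alongside the original part hashes so the join itself is part of the chain of custody.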
jadams951
(@jadams951)
New Member

Anyone had issues using the checkm8 exploit with Cellebrite to get the full file system extraction? Have a 6+ that gets to about 13% then goes no higher. Shows still running but never gets past 8.69GB after several hours. Left it running when I left work, so I hope it gets past whatever is holding it up.

Posted : 31/01/2020 1:22 am
Rich2005
(@rich2005)
Senior Member

Anyone had issues using the checkm8 exploit with Cellebrite to get the full file system extraction? Have a 6+ that gets to about 13% then goes no higher. Shows still running but never gets past 8.69GB after several hours. Left it running when I left work, so I hope it gets past whatever is holding it up.

Just in case, the iOS version above 12.3, yeah?

Posted : 31/01/2020 8:52 am
jadams951
(@jadams951)
New Member

Anyone had issues using the checkm8 exploit with Cellebrite to get the full file system extraction? Have a 6+ that gets to about 13% then goes no higher. Shows still running but never gets past 8.69GB after several hours. Left it running when I left work, so I hope it gets past whatever is holding it up.

Just in case, the iOS version above 12.3, yeah?

Yes, it was 13.3. When I got in to work it had finished.

Posted : 01/02/2020 1:57 am
grizzlydigital
(@grizzlydigital)
New Member

@mjpetersen

I am curious, how did you add the dar file into PA? Did you just select the ufd file or select the dar artifact? Did you break the dar file into chunks or keep it as a flat file?

I created a dump from the UFED Touch to a USB and made the files into 2GB chunks. When I brought it into UFED PA, I had to carve to get the data.

Go into the bottom folder of your acquisition folder and find the FullFileSystem1.dar file; next to it should be a UFED Dump file. Click on the UFED dump to load the .dar into PA.

I took some screenshots for you, can't figure out how to add them to this reply - please PM your email and I will send them right over.

Cheers

Rory

Posted : 01/02/2020 2:05 am
grizzlydigital
(@grizzlydigital)
New Member

This weekend I did more testing with the new Checkm8 exploit, this time with an iPhone 6s, iPhone 7 Plus, and iPhone XR. I will post notes on 6s in future; there is no Checkm8 option for the iPhone XR currently (see below), even after updating iOS from 12.1.2 to 13.3.1.

So below I will cover the test iPhone 7 Plus.

- iPhone 7 Plus Model A1661 running iOS 13.3
- 32 GB capacity
- Available space 11.52 GB
- I tried both with and without access to the phone passcode

I ran Logical Method 1 in Physical Analyzer; it collected a 13.9 GB .tar
Ran Logical Method 2 in Physical Analyzer; it collected a 17.7 GB .tar
Opened Physical Analyzer and loaded Method 1 and Method 2.

Next I took the same test phone and opened UFED 4PC.
Plug in phone and auto detect; check model in phone's settings to confirm it is correct; select Advanced Logical then Full File System Checkm8*.
Put phone in DFU mode**
When it finished, loaded in Physical Analyzer.

*This will only be an option if the phone is within the models and iOS ranges described here. When I tried an iPhone XR, the “Advanced Logical Full File System” menu item did not appear in UFED as an option.

**The iPhone 7 Plus was no problem, but it took me numerous attempts to get the iPhone 6s into DFU mode. It was finally accomplished with the help of this video

https://www.youtube.com/watch?v=d7Li7HIGaOs

Same for the iPhone 8: timing is tricky, so practice. This one helped me

https://www.youtube.com/watch?v=a70jiFqMGX0

Checkm8 will run (see pics) and you will be prompted on your machine for phone’s passcode.
Phone showed 73.28 GB extraction as it was in progress.

Advanced Logical Full File System Checkm8 acquisition with passcode collected a 35.8 GB .dar

Opened Physical Analyzer and loaded Advanced Logical Full File System Checkm8 acquisition.

Comparison photos – same as last time, on the left is the combined Logical Method 1 & Method 2 using PA. On the right is Advanced Logical Full File System Checkm8 using UFED. Also posted cropped together photos showing all data sets pulled. The results speak for themselves.

Also included photos of when the Checkm8 exploit starts and the extraction screen. Photos available here

https://www.linkedin.com/posts/rory-montez-543850118_ufed-checkm8-axi0mx-activity-6629985909955788800-AGT3

I tried following the guide I linked to above to obtain a partial file system (Before-First-Unlock) with no passcode. I changed the passcode and then did not enter the correct passcode again. After several tries and poking around for forums & articles, and a million failed attempts and reboots, I called it a night but will try again. If anyone can share their method or any good articles/guides/forum posts on checkra1n/ Checkm8 BFU, it would be greatly appreciated. Interested in seeing what it collects.

Rory

Posted : 03/02/2020 6:44 am
Authoxic
(@authoxic)
New Member

@grizzlydigital I've searched for this everywhere and I feel like this post is the most informational and could help me out. You mentioned that Checkm8 allowed you to pull emails. Did you mean that you can now extract emails from accounts logged in to the Apple Mail app or any 3rd party mail app? Would it be possible to pull emails from a specific email app such as the Yahoo Mail app or Gmail app using UFED Method 1 and 2? Or will Method 1 and 2 not pull emails at all? Thanks.

Posted : 16/09/2020 3:22 am