Apple iOS File System Extraction Via Checkm8 In Oxygen Forensic Detective

Presented in September 2019, checkm8 is a SecureROM exploit that uses a vulnerability in the boot code of an iOS device to grant administrative access to the device. Please note, because the flaw sits in read-only boot code, this vulnerability is permanent and cannot be patched by software updates.

Checkm8 allows investigators to perform a tethered jailbreak, which only permits access for a single boot. This means that once the device is turned off and restarted, all indications that the device was jailbroken will be gone. There are several jailbreaks based on the checkm8 exploit, most notably checkra1n.

Oxygen Forensic® Detective offers full file system extractions using the checkm8 vulnerability from Apple iOS devices running iOS up to and including 14.2. The supported devices extend from Apple’s A7 to A11 SoC, which includes iPhone 5s through iPhone X and the corresponding iPad devices.

To extract a device, click “iOS Advanced extraction” in Oxygen Forensic® Extractor. In the opened window, check if the device model is supported and click the “Checkm8 acquisition” option.

As the instructions indicate, users will need to put a device in DFU (Device Firmware Update) mode and connect it to a PC.



Once the device is connected successfully, the software will automatically apply the exploit and perform all the other actions required for data acquisition. Investigators will be asked to enter the device passcode to extract the full file system from the device. A full file system extraction includes all user data, such as apps, deleted records, the complete keychain, and detailed system files.

If the passcode is unknown, Oxygen Forensic® Detective will automatically extract device data in BFU (Before First Unlock) mode. This mode will not give investigators access to the entire file system: in BFU mode, most files remain encrypted until the correct passcode is entered. Therefore, the software will conduct a partial extraction, which will include some app logs, caches, the list of Wi-Fi connections, media files, geolocation points, and a number of unencrypted SQLite databases.

Please note, the second option on the “iOS Advanced extraction” screen allows investigators to connect, via SSH, Apple iOS devices that have already been jailbroken with various jailbreaks, including the latest checkra1n and unc0ver. The software will correctly recognize the jailbreak state of a connected device and extract the full file system from it.

Selective reading

Whether investigators use the checkm8 vulnerability or connect an already jailbroken Apple iOS device, the software will offer the option to select only the necessary artifacts.

This feature is a great time saver, as it allows investigators to quickly extract critical evidence. In addition, when the scope of a criminal search warrant only allows particular evidence to be extracted, this selective method allows compliance with that scope.

Important artifacts

In comparison with a standard logical extraction via iTunes, a full file system extraction gives investigators access to more user data on supported Apple iOS devices. Let’s have a look at some artifacts that can only be extracted using our iOS Advanced Extraction method.

  • In a full file system extraction, investigators will find all the apps that are never included in an iTunes logical extraction, such as Twitter, Facebook, Instagram, Google Mail, or the default email client, to name a few. Unlike a logical extraction, which recovers only limited deleted records, a full file system Advanced extraction will recover all available deleted records from all apps.
  • Investigators will have full access to the keychain as well as encryption keys that are used in secure apps. Thanks to this, our software will decrypt Signal, Wickr Me, ChatSecure, Snapchat, Facebook secret chats, and other secure apps.
  • Investigators will gain access to many of the system artifacts that are grouped in the “OS Artifacts” section. For example, users can view the complete history of changes that occurred to the device, such as locked/unlocked states, Airdrop, Bluetooth, Camera, Airplane Mode history, and many other parameters.
  • A lot more geodata will be available in the “Wireless Connections” section. Under Locations, users will find Cell Tower, Wi-Fi, and GPS locations with the corresponding geo-coordinates and time stamps.

Want to try out this feature or any of our other tools included in Oxygen Forensic Detective? Ask for a demo license!
