We first added checkm8 acquisition from iOS devices in Oxygen Forensic® Detective v.12.6 in July of 2020. Not surprisingly, many things have changed since then. That being the case, we updated our tool several times over the last few months to remain industry leaders in mobile forensics and provide investigators with the best solution on the market.
According to Wikipedia, iOS 15 is the fifteenth and current major release of the iOS mobile operating system developed by Apple for its iPhone and iPod Touch lines of products. It was announced at the company’s Worldwide Developers Conference on June 7, 2021, as the successor to iOS 14, and released to the public on September 20, 2021. On February 10th, 2022 iOS version 15.3.1 containing bug fixes came out.
In Oxygen Forensic® Detective v.14.3, we have updated our checkm8 acquisition method, adding support for devices operating on iOS versions 15-15.3.1: iPhone 6s, iPhone 6S Plus, iPhone SE, iPhone 7 Plus, iPhone 7, iPhone 8, iPhone X, iPhone 8 Plus, iPad 5 Gen, iPad 6 Gen, and iPad 7 Gen.
Please note that the extraction process for devices with these iOS versions differs. Previously, the device had to be put in DFU mode and then connected. With iOS versions 15-15.3.1, the device has to first be put in recovery mode for the detection of an installed iOS version. After the iOS version and device model are defined, the device has to be switched to DFU mode. The remaining steps of the data extraction process are left unchanged, as well as the data extraction process from iOS devices with iOS version lower than 15.
The reason for the need to put the device in recovery mode first lies in the security changes brought by iOS versions 15-15.3.1. Starting with iOS 15, the changes in the system partition lead to the device not operating in normal mode. In order to minimize the risk of permanently damaging the device, we had to develop a solution that does not modify any device data. Contrary to other iOS versions, in iOS 15 and higher the executable files are put in RAMDisk that loads in recovery mode. With RAMdisk loading to RAM, the system partition remains unchanged.
Extraction of Keychain from devices with iOS 15 and higher has been altered as well. The method used for iOS devices with their version below 15 cannot be applicable for iOS 15+ devices because the device is loaded into our own environment from RAMDisk, which bypasses the standard boot protocol. Thus, we had to implement the decryption of Keychain data directly, without using the standard phone environment.
In the updated checkm8 extraction method, we do not use the API of the operating system, but parse and decrypt all the Keychain entries on the Oxygen Forensic® Device Extractor side, using the device only to overcome the protection with hardware keys. Therefore, a new Keychain Dumper has been developed to extract Keychain records from iOS 15+ devices.
Interested in trying our new checkm8 support capability for iOS 15 but don’t have an Oxygen Forensic® Detective license? Request a free, fully-equipped, 20-day trial by clicking here.
