iOS exploits and their impact on digital forensics

Last September, the iOS hacking community got a big surprise when a security researcher named axi0mX released a ‘game changing’ exploit called ‘checkm8’.  What makes checkm8 so unique is that unlike previous exploits, it is a Boot ROM exploit. This means that on affected devices, there is no way for Apple to patch it via software updates.

To be clear, this exploit is not a remote threat, as the physical device must be tethered to a computer. Further, it does not allow someone to bypass your PIN or Touch/FaceID. The exploit is also non-persistent.  Meaning that once the device is rebooted, the exploit is removed.

The affected devices are and iPhone and other iOS models such as iPad running Apple’s A11 chip or earlier.  Which basically means, any iOS device before and including the iPhone X. The iPhone XR, XS, 11, and Pro models are not included in this exploit.

How can this new exploit help us in digital forensics? 

The checkm8 exploit now allows us to obtain an entirely new level of device data extraction which, up to this point, was impossible. Previously, on Phones newer than the iPhone 4, we were essentially only able to get what equates to an iTunes backup of the device. In many cases, this is fine.  However, over the years Apple has made it increasingly difficult to recover deleted information from chat databases and other application data by using a vacuum-like function that cleans up databases more frequently than earlier iOS versions.

Checkm8 allows a forensics examiner to exploit the device, collect the file level decryption keys and then extract the entire active file system of the device including the keychain and other valuable data previously unattainable by earlier extraction methods. Previously, we were only able to get parts of the data which were approved to be included in iTunes backups. The aforementioned non-persistence is great because no user level data is altered, and we no longer even have to boot the device into the native iOS.

For example, below are the results from a test iPhone in our lab on which we performed two separate extractions: Advanced Logical vs Checkm8.   The first screenshot from Cellebrite Physical Analyzer shows what was retrievable via the traditional Advanced Logical extraction, about 8.5 gigabytes of data.

The next screenshot, below, shows the data which resulted from the checkm8 full file system extraction of the exact same iPhone:

The difference in readable data obtained is staggering! The full file system extraction pulled approximately 36 GB of data, vs the 8.5 GB obtained via the advanced logical method. With Chat messages alone we were only able to obtain 251 messages and 9 deleted messages via the old method. With the exploited method we recovered 3228 messages and 75 deleted messages.

Another key area is that the phone stores logs that are usually inaccessible to the users. These logs store massive amounts of data related to how a user interacts with a device as well as tons of extra location data.  There is a treasure trove of information that we are still just discovering.

Think about the implications of this extra data in a criminal investigation or traffic accident cases.