You can’t get far on the internet these days, particularly in #DFIR circles, without hearing about checkra1n — and for good reason. What axi0mX introduced to the world back in September with his unpatchable BootROM exploit known as checkm8 (and the official beta release from the checkra1n team last month) is a game changer.
For iOS researchers, it means a perpetual working jailbreak for current and future versions of iOS. Indeed, nothing on this scale has ever been seen throughout the entire history of iOS.
Magnet Forensics Products Support Acquisition from iOS Devices Jailbroken with checkra1n
Some may have been surprised by how quickly vendors were announcing checkra1n support, including Magnet Forensics. This is because most tools already had support for privileged (root access) acquisition of jailbroken devices. Magnet ACQUIRE remains one of the few options that allow you to do it for free.
*Updated* Magnet Forensics products use SSH (secure shell) to retrieve files from jailbroken iOS devices. Since checkra1n enables SSH by default on port 44 (see the Checkra1n FAQ below) — we’re in business! For the time being, you will also need to install Cydia which can be accomplished very easily directly inside the checkra1n app. In the new year, we’ll be removing the Cydia requirement altogether.
The good news is, as of Magnet AXIOM 3.8, port 44 is something that is automatically looked for when acquiring iDevices. (Don’t worry, Magnet ACQUIRE got the update too.)
Still forthcoming from the folks at checkra1n is native Windows support. It’s on their roadmap, so only a matter of time. In the meantime, you’ll still need some form of macOS in order to run the exploit.
Forensically Sound? Weighing the Pros and Cons
But what about digital forensic examiners? It’s certainly another acquisition option at your disposal and does allow for a more comprehensive acquisition in the right circumstances. But for those in law enforcement, does it replace GrayKey or other iOS unlocking services? To answer this, we should first cover what is meant by forensically sound and how smartphones have evolved this definition.
Back in the day, hardware write blockers could be used on just about every acquisition. It was possible to establish mathematical certainty that digital evidence hadn’t changed throughout its time in custody. Of course, write blockers just aren’t an option with smartphones. Many extraction techniques require the device to be powered on during acquisition and the device memory will be changing by the millisecond.
And so, the core principles of digital forensics have necessarily adapted. Instead of “do not make any changes under any circumstances,” we now strive to make the minimum amount of changes, using established and proven techniques wherever possible and taking ample notes for each step we take along the way. We describe the adherence to these ideas as being “forensically sound” and do our best as experts to apply it from case to case.
checkra1n is being tested around the world yet currently remains closed source and beta. The official FAQ points out that while generally believed to be a safe procedure, no warranty is provided and backing up the device beforehand is recommended. Beyond these warnings intended for all checkra1n users, I’ve come up with some additional points from a forensic perspective to consider before employing the exploit:
- Running checkra1n necessitates rebooting the phone, potentially losing anything stored in-memory on the phone and landing you in BFU (Before First Unlock) state. In BFU, access to data will be limited to files that aren’t encrypted, which is an extremely limited subset of files/keychain and could impact the likelihood of success for brute forcing.
- By using checkra1n, you are subjecting the device to persistent changes and risk, up to and including the device becoming inoperable.
- The admissibility of evidence acquired using this technique could be called into question.
- checkra1n doesn’t impact the need for trust (lockdown), or USB Restricted Mode, meaning you’ll need to be on the same WLAN as your target in order to connect to it with SSH.
- Keychain extraction remains difficult. If you’re hoping to extract Wickr decryption keys for instance, you might be disappointed. Much of the publicly available info regarding keychain decryption of jailbroken devices is quite dated.
Despite these considerations, checkra1n is an exciting new development, especially for the purposes of research or perhaps corporate investigations where the passcode is known.
One last note, if you decide to attempt using checkra1n on an exhibit, please consider taking a logical acquisition first. Obtaining a logical is fast and certainly beats having to explain a bricked device and no data at all!