Digital Forensics & Incident Response
Checkm8 / checkra1n acquisitions/extractions

Get up and running quickly with a platform to perform checkm8 based iOS extractions


Last updated 4 years ago


Checkm8 is a bootROM-based vulnerability/exploit; checkra1n is the tool that uses it to perform a tethered jailbreak.

First, some light reading (see the articles linked at the end of this page).

This guide does not focus on the specific vulnerability being exploited; it explains how to perform a filesystem acquisition using checkra1n within a Linux environment. It does not provide any guidance or insight into bypassing any security restrictions involving biometrics or personal credentials.

There are a few methods to get up and running quickly.

I personally prefer option 1. Most of us have a Kali ISO sitting around somewhere. One primary consideration is the size of the data being acquired from the iOS device: you need a boot device large enough to hold that data, or your host machine needs to accommodate a second device. For me, I boot Kali off a standard USB stick and acquire data to an external SSD/HDD.

Using bootra1n or other pre-compiled tool sets does not give you the flexibility you require. I prefer to build an environment based on tools that I'm familiar with, and then roll that back into a live image to deploy on removable media.

You can try using a virtual machine to perform this, but mucking around with USB pass-through is going to cause issues when entering/exiting DFU mode and exploiting the device, and may cause unexpected results and/or damage.

Create a bootable USB using your preferred tool. Rufus, balenaEtcher, Win32 Disk Imager are all good options. Here we'll use Win32 Disk Imager.

Write. Boot. Test that it's working. You can run through the steps to enable encrypted persistence; however, that's outside the scope of this article.

Now we have to add checkra1n's repo to our sources.list so we can install the appropriate packages:

echo "deb https://assets.checkra.in/debian /" | sudo tee -a /etc/apt/sources.list
sudo apt-key adv --fetch-keys https://assets.checkra.in/debian/archive.key
sudo apt update
sudo apt-get install checkra1n

Now is also a good time to install iproxy; it is part of the libusbmuxd-tools package. Then launch checkra1n:

$ sudo checkra1n

The command above launches the GUI version (screenshot not reproduced here). You can also run the following command for the CLI version:

$ sudo checkra1n -c

Connect your iOS device to your host machine. "Trust" the computer, enter your PIN.

Select [Start] and follow the prompts to place the device into DFU mode.

Select [Next] and your iOS device will restart into restore mode.

Wait until this process completes. Once the device has booted (and checkra1n says it has completed), then proceed.

Run iproxy for libusbmuxd communication. This forwards local TCP port 4242 to port 22 on the device and allows you to SSH into your iOS device via USB:

$ iproxy 4242 22

Disable auto screen locking, because when the screen locks it will kill any SSH sessions. (On iOS 14.2: Settings -> Display & Brightness -> Auto-Lock; set to Never.)

Now we SSH into our device. The default root password is alpine.

$ ssh root@127.0.0.1 -p 4242

If all you're seeking is user data, that is stored in /private/var and can be logically acquired using the following command (run from your host machine, not within the shell prompt on your device):

$ ssh root@127.0.0.1 -p 4242 'tar -cf - /private/var/' > private-var.tar

From here, you can parse the tarball in your forensic tool of choice; MSAB XRY, Cellebrite UFED, Magnet AXIOM or even Autopsy.
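The acquisition steps above end with a bare redirect to private-var.tar. The following script, an added example that is not part of the original page, wraps that same ssh/tar command so the tarball is hashed on arrival, listed back to prove it is readable, and each step is written to a timestamped log. It assumes iproxy is already forwarding local port 4242 to the device's sshd as set up above; EVIDENCE_DIR, record_evidence and verify_tar are names chosen here.

```shell
# Added example, not from the original page: wraps the ssh/tar logical
# acquisition shown above so the tarball is hashed on arrival, listed back to
# prove it is readable, and each step is logged. Assumes iproxy is already
# forwarding local port 4242 to the device's sshd, as set up above.
set -eu

IOS_SSH="ssh root@127.0.0.1 -p 4242"       # the same session the page uses
EVIDENCE_DIR="${EVIDENCE_DIR:-./evidence}" # where tarball, hashes and log go

log() {  # one UTC-timestamped line per event, appended to acquisition.log
    mkdir -p "$EVIDENCE_DIR"
    printf '%s %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$*" >> "$EVIDENCE_DIR/acquisition.log"
}

sha256_of() {  # print the SHA-256 of a file; works on GNU and BSD userlands
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1" | cut -d' ' -f1
    else shasum -a 256 "$1" | cut -d' ' -f1; fi
}

# Hash an acquired file under EVIDENCE_DIR, write a .sha256 sidecar in
# sha256sum -c format, log size and hash, and print the hash for the caller.
record_evidence() {
    f="$EVIDENCE_DIR/$1"
    h="$(sha256_of "$f")"
    printf '%s  %s\n' "$h" "$1" > "$f.sha256"
    log "recorded $1 bytes=$(wc -c < "$f" | tr -d ' ') sha256=$h"
    printf '%s\n' "$h"
}

# List the archive and print its entry count. A transfer cut short (for
# example by the screen locking and killing the ssh session) fails here
# rather than surfacing later as a half-parsed tarball in XRY or AXIOM.
verify_tar() {
    n="$(tar -tf "$1" | wc -l | tr -d ' ')"
    log "verified $1 entries=$n"
    printf '%s\n' "$n"
}

# The /private/var logical acquisition from the page, with hashing and
# verification around it. A non-zero exit from the remote tar is logged, not
# fatal: "file changed as we read it" is normal on a live device.
acquire_private_var() {
    mkdir -p "$EVIDENCE_DIR"
    log "start: $IOS_SSH tar -cf - /private/var/"
    $IOS_SSH 'tar -cf - /private/var/' > "$EVIDENCE_DIR/private-var.tar" \
        || log "warning: remote tar/ssh exited with status $?"
    record_evidence private-var.tar >/dev/null
    verify_tar "$EVIDENCE_DIR/private-var.tar" >/dev/null
}
# Only touch the device when asked, so the helpers can be sourced and tested.
if [ "${1:-}" = "--acquire" ]; then acquire_private_var; fi
```

Run it as `sh acquire.sh --acquire` once the device is booted and iproxy is listening; the .sha256 sidecar can later be checked with `sha256sum -c` before the tarball is loaded into a parser.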

For more information, please see these articles and the checkra1n project site:

https://www.cellebrite.com/en/blog/a-practical-guide-to-checkm8/
https://blog.oxygen-forensic.com/everything-you-ever-wanted-to-ask-about-checkm8-and-checkra1n/
https://www.magnetforensics.com/blog/using-the-checkra1n-jailbreak/
https://checkra.in/

My working environment is typically a Windows environment (with specific tasks performed inside a Linux VM or VPS, or within WSL). Although WSL is great, it does not currently support USB devices, and as such will not work with iproxy/libusbmuxd/checkra1n.

1) Download Kali, image it to a boot USB, boot, add the checkra1n repo, install checkra1n, run checkra1n
2) Download another Debian-based OS, add the checkra1n repo, install checkra1n, run checkra1n
3) Download bootra1n, image it to USB, boot, run checkra1n
