Every now and then, there is an iOS forensic breakthrough that is truly impactful. This happened recently when an access point was discovered that will help examiners handle the complex challenge of full file system extraction. Using the new “checkm8” access point, forensic examiners will now be able to gain lawful access to iOS devices to extract more digital evidence.

What Is ‘Checkm8’?

Recently, researchers uncovered a flaw in numerous iOS chipsets, which has now been termed, “checkm8.” This powerful access point applies to all iPhone models, from iPhone 4S through the iPhone X, and it occurs in some 85 percent of all active iPhones today. Even though it does not apply to the more recent iPhone XR/XS/11/Pro, it can be used for iPads and Apple TVs running A5-A11 SoCs.

Checkm8 can be accessed in DFU mode only, affecting the phone’s “BootROM.” This component is part of the iPhone’s hardware as Read-Only Memory and cannot be updated or directly patched without replacing the iPhone itself. This means that the access point is applicable to past, current, and future iOS versions.

What’s The Difference Between ‘Checkm8’ And ‘Checkra1n’?

You may have heard about both checkm8 and “checkra1n.” Checkm8 is the name of the access point, which can be utilized to gain maximum privileges on a running iPhone device. This can be leveraged to develop a “jailbreak,” which is a solution used for removing restrictions imposed by the operating system in order to allow 3rd-party software to run with arbitrary permissions.

A few weeks ago, a group of researchers released the first version of a new jailbreak based on the checkm8 exploit, named “checkra1n.” Although the project is still in the beta stage, many users have reported success with it.

What This Means For The Digital Forensics Community

Full file system extraction can provide much more data than a logical extraction. This includes critical data such as full e-mails, 3rd party app data, as well as passwords, keys, and tokens stored in the “KeyChain.” Furthermore, a limited BFU (Before First Unlock) data set can be extracted from locked devices. This data can provide vital information to investigators.

Most of the digital forensics tool vendors have been actively working to provide various degrees of support to extract checkra1n devices (using an additional macOS or Linux computer to apply the standard jailbreak infrastructure).

How UFED Users Benefit from This Discovery

The Cellebrite UFED team is working quickly to provide users with support for the above-mentioned scenario. This will be included with the launch of our iOS extraction agent in an upcoming release. The team is committed to providing a comprehensive, forensically-sound solution that adheres to Cellebrite’s high standards, is fully tested, and is admissible in court. This solution will not require any external computer and will directly apply checkm8, without needing a jailbreak or file system modifications.

Stay tuned for updates!