It’s been almost three and a half months since independent researcher axi0mX made public the groundbreaking “checkm8” exploit. Our recent blog, “iOS Breakthrough Enables Lawful Access for Full File System Extraction”, provided an introduction to the basics. In this blog, we’ll focus on the digital forensic use of checkm8 and introduce the first comprehensive implementation of the exploit in the digital intelligence world, provided in the Cellebrite UFED solution.

How Digital Intelligence Currently Uses checkm8 and checkra1n

The first use of checkm8 in digital intelligence started shortly after November 10th, when a group of researchers released the first jailbreak to utilize the checkm8 exploit, named checkra1n. This new jailbreak was quickly adopted and used by examiners to get file system extractions from ‘jailbroken’ iOS devices.

To use checkra1n, some devices required the installation of additional services, such as Cydia or AFC2 (Apple File Conduit 2), while others worked directly over the SSH protocol. checkra1n was a great achievement; however, its introduction had little impact on the majority of examiners, for three main reasons:

  1. Jailbreak-based methods are considered to be ‘less’ forensically sound
  2. The examiner needed a macOS workstation to run the third-party checkra1n tool
  3. Under the time-sensitive schedule of the examiner, the multi-stage (and sometimes error-prone) process made it less appealing

UFED 7.28 Allows checkm8 To Do Full File System Extractions

To benefit from the checkm8 exploit, typical examiners expect an easy-to-use, all-in-one solution, tried and tested by experts. This is why Cellebrite introduced Cellebrite UFED 7.28—a new UFED version that fully integrates checkm8. (The solution is available on the Cellebrite UFED 4PC and Cellebrite Touch 2 platforms.)

Cellebrite UFED now supports full file system extractions, which also include the keychain extraction from unlocked iOS devices (known passcode or none set), and a partial file system (Before-First-Unlock) from locked devices with an unknown passcode. The table below shows the supported devices and iOS versions:

Supported devices and iOS versions – Cellebrite UFED 7.28

Device (SoC)                    Minimum iOS version    Latest iOS version*
iPhone 5S (A7)                  12.3                   12.4.4
iPhone 6 | iPhone 6+ (A8)       12.3                   12.4.4
iPhone 6S | iPhone 6S+ (A9)     12.3                   13.3
iPhone SE (A9)                  12.3                   13.3
iPhone 7 | iPhone 7+ (A10)      12.3                   13.3
iPhone 8 | iPhone 8+ (A11)      12.3                   13.3
iPhone X (A11)                  12.3                   13.3

*Latest iOS version verified in UFED

In the future, the latest iOS-supported version will be updated on an ongoing basis.

In order to avoid confusion with the terms “full file system” and “partial file system” (BFU), and to clarify what can be done on each device using Cellebrite UFED, we suggest using the decision flow diagram below. For locked devices with an unknown passcode, contact Cellebrite for additional support. 

 

Figure 1: checkm8 decision diagram

How To Locate The New Method  

For each device in the table above, we’ve added a new method (button) under Advanced Logical called “Full File System” (checkm8). Pressing the button leads to a general instruction screen that outlines how to place the device into “Device Firmware Update” (DFU) mode.

Placing a device in DFU can prove to be a bit tricky, so follow the steps below for the iPhone versions listed. The “Continue” button will only be enabled if the device is in DFU. To see whether the attack is successful, check whether the Cellebrite iOS client appears on the iPhone screen.

DFU Guide 


iPhone 5S | iPhone 6 | iPhone 6+ | iPhone 6S | iPhone 6S+ | iPhone SE

  1. Place the device in recovery mode. (The Apple iTunes logo should appear.)
  2. Press the “Power” button for three seconds.
  3. After three seconds, simultaneously hold both the Power and “Home” buttons down for an additional 10 seconds.
  4. Release the Power button while holding the Home button for an additional five seconds.
  5. Cellebrite UFED “Continue” should now be enabled.


iPhone 7 | iPhone 7+

  1. Place the device in recovery mode. (The Apple iTunes logo should appear.)
  2. Simultaneously hold both the “Power” and “Volume-down” buttons down for 10 seconds.
  3. Release the Power button while holding the Volume-down button for an additional 10 seconds.
  4. Cellebrite UFED “Continue” should now be enabled.


iPhone 8 | iPhone 8+ | iPhone X

  1. Place the device in recovery mode. (The Apple iTunes logo should appear.)
  2. In the recovery screen, short-press the “Volume-up” button.
  3. Short-press the “Volume-down” button.
  4. Press and hold the “Side” button until the screen completely turns off.
  5. Simultaneously press and hold both the Side and Volume-down buttons for five seconds.
  6. Release the Side button while holding the Volume-down button for an additional 10 seconds.
  7. Cellebrite UFED “Continue” should now be enabled.


The Future of checkm8

The checkm8 path in Cellebrite UFED is only beginning. New OS versions may require additional research and development to support them; time will tell what amount of effort will be needed. In future versions, checkm8 may allow examiners to perform deep, “selective” extractions to directly extract specific applications or files, which will save valuable time during investigations.

The future looks exciting and here at Cellebrite we promise to keep delivering the best digital intelligence tools you’ve come to expect. Stay tuned.
