iOS Forensics Advanced Logical File System Extraction and Checkm8 – Part 1 of Cellebrite Solutions 2022 Update Summary
Cellebrite released many updates to its digital intelligence and forensics solutions in 2022. These updates were covered in a recent on-demand webinar you can watch here.
The webinar is split into four main solution-update sections:
- Mobile Forensics for iOS and Android Devices
- Computer Forensics for Windows and Mac Platforms
- Frequently Asked Questions
- Live – Questions-and-Answers
This blog will highlight the mobile device forensic tool updates supporting iOS devices.
Advanced logical file system extraction
The advanced logical file system extraction is equivalent to the iTunes backup. This method of data extraction is available for all iOS devices, regardless of the iOS version installed and regardless of the hardware platform.
The recent iOS releases, versions 15 and 16, are also supported in the advanced logical file system extraction. To perform extractions on devices with the latest iOS version, always keep your UFED software version up to date.
Watch the video below – How to Use Cellebrite UFED or Physical Analyzer to Perform iOS Advanced Logical Extractions
Next are updates to CHECKM8, a full file system extraction solution that supports A7 to A11 devices on the condition that the device does not have a passcode or the passcode is known to you. In general, this covers iPhone 5S to iPhone X.
CHECKM8 support for iOS 15.7 is included in the latest UFED 7.60. Support for iOS 16 is under development, and we hope to bring you this in a future release. For iPhone 8, 8+ and iPhone X running iOS 14 to 15.7, the extraction flow is different from the usual one: the user passcode has to be removed from the device before attempting the CHECKM8 extraction.
Watch the video below – How to Perform a BFU Extraction Using checkm8 in Cellebrite UFED
Animated iOS DFU
Now on to Animated iOS DFU (Device Firmware Upgrade) mode instructions. This feature is included in UFED 7.56. To perform the CHECKM8 full file system extraction, the iOS device has to be placed in recovery mode and then enter DFU mode from recovery. Placing the device in DFU mode can be tricky, especially if you have not attempted it before, and the challenging steps differ between iOS devices because each has different instructions for entering DFU mode.
There is no on-screen indication that the device has entered DFU mode successfully, and you will have to perform each step carefully, taking note of the timings. If any step is missed in the process, the device may restart instead of entering DFU mode. The whole process has to be repeated until the device shows a black screen, which indicates that the device has successfully entered DFU mode.
UFED makes the whole process less agonizing by providing animated instructions. An interactive image gives detailed instructions and a timer so you can carry out each step more accurately. If a step is missed, hit the restart button to start the process from the beginning.
Stay tuned for Android Forensics – Part 2 of the Cellebrite Solutions 2022 Update Summary