Getting into a passcode-protected iPhone using checkm8 and Cellebrite

Data Rescue Labs Inc. (ForensicGuy)
3 Feb 2020 07:22

Summary

TLDR: In this video, Chris from Data Rescue Labs demonstrates 'before first unlock' (BFU) data extraction from a passcode-protected iPhone using Cellebrite UFED and the checkm8 exploit. The video contrasts extraction with and without the phone's passcode, showing how much more data becomes accessible once the correct passcode is known. Chris walks through using UFED to extract data from an iPhone 7 that will not even boot, showing how forensic tools can still recover app lists, logon tokens, emails, and more.

Takeaways

  • 🔐 The video discusses iPhone data extraction using the checkm8 exploit and Cellebrite UFED, focusing on devices that are passcode protected.
  • 📱 The presenter explains that before first unlock (BFU) extraction is possible on iPhones that have been rebooted, since their data remains encrypted until the passcode is entered.
  • 🔍 BFU extraction can yield useful information for forensic work, such as app lists, logon tokens, emails, and other data, even if it is of little use to consumers.
  • 🛠️ The video demonstrates using Cellebrite UFED with the checkm8 exploit to access data on iPhones, including devices with no image or display.
  • 📲 The presenter shows how to put an iPhone into DFU (Device Firmware Update) mode, which the extraction process requires.
  • 💾 The checkm8 exploit is used to bypass the iPhone's security measures, allowing data extraction even without the device's passcode.
  • 🔑 The video compares data extracted with and without the device's passcode, highlighting the difference in the amount and type of data retrieved.
  • 📈 The presenter notes that checkm8 and Cellebrite together make a wider range of iPhones accessible for extraction, including those running iOS 14.
  • 🚫 The video includes a disclaimer about the privacy of the data being extracted, and the presenter blurs out sensitive information.
  • 🔍 The presenter concludes by emphasizing the utility of the checkm8 exploit for the forensic community and hints at more videos on the subject.

Q & A

  • What is the main topic of the video?

    -The main topic of the video is data extraction from a passcode-protected iPhone using a technique called 'before first unlock' (BFU) extraction together with the checkm8 exploit.

  • What is meant by 'before first unlock' (BFU) extraction?

    -'Before first unlock' (BFU) extraction refers to extracting data from an iPhone after a reboot but before it has been unlocked with its passcode; in that state only a limited subset of the data is accessible.

  • Why is BFU extraction useful in forensic work?

    -BFU extraction is useful in forensic work because it allows access to data such as app lists, logon tokens, emails, and other service information that might not be available after the device is fully encrypted.

  • What tool is used in the video to perform the extraction?

    -The tool used in the video is Cellebrite UFED, which incorporates the checkm8 exploit to access the iPhone's data.

  • What is the Checkmate exploit and how does it help in data extraction?

    -The checkm8 exploit is a security vulnerability that allows access to an iPhone's data. It is used in conjunction with Cellebrite UFED to bypass the need for a passcode and extract data, including from devices with no image, no display, or corrupted storage.

  • What does DFU mode stand for and why is it used in this process?

    -DFU mode stands for Device Firmware Update mode. It lets the iPhone communicate with the Cellebrite UFED tool without fully booting, which is necessary for applying the checkm8 exploit.

  • How is the iPhone put into DFU mode as described in the video?

    -To put the iPhone into DFU mode, the video instructs holding the power and volume down buttons, then releasing the power button while continuing to hold the volume down button until the device enters DFU mode.

  • What is the difference between a BFU extraction and a full extraction as shown in the video?

    -A BFU extraction provides access to some data without the need for a passcode, while a full extraction requires the correct password and yields more comprehensive data, including deleted files, call logs, chats, emails, and a larger number of images.

  • What issues were encountered with the iPhone in the video before attempting extraction?

    -The iPhone in the video did not boot up properly after being plugged into USB, which is a common issue with iOS upgrades. The video mentions a hardware fix for this issue, but instead of repairing the hardware, the decision was made to use Cellebrite UFED and the checkm8 exploit to extract the data.

  • How does the video demonstrate the effectiveness of the Checkmate exploit?

    -The video demonstrates the effectiveness of the checkm8 exploit by showing a successful extraction from an iPhone that would not boot normally, and by comparing the limited data obtained from a BFU extraction with the far more extensive data obtained once the correct passcode was supplied after using the exploit.
