Elcomsoft has updated its iOS Forensic Toolkit to add the ability to extract a limited type of data from iPhone 5s to iPhone X running iOS 12 – iOS 13.3. The tool works irrespective of the iOS version the iPhone is running and is based on the checkm8 bootrom exploit.
The company notes that it can now even extract keychain records from iPhones or iPad in BFU (Before First Unlock) mode which is usually the most secure state of an iOS device. This is the mode in which the device has been rebooted or powered cycled and not been unlocked even once after that. Unless an iPhone is unlocked once after a reboot, “almost” all data on it remains encrypted as the screen lock is required to generate the decryption key.
It is the data that is unencrypted and available before the first unlock which Elcomsoft is now able to retrieve from locked iPhones or iPads.
In particular, some keychain items containing authentication credentials for email accounts and a number of authentication tokens are available before first unlock. This is by design; these bits and pieces are needed to allow the iPhone to start up correctly before the user punches in the passcode.
With the latest update to its tool, Elcomsoft is using the checkm8 exploit to extract this very unencrypted data from an iPhone using partial file system extraction. Since the keychain is also extracted in this process, one can find email and passwords leaked from insecure apps in this data dump. Other data that can be extracted include the list of installed apps, selected data related to the Wallet, Wi-Fi connections, media files, notifications, and location points.
There is one catch with the tool though — it requires the device in question to be already jailbroken using checkra1n jailbreak. Now, even if your iPhone or iPad is not jailbroken, it can be done so using checkra1n as it makes use of the DFU mode to jailbreak devices.
[Via Elcomsoft]