
Step by Step Guide to iOS Jailbreaking and Physical Acquisition | Elco... https://blog.elcomsoft.com/2019/05/step-by-step-guide-to-ios-jailbreakin...

ElcomSoft blog
«…Everything you wanted to know about password recovery, data decryption,
mobile & cloud forensics…»


Step by Step Guide to iOS Jailbreaking and Physical Acquisition
May 30th, 2019 by Oleg Afonin


Unless you’re using GrayShift or Cellebrite services for iPhone extraction, jailbreaking is a required
prerequisite for physical acquisition. Physical access offers numerous benefits over other types of extraction; as
a result, jailbreaking is in demand among experts and forensic specialists.

The procedure of installing a jailbreak for the purpose of physical extraction is vastly different from
jailbreaking for research or other purposes. In particular, forensic experts are struggling to keep devices
offline in order to prevent data leaks, unwanted synchronization and issues with remote device management
that may remotely block or erase the device. While there is no lack of jailbreaking guides and manuals for
“general” jailbreaking, installing a jailbreak for the purpose of physical acquisition has multiple forensic
implications and some important precautions.

When performing forensic extraction of an iOS device, we recommend the following procedure.

Prepare the device and perform logical extraction


1. Enable Airplane mode on the device.

This is required in order to isolate the device from wireless networks and cut off Internet connectivity.


2. Verify that Wi-Fi, Bluetooth and Mobile Data toggles are all switched off.

Recent versions of iOS allow keeping (or manually toggling) Wi-Fi and Bluetooth connectivity even
after Airplane mode is activated. This allows iOS devices to keep connectivity with the Apple Watch,
wireless headphones and other accessories. Since we don’t want any of that during the extraction, we’ll
need to make sure all of these connectivity options are disabled.

3. Unlock the device. Do not remove the passcode. While you could switch the device into Airplane
mode without unlocking the phone, the rest of the process will require the device with its screen
unlocked. While some jailbreaking and acquisition guides (including our own old guides) may
recommend removing the passcode, don’t. Removing the passcode makes iOS erase certain types
of data such as Apple Pay transactions, downloaded Exchange mail and some other bits and pieces. Do
not remove the passcode.

4. Pair the device to your computer by establishing trust (note: passcode required!). Since iOS 11,
iOS devices require the passcode in order to establish a pairing relationship with the computer. This
means that you will require the passcode in order to pair the iPhone to your computer. Without pairing,
you won’t be able to sideload the jailbreak IPA onto the phone.

5. Make sure that your computer’s Wi-Fi is disabled. This required step is frequently forgotten,
resulting in a failed extraction. While it is not immediately obvious, we strongly recommend
disabling Wi-Fi connectivity on your computer if it has one. If you keep Wi-Fi enabled on your
computer and there is another iOS device on the network, iOS Forensic Toolkit may accidentally
connect to that other device, and the extraction will fail.

6. Launch iOS Forensic Toolkit. Make sure that both the iPhone and the license dongle are connected to
your computer’s USB ports. iOS Forensic Toolkit is available from https://www.elcomsoft.com/eift.html

7. Using iOS Forensic Toolkit, perform all steps for logical acquisition. iOS Forensic Toolkit supports
what is frequently referred to as “Advanced Logical Extraction”. During this process, you will make a
fresh local backup, obtain device information (hardware, iOS version, list of installed applications),
extract crash logs, media files, and shared app data. If the iOS device does not have a backup password,
iOS Forensic Toolkit will set a temporary password of ‘123’ in order to allow access to certain types
of data (e.g. messages and keychain items). If a backup password is configured and you don’t know it,
you may be able to reset the backup password on the device (iOS 11 and 12: the Reset All Settings
command; passcode required), then repeat the procedure. However, since the Reset All Settings
command also removes the device passcode, you will lose access to Apple Pay transactions and some
other data. Refer to “If you have to reset the backup password” for instructions.

Prepare for jailbreaking and install a jailbreak


1. Identify the hardware and iOS version the device is running (iOS Forensic Toolkit > (I)nformation).

2. Identify the correct jailbreak supporting the combination of device hardware and software. The
following jailbreaks are available for recent versions of iOS:

iOS 12 – 12.1.2
RootlessJB (recommended if compatible with hardware/iOS version as the least invasive):
https://github.com/jakeajames/rootlessJB

iOS 11.x – 12 – 12.1.2
unc0ver jailbreak (source code available): https://github.com/pwn20wndstuff/Undecimus

iOS 12 – 12.1.2
Chimera jailbreak: https://chimera.sh/

Other jailbreaks exist. They may or may not work for the purpose of forensic extraction.

3. Make sure you have an Apple Account that is registered in the Apple Developer Program (enrollment
as a developer carries a yearly fee). Using an Apple Account enrolled in the Apple Developer Program
allows sideloading an IPA while the device is offline and without manually approving the signing
certificate in the device settings (which requires the device to connect to an Apple server). Note: a
“personal” developer account is not sufficient for our purposes; you require a “corporate” developer
account instead.

4. Log in to your developer Apple Account and create an app-specific password. All Apple accounts
enrolled in the Apple Developer Program are required to have Two-Factor Authentication. Since Cydia
Impactor does not support two-factor authentication, an app-specific password is required to sign and
sideload the jailbreak IPA.

5. Launch Cydia Impactor and sideload the jailbreak IPA using the Apple ID and app-specific password
of your Apple developer account. Note: Cydia Impactor will prompt about which signing certificate to use.
Select the developer certificate from the list. Since you have signed the IPA file using your developer
account, approving the signing certificate on the iOS device is not required. The iOS device will remain
offline.

6. Launch the jailbreak and follow the instructions. Note: we recommend creating a system snapshot if
one is offered by the jailbreak.

Troubleshooting jailbreaks

Modern jailbreaks (targeting iOS 10 and newer) are relatively safe to use since they do not modify the
kernel. As a result, the jailbroken device will always boot in a non-jailbroken state; the jailbreak must be
reapplied after each reboot.

Jailbreaks exploit chains of vulnerabilities in the operating system in order to obtain superuser privileges,
escape the sandbox and allow the execution of unsigned applications. Since multiple vulnerabilities are
consecutively exploited, the jailbreaking process may fail at any time.

It is not unusual for jailbreaking attempts to fail on the first try. If the first attempt fails, you have the
following options:

1. Reattempt the jailbreak by re-running the jailbreak app.

2. If this fails, reboot the device, unlock it with the passcode, then wait for about 3 minutes to allow all
background processes to start. Then reattempt the jailbreak.

3. You may need to repeat Step 2 several times for the jailbreak to install. However, if the above
procedure does not work after multiple attempts, we recommend trying a different jailbreak tool. For
example, we counted no less than five different jailbreak tools for iOS 12.0-12.1.2, with some of them
offering a higher success rate on certain hardware (and vice versa).

4. Some jailbreaks have specific requirements such as checking if an iOS update has been downloaded
(and removing the downloaded update if it is there). Do check the accompanying info.

Troubleshooting iOS Forensic Toolkit


If for any reason you have to close and restart iOS Forensic Toolkit, make sure to close the second window as
well (the Secure channel window).

If iOS Forensic Toolkit appears to be connected to the device but you receive unexpected results, close iOS
Forensic Toolkit (both windows) and make sure that your computer is not connected to the Wi-Fi network. If
it isn’t, try disabling the wired network connection as well since your computer may be operating on the same
network with other iOS devices.

Windows: the Windows version of iOS Forensic Toolkit will attempt to save extracted information to the
folder where the tool is installed. While you can specify your own path to store data, it may be easier to move
the EIFT installation into a shorter path (e.g. x:\eift\).

Mac: a common mistake is attempting to run iOS Forensic Toolkit directly from the mounted DMG image.
Instead, create a local directory and copy EIFT to that location.

If you have to reset the backup password


If the iPhone backup is protected with an unknown password, you may be tempted to quickly reset that
password by using the “Reset All Settings” command. We recommend using this option with care, and only
after making a full local backup “as is”.

Resetting “all settings” will also remove the device passcode, which means that iOS will wipe the types of
data that rely on passcode protection. This includes Apple Pay transactions, downloaded Exchange messages
and some other data. In order to preserve all of that evidence, we recommend the following acquisition
sequence:

1. Perform the complete logical acquisition sequence “as is” with iOS Forensic Toolkit (the backup,
media files, crash logs, shared app data).
2. Jailbreak the device and capture the keychain and file system image. If this is successful, the keychain
will contain the backup password.
3. Reset backup password: if you are unable to install a jailbreak and perform physical acquisition even
after you follow the relevant troubleshooting steps, consider resetting the backup password and
following logical acquisition steps again to capture the backup. Note that if you create the backup with
iOS Forensic Toolkit after resetting the password, that backup will be protected with a temporary
password of ‘123’.

Extracting the backup password from the keychain


If you have successfully performed physical acquisition, you already have the decrypted iOS keychain at
your disposal. The keychain stores the backup password; you can use that backup password to decrypt the
device backup. The backup password is stored in the “BackupAgent” item as shown on the following
screenshot:

On that screenshot, the backup password is “JohnDoe”.

To discover that password, launch Elcomsoft Phone Breaker and select Explore keychain on the main screen.
Click “Browse” > “Choose another” and specify the path to the keychaindumpo.xml file extracted with iOS
Forensic Toolkit.

The keychain is always encrypted. The backup password is stored with the ThisDeviceOnly attribute, and can
only be extracted via physical acquisition.

Perform physical extraction


Once the device has been jailbroken, it will be possible to extract the content of the file system, obtain and
decrypt the keychain.

1. Make sure that the iOS device remains in Airplane mode, and the Wi-Fi, Bluetooth and Mobile Data
toggles are disabled.

2. Make sure that your computer’s Wi-Fi is disabled. This required step is frequently forgotten,
resulting in a failed extraction. While it is not immediately obvious, we strongly recommend
disabling Wi-Fi connectivity on your computer if it has one. If you keep Wi-Fi enabled on your
computer and there is another iOS device on the network, iOS Forensic Toolkit may accidentally
connect to that other device, and the extraction will fail.

3. Make sure the iOS device has been paired to the computer (or that you have a valid pairing/lockdown
file ready).

4. Unlock the iOS device and make sure its display is switched on. Connect the iOS device to the computer.
Note: do not remove the passcode on the device! Otherwise, you will lose access to certain types of
evidence such as Apple Pay transactions, downloaded Exchange mail and some other data.

5. Launch iOS Forensic Toolkit.

6. Use the (D)isable screen lock command from the main window to prevent the iOS device from
automatically locking. This is required in order to access some elements of the file system that iOS tries
to protect when the device is locked. Preventing screen lock is the simplest way to work around these
protection measures.

7. Extract the keychain with the (K)eychain command.

8. Extract the file system image with the (F)ile system command.

Analyzing the data


As a result of your acquisition efforts, you may have all or some of the following pieces of evidence:

1. Information about the device (XML) and the list of installed apps (text file). Use any XML or text
viewer to analyze.

2. A local backup in iTunes format. If you have followed the guideline, the backup will be encrypted with
a password, and the password is ‘123’. You can open the backup in any forensic tool that supports
iTunes backups such as Elcomsoft Phone Viewer. In order to analyze the keychain, you’ll have to open
the backup with Elcomsoft Phone Breaker.

3. Crash logs. You can analyze these using a text editor. Alternatively, refer to the following work about
log file analysis: iOS Sysdiagnose Research (scripts: iOS sysdiagnose forensic scripts).

4. Media files. Use any gallery or photo viewer app. You may want to use a tool that can extract EXIF
information and, particularly, the geotags in order to re-create the suspect’s location history. The article
iOS Photos.sqlite Forensics is also worth reading!

5. Shared files. These files can be in any format, most commonly plist, XML or SQLite.

6. Keychain (extracted with iOS Forensic Toolkit). Analyze with Elcomsoft Phone Breaker. The keychain
contains passwords the user saved in Safari, system and third-party apps. These passwords can be used
to sign in to the user’s mail and social network accounts. The passwords can also be used to create a
highly targeted custom dictionary for attacking encrypted documents and full disk encryption with
tools such as Elcomsoft Distributed Password Recovery.

7. File system image (extracted with iOS Forensic Toolkit). Analyze with Elcomsoft Phone Viewer or
unpack the TAR file and analyze manually or using your favorite forensic tool.
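As an added example (not the article's or Elcomsoft's code), the following Python script triages a file system TAR of the kind item 7 describes: it walks the archive, identifies each file by its leading bytes rather than its extension (binary plist, SQLite, XML, JPEG) and records a SHA-256 for the evidence log. The archive it reads is a small constructed sample carrying the magic bytes of each type; the paths in it are assumed, not taken from a real image.

```python
import hashlib
import io
import tarfile
# Constructed sample standing in for the file system TAR produced by the (F)ile
# system command; each member carries the magic bytes of the file type it
# represents, and the paths are assumed rather than taken from a real image.
SAMPLE_FILES = {
    "private/var/mobile/Library/Preferences/com.example.plist": b"bplist00" + b"\x00" * 8,
    "private/var/mobile/Library/SMS/sms.db": b"SQLite format 3\x00" + b"\x00" * 16,
    "private/var/mobile/Library/Info.plist": b'<?xml version="1.0"?><plist/>',
    "private/var/mobile/Media/DCIM/IMG_0001.JPG": b"\xff\xd8\xff\xe0" + b"\x00" * 8,
    "private/var/mobile/notes.txt": b"plain text note",
}


def build_sample_tar() -> bytes:
    """Build the constructed archive in memory so the script runs offline."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in SAMPLE_FILES.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def classify(header: bytes) -> str:
    """Identify a file by its leading bytes; file extensions are not trusted."""
    if header.startswith(b"bplist00"):
        return "binary plist"
    if header.startswith(b"SQLite format 3\x00"):
        return "sqlite"
    if header.lstrip().startswith(b"<?xml"):
        return "xml"
    if header.startswith(b"\xff\xd8\xff"):
        return "jpeg"
    return "other"


def inventory(tar_bytes: bytes) -> list:
    """One record per regular file: path, size, detected type and SHA-256 (for the evidence log)."""
    records = []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r") as tar:
        for member in tar:
            if not member.isfile():
                continue
            data = tar.extractfile(member).read()
            records.append({
                "path": member.name,
                "size": member.size,
                "type": classify(data[:64]),
                "sha256": hashlib.sha256(data).hexdigest(),
            })
    return records


if __name__ == "__main__":
    for rec in inventory(build_sample_tar()):
        print(f'{rec["type"]:13} {rec["size"]:5} {rec["sha256"][:16]}  {rec["path"]}')
```

To run it against a real extraction, pass the bytes of the actual TAR to inventory() instead of build_sample_tar().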


Tags: EIFT, Elcomsoft iOS Forensic Toolkit, iOS, iOS forensics, jailbreak, physical acquisition

This entry was posted on Thursday, May 30th, 2019 at 2:49 pm and is filed under Did you know that...?, Tips & Tricks. You can
follow any responses to this entry through the RSS 2.0 feed. Both comments and pings are currently closed.

Copyright © 2009-2019 ElcomSoft Co. Ltd.