For digital forensics enthusiasts, a full file system extraction on iOS devices provides access to a deeper range of data than standard backups, including app data, system logs, and detailed activity information. With the Checkm8 exploit and open-source tools like UFADE (Universal Forensic Apple Device Extractor), achieving this level of data access is possible even from home, giving hobbyists and forensic analysts hands-on experience.
As of iOS 18, the iPad 7th generation remains the last device that supports a full file system extraction using Checkm8, because Apple fixed the underlying vulnerability in newer devices. This post explores what a full file system extraction entails, the Checkm8 exploit, and the legal standing of jailbreaking in the UK.
What a Full File System Extraction Offers
Performing a full file system extraction allows access to extensive data such as:
- Third-Party App Data: Information from apps like WhatsApp, Instagram and Facebook Messenger, which isn’t included in standard backups.
- Detailed Logs and Metadata: System logs and metadata, which are critical for creating a comprehensive timeline.
- User Interaction Data: Records of app usage, showing when and how apps were accessed—valuable for forensic analysis.
Using UFADE, users can perform various types of extractions, including a Full File System extraction on jailbroken devices, enabling a deeper exploration of iOS data structures and improving analysis capabilities.
Is Jailbreaking Legal in the UK?
Yes, jailbreaking is legal in the UK as long as it’s performed on a device you own and for non-infringing purposes, such as interoperability or personal testing. This aligns with UK copyright law and EU Directive 91/250/EEC, which allows software modifications for research or testing. However, it’s worth noting that jailbreaking voids Apple’s warranty, so consider this for any new device.
By jailbreaking, users gain root access, which is essential for conducting full system extractions without needing professional-grade tools.
The Checkm8 Exploit and Its Role in iOS Forensics
The Checkm8 exploit targets a bootrom vulnerability discovered in 2019 that affects specific iOS devices. Because the flaw sits at the bootrom level, it is unpatchable, and it allows for a tethered jailbreak (which must be re-applied after each reboot) on older devices. Checkm8 is fundamental for enabling full file system extractions, providing the root access needed to reach system and app data.
As of iOS 18, the iPad 7th generation is the only device still supported by Checkm8 for this purpose. This jailbreak compatibility allows users to gain full data access without professional tools, making the iPad 7th generation a unique device for those interested in exploring iOS data at home.
Using UFADE for Full File System Extraction
UFADE (available on GitHub) is an open-source tool designed to facilitate full file system extractions on jailbroken iOS devices. UFADE supports Windows, macOS, and Linux, using libraries like pymobiledevice3 to make data extraction accessible for home use.
Key Features of UFADE:
- Complete File System Extraction: UFADE retrieves comprehensive data from jailbroken devices, including app data and system logs.
- Log and Metadata Collection: The tool enables the collection of detailed logs and metadata, crucial for creating a full activity timeline.
- Cross-Platform Compatibility: Available across various operating systems, making it adaptable to different user setups.
Using UFADE, users can explore app behavior, device usage, and interaction logs, providing hands-on forensic analysis experience.
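As an added example (not part of UFADE or the original post), the Python sketch below shows the timeline step on an extraction you already hold: it reads only file metadata from the archive and sorts it by modification time. It assumes the extraction was saved as a tar archive with paths relative to the file system root; the path prefixes, category labels and sample entries are constructed for illustration.

```python
import io
import tarfile
from datetime import datetime, timezone

# Assumed path prefixes (relative to the archive root) for the data types listed above.
CATEGORIES = [
    ("private/var/mobile/Containers/Data/Application/", "third-party app data"),
    ("private/var/mobile/Library/Logs/", "system log"),
    ("private/var/mobile/Library/CoreDuet/Knowledge/", "user interaction data"),
]

def categorize(path):
    rel = path.removeprefix("./").lstrip("/")
    for prefix, label in CATEGORIES:
        if rel.startswith(prefix):
            return label
    return "other"

def build_timeline(fileobj):
    """Return (UTC ISO time, category, path) per regular file, oldest first."""
    rows = []
    with tarfile.open(fileobj=fileobj, mode="r:*") as tar:
        for member in tar:  # metadata only; file contents are not extracted
            if member.isfile():
                rows.append((member.mtime, categorize(member.name), member.name))
    rows.sort()
    return [(datetime.fromtimestamp(m, timezone.utc).isoformat(), c, n) for m, c, n in rows]

def sample_archive():
    """Constructed sample data: made-up files, app UUID and modification times."""
    app = "private/var/mobile/Containers/Data/Application/00000000-0000-0000-0000-000000000000"
    entries = [("private/var/mobile/Library/Logs/CrashReporter/sample.ips", 1700000300),
               (app + "/Documents/chat.sqlite", 1700000000),
               ("private/var/mobile/Library/CoreDuet/Knowledge/knowledgeC.db", 1700000100)]
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, mtime in entries:
            info = tarfile.TarInfo(name)
            info.size, info.mtime = 4, mtime
            tar.addfile(info, io.BytesIO(b"test"))
    buf.seek(0)
    return buf

if __name__ == "__main__":
    for when, category, path in build_timeline(sample_archive()):
        print(when, category, path)
```

Archive modification times are only as reliable as the tool that wrote them, so corroborate them against timestamps stored inside the databases and logs themselves.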
Important Considerations
While UFADE and Checkm8 make full extractions accessible, remember these key points:
- Legal Boundaries: Perform extractions only on devices you own.
- Device Modifications: Jailbreaking alters the device’s security, making it unsuitable for formal evidence gathering.
- Device Compatibility: As of iOS 18, only the iPad 7th generation supports full extractions via Checkm8.
Conclusion
With tools like UFADE and Checkm8, forensic enthusiasts can explore iOS data at a professional level, accessing comprehensive data logs, app data, and metadata to enhance their forensic analysis skills. The iPad 7th generation remains the last device compatible with Checkm8 on iOS 18, offering a rare opportunity for full extraction at home.
For more information on UFADE and getting started, visit the UFADE project on GitHub.