Since October 2007, the process of Jailbreaking has been out in the universe, allowing for deeper access to the mysterious Apple file system. In the beginning, this technique was frowned on in the digital forensics field because of the potential risk to the device evidence. Jailbreaking was also a violation of the Digital Millennium Copyright Act (DMCA) and voided the warranty by Apple. In July of 2010, the courts ruled that the protection Apple used that made Jailbreaking a device legal and not a violation of the DMCA. This ruling opened the digital forensic world to new techniques and new levels of access, but at what cost?
What is Jailbreaking?
Jailbreaking means removing all restrictions from an iOS device. Apple devices that can be jailbroken include iPad, iPod Touch, Apple TV 2, and all iPhone smartphones. Â Jailbreaking allows root access to system files that can be manipulated to enable the installation of apps, themes, and extensions that are not supported by Apple or are unavailable for download on the Apple App Store. Â
(Source: https://www.cleverfiles.com/howto/what-is-jailbroken-device.html)
What is the advantage of Jailbreaking?
Jailbreaking allows you to circumvent the protection that Apple places on the file system of the device. Depending on the firmware on the device, jailbreaking can make a huge impact on your case. In earlier firmware versions, user data did not always primarily exist in the protected area, so the value of the jailbreak compared to the risk on the device was not always weighted in the favor of the jailbreaking technique. As times and locations of data have changed, so has the value of the Jailbreak.   Â
Each tool will have different methods for implementation of the Jailbreak options in digital forensics. For the E3 Forensic Platform, a package manager, Cydia, is installed on the device.  Cydia is used for the installation of software not authorized by Apple. Cydia is then used to be able to install the OpenSSH package for the successful acquisition of the jailbroken devices. This imaging option using the checkra1n jailbreak allows access to new iOS devices physically and the user data that is now residing in the file system.
You can see the Checkra1n method utilized in the E3 Platform. Electronic Evidence Examiner allows acquiring the iOS devices jailbroken by multiple exploits, for example, unc0ver, Checkra1n, Chimera and so on. The choice of the exploit depends on the iOS version.
The data that can be captured for your case from a jailbroken device is much greater than what can be captured from a basic logical examination. The following list is data that can be accessed with an acquisition of a Jailbroken device. Some of this data might also be available with a logical acquisition, but not all of the data.Â
- Contacts
- Messages
- Address Book Images
- Voice Memos up to 13.0 (issue with obtaining data from devices with iOS 13+ will be resolved in 2.6)
- Cookies up to 13.0 (issue with obtaining data from devices with iOS 13+ will be resolved in 2.6)
- Call History
- iMessages
- Calendar
- Notes up to iOS 9.0
- Maps Bookmarks up to iOS 8.0
- Maps History up to 13.0 (issue with obtaining data from devices with iOS 13+ will be resolved in 2.6)
- Maps Directions up to 13.0 (issue with obtaining data from devices with iOS 13+ will be resolved in 2.6)
- Mac Address
- Installed Applications
- Mail Messages up to iOS 13.0
- Safari Bookmarks
- Safari History
- Safari Suspend State (issue with obtaining data from devices with iOS 12 will be resolved in 2.6)
- Dynamic Text up to iOS 11.0
- Wi-Fi Locations up to iOS 8.0
- Cell Locations up to iOS 10.0
- Mail Accounts up to iOS 11.0
- Filesystem
- Last three SIM cards used on the device up to 13.0 (issue with obtaining data from devices with iOS 13+ will be resolved in 2.6)
- Network Connections up to 13.0 (issue with obtaining data from devices with iOS 13+ will be resolved in 2.6)
- Bit-by-bit image up to iOS 11.0
- Recovered SMS Search up to iOS 8.0
- Recovered Messages
- Recovered Safari History
- Recovered Safari Bookmarks
- Recovered Safari Suspend State
- Recovered Notes up to iOS 9.0
- Recovered Call History
- Recovered Contacts
- Recovered Contacts Properties
- Recovered Calendar
- Recovered Cell Locations (iOS 9.0)
- Device Properties
Risks of Jailbreaking?
So, with so many advantages to jailbreaking, why are we not seeing more people do this technique? The fact is, many people have adjusted their procedures to be able to jailbreak devices as part of their process steps. There is still a risk that the device could be bricked as part of the process of jailbreaking.Â
The standard recommended process steps are logical image, backup with a known password to capture keychain data and cloud keys, and finally, jailbreak the device for a physical image.
Brick
Slang for a device becoming unusable. (Not a good moment for evidence)
Different exploits for different iOS versions can be found here:
Different exploits for different iOS versions can be found here:
Many might think that the large variety of images done with Apple devices might be overkill. However, when it comes to the value of additional data that comes with each image, those extra steps pay off during an examination.
Forensic-Impact Articles
Making an Investigations Sock Puppet
Transcript Hello and welcome to the next edition of, the Forensic Impact blog. I'm Amber Schroader. I have been off the video blog for a hot minute because I have broken my ankle, as you can see by my scooter. This is the best background I can get going right now. So,...
Empowering Small Businesses: The Significance of Data Governance
Guest Blog Post In today's digitally driven world, data is the lifeblood of businesses, regardless of their size. Small businesses, in particular, stand to gain significantly from harnessing the power of data. This article from Paraben Corporation delves into the...
Strengthening Your Career In Digital Investigations
Transcript Hi there, and welcome to another installment of forensic impact. I'm Amber Schroader, and this week I am sharing with you information about strengthening your career in digital investigations. This was a topic conversation that I had with one of the blog...
