Jailbreaking iOS Smartphones in 2020

Written by Amber Schroader

May 5, 2020

Since October 2007, the process of Jailbreaking has been out in the universe, allowing for deeper access to the mysterious Apple file system.  In the beginning, this technique was frowned on in the digital forensics field because of the potential risk to the device evidence.  Jailbreaking was also a violation of the Digital Millennium Copyright Act (DMCA) and voided the warranty by Apple.  In July of 2010, the courts ruled that the protection Apple used that made Jailbreaking a device legal and not a violation of the DMCA.  This ruling opened the digital forensic world to new techniques and new levels of access, but at what cost?

What is Jailbreaking?

Jailbreaking means removing all restrictions from an iOS device. Apple devices that can be jailbroken include iPad, iPod Touch, Apple TV 2, and all iPhone smartphones.  Jailbreaking allows root access to system files that can be manipulated to enable the installation of apps, themes, and extensions that are not supported by Apple or are unavailable for download on the Apple App Store.  

(Source: https://www.cleverfiles.com/howto/what-is-jailbroken-device.html)

What is the advantage of Jailbreaking?

Jailbreaking allows you to circumvent the protection that Apple places on the file system of the device.  Depending on the firmware on the device, jailbreaking can make a huge impact on your case.  In earlier firmware versions, user data did not always primarily exist in the protected area, so the value of the jailbreak compared to the risk on the device was not always weighted in the favor of the jailbreaking technique.  As times and locations of data have changed, so has the value of the Jailbreak.     

Each tool will have different methods for implementation of the Jailbreak options in digital forensics.  For the E3 Forensic Platform, a package manager, Cydia, is installed on the device.  Cydia is used for the installation of software not authorized by Apple.  Cydia is then used to be able to install the OpenSSH package for the successful acquisition of the jailbroken devices. This imaging option using the checkra1n jailbreak allows access to new iOS devices physically and the user data that is now residing in the file system.

You can see the Checkra1n method utilized in the E3 Platform. Electronic Evidence Examiner allows acquiring the iOS devices jailbroken by multiple exploits, for example, unc0ver, Checkra1n, Chimera and so on. The choice of the exploit depends on the iOS version.

The data that can be captured for your case from a jailbroken device is much greater than what can be captured from a basic logical examination. The following list is data that can be accessed with an acquisition of a Jailbroken device. Some of this data might also be available with a logical acquisition, but not all of the data. 

  • Contacts
  • Messages
  • Address Book Images
  • Voice Memos up to 13.0 (issue with obtaining data from devices with iOS 13+ will be resolved in 2.6)
  • Cookies up to 13.0 (issue with obtaining data from devices with iOS 13+ will be resolved in 2.6)
  • Call History
  • iMessages
  • Calendar
  • Notes up to iOS 9.0
  • Maps Bookmarks up to iOS 8.0
  • Maps History up to 13.0 (issue with obtaining data from devices with iOS 13+ will be resolved in 2.6)
  • Maps Directions up to 13.0 (issue with obtaining data from devices with iOS 13+ will be resolved in 2.6)
  • Mac Address
  • Installed Applications
  • Mail Messages up to iOS 13.0
  • Safari Bookmarks
  • Safari History
  • Safari Suspend State (issue with obtaining data from devices with iOS 12 will be resolved in 2.6)
  • Dynamic Text up to iOS 11.0
  • Wi-Fi Locations up to iOS 8.0
  • Cell Locations up to iOS 10.0
  • Mail Accounts up to iOS 11.0
  • Filesystem
  • Last three SIM cards used on the device up to 13.0 (issue with obtaining data from devices with iOS 13+ will be resolved in 2.6)
  • Network Connections up to 13.0 (issue with obtaining data from devices with iOS 13+ will be resolved in 2.6)
  • Bit-by-bit image up to iOS 11.0
  • Recovered SMS Search up to iOS 8.0
  • Recovered Messages
  • Recovered Safari History
  • Recovered Safari Bookmarks
  • Recovered Safari Suspend State
  • Recovered Notes up to iOS 9.0
  • Recovered Call History
  • Recovered Contacts
  • Recovered Contacts Properties
  • Recovered Calendar
  • Recovered Cell Locations (iOS 9.0)
  • Device Properties

Risks of Jailbreaking?

So, with so many advantages to jailbreaking, why are we not seeing more people do this technique?  The fact is, many people have adjusted their procedures to be able to jailbreak devices as part of their process steps.  There is still a risk that the device could be bricked as part of the process of jailbreaking. 

The standard recommended process steps are logical image, backup with a known password to capture keychain data and cloud keys, and finally, jailbreak the device for a physical image.


Slang for a device becoming unusable. (Not a good moment for evidence)

Different exploits for different iOS versions can be found here:

Different exploits for different iOS versions can be found here:

Many might think that the large variety of images done with Apple devices might be overkill. However, when it comes to the value of additional data that comes with each image, those extra steps pay off during an examination.

Forensic-Impact Articles

Investigating and Capturing Google Data

Investigating and Capturing Google Data

There are so few people on the planet now that don’t have something to do with Google. With parents selecting Gmail accounts for their kids prior to being born to the proliferation of Google in the classroom the searching giant is everywhere. With this level of...

What is Android ADB with smartphone forensics?

What is Android ADB with smartphone forensics?

There is a lot of trust put into your digital forensic tools when it comes to processing data. Many times, the “magic” of the tool remains someone unknown to the end-user. Each company claims to have a special means to capture the data that is seen in the acquisition....

Forensically Imaging Bitlocker

Forensically Imaging Bitlocker

Guest Blogger, Michael Zinn with Micro Systems Management BitLocker is Microsoft’s Full Volume Encryption (FVE) feature in Windows. BitLocker can be used to encrypt operating system volumes, non-Operating System fixed drive volumes, and removable drive volumes.[1]...