Checkra1n & iOS Forensics

It’s an exciting time to be doing iOS forensics! I was reading Mattia Epifani’s blog this morning and I’m looking forward to playing with his updated ios_bfu_triage script.

ios_bfu_triage, in summary, is a script that you can run on macOS to extract data from a “checkra1ned” iOS device. The possibilities include collecting device information, executing live commands, and acquiring a full image! Read more here:

Once the acquisition is complete, you can bring the acquired TAR to your mobile forensics tools for parsing, examination, and reporting!

If you are not familiar with Mattia’s work, I would recommend reading all of his posts on the topic, especially this one:

Mainstream tools are also adding support for the recent iOS exploits. If you have been acquiring “checkra1ned” iOS devices, I would be interested to hear your experiences (afu.1.dar anyone?) :grin:


Another interesting open-source project is iLEAPP by Alexis Brignoni:

This is a logs, events, and preferences parser for iOS 11+ written in Python.

You can read more here:
