Checkm8 for iPhone Forensics

Examination of an Apple iOS device is a big challenge for Digital Forensics. Apple have focussed on improving the security of their devices over many years with such success that law enforcement was unable to access the devices without the PIN code. The highly publicised Court case of the San Bernardino killer played out this argument between Apple and the FBI in public.

Bypassing PIN codes

This prompted some major developments in forensics. The secretive GrayKey and a similar service from Cellebrite were launched, allowing PIN codes to be bypassed, but they are either available to Law Enforcement only, or are prohibitively expensive and can’t be used in-house.

Additional data

As a side effect of the exploits used to gain this access, it was also found that a great deal of additional data could be accessed using these tools. The traditional approach was based upon a backup of the device being taken, the content of which is limited. Data such as log files relating to the handset’s usage and apps such as Snapchat (which aren’t included in the backup) are left inaccessible on the phone. These new techniques allowed all of the data, known as a 'full file system extraction', to be recovered from the phone.

Unpatchable flaw

As stated, these tools are only available to Law Enforcement. Whilst the extracted data can be made available to the defence for examination, solicitors have been unable to commission the same level of examination for devices not previously examined by the Police (with some expensive exceptions for civil, family or other non-criminal matters). This has now changed. At the end of 2019, researchers discovered an unpatchable flaw (which they named 'checkm8') in most Apple devices, which developed into an exploit named 'checkra1n'.

New possibilities

Our forensic tools can now use these techniques to extract full file system extractions for most iOS devices, giving a wealth of further data that could be the key to proving your client's case, for example, exactly when a device is locked and unlocked, when it is connected to a power supply, or some Snapchat messages - all of this data has now become available. Whilst the PIN cannot be bypassed using these tools, some data can now be extracted from a locked device which may assist in proving the attribution of it.

Keith Borer Consultants’ view

One of Keith Borer Consultants' senior mobile telephone experts, Mr Thomas Marryat says "the advent of Checkm8 presents exciting possibilities in Apple iOS device examination and will provide a wealth of extra data enabling an even greater insight into the user’s activity.

Next steps

If you would like to discuss how these developments could help your case, please get in touch with our mobile forensics department at our Durham office on 0191 3324999.