Step-by-Step iOS Jailbreak and Data Extraction Guide

Forensic and digital investigation experts frequently resort to jailbreaking to obtain data from an iPhone. A jailbreak performed for data acquisition differs from a jailbreak performed for other purposes: the examiner wants to keep the device offline as much as possible to prevent data leaks, unwanted syncs, and remote device management (for example, a remote wipe). Although a lot has been written about jailbreaking for other purposes, a forensic jailbreak has many additional details to consider. By following the steps in this guide you can perform a jailbreak that is suitable for this purpose.

Preparing the Device and Taking Backups

  1. Put the device in airplane mode. This step is necessary to disconnect from the Internet and isolate the device from wireless networks.
  2. Recent versions of iOS allow Wi-Fi and Bluetooth to be switched on manually even while airplane mode is on. This feature exists so that the Apple Watch, wireless headphones and other accessories can keep communicating. None of this is desired here, so check one by one that Wi-Fi, Bluetooth and cellular data are all disabled.
  3. Turn on the device and unlock the screen, but do not remove its passcode. Although the device can be put into airplane mode without unlocking the screen, the screen must be unlocked for the remaining operations. Some jailbreak guides recommend removing the screen lock; do not do it. When the passcode is removed, Apple Pay data, downloaded e-mails and much other data are deleted. It is therefore more sensible to leave the device passcode in place.
  4. Pair the device with your computer. Beginning with iOS 11, an iOS device requires the passcode to pair with a computer. Without the passcode you will not be able to sideload the jailbreak IPA file onto the phone.
  5. Make sure your computer’s Wi-Fi connection is disabled. This step is often forgotten and causes operations to fail: if your computer’s Wi-Fi is active and there is another iOS device on your network, the iOS Forensic Toolkit agent may accidentally connect to that device and the operation may fail.
  6. Run the iOS Forensic Toolkit. Make sure your iPhone is connected to your computer’s USB port with a certified cable.
  7. Perform all the steps using the iOS Forensic Toolkit. The toolkit has a mode called “Advanced Logical Extraction” that performs all the steps needed to acquire the device. During the process a local backup is taken, device information is obtained (hardware, iOS version, installed apps), crash reports are collected, and media files and shared app data are obtained. If the iOS device does not have a backup password, the iOS Forensic Toolkit temporarily sets the password “123” so that you can access messages and certain keychain components. If a backup password has been set and you do not know it, you may need to reset the backup password on the device. (For iOS 11 and 12 this is done with Settings – General – Reset – “Reset All Settings”. However, since this also removes the device passcode, you will lose access to the data mentioned above.)

Preparing the Device for Jailbreak

  1. Open the Information section of the iOS Forensic Toolkit to obtain the hardware model and iOS version.
  2. Choose the correct jailbreak for that hardware and software:
    • rootlessJB for iOS 12 – 12.1.2 (recommended when the hardware and iOS version are compatible, as it leaves the fewest traces);
    • unc0ver for iOS 11.x – 12.1.2;
    • Chimera for iOS 12 – 12.1.2.
  3. Make sure you have an Apple account enrolled in the Apple Developer Program (for an annual fee). With an account in the Apple Developer Program you can sideload IPA files while the device is offline, without having to manually trust the certificate in the device settings (trusting a certificate requires a connection to Apple’s servers). Note that you will need an organization developer account; an individual developer account is not sufficient for this purpose.
  4. Sign in to your Apple developer account and create an app-specific password. All accounts in the Apple Developer Program require two-factor authentication. Since Cydia Impactor does not support two-factor authentication, you need to create an app-specific password and log in with it before you can sideload the jailbreak IPA files.
  5. Run the Cydia Impactor tool and sideload the jailbreak IPA files using the app-specific password of your Apple account. Cydia Impactor will ask which certificate to use during the process; select “Developer certificate” from the list.
  6. Run the jailbreak and follow its instructions. If the jailbreak offers to create a system backup, it is worth taking one.

Problems Encountered During Jailbreak

Modern jailbreak methods targeting iOS 10 and newer are safer because they do not persistently modify the kernel. As a result the jailbroken device always boots unjailbroken, and the jailbreak must be re-applied after each reboot.

A jailbreak exploits vulnerabilities in the operating system to obtain elevated privileges, escape the sandbox and allow unsigned applications to run. Since several vulnerabilities are chained together, the jailbreak process may fail at some stage.

It is common for the jailbreak to fail on the first try. If the first attempt is unsuccessful, you have several options:

  1. Try to repeat the jailbreak process by running the jailbreak application again.
  2. If this fails, reboot the device. After unlocking the screen, wait about 3 minutes to allow all background processes to start. Then try jailbreaking again.
  3. You may need to repeat the second step a few times. However, if the process fails despite multiple attempts, it would be more logical to use a different jailbreak tool.
  4. Some jailbreak methods may have additional requirements. You should consider any additional information regarding the jailbreak method (such as removing certain iOS updates if they have been installed).

Problems Encountered While Using iOS Forensic Toolkit

If for any reason you have to close and restart the iOS Forensic Toolkit, first make sure that the second window is closed as well.

If the tool connects to your device but you get an unexpected result, close both windows of the iOS Forensic Toolkit and make sure your computer is not connected to the Wi-Fi network. You may also need to disable your computer’s wired network connection if you have other iOS devices on your network.

The Windows version of the iOS Forensic Toolkit writes the acquired data to the folder where the tool is installed. You can specify the destination folder yourself, but it helps to install the tool in a folder close to the root of the drive so that path lengths stay short.

With the Mac version of the program, a common mistake is to mount the DMG image and try to start the program from there. Instead, create a local directory and copy the program into it.

What You Can Do If You Need to Reset the Backup Password

If iPhone backups are protected by an unknown password, you can reset this password with the “Reset All Settings” option we mentioned earlier. However, it makes sense to apply this option carefully and after you have properly taken a full local backup.

Since using the “Reset All Settings” option will also remove the device’s login password, Apple Pay payments, downloaded messages and other data linked to this protection will also be deleted. To protect this data, you must follow the steps below:

  1. Perform all the required steps with the iOS Forensic Toolkit exactly as described above (backup, media files, crash reports, shared app data).
  2. Jailbreak the device. If the jailbreak succeeds, the keychain will also give you the backup password.
  3. If you cannot jailbreak the device even after following the steps in the troubleshooting section, you may need to reset the password in order to obtain the backup. If you create a backup with the iOS Forensic Toolkit after resetting the password, that backup will be protected with the temporary password “123”.

Obtaining Backup Password via Keychain

If you have successfully jailbroken the device and extracted the keychain, you also have the decrypted iOS keychain. The keychain contains the backup password. In the screenshot below it can be seen in the “BackupAgent” section, under the “Data” subheading.

[Screenshot: backup password shown in the BackupAgent keychain entry]

You can use the Elcomsoft Phone Breaker program to reveal this password: click the “Explore keychain” option on the main screen, then use “Browse – Choose another” to specify the location of the keychaindump.xml file obtained with the iOS Forensic Toolkit.

Obtaining Phone Data

It is possible to access the file system content on the jailbroken phone. For this you can follow the steps below:

  1. Make sure the iOS device is in airplane mode and the Wi-Fi, Bluetooth, and mobile data options are disabled.
  2. Make sure your computer’s wireless network is turned off.
  3. Make sure your iOS device is paired with the computer.
  4. Unlock the screen of the iOS device and keep it on. Then connect the device to the computer. As mentioned before, do not remove the device’s screen passcode.
  5. Run the iOS Forensic Toolkit and use the “Disable screen lock” command from the main window. The iOS device will then no longer lock automatically. This prevents iOS from protecting certain parts of the file system, which it does when the screen is locked.
  6. Obtain the keychain file using the “keychain” command.
  7. Obtain the file system image using the “filesystem” command.

Examining the Obtained Data

The following data can be obtained from the acquired files:

  • Information about the device (an .xml file) and the list of installed applications (a text file).
  • A local backup in iTunes format. You can use any tool that displays iTunes backups, such as Elcomsoft Phone Viewer. To examine the keychain data, open the backup with Elcomsoft Phone Breaker.
  • Crash reports. You can review these with any text editor.
  • Media files. You can use any gallery app. Examining the EXIF information, and especially the location data, can be useful for reconstructing a suspect’s location history.
  • Shared files. These can be in any format, but are usually plist, XML, or SQLite files.
  • The keychain, which can be examined with Elcomsoft Phone Breaker. It contains the user’s passwords stored by Safari, by the system, and by third-party applications. These passwords can be used to log into the user’s e-mail and social media accounts.
  • The file system image. You can review it with Elcomsoft Phone Viewer, or extract the TAR file from the archive and review it manually or with any application you prefer.
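The guide points out that EXIF location data in media files can reconstruct a location history. The following is an added example, not code from the page or from Elcomsoft’s tools, showing how GPS coordinates are actually encoded: a GPS sub-IFD pointed to by tag 0x8825 in the TIFF/EXIF header, holding degrees, minutes and seconds as RATIONAL pairs plus an N/S or E/W reference letter. The example parses that structure with the standard library only and converts it to signed decimal degrees. Because a real photo cannot be embedded here, `build_sample_tiff` constructs a minimal TIFF blob with only a GPS sub-IFD; the coordinates used are made up for the test. The parser itself is generic and works on the TIFF segment of a real JPEG’s APP1 block once the 6-byte `Exif\0\0` prefix is removed (an assumption the example does not exercise).

```python
import struct

# Tag ids and field types from the TIFF 6.0 / EXIF specifications.
TAG_GPS_IFD = 0x8825
TAG_LAT_REF, TAG_LAT, TAG_LON_REF, TAG_LON = 0x0001, 0x0002, 0x0003, 0x0004
T_LONG, T_ASCII, T_RATIONAL = 4, 2, 5
TYPE_SIZES = {1: 1, 2: 1, 3: 2, 4: 4, 5: 8, 7: 1, 9: 4, 10: 8}


def _read_ifd(data, offset, e):
    """Parse one Image File Directory into {tag: (type, count, raw value bytes)}.
    Values larger than 4 bytes are stored out-of-line and referenced by offset."""
    (n,) = struct.unpack_from(e + "H", data, offset)
    entries = {}
    for i in range(n):
        pos = offset + 2 + 12 * i
        tag, typ, count = struct.unpack_from(e + "HHI", data, pos)
        size = TYPE_SIZES.get(typ, 1) * count
        if size > 4:
            (ptr,) = struct.unpack_from(e + "I", data, pos + 8)
            raw = data[ptr:ptr + size]
        else:
            raw = data[pos + 8:pos + 8 + size]
        entries[tag] = (typ, count, raw)
    return entries


def _dms_to_decimal(raw, ref, e):
    """Three RATIONAL values (degrees, minutes, seconds) -> signed decimal degrees."""
    num = struct.unpack(e + "IIIIII", raw)
    deg, mins, secs = (num[i] / num[i + 1] for i in (0, 2, 4))
    value = deg + mins / 60 + secs / 3600
    return -value if ref in ("S", "W") else value


def extract_gps(tiff):
    """Return (latitude, longitude) from a TIFF/EXIF blob, or None if no GPS data."""
    e = {b"II": "<", b"MM": ">"}[tiff[:2]]          # byte-order mark
    (ifd0_off,) = struct.unpack_from(e + "I", tiff, 4)
    ifd0 = _read_ifd(tiff, ifd0_off, e)
    if TAG_GPS_IFD not in ifd0:
        return None
    (gps_off,) = struct.unpack_from(e + "I", ifd0[TAG_GPS_IFD][2])
    gps = _read_ifd(tiff, gps_off, e)
    if not all(t in gps for t in (TAG_LAT_REF, TAG_LAT, TAG_LON_REF, TAG_LON)):
        return None
    lat_ref = gps[TAG_LAT_REF][2].rstrip(b"\0").decode("ascii")
    lon_ref = gps[TAG_LON_REF][2].rstrip(b"\0").decode("ascii")
    return (_dms_to_decimal(gps[TAG_LAT][2], lat_ref, e),
            _dms_to_decimal(gps[TAG_LON][2], lon_ref, e))


def _to_dms(value):
    """Decimal degrees -> (numerator, denominator) pairs; seconds kept to 1/100."""
    value = abs(value)
    deg = int(value)
    mins = int((value - deg) * 60)
    secs = round(((value - deg) * 60 - mins) * 60 * 100)
    return [(deg, 1), (mins, 1), (secs, 100)]


def build_sample_tiff(lat, lon):
    """Constructed little-endian TIFF containing only a GPS sub-IFD (sample input,
    not a real photo). Layout: header @0, IFD0 @8, GPS IFD @26, rationals @80/@104."""
    e = "<"
    lat_ref = (b"N\0" if lat >= 0 else b"S\0").ljust(4, b"\0")
    lon_ref = (b"E\0" if lon >= 0 else b"W\0").ljust(4, b"\0")
    header = b"II" + struct.pack(e + "HI", 42, 8)
    ifd0 = (struct.pack(e + "H", 1)
            + struct.pack(e + "HHII", TAG_GPS_IFD, T_LONG, 1, 26)
            + struct.pack(e + "I", 0))
    gps = (struct.pack(e + "H", 4)
           + struct.pack(e + "HHI", TAG_LAT_REF, T_ASCII, 2) + lat_ref
           + struct.pack(e + "HHII", TAG_LAT, T_RATIONAL, 3, 80)
           + struct.pack(e + "HHI", TAG_LON_REF, T_ASCII, 2) + lon_ref
           + struct.pack(e + "HHII", TAG_LON, T_RATIONAL, 3, 104)
           + struct.pack(e + "I", 0))
    rationals = b"".join(struct.pack(e + "II", n, d)
                         for n, d in _to_dms(lat) + _to_dms(lon))
    return header + ifd0 + gps + rationals


def build_empty_tiff():
    """Constructed TIFF whose IFD0 has no entries, i.e. a photo without GPS data."""
    return b"II" + struct.pack("<HI", 42, 8) + struct.pack("<HI", 0, 0)


if __name__ == "__main__":
    for blob in (build_sample_tiff(41.0082, 28.9784),
                 build_sample_tiff(-33.8688, 151.2093),
                 build_empty_tiff()):
        print(extract_gps(blob))
```

The seconds field is the usual place where precision is lost: many cameras store it as a rational with denominator 100 or 1000, so comparing coordinates from two photos should be done with a tolerance rather than exact equality.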
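The last two bullets say that shared app data is usually plist, XML or SQLite and that the file system image can be extracted from its TAR archive and reviewed manually. As an added example (not part of the page and not Elcomsoft code), the following script triages such a TAR image in memory: it identifies each regular file by its leading bytes and refuses members whose paths contain `..` or are absolute, so an image from an untrusted device cannot write outside the working directory if it is unpacked later. `build_sample_tar` constructs a small stand-in archive; the AppGroup identifier in `SHARED` and the file contents are made up.

```python
import io
import os
import plistlib
import sqlite3
import tarfile
import tempfile

# Constructed sample path inside an iOS file system image (the AppGroup id is made up).
SHARED = "private/var/mobile/Containers/Shared/AppGroup/00000000-CONSTRUCTED/"


def classify(head: bytes) -> str:
    """Identify a file from its first bytes: binary plist, SQLite, XML (plist) or unknown."""
    if head.startswith(b"bplist00"):
        return "binary plist"
    if head.startswith(b"SQLite format 3\0"):
        return "SQLite database"
    text = head.lstrip(b"\xef\xbb\xbf \t\r\n")      # tolerate a BOM / leading whitespace
    if text.startswith(b"<?xml") or text.startswith(b"<plist"):
        return "XML plist" if b"<plist" in text else "XML"
    return "unknown"


def is_safe_member(name: str) -> bool:
    """Reject absolute paths and paths that climb above the archive root (tar path traversal)."""
    norm = os.path.normpath(name)
    return not (os.path.isabs(name) or norm == ".." or norm.startswith(".." + os.sep))


def triage_tar(tar_bytes: bytes):
    """List every regular file with its detected type, reading only from memory."""
    rows = []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tar:
        for member in tar:
            if not member.isfile():
                continue                        # skip directories, symlinks, devices
            if not is_safe_member(member.name):
                rows.append((member.name, "REJECTED: unsafe path"))
                continue
            with tar.extractfile(member) as fh:
                rows.append((member.name, classify(fh.read(512))))
    return rows


def _sqlite_bytes() -> bytes:
    """Create a tiny SQLite database on disk and return its raw bytes (constructed sample)."""
    fd, path = tempfile.mkstemp(suffix=".sqlite")
    os.close(fd)
    try:
        con = sqlite3.connect(path)
        con.execute("CREATE TABLE notes (id INTEGER PRIMARY KEY, body TEXT)")
        con.execute("INSERT INTO notes (body) VALUES ('constructed sample row')")
        con.commit()
        con.close()
        with open(path, "rb") as fh:
            return fh.read()
    finally:
        os.remove(path)


def build_sample_tar() -> bytes:
    """Constructed stand-in for the TAR image produced by the toolkit."""
    files = {
        SHARED + "prefs.plist": plistlib.dumps({"lastSync": 1}, fmt=plistlib.FMT_BINARY),
        SHARED + "settings.xml": plistlib.dumps({"theme": "dark"}, fmt=plistlib.FMT_XML),
        SHARED + "notes.sqlite": _sqlite_bytes(),
        SHARED + "readme.txt": b"plain text, not one of the expected formats\n",
        "../../../tmp/escape": b"a member whose path points outside the image\n",
    }
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


if __name__ == "__main__":
    for name, kind in triage_tar(build_sample_tar()):
        print(f"{kind:24} {name}")
```

Classifying by content rather than by extension matters here because iOS apps routinely store binary plists under `.xml` or `.dat` names; the triage list tells you which viewer to open each file with before anything is written to the examiner’s disk.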
