Full File System Extraction for iOS Devices with Belkasoft Evidence Center

© Belkasoft Research

In September 2019, independent researcher axi0mX discovered and released a new iOS exploit called checkm8. The event was declared ground-breaking, because checkm8 affects hundreds of millions of Apple devices, including iPhones and iPads, and it can't be patched.

What does it mean? It means that the devices already in use are vulnerable. It is also an opportunity for digital forensic experts: Belkasoft Evidence Center now supports checkm8, so it is possible to make a full file system extraction and analyze all the retrieved data.

Why Is Checkm8-based Full File System Extraction So Cool?

This February we announced and released a new Belkasoft Evidence Center edition with support for iOS full file system extraction via the checkm8 BootROM exploit. So, what are the key benefits you get with the new Belkasoft Evidence Center edition?

1. Unpatchable Vulnerability

Apple can't fix the checkm8 exploit with an iOS update, since the vulnerability is in SecureROM, located on flash memory, which cannot be reprogrammed. The only solution for Apple is to replace the chip, which means recalling every phone that has this vulnerability. That is too expensive and impractical for any vendor. That’s why checkm8-based full file system extraction will be possible with Belkasoft Evidence Center for many years to come. And that’s why checkm8 is called a game-changer.

2. Available on Windows

All public implementations of the checkm8 exploit run on macOS and Linux operating systems only. However, our method allows using this vulnerability on computers running Windows 10.

3. Forensically Sound

Jailbreaking an analyzed device is a complex, unsafe and not quite forensically sound process. With Belkasoft Evidence Center, you do not need to jailbreak a device to create an image of the phone's memory. BEC does not leave any traces on a device and does not require access to the Internet.

4. Extraction from Locked Devices

Our new method allows you to acquire certain data from locked devices. Of course, you won't be able to acquire as much data as you can get from an unlocked device, but it is still much better than nothing.

5. Support of a Vast Range of iOS Versions

The new approach allows us to investigate iPhones from 5S to X and iOS versions 12.3-13.3.

6. Easy to Use

All you need is the device itself and the original cable. Nothing more is required. You don't even need an Apple Developer account.

Conclusion

To sum up, checkm8 turned out to be a new and disruptive feature, which has changed the iOS device market for a long time to come. The acquisition of iDevices is now easier than ever before.

The Belkasoft development team constantly monitors current digital forensics trends and turns all known device vulnerabilities to our customers’ advantage in Belkasoft Evidence Center. The benefits of the latest Belkasoft Evidence Center edition described in this article simplify the investigator’s routine. Belkasoft is one of only two vendors on the market with checkm8 support in its product, and it’s important to stress that all the features highlighted above are available at a very affordable price in comparison to our competition.

Learn more about this new feature at https://belkasoft.com/checkm8

Check the schedule for the upcoming webinars at https://belkasoft.com/webinar