Belkasoft and Checkm8!

When I first started examining smartphones (in a galaxy far, far away), there wasn’t much to it. For criminal investigations, it was more of the phone call logs and cell tower dumps that were important since not that much data was on the phones. Most phones at that time practically had no data anyway because they were just portable phones, not portable computers.

Fast forward to today and a mobile device examination can take longer and be more labor-intensive than any typical workstation examination. Plus, mobile devices have a ton of difficulties just to reach the data if you can access it all.  Considering that a mobile phone may have dozens of apps more than the user’s home computer, it is easy to be overwhelmed by the sheer amount of user data, storage capacity, and near 24/7 logged activity on the typical mobile device.

At one point of fighting to gain access to just some of the data on these portable, pocket computers, I considered never touching a smartphone again because it is nearly a field within a field of DFIR work. Actually, it pretty much is its own field, especially when it comes to iOS. The Apple iOS has been one of the most problematic OSs to access. Kudos to Apple for the security, but it surely makes forensics challenging if not impossible at times.

But! There comes the jailbreaking and now even better, Checkm8!

https://twitter.com/axi0mX/status/1177542201670168576

The point of this post is not to get into the technical weeds of accessing iOS data as there is plenty of information online that discusses this in greater detail.  To sum it up, Checkm8 was documented in 2019  as an exploit for iPhones from iPhone 4s through iPhone 8 and X, many iPads, and the Apple TV. This exploit permanently affects MILLIONS UPON MILLIONS of Apple devices in use today.

More on Checkm8 at Checkm8 .

More on Checkra1n at Checkra1n .

Using the checkm8 exploit, you can create a full file system capture if the phone is unlocked (“After First Unlock”, aka: known passcode) or a partial file system capture if the phone is locked (“Before First Unlock”, aka: no known passcode).

My week of testing Belkasoft’s support of Checkm8

I wanted to see how Belkasoft’s Checkm8 support worked in terms of ease of use and if it worked at all.  Just the option of a Windows-based forensic tool supporting Checkm8 was more than enough to be excited about.

The short answer to whether Belkasoft worked and if it was easy: Yes.  Way easy.

  1. Place the device in DFU mode.
  2. Image it.
  3. Done.

I never liked the term or methods of “jailbreaking” when capturing legal evidence. Terminology always seems to bite you when used against you. Plus, jailbreaking has its own technical problems as it relates to collecting best evidence. Checkm8 is a much better solution .

I have been using Checkm8 since reading the first blog post that I found last year, but I was doing it the hard way, and eventually the easy ways with some pricey solutions. So, with Belkasoft’s checkm8 addition, this made my day.

As far as what Belkasoft gives you with Checkm8 support, you get everything that you could hope for, as in giving you everything that you’d expect and demand of any quality tool. I don’t typically harp on the price of DFIR tools as being too expensive or reasonably priced or ‘must be free and open-source’, because usually you get what you pay for and if you need something to be done, if there is a price, you have to pay it or you don’t get the work done.

However, I will say that some tools are substantially more expensive than others yet do virtually the same thing at a lower price without sacrificing any quality. Belkasoft is one that fits in my sweet spot of price-to-value, even when compared with higher-priced tools. I’ve stated this in another post, but I like the data presentation as Belkasoft does it.  I suggest asking for a quote  and you will see what I am talking about.

Belkasoft Data Presentation

This post is not “how-to” exam evidence with Belkasoft, but I have to at least give credit to Belkasoft’s presentation and layout.  Easy to review data, easy to find artifacts, easy to search, and easy on the eyes. Many tools are going this way insofar as laying out data in a manner that can be quickly understood, and Belkasoft does well in this regard.

Case Explorer view

 

Overview

 

Open Street Maps

Summary

As far as Checkm8 and Belkasoft are concerned, If the device is supported (i.e. exploitable with Checkm8) and the device can be successfully placed in DFU mode, Belkasoft is an extremely simple and cost-effective tool to give you what we want in pulling as much iPhone data as possible. Being able to get into an iPhone with this exploit is one thing, but to do this easily is quite another.

Nice job, Belkasoft!

 

 

Written by :Brett Shavers