Page 93 - Cyber Defense eMagazine for July 2020

Why not just keep using a jailbreak?

If jailbreaks are such a great thing, why don’t we keep using them for low-level extractions? The thing is, jailbreaks bring their share of problems. First and most importantly, public jailbreaks were never meant for mobile forensics. Installing a jailbreak unnecessarily modifies the system partition (making the post-acquisition future of the device iffy). Since public jailbreaks are designed to allow running unsigned code (such as the various apps downloaded from third-party app stores), they make far more (and far deeper) modifications to the system than would be necessary for the purpose of forensic acquisition.

Finding the right jailbreak and installing it properly may also become a challenge if you are not accustomed to this sort of thing. For these and other reasons, jailbreaking may not be an option for some experts. This is where jailbreak-free acquisition comes to help.

How jailbreak-free acquisition works

In the previous chapter, I wrote that one needs low-level access to the file system in order to perform the extraction, and this still holds even if you are not going to use a jailbreak. We developed a different method for obtaining the required level of privileges on a wide range of iOS devices. Explaining the essence of the method brings us back to jailbreaking.

Essentially, a jailbreak exploits several vulnerabilities discovered in a given version of iOS or a range of iOS versions. The vulnerabilities are exploited consecutively, one after another, which makes it a chain of vulnerabilities to exploit. A jailbreak requires a number of different exploits to escape the sandbox, obtain superuser access and disable the various protections iOS has in place to prevent this sort of thing. Finally, a jailbreak opens read/write access to the system partition and patches several files in order to disable signature verification, which allows installing apps from third-party app stores that lack Apple’s approval. While this is a grand oversimplification, you get the idea: a jailbreak does a lot of things that aren’t necessary for just extracting the file system and obtaining the keychain.

A given jailbreak can be installed on a given version of iOS (or a range of iOS versions). Different jailbreaks are required to break into different versions of the system, since different exploits are required. Our method automatically detects the installed version of iOS and applies exactly those exploits that are minimally required to obtain access to the file system. To do that, one must sign and install the ‘agent’ app on the device, and then use that agent to extract the file system and decrypt the keychain. Unlike jailbreaks, the agent performs all modifications in the device’s volatile memory (RAM) without writing anything unnecessary to persistent storage. The agent does not even touch the system partition, leaving the post-acquisition device perfectly usable and updatable.

Why choose jailbreak-free extraction over jailbreaks

There are numerous advantages of agent-based extraction over jailbreaks.

1. Jailbreak-free extraction is safe. The agent does not touch the system partition, leaving the device in a clean state after the acquisition.

Copyright © 2020, Cyber Defense Magazine. All rights reserved worldwide.