±Forensic Focus Partners

Become an advertising partner

±Your Account


Username
Password

Forgotten password/username?

Site Members:

New Today: 0 Overall: 35997
New Yesterday: 1 Visitors: 116

±Follow Forensic Focus

Forensic Focus Facebook PageForensic Focus on TwitterForensic Focus LinkedIn GroupForensic Focus YouTube Channel

RSS feeds: News Forums Articles

±Latest Articles

±Latest Videos

±Latest Jobs

iOS 12.4.0 jailbroken traces BlackBag

Discussion of forensic issues related to all types of mobile phones and underlying technologies (GSM, GPRS, UMTS/3G, HSDPA, LTE, Bluetooth etc.)
Subforums: Mobile Telephone Case Law
Reply to topicReply to topic Printer Friendly Page
Forum FAQSearchView unanswered posts
 
  

TinyBrain
Senior Member
 

iOS 12.4.0 jailbroken traces BlackBag

Post Posted: Feb 15, 19 04:44

Is it possible to find jailbroken traces of iOS 12.4.0 by a BlackBag tool in an iPhone XR? We not used BlackBag before.  
 
  

passcodeunlock
Senior Member
 

Re: iOS 12.4.0 jailbroken traces BlackBag

Post Posted: Feb 15, 19 11:04

If the device is still jailbroken, yes.

If it was reset to factory reset or firmware flashed, then no.

If it was just a sideload jailbrake, it is gone after reboot.

Please reformulate your question, maybe somebody might be able to help you Smile
_________________
Apple passcode unlock + decrypted filesystem dump, Android user locks unlock + physical dump with decrypted userdata partition. We provide our services world-wide, but we reserve the right for choosing which tasks we take and which we deny! 
 
  

v.katalov
Member
 

Re: iOS 12.4.0 jailbroken traces BlackBag

Post Posted: Feb 15, 19 12:30

First, there is no iOS 12.4 version; the latest is 12.1.4 (plus 11.2 beta 1/2).

Second, not sure what do you mean mean by jailbreaking in this context. There are known vulnerabilities for versions up to 12.1.2, plus some (not available to public) exploits for 12.1.3. Right now there are two jailbreaks: unc0ver and rootlessJB, but first, they work on versions up to 12.1.2, and second, the do not support iPhone Xr yet.

Finally, as far as I know, BlackBag do not have their own tool for jailbreaking (or even file system acquisition) -- they rely on GrayKey extractions. In the meantime, GrayShift do not disclosure what modifications to the file system are being done (in theory, some traces are left, but to find them you will have to jailbreak or GrayKey tool again).  
 
  

TinyBrain
Senior Member
 

Re: iOS 12.4.0 jailbroken traces BlackBag

Post Posted: Feb 15, 19 12:35

ok, got it - my mistake iOS 12.1.4 (16D57), sorry

Its not about jailbreaking its about finding traces that the device was jailbroken. The info about sidechannel is fine. The question came up as we gave a device to Cellebrite Advanced Unlocking Services and wanted to know if they during unlocking had jailbreaking in use.  
 
  

shahartal
Member
 

Re: iOS 12.4.0 jailbroken traces BlackBag

Post Posted: Feb 15, 19 14:44

The term 'jailbreak' is actually fairly non-standard as it can mean different things.
When most people talk about a jailbreak, they talk about a public tool that removes or reduces restrictions placed by iOS. This usually installs software to the device in a detectable way.
Cellebrite uses a forensic process that avoids to any extent possible modification of the file system, and thus should not be recognizeable in post extraction analysis.  
 
  

passcodeunlock
Senior Member
 

Re: iOS 12.4.0 jailbroken traces BlackBag

Post Posted: Feb 15, 19 15:17

@tinybrain

- passcodeunlock
If it was just a sideload jailbrake, it is gone after reboot.


Whenever you got a CAS related question, the best is to ask Cellebrite, no ?! Smile

If the purpose of your post was to find out how CAS did the task, the answer is: "Good question?!" or even better "Wizardry." Smile

@shahartal

Thank you for clarifying this, some of our customers asked this question as well before...
_________________
Apple passcode unlock + decrypted filesystem dump, Android user locks unlock + physical dump with decrypted userdata partition. We provide our services world-wide, but we reserve the right for choosing which tasks we take and which we deny! 
 
  

TinyBrain
Senior Member
 

Re: iOS 12.4.0 jailbroken traces BlackBag

Post Posted: Feb 16, 19 23:22

Shahar, toda raba  
 

Page 1 of 1