
Extracting Sensitive User Data From The iPhone Root Filesystem


Digital Forensics Vendors like Cellebrite provide software products that aim to process, parse and present data to an examiner as part of a legal process. A few examples of these software products include UFED and Physical Analyser.

These tools are, understandably, licensed purely to law enforcement organisations, and they also tend to be pretty expensive. But at the core of their functionality and benefits, with consensual access to a device, what is their power? I would say parsing and visualising data.

Visualising the data stored on a device, in a useful way, is a difficult and often manual process if you don’t have access to commercial forensics tools.

Having used a variety of these software products myself, including the Cellebrite kit, Elcomsoft EIFT and XRY, I was able to get a good feel for the benefits of using these applications compared to just manually searching for content. I was also able to deduce the generally useful databases and directories that Cellebrite Physical Analyser often picked out, and found information I wouldn't otherwise have identified.

Acquiring Our rootFS Image

To start, we'll be using a macOS host for our forensic work and have a device at hand, booted with the checkra1n utility (Cydia is not a necessity, just checkra1n, so that the SSH daemon starts on the device).

To begin, we'll 'acquire' the Root Filesystem of our connected device.

To make this a little easier, there are a couple of utilities we should install first:

  • SSHPASS - "brew install esolitos/ipa/sshpass" - Allows us to pass SSH passwords into the ssh binary without typing them interactively each time (automation! 🎉)
  • iPhone Tunnel - You could alternatively use iproxy (part of libimobiledevice), but I feel that iPhone Tunnel makes it a little easier for beginners to visualise what's going on. You can pull the binary here.

iPhone Tunnel should be running with the Device Port set to 44 (this is the port the on-device SSH Daemon exposes when using checkra1n).

To pull the Root Filesystem (rootFS) from your device, I've developed a utility you can run on your Mac. You can download the utility here...

Releases · DuffyAPP-IT/iPhone-rootFS-tool
A small utility I have developed to dump the rootfs from a jailbroken device to the Mac, ready for forensic inspection. - DuffyAPP-IT/iPhone-rootFS-tool

This utility automates the process of compressing the Root Filesystem of your connected device into a TAR in the current working folder of your Mac (check your ~/ folder if you've double-clicked the binary!).

If you need a hand with this process please feel free to get in contact!

We’ll now extract the rootFS tar on our mac, which might take a few minutes. You can 'un-tar' the filesystem by either double-clicking it in Finder, or running 'tar -xvf ./FILESYSTEM.tar' in terminal.

Upon opening the extracted tar contents, you'll see a number of folders. To name a few you should see on your display right now:

  • System
  • Applications
  • Developer
  • Library

(There will be other folders - we're just verifying we’re working in the right folder)

Let's jump into some file identification...

In comparison to the commercial tools, which often present a hierarchical interface with automatically classified files, we're going to have to do a bit of work to 'classify' our files ourselves. Here are some commands you can execute in the macOS terminal to move file types into their relevant folders, ready for analysis.

To begin, we'll create some folders on our filesystem as follows...

Before starting, ensure your current working folder is that of the extracted Root Filesystem.

  • mkdir img
  • mkdir db
  • mkdir audiovideo

Using the following commands, we can find images; you can replace the extension in each command to pick out other file types if you like.

- find rootfs/ -type f -name '*.png' -exec mv -i {} img/ \;

- find rootfs/ -type f -name '*.jpg' -exec mv -i {} img/ \;

- find rootfs/ -type f -name '*.jpeg' -exec mv -i {} img/ \;

Using the above syntax with a file extension of your choice, we can begin to classify some of the files within the filesystem. This gives us a starting point for exploring the data you'll find within it.
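As an added example (not the article's rootFS tool or its commands), the same classification as a reusable script. It differs from the one-liners above in two ways a practitioner will want: it copies instead of moving, so the extracted tree is left intact as evidence, and it keeps each file's relative path, so the many same-named files on iOS (Icon.png, Cache.db, ...) do not collide as they would when dropped into one flat img/ folder with mv -i. The folder names and extension lists are assumptions for illustration.

```shell
#!/bin/sh
# Added example: classify an extracted rootFS by extension into
# DEST/CATEGORY/<relative path>, copying rather than moving.
set -eu

# classify_by_ext ROOT DEST CATEGORY EXT...
# Copies every regular file under ROOT whose extension is one of EXT...
# (case-insensitive, so .PNG matches too) to DEST/CATEGORY/<path under ROOT>.
# Echoes the number of files copied.
classify_by_ext() {
    _root=${1%/}; _dest=$2; _cat=$3; shift 3
    _count=0
    for _ext in "$@"; do
        # Paths are handed to the inner shell as arguments (never word-split),
        # so filenames containing spaces survive; "{} +" batches them.
        find "$_root" -type f -iname "*.$_ext" -exec sh -c '
            root=$1; out=$2; shift 2
            for f; do
                rel=${f#"$root"/}                  # path relative to ROOT
                mkdir -p "$(dirname "$out/$rel")"
                cp -p "$f" "$out/$rel"             # -p keeps mtime and mode
            done' sh "$_root" "$_dest/$_cat" {} +
        _count=$((_count + $(find "$_root" -type f -iname "*.$_ext" | wc -l)))
    done
    echo "$_count"
}

# classify_rootfs ROOT DEST: the three buckets used in the article.
# The db bucket also takes SQLite -wal/-shm sidecars: a database copied
# without its write-ahead log can be missing the most recent records.
classify_rootfs() {
    classify_by_ext "$1" "$2" img        png jpg jpeg heic
    classify_by_ext "$1" "$2" db         sqlite sqlitedb db sqlite-wal sqlite-shm
    classify_by_ext "$1" "$2" audiovideo mov mp4 m4a caf
}
```

Run it from the folder containing the extracted rootFS, e.g. `classify_rootfs ./rootfs ./sorted`; each call prints how many files went into that bucket.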

Filesystem Exploration - Basic Artefacts

While we can classify by file type, this often won't provide us with any specific data points from which we can derive information about the device and its owner.

There are a few plists and databases that will give us more useful data about the device, such as the user's connected accounts. Let's browse from within our root filesystem to the following file:

private/var/mobile/Library/Accounts/Accounts3.sqlite

I recommend DB Browser for SQLite when interpreting databases - it's free!

This file will contain a varying number of accounts connected to the iPhone, chiefly the iCloud account, but it can also contain other user information such as user IDs for various services, signed-in Mail accounts, etc.

Now that we have some very basic information about the user, we can browse to /var/mobile/application and extract data from user application data containers, such as documents, pictures and configurations. There are many resources online describing 'artefacts' (definitions of where specific data points can be discovered) - Mattia Epifani recently posted a reference poster containing lots of useful artefacts!

I hope this helps you jump in and get started exploring the filesystem!

Please be sure to check out my other articles where we jump into much more detail around specific concepts and third party applications!

-James