Three reasons not to throw away your old iPhone: a guide to collecting artifacts after resetting your device

25 March 2025 11 minutes Author: Lady Liberty

Learn how to recover data from an old iPhone after a factory reset. This article covers three key methods for recovering data, including exploiting the checkm8 vulnerability. Detailed instructions and tips from a digital forensics expert will help you save your important data and protect your personal information.

  • Disclaimer: All references to geographical names, files, system paths, phone numbers or other technical data that may be associated with the territory of Russia are provided solely for informational purposes in the context of a technical analysis of the device. This article is not intended to popularize, promote or recognize any aggressor state, its infrastructure or services. All examples are used to illustrate the real possibilities of digital forensics and do not carry a political or ideological connotation. The article is for informational purposes only and is not an instruction or call to commit illegal actions.

What’s interesting there?

The field of mobile forensics has accumulated significant experience in investigating incidents involving a wide range of devices, from the simplest models to complex cases where access is difficult or completely lost due to damage, locking or a factory reset. Apple smartphones, which usually have a higher level of data protection, deserve special attention.

One common scenario is the discovery of an old device that, upon activation, displays a message like “iPhone is disabled. Connect to iTunes”. In such cases, it is often believed that the data is lost forever. This is due to the fact that after entering ten incorrect passwords, the iPhone deletes the encryption keys, which makes it significantly more difficult or even impossible to recover information.

However, certain iPhone models based on A5–A11 processors (from iPhone 4S to iPhone X) contain a hardware vulnerability that allows access to the device's contents before the first unlock, in the so-called BFU (Before First Unlock) mode. The exploit for this vulnerability is called checkm8.

Despite the large number of publications describing the very possibility of accessing such devices, there is a lack of systematic information about the specific types of data that can be extracted, as well as where these artifacts are stored in the file system. This is what prompted the creation of a separate study that attempts to fill this gap.

Initial data

So, we have an iPhone 5s (A1533) whose memory is locked after 10 unsuccessful attempts to enter the password.

Using the checkm8 vulnerability, you can extract data from the keychain and file system in BFU mode. This information can be obtained using various tools: Elcomsoft iOS Forensic Toolkit, UFED 4PC, etc.

The analysis can be automated with both paid tools (for example, “Mobile Forensic Expert Plus”, “UFED Physical Analyzer”) and open-source tools (for example, “iLEAPP”). Unfortunately, they do not always process all types of data automatically, so some artifacts have to be viewed manually.

When studying the extracted data, it turns out that the researcher may have access to technical information about the device, as well as information about user accounts authorized in the system.

What is revealed to the researcher

The data available to the researcher is grouped for convenience into three blocks: mobile device artifacts, user data, and application artifacts. The content of each item will be listed in more detail.

I. Mobile Device Artifacts

1. Information about the installed iOS version and build number

It can usually be viewed in the following files:

\private\var\installd\Library\MobileInstallation\LastBuildInfo.plist

\System\Library\CoreServices\SystemVersion.plist

\private\var\mobile\Library\Preferences\com.apple.locationd.plist

The recovered mobile device was running iOS 12.4.3, build 16G130. This information is very important in the context of analyzing mobile phone artifacts, as the amount of information in the recovered data may vary depending on the OS version.

2. Device IMEI and phone number.

The information is stored in this file:

\private\var\wireless\Library\Preferences\com.apple.commcenter.device_specific_nobackup.plist

  • ReportedPhoneNumber stores information about the phone number registered in the system.

  • imei is a unique identifier for a mobile device.

  • meid is the same as IMEI, but for devices operating on CDMA networks.

  • ReportedSubscriberIdentity is the ICCID of the SIM card.

3. Device model and connection information:

\private\var\preferences\SystemConfiguration\NetworkInterfaces.plist

4. Information about setting up the Find My iPhone app:

\private\var\mobile\Library\Preferences\com.apple.icloud.findmydeviced.FMIPAccounts.plist

5. Device information, the last backup of the device on the computer, iCloud backup settings:

\private\var\root\Library\Lockdown\data_ark.plist

  • DeviceName – device name.

  • com.apple.mobile.data_sync-Contacts → AccountNames – information about syncing contacts with iCloud.

6. Information about the device backup (created locally or in iCloud), creation time, errors:

\private\var\root\Library\Preferences\com.apple.MobileBackup.plist

  • RetryAfter – The date and time when the backup can be attempted.

  • BackupIsDelayed – The date and time when the backup was delayed.

  • DrySpellFollowUpItem – The date and time when the next backup is scheduled.

  • FailureCount – The number of failed backup attempts.

7. Device update information:

\private\var\mobile\MobileSoftwareUpdate\restore.log

  • targetOSVersion – OS version to be installed.

  • deviceClass – device type.

  • storageCapacity – memory size.

  • currentOSVersion – current OS version.

  • eventTime – event time.

  • batteryLevel – battery charge level at the time of update installation.

  • deviceModel – device model.

  • result – whether the installation was successful.
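The plist artifacts in this section can be collected in one pass over the extracted file system. The following is an added example, not code from the original article or from any of the tools it names: it looks the listed keys up at any nesting depth, since the article does not say where in each plist they sit, and it tolerates missing or damaged files. The function names and the sample values are hypothetical.

```python
import plistlib
from pathlib import Path

# Plists and key names as listed in the article; paths are relative to the
# root of the extracted file system, written with forward slashes.
ARTIFACTS = {
    "private/var/wireless/Library/Preferences/"
    "com.apple.commcenter.device_specific_nobackup.plist":
        {"ReportedPhoneNumber", "imei", "meid", "ReportedSubscriberIdentity"},
    "private/var/root/Library/Preferences/com.apple.MobileBackup.plist":
        {"RetryAfter", "BackupIsDelayed", "DrySpellFollowUpItem", "FailureCount"},
}

def find_keys(node, wanted, trail=()):
    """Yield (key path, value) for each wanted key at any nesting depth."""
    if isinstance(node, dict):
        for key, value in node.items():
            if key in wanted:
                yield "/".join(trail + (key,)), value
            else:
                yield from find_keys(value, wanted, trail + (key,))
    elif isinstance(node, list):
        for index, item in enumerate(node):
            yield from find_keys(item, wanted, trail + (str(index),))

def triage(root):
    """Return {plist path: {key path: value}} for listed plists under root."""
    report = {}
    for rel, wanted in ARTIFACTS.items():
        path = Path(root) / rel
        if not path.is_file():
            continue  # a BFU extraction is partial; a missing file is normal
        try:
            with path.open("rb") as fh:
                data = plistlib.load(fh)  # accepts XML and binary plists
        except Exception as exc:  # damaged file: record it and keep going
            report[rel] = {"_error": type(exc).__name__}
            continue
        report[rel] = dict(find_keys(data, wanted))
    return report

def write_sample(root):
    """Write one constructed plist (made-up layout and values) for a dry run."""
    path = Path(root) / "private/var/root/Library/Preferences/com.apple.MobileBackup.plist"
    path.parent.mkdir(parents=True, exist_ok=True)
    sample = {"FailureCount": 3, "Constructed": {"RetryAfter": "made-up value"}}
    path.write_bytes(plistlib.dumps(sample, fmt=plistlib.FMT_BINARY))
```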

II. User-identifying data

1. Network configuration settings:

\private\var\preferences\SystemConfiguration\preferences.plist

  • Model – the device model.

  • Network → LocalHostName – the name assigned to the device on the local network, which allows other devices on that network to identify it.

  • System → ComputerName – The name that appears in the mobile phone settings in the “About this device” section.

2. Device IMEI, phone number, network settings, SIM card identifiers (ICCID, IMSI):

\private\var\wireless\Library\Preferences\com.apple.commcenter.plist

  • mdn (Mobile Directory Number) – subscriber phone number.

  • ts (Timestamp) – timestamp.

  • label-id – unique identifier that can be used to track or identify this record in the system.

3. Information about the subscriber’s location (here you can also view information about the device’s serial number):

\private\var\root\Library\Caches\locationd\consolidated.db

4. Information about SIM cards (ICCID, MSISDN) used in the device, including the dates of their last use:

\private\var\wireless\Library\Databases\CellularUsage.db

  • subscriber_id is the device’s ICCID.

  • subscriber_mdn is the mobile phone number.

  • last_update_time is the date they were used in Unix format.

5. Information about the AirDrop ID of the device:

\private\var\mobile\Library\Preferences\com.apple.sharingd.plist

6. Settings and preferences from the Settings app

Of interest here is data about the cached Apple ID user account, which may be present:

\private\var\mobile\Library\Preferences\com.apple.Preferences.plist

  • cachediCloudTitle is the username.

  • cachediCloudUsername is the email address associated with the iCloud user account.

7. Information about connected and paired Bluetooth devices:

\private\var\containers\Shared\SystemGroup\GUID\Library\Database\com.apple.MobileBluetooth.ledevices.paired.db

  • Name – The name of the device.

  • Address, ResolvedAddress – The MAC address of the device.

  • LastSeenTime and LastConnectionTime – Timestamps indicating when the device was last found and connected.

8. Information about the configuration of the Messages application:

This file may also store phone number information:

\private\var\mobile\Library\Preferences\com.apple.imservice.SMS.plist

  • DisplayName – The display name of the account.

  • LoginAs – Indicates how the user logs in. In this case, it is a phone number.

  • OnlineAccounts, ActiveAccounts, Status – Information about the account ID.

9. Information about Wi-Fi points to which the device has previously connected:

\private\var\preferences\SystemConfiguration\com.apple.wifi.plist

  • SSID_STR is the network name.

  • lastUpdated is the date and time the information was last updated.

  • BSSID is the MAC address of the access point.

10. Information about the user’s selected contacts:

\private\var\mobile\Library\Preferences\com.apple.mobilephone.speeddial.plist

  • Name – the name of the contact from the address book.

  • ABDatabaseUUID – the unique identifier of the record.

  • Value – the phone number of the contact.

11. Information about user accounts in the FaceTime application:

\private\var\mobile\Library\Preferences\com.apple.conference.plist

  • phoneNumberRegistrationSubscriptionLabel – unique identifier.

  • registration.savedAccountName — saved account name.

12. Information about blocked user contacts:

\private\var\mobile\Library\Preferences\com.apple.cmfsyncagent.plist

  • _kCMFItemPhoneNumberCountryCodeKey — country code.

  • _kCMFItemPhoneNumberUnformattedKey — phone number.

13. Information about accounts used on your device (iCloud, Apple ID, and others):

\private\var\mobile\Library\Accounts\Accounts3.sqlite

14. Information about the iCloud account used in Home Sharing

Home Sharing is a feature available on Apple devices that allows users to share their media library (music, movies, TV shows, etc.) with other devices on the same network:

\private\var\mobile\Library\Preferences\com.apple.homesharing.plist

  • homeSharingAppleID is the Apple ID used for Home Sharing.

  • homeSharingGroupID is the group ID for Home Sharing.

15. Information about cached Apple ID user authentication statuses

This file can be used to retrieve information about when apps like iMessage, FaceTime first established communication with other registered Apple ID devices:

\private\var\mobile\Library\Preferences\com.apple.identityservices.idstatuscache.plist

However, this does not necessarily confirm the fact that a dialogue between users took place: when creating draft messages and subsequently deleting a message, the user’s Apple ID is authenticated, and this data is filled in the plist file.

  • tel – phone number.

  • LookupDate – search date.

To check whether a device has been infected with the Pegasus spyware, this plist file is often analyzed: https://github.com/AmnestyTech/investigations/tree/master/2021-07-18_nso. However, it is worth considering that starting with iOS 14.7.0, user authentication information is not included in this file.
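The check described above can be sketched as follows. This is an added example, not code from the original article or from the linked repository. It assumes the plist maps a service name to entries keyed by `tel:` or `mailto:` identifiers and that LookupDate is stored as seconds since 2001-01-01 UTC; the function names, sample data and indicator list are constructed. As the article notes, a match shows only that a lookup happened, not that a conversation took place.

```python
import plistlib
from datetime import datetime, timedelta, timezone

# Assumption: LookupDate is seconds since 2001-01-01 UTC (Apple absolute time).
APPLE_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)

def parse_idstatuscache(raw):
    """Return sorted (lookup time, service, identifier) rows from plist bytes.

    Assumed layout: {service: {"tel:..." or "mailto:...": {"LookupDate": n}}}.
    """
    rows = []
    for service, entries in plistlib.loads(raw).items():
        if not isinstance(entries, dict):
            continue
        for identifier, meta in entries.items():
            stamp = meta.get("LookupDate") if isinstance(meta, dict) else None
            if isinstance(stamp, (int, float)):
                when = APPLE_EPOCH + timedelta(seconds=stamp)
                rows.append((when, service, identifier))
    return sorted(rows)

def flag_known(rows, indicators):
    """Return rows whose identifier, minus its tel:/mailto: prefix, is listed."""
    wanted = {i.strip().lower() for i in indicators}
    return [r for r in rows if r[2].split(":", 1)[-1].lower() in wanted]

# Constructed sample: the identifiers and timestamps are made up.
SAMPLE = plistlib.dumps({
    "com.apple.madrid": {
        "tel:+15550100": {"LookupDate": 600000000.0, "IDStatus": 1},
        "mailto:unknown.sender@example.com": {"LookupDate": 600086400.0},
    },
    "com.apple.ess": {"mailto:friend@example.org": {"LookupDate": 599000000}},
})
# Constructed indicator list; real values come from a published indicator set.
INDICATORS = ["unknown.sender@example.com"]
```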

16. The keychain file contains information about user accounts that is also important for investigation

It is worth noting that the user's keychain is encrypted. To analyze it, the contents must be decrypted.

III. Applications used

1. Information about the user’s important contacts in the Mail application on iOS:

\private\var\mobile\Library\Mail\VIPs.plist

  • EmailAddresses — mailbox information of a particularly important contact.

2. A very interesting directory \private\var\mobile\Library\Logs with various device log files:

The file \private\var\mobile\Library\Logs\mobileactivationd\mobileactivationd.log contains information about the device activation process, including successful and unsuccessful activation attempts, timestamps.

The \private\var\mobile\Library\Logs\CrashReporter directory contains crash report files. These files are created by the system when an application unexpectedly terminates or encounters an error.

The files located in the \private\var\mobile\Library\Logs\CrashReporter\WiFi\WiFiManager directory store information about Wi-Fi management component failures.

From these files, you can obtain information about the geolocation of the Wi-Fi point and the approximate location of the device during a specified period of time.

3. The log \private\var\installd\Library\Logs\MobileInstallation\mobile_installation.log contains information about the installation of applications:

In it you can find records of the process of installing, updating, and uninstalling programs.

4. Information about permissions for applications: access to camera, microphone, location, contacts:

\private\var\mobile\Library\TCC\TCC.db

  • service – permission type.

  • client – application.
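For the SQLite artifacts (CellularUsage.db in section II and TCC.db here), the article names columns but not tables, and schemas differ between iOS versions. The following added example, which is not code from the original article, finds whichever table holds the named columns and returns the values exactly as stored. The function names and the sample database are hypothetical, and the script is meant to be run against a working copy of the evidence file.

```python
import sqlite3
from pathlib import Path

# Column names the article lists for each database.
WANTED = {
    "CellularUsage.db": ("subscriber_id", "subscriber_mdn", "last_update_time"),
    "TCC.db": ("service", "client"),
}

def dump_columns(db_path, columns):
    """Return {table: [row dicts]} for every table holding all the columns."""
    # Open the working copy read-only so the queries cannot modify it.
    uri = Path(db_path).resolve().as_uri() + "?mode=ro"
    con = sqlite3.connect(uri, uri=True)
    con.row_factory = sqlite3.Row
    found = {}
    try:
        names = [r["name"] for r in con.execute(
            "SELECT name FROM sqlite_master WHERE type = 'table'")]
        for table in names:
            quoted = '"' + table.replace('"', '""') + '"'
            have = {r["name"] for r in con.execute(f"PRAGMA table_info({quoted})")}
            if set(columns) <= have:
                cols = ", ".join(f'"{c}"' for c in columns)
                found[table] = [dict(r) for r in
                                con.execute(f"SELECT {cols} FROM {quoted}")]
    finally:
        con.close()
    return found

def write_sample(db_path):
    """Create a constructed database (made-up table names and row) for a dry run."""
    con = sqlite3.connect(db_path)
    con.execute("CREATE TABLE sample_subscribers (subscriber_id TEXT, "
                "subscriber_mdn TEXT, last_update_time INTEGER, slot INTEGER)")
    con.execute("CREATE TABLE unrelated (id INTEGER)")
    con.execute("INSERT INTO sample_subscribers VALUES "
                "('8900000000000000001', '+15550100', 1575000000, 1)")
    con.commit()
    con.close()
```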

5. Information about applications that use geolocation services:

\private\var\root\Library\Caches\locationd\clients.plist

  • ru.yandex.mobile.search – the application package identifier.

  • ReceivingLocationInformationTimeStopped – the time when receiving location information was stopped.

6. A very interesting directory with all installed applications, \private\var\mobile\Containers\Data\Application:

A subdirectory with the WhatsApp GUID was found in this directory. It contains a subdirectory \Library\Logs with information about the application version change (from 2.19.51 to 2.19.120), the user’s phone number, and the time of sending and receiving messages (without the text of the messages themselves).

The \Library\Caches\ChatMedia subdirectory contains folders with the phone numbers of subscribers with whom the user exchanged media files.

The file

\private\var\mobile\Library\Assistant\CustomVocabulary\net.whatsapp.WhatsApp\0000000000000000000000000000000000000000\ContactGroupNameType\sentVocabulary.

contains cached information about group names in the WhatsApp application.

The file \private\var\mobile\Containers\Data\Application\GUID Telegram\Library\SyncedPreferences\ph.telegra.Telegraph.plist stores account information (phone number used) in the Telegram messenger.

The directory \private\var\mobile\Containers\Data\Application\GUID Webkit\Library\WebKit\WebsiteData contained Safari web content data, from which information about the resources the user visited was obtained.

7. An interesting directory is \private\var\mobile\Media, which is used to store media files and other user data:

In this directory, I found the file \Downloads\downloads.28.sqlitedb with information about the downloaded files (file type, link to the resource from which the download was made).

The Purchases directory stores the contents of files. In our case, it’s an audio file and an album cover in JPEG format.

8. The Recordings directory contains subdirectories indicating the date and time the audio recording was created in the Voice Recorder application.

Conclusions

Even if an iPhone has been locked after ten failed passcode attempts, in some cases it is still possible to access important information. This data can be valuable not only to the device owner, but also as part of forensic investigations. However, the amount of information available depends on a number of factors: what version of iOS is installed, whether there are hardware vulnerabilities, which applications are installed and what versions of them.

This means that no list of potential artifacts will be completely exhaustive – each case is individual.

To make it easier for you to understand what exactly can be extracted from a device that is in the “iPhone is disabled. Connect to iTunes” state, I have prepared a detailed table with all the artifacts found during the investigation.
