iOS Triage

Bash script to extract data from a "checkra1ned" iOS device

Developed and tested on Mac OS X Mojave (10.14.6)

Mandatory Requirements

  • checkra1n (https://checkra.in/)
  • libimobiledevice (https://www.libimobiledevice.org/)
  • SSHPASS for Mac OS X (https://gist.github.com/arunoda/7790979)
  • dialog for Mac OS X (http://macappstore.org/dialog/)

Optional Requirements

  • python3 (https://www.python.org/downloads/)
  • sysdiagnose scripts (https://github.com/cheeky4n6monkey/iOS_sysdiagnose_forensic_scripts)
  • APOLLO (https://github.com/mac4n6/APOLLO)
  • iOS Mobile Installation Logs Parser (https://github.com/abrignoni/iOS-Mobile-Installation-Logs-Parser)

How to use it

  • Jailbreak an iOS device with checkra1n
  • Open a terminal and execute "sudo iproxy 22 44"
  • Open a new terminal, execute "ssh root@localhost" and add localhost to the list of known hosts
  • Download the script to the folder where you want to save the extraction (e.g. Desktop)
  • Make the script executable (chmod +x ios_bfu_triage.sh)
  • Execute the script and follow the instructions
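
A pre-flight check for the setup steps above, as an added example that is not part of the ios_triage script: it confirms the mandatory tools are on PATH, that something is listening on local port 22 (the iproxy forward), and that localhost has a known_hosts entry. The function names, the `check` argument and the default known_hosts path are assumptions of this example.

```shell
#!/usr/bin/env bash
# Added example: verifies the setup before running ios_bfu_triage.sh.

# Print each command from the argument list that is not on PATH.
missing_tools() {
    local tool
    for tool in "$@"; do
        command -v "$tool" >/dev/null 2>&1 || printf '%s\n' "$tool"
    done
}

# Succeed if host $1 has an entry in known_hosts file $2.
# ssh-keygen -F also matches hashed entries, which grep would miss.
host_is_known() {
    ssh-keygen -F "$1" -f "$2" >/dev/null 2>&1
}

# Succeed if something accepts TCP connections on 127.0.0.1:$1.
# Uses bash's /dev/tcp; it cannot tell iproxy apart from a local sshd.
port_is_open() {
    (exec 3<>"/dev/tcp/127.0.0.1/$1") 2>/dev/null
}

preflight() {
    local rc=0 missing
    missing=$(missing_tools iproxy ssh sshpass dialog)
    if [ -n "$missing" ]; then
        echo "Missing mandatory tools:" $missing >&2
        rc=1
    fi
    if ! port_is_open 22; then
        echo "Nothing listening on localhost:22; is 'sudo iproxy 22 44' running?" >&2
        rc=1
    fi
    # Assumption: the default per-user known_hosts location is in use.
    if ! host_is_known localhost "$HOME/.ssh/known_hosts"; then
        echo "localhost is not in known_hosts; run 'ssh root@localhost' once" >&2
        rc=1
    fi
    return $rc
}

# Run as: ./preflight.sh check
case "${1:-}" in
    check) preflight && echo "Ready to run ios_bfu_triage.sh" ;;
esac
```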

Version 0.1 [5/12/2019] First release

Version 0.2 [6/12/2019] Changed the output folder name to the device UDID instead of the device NAME

Version 1.0 [23/12/2019] For detailed instructions read this: Checkra1n Era - Ep 5 - Automating extraction and processing (aka "Merry Xmas!") (https://blog.digital-forensics.it/2019/12/checkra1n-era-ep-5-automating.html)

Version 2.0 [5/6/2020]

  • Improved direct extraction and processing with APOLLO, iLEAPP and sysdiagnose
  • Improved "find" function