iOS 13 Images….ImageS…Now Available!

****UPDATE.  PLEASE READ****

It was discovered there was an issue with the original .tar files containing both images.  After a little additional testing, I was able to confirm the .tar files were not behaving correctly, which prevented them from being completely parsed.  But, they do contain the data.  They have now been fixed and can be easily imported into most tools, or extracted and examined manually.  If you downloaded the images before 2020-04-20 at 12:15 UTC, please re-download them to get the updated versions.

Since the original .tar files do contain the data, you can extract the files using a terminal window in macOS or Linux if you do not feel like re-downloading.  The following command can be used:

tar -xpf NameOfTheTarFile -C NameofDirectoryToPutNewFile

For example:  tar -xpf myTarFile.tar -C /Users/JoshHickman/MyDirectory/

This will not work on Windows.  Some of the structure contains file names/sym links that prevent Windows from writing the files to disk.  Once extracted, you can point your tool of choice at the newly created folder, or you can manually inspect the file structure.
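Added example (not part of the original post or the image documentation): a Python script that lists which members of a .tar would block a straight extraction on Windows, checking for symlinks, the standard Win32 file-name restrictions, and names that differ only by case. The archive it scans is constructed in memory with made-up member names, and `windows_problems` and `build_sample_tar` are hypothetical helper names; pass the path of a real .tar to `windows_problems()` to check an actual extraction.

```python
import io
import re
import tarfile
from collections import defaultdict

# Win32 file-name restrictions: reserved characters and DOS device names.
RESERVED_CHARS = re.compile(r'[<>:"|?*\\\x00-\x1f]')
RESERVED_NAMES = {"CON", "PRN", "AUX", "NUL"} | {
    f"{dev}{i}" for dev in ("COM", "LPT") for i in range(1, 10)}


def windows_problems(source):
    """Map each member Windows cannot write as-is to a list of reasons."""
    tar = tarfile.open(fileobj=source) if hasattr(source, "read") else tarfile.open(source)
    problems, seen = defaultdict(list), {}  # seen: case-folded path -> first spelling
    with tar:
        for m in tar:
            if m.issym():
                problems[m.name].append("symlink")
            for part in m.name.strip("/").split("/"):
                if RESERVED_CHARS.search(part):
                    problems[m.name].append("reserved character")
                if part not in (".", "..") and part.endswith((".", " ")):
                    problems[m.name].append("trailing dot/space")
                if part.split(".")[0].upper() in RESERVED_NAMES:
                    problems[m.name].append("reserved device name")
            # A case-insensitive file system would overwrite the first file.
            first = seen.setdefault(m.name.casefold(), m.name)
            if first != m.name:
                problems[m.name].append(f"case collision with {first}")
    return dict(problems)


def build_sample_tar():
    """Constructed in-memory archive; the member names are made up."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name in ("private/var/Notes.db", "private/var/notes.db",
                     "private/var/cache:1", "private/var/aux.plist"):
            tar.addfile(tarfile.TarInfo(name), io.BytesIO(b""))
        link = tarfile.TarInfo("private/etc")
        link.type, link.linkname = tarfile.SYMTYPE, "var/etc"
        tar.addfile(link)
    buf.seek(0)
    return buf


if __name__ == "__main__":
    for name, reasons in windows_problems(build_sample_tar()).items():
        print(name, "->", ", ".join(reasons))
```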

The updated hash values are listed at the end of the post.  Sorry for any inconvenience.  😦

Original Post

Since everyone is at home a little more these days, myself included, I thought I would create two iOS 13 images, both of which are now available for download.  The images were created using an iPhone SE which was jailbroken just prior to extraction using checkra1n.  The first image is of iOS 13.3.1, and there are quite a few apps with user-generated data in them:

Burner
Discord
Dust
Facebook Messenger
Facebook Messenger for Kids (deleted – no activity, unfortunately)
Firefox Focus
Fitbit (and an associated wearable)
Houseparty
Imgur
imo
Instagram
Line
MeWe
Onion Browser
Proton Mail
Reddit
Signal
Silent Phone
Skout
Skype
Snapchat
Spotify
Sync Solver
Telegram
TextNow
Threads (by Instagram)
Tik Tok
Tutanota
Twitter
Venmo
Viber
WhatsApp
Wickr Me
Wire
Zoom

The second image is of 13.4.1.  She may not remember it, but Jessica Hyde (@B1N2H3X) gave me this idea a while back.  I thought it would be neat to see what happens to existing data after an iOS dot update, so I left the data from 13.3.1 on the phone, updated to 13.4.1, generated a bit more data, and performed another extraction.  There are additional apps, too:

CoverMe
KeepSafe
Photo Vault

These apps are in addition to the stock apps/functionality inherent in iOS.  Additionally, there is Apple Watch data, some AirPods (regular and Pro), a HomePod (with a small bit of associated HomeKit data), and a car (CarPlay).

Each image also comes with its own encrypted iTunes backup (password is included in the documentation), its own set of Sysdiagnose logs, and a lot of documentation.  All of the components for each image are contained within their own respective zip file.

Please note the images and related materials are hosted by Digital Corpora.  You can find everything here.

Quite a few of the apps/functionalities in these images came from ideas from the Ctrl+Alt+Del talk, so thank you to everyone who provided suggestions!

Enjoy!

iOS 13.3.1 Extraction.zip
MD5: 6641ce1395d392661921cb0ca321e4b7
SHA1: a35a877151b11d851e1f6d2fdee1918e071ff572
SHA256: f194e8bbfb950a5a31d5308e8131a14ec602f12d6a3d9f2841d15f47d34b2643

iOS 13.4.1 Extraction.zip
MD5: 4e094801ba1e3b938b2c0cc18d0e0d1d
SHA1: aa1d6ef543d3fdcc22e700c4e88602f24d012186
SHA256: 761854a669c38da6ac0a908afe77763d54ccb83044ff123350890d408c154551

 

 

9 thoughts on “iOS 13 Images….ImageS…Now Available!”

  1. This is extremely useful, thank you! – Do you know of any sites/resources with something similar to the above but for older versions of iOS?


  2. Thank you for this. I tried using Cellebrite Reader and Autopsy to analyze the .zip files but I was unable to do so. Could you please offer me some coaching advice?


  3. Hi Scott. You’ll need to be a bit more specific about which .zip file. If you’re referring to the .zip file you downloaded, then neither tool will work against it. That file contains multiple files in it that are part of an overall package, including documentation about the extraction itself. You’ll need to unzip the file you downloaded, and then point your tool(s) at the .tar file in the “Extraction” folder. I am not sure if Cellebrite Reader will work against the extraction, though. Reader is designed to read output from Cellebrite Physical Analyzer, i.e. an extraction that has been parsed by Physical Analyzer. The .tar file is a raw extraction, i.e. it has not been parsed by any tool(s). Hope this helps.


  4. Hi John. Unfortunately, I am not aware of any site offering anything older. You could always check Digital Corpora, AboutDFIR.com, or dfir.training.


  5. Thanks for confirming that Cellebrite Reader won’t work well. Do you have any suggestions for an open source tool (on Windows) that can handle these .TAR packages? Some tools out there for handling .TAR are for Android, so I’ve been looking around without much luck, as I’d like to use this for practice.

    Much appreciated and, again, thank you for doing this.

