****UPDATE. PLEASE READ****
It was discovered there was an issue with the original .tar files containing both images. After a little additional testing, I was able to confirm the .tar files were not behaving correctly, which prevented them from being completely parsed. But, they do contain the data. They have now been fixed and can be easily imported into most tools, or extracted and examined manually. If you downloaded the images before 2020-04-20 at 12:15 UTC, please re-download them to get the updated versions.
Since the original .tar files do contain the data, you can extract the files using a terminal window in macOS or Linux if you do not feel like re-downloading. The following command can be used:
tar -xpf NameOfTheTarFile -C NameofDirectoryToPutNewFile
For example: tar -xpf myTarFile.tar -C /Users/JoshHickman/MyDirectory/
This will not work on Windows. Some of the structure contains file names/sym links that prevent Windows from writing the files to disk. Once extracted, you can point your tool of choice at the newly created folder, or you can manually inspect the file structure.
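The following is an added example, not part of the original post: it lists the members of an extraction .tar that Windows would refuse to write to disk, and reads a file straight from the archive without extracting it. The specific name checks are the standard Win32 naming restrictions, assumed here to be what blocks extraction; the sample archive, its file names, and the helper function names are constructed for illustration.

```python
import io
import re
import tarfile

# Win32 naming restrictions (assumed cause of the extraction failures on Windows).
WIN_BAD_CHARS = re.compile(r'[<>:"|?*\x00-\x1f]')
WIN_RESERVED = re.compile(r'^(CON|PRN|AUX|NUL|COM[1-9]|LPT[1-9])(\..*)?$', re.I)

def windows_problems(member):
    """Return the reasons a tar member cannot be written as-is on Windows."""
    reasons = set()
    if member.issym() or member.islnk():
        reasons.add("link")
    for part in member.name.split("/"):
        if WIN_BAD_CHARS.search(part):
            reasons.add("illegal character")
        elif WIN_RESERVED.match(part):
            reasons.add("reserved name")
        elif part not in ("", ".", "..") and part[-1] in ". ":
            reasons.add("trailing dot or space")
    return sorted(reasons)

def audit(tar):
    """Map member name -> reasons, only for members Windows would reject."""
    return {m.name: r for m in tar if (r := windows_problems(m))}

def read_member(tar, name):
    """Read a regular file's bytes from the archive without writing to disk."""
    member = tar.getmember(name)
    return tar.extractfile(member).read() if member.isfile() else None

def build_sample():
    """Constructed in-memory archive standing in for an extraction .tar."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in [("fs/app/data.db", b"sqlite"), ("fs/app/thumb:1.jpg", b"jpg")]:
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
        link = tarfile.TarInfo("fs/tmp")      # symlink entry, no file content
        link.type = tarfile.SYMTYPE
        link.linkname = "private/tmp"
        tar.addfile(link)
    return io.BytesIO(buf.getvalue())

if __name__ == "__main__":
    with tarfile.open(fileobj=build_sample()) as tar:
        for name, reasons in audit(tar).items():
            print(f"{name}: {', '.join(reasons)}")
```

To run it against a real archive, replace `tarfile.open(fileobj=build_sample())` with `tarfile.open("myTarFile.tar")`.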
The updated hash values are listed at the end of the post. Sorry for any inconvenience. 🙁
Since everyone is at home a little more these days, myself included, I thought I would create two iOS 13 images, both of which are now available for download. The images were created using an iPhone SE which was jailbroken just prior to extraction using checkra1n. The first image is of iOS 13.3.1, and there are quite a few apps with user-generated data in them:
Facebook Messenger for Kids (deleted – no activity, unfortunately)
Fitbit (and an associated wearable)
Threads (by Instagram)
The second image is of 13.4.1. She may not remember it, but Jessica Hyde (@B1N2H3X) gave me this idea a while back. I thought it would be neat to see what happens to existing data after an iOS dot update, so I left the data from 13.3.1 on the phone, updated to 13.4.1, generated a bit more data, and performed another extraction. There are additional apps, too:
These apps are in addition to the stock apps/functionality inherent in iOS. Additionally, there is AppleWatch data, some AirPods (regular and Pro), a HomePod (with a small bit of associated HomeKit data), and a car (CarPlay).
Each image also comes with its own encrypted iTunes backup (password is included in the documentation), its own set of Sysdiagnose logs, and a lot of documentation. All of the components for each image are contained within their own respective zip file.
Please note the images and related materials are hosted by Digital Corpora. You can find everything here.
Quite a few of the apps/functionalities in these images came from ideas from the Ctrl+Alt+Del talk, so thank you to everyone who provided suggestions!
iOS 13.3.1 Extraction.zip
iOS 13.4.1 Extraction.zip
14 thoughts on “iOS 13 Images….ImageS…Now Available!”
Scott, there are two open-source tools that currently support a .tar file of an iOS extraction. Alexis Brignoni has iLEAPP (https://github.com/abrignoni) and Ian Whiffin has ArtEx (http://www.doubleblak.com). I have personally tested both and find they are extremely well done, and both authors regularly maintain/update/enhance them.
Thanks for confirming that Cellebrite reader won’t work well. Do you have any suggestions for an open source tool (on Windows) that can handle these .TAR packages? Some tools out there for handling .TAR are for Android so I’ve been looking around without much luck as I’d like to use this for practice.
Much appreciated and, again, thank you for doing this.
Hi John. Unfortunately, I am not aware of any site offering anything older. You could always check Digital Corpora, AboutDFIR.com, or dfir.training.
Hi Scott. You’ll need to be a bit more specific about which .zip file. If you’re referring to the .zip file you downloaded, then neither tool will work against it. That file contains multiple files in it that are part of an overall package, including documentation about the extraction itself. You’ll need to unzip the file you downloaded, and then point your tool(s) at the .tar file in the “Extraction” folder. I am not sure if Cellebrite Reader will work against the extraction, though. Reader is designed to read output from Cellebrite Physical Analyzer, i.e. an extraction that has been parsed by Physical Analyzer. The .tar file is a raw extraction, i.e. it has not been parsed by any tool(s). Hope this helps.
Thank you for this. I tried using Cellebrite Reader and Autopsy to analyze the .zip files but I was unable to do so. Could you please offer me some coaching advice?
This is extremely useful, thank you! – Do you know of any sites/resources similar to the above but with older versions of iOS?
Thank you for sharing them. 🙂
Thank you for your contribution.