0:00
what's going on youtube geosn0w here so in
0:02
today's video we're talking about some
0:04
achievements done by elcomsoft in terms
0:06
of ios 15 and of course the file system
0:08
and stuff like that now many people ask
0:10
me if this can be used for checkra1n
0:12
so this is what we're going to clarify
0:13
in this video but first the fine people
0:15
here on your screen right now help make
0:17
these videos possible so checkra1n you
0:19
probably know the problem with
0:21
checkra1n it doesn't support ios 15 for the
0:23
moment and there is one reason only the
0:26
file system being sealed we have
0:28
absolutely everything we need in order
0:29
to make checkra1n work on all ios 15
0:32
versions except for that and while i'm
0:34
sure that is being worked by the
0:35
checkra1n team in the background it
0:37
probably still will take time before we
0:39
get into today's news with elcomsoft
0:41
and stuff like that what exactly is
0:43
wrong with the file system and
0:45
checkra1n you see when apple created ios 15
0:47
they actually introduced a brand new
0:49
measure in place so that the file system
0:52
itself is completely sealed and if you
0:54
try to modify it in any way for example
0:56
to install cydia or the jailbreak
0:57
binaries things will not be good the
1:00
device will refuse to boot and stuff
1:01
like that while checkra1n does have an
1:03
exploit to be able to create a jailbreak
1:05
that still hasn't been patched they
1:07
can't really do that on older devices
1:09
the new sealed file system has been an
1:12
issue now that problem actually applies
1:14
to unc0ver as well even if they get an
1:15
exploit they would have to overcome this
1:17
issue as well so you probably imagine
1:20
it's an important thing to do in our
1:21
community now in the past couple of days
1:23
there have been some news coming from
1:25
elcomsoft elcomsoft being a company that
1:27
specializes in data recovery and
1:29
forensics and stuff like that and they
1:31
do have ios tools now these people are
1:33
actually great at what they do they do
1:36
pretty good tools in order to get data
1:38
from devices and you know extract the
1:40
whole file system which contains
1:41
everything including your photos and
1:43
music and whatever recently they posted
1:45
this quote full file system acquisition
1:48
on apple a11 to a13 which is iphone 8 10
1:52
xr and se se11 running ios 15 is
1:55
coming and they posted a picture with
1:57
what seems to be their toolkit their
1:59
tool in here which definitely shows the
2:01
device connected and the file system
2:03
being imaged which is usually something
2:05
you do for forensic purposes if you want
2:07
to examine what was on a device what
2:09
content a device had you probably know
2:11
ios devices are particularly hard to get
2:14
this content from because they usually
2:16
are encrypted by the sep or secure
2:18
enclave processor which uses your
2:20
passcode in order to generate a key and
2:22
stuff and face id and whatever so it's
2:24
not an easy feat but then they also
2:26
posted this iphone 10 keychain and full
2:29
file system acquisition is also coming
2:31
supporting ios from 11 to 15.3 which by
2:34
the way at the moment 15.3 as you can
2:37
see on my website idevicecentral.com is
2:39
the latest version available and the
2:41
only version signed aside from the beta
2:43
by the way ios 15.2 beta is still signed
2:46
should probably save the blobs for that
2:47
so they posted this a picture with their
2:50
tool again and they do get the file
2:52
systems and everything that is necessary
2:54
in there including the baseband data the
2:56
system partition the data partition
2:58
which is basically the var partition
2:59
containing all the user data and they
3:01
also get the keybags they seem to
3:04
unlock by booting sep or secure enclave
3:06
processor that's actually interesting
3:08
and pretty pretty hard to do even with
3:10
checkm8 which is the exploit behind
3:12
checkra1n right here it's what powers
3:14
checkra1n in the first place this is
3:16
still hard to do you still need a lot of
3:17
research to do that especially the sep
3:19
part so what they did in here is legit
3:21
and what they did in here is actually
3:23
quite great now can this research be
3:26
used for checkra1n maybe but not for
3:28
remounts i don't believe that this is a
3:30
remount because they do not have to
3:32
remount anything in here you can see
3:34
exactly what kind of mounts they have
3:36
now for what they need to do which is
3:38
forensics they do not need to write
3:39
anything to the device that will be
3:41
destructive to the data they try to
3:43
actually harvest from the device what
3:45
they need to do is to image it to
3:46
extract the data which is read only so
3:48
can this be used for checkra1n yes and
3:51
no the underlying research behind it
3:53
could probably be used by the checkra1n
3:55
team to better understand what's going
3:57
on they already know what's going on and
3:59
they are already working on this do keep
4:01
in mind that many of the checkra1n
4:03
team members are actually students they
4:05
do have exams finals whatever and for
4:08
many of them it's been a pretty busy
4:09
couple of months because of the finals
4:11
and stuff like that so once they get a
4:13
little bit more free time they will
4:14
probably start working on this now i do
4:16
believe that this is 100 percent doable
4:19
they can't do it and they have a couple
4:21
of ideas i think somebody on the
4:23
checkra1n team posted back in december
4:25
that they do have an idea on how to do
4:27
this with bind mounts which is actually
4:29
a pretty clever idea so they will
4:31
release checkra1n for ios 15. it's
4:33
definitely coming however contrary to
4:35
what you've probably seen on other
4:37
videos about the elcomsoft research it's
4:39
probably not that important to
4:41
checkra1n as it may look i'm not trying to
4:43
make these people look bad or anything
4:45
what they do is extremely hard to do and
4:48
pretty great extracting data from an
4:49
iphone especially by involving sep and
4:51
stuff like that is not an easy task but
4:54
it's not related to checkra1n in any
4:56
way other than the fact that they use
4:57
checkm8 in the background elcomsoft
5:00
builds you know ios forensic tools and
5:02
stuff like that for dfir they do not
5:04
build jailbreaks which is an important
5:06
distinction so yes do not lose hope for
5:09
checkra1n on ios 15 it's definitely coming
5:11
the only problem we have to overcome
5:12
with checkra1n on ios 15 is the sealed
5:15
file system which can definitely be done
5:17
so thank you for watching geosn0w till
5:19
the next time subscribe to stay updated