Let’s all take a moment and reflect – we have come so far. We have been locked out of non-tethered jailbreaks on iOS devices for almost a decade! November of 2019 changed that for us when checkra1n, the first public jailbreak leveraging the checkm8 exploit was released. Now everyone, not just LE, can get a full file system extraction from an iOS device. Based on the current state of iOS forensics, a jailbreak may be your only way to access third-party application files of interest. More on this topic will be covered in detail in Section 5.

You need to be aware in the chance that you stumble upon a device that was previously jailbroken. Determining if the iPhone you have was previously jailbroken can be as simple as viewing the extraction log from your smartphone forensic tool or by manually verifying the settings in the System partition. However, don’t expect your tool to always be correct. Jailbreaks have changed over the last decade and most tools are most likely leveraging checkra1n.