Apple TV and Apple Watch Forensics 01: Acquisition – AppleTV 4 Jailbreak (appletv4jailbreak.com)
While the iPhone is Apple’s bread-and-butter product, it is not the only device produced by the company. There is the Mac (in desktop and laptop variations), the complete range of tablets (the iPad line, which is arguably the best tablet range on the market), the music device (HomePod), the wearable (Apple Watch), and the Apple TV. In today’s article, we are going to cover data extraction from Apple TV and Apple Watch. They contain tons of valuable data, and are often the only source of evidence.
Acquisition Methods
Generally speaking, there are only three data extraction methods available for the range of Apple devices. Logical extraction (the backup, media files, shared files, crash logs and diagnostic logs) is the most straightforward, albeit somewhat limited, method. File system acquisition, while available for some specific devices and OS versions, is the most difficult yet the most advanced method. Cloud acquisition, with access to information backed up or synced from all devices sharing the same Apple ID, is great, but requires the correct login credentials. Each of these methods produces a different set of data that partly overlaps with the others, so we recommend using all of them if you can. The same rules apply to Apple Watch and Apple TV.
Apple TV
There are two versions of Apple TV we’ll be discussing here: the Apple TV 4 (recently rebranded Apple TV HD) and Apple TV 4K, the company’s latest effort. From our standpoint, the major difference between the two devices is the USB port. While the Apple TV 4 (Apple TV HD) offers a USB Type-C port on the back, the newer Apple TV 4K lacks USB connectivity. The lack of USB connectivity on the newer device requires using specific hardware (a macOS-based desktop or laptop) and software (Xcode) to connect.
Apple TV acquisition is similar to iPhone acquisition except for one thing: there is no backup service on Apple TV. This in turn means that logical acquisition is limited to extracting media files via the AFC protocol. This could be quite a lot of data, as most Apple TV units have iCloud Photos enabled.
There is also good news. First, the Apple TV cannot be protected with a passcode, and there is no need to pair it with a computer in order to extract data. Second, jailbreaks exist for many versions of tvOS, meaning you can capture an image of the file system and decrypt the keychain.
Before you install a jailbreak, make sure to use the other methods first, such as extracting media files (Photos.sqlite can be pretty useful, as it may contain some information on files that are NOT on that Apple TV).
What about the Apple TV jailbreak? You have a choice of at least the following tools covering tvOS 10 through 12.1.1:
ChimeraTV
tvOS 12.0 – 12.1.1
https://chimera.sh/
LiberTV
tvOS 10.0-10.1, 11.0, 11.1
http://newosxbook.com/libertv/
Electra
tvOS 11.0-11.4.1
https://coolstar.org/electra/
The installation is similar to the process of jailbreaking iOS devices. Assuming your Apple TV runs tvOS 12.0 through…
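Returning to the Photos.sqlite point above, here is one way to list assets that the database records but whose files were not among the media pulled over AFC. This is an added example, not code from the original article: the function names are hypothetical, the sample rows are constructed, and the table and column names (ZGENERICASSET with ZDIRECTORY, ZFILENAME, ZDATECREATED) are an assumption about the Photos.sqlite schema of this tvOS generation that should be checked against a working copy of the actual database.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

# Core Data stores timestamps as seconds since 2001-01-01 00:00:00 UTC.
COCOA_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)

def assets_missing_from_device(db, extracted_paths):
    """Return (relative_path, created_utc) for every asset recorded in the
    database whose file is not in the list of media extracted over AFC."""
    present = {p.strip("/") for p in extracted_paths}
    # Assumed schema: verify table/column names on the real database copy.
    rows = db.execute(
        "SELECT ZDIRECTORY, ZFILENAME, ZDATECREATED FROM ZGENERICASSET "
        "WHERE ZFILENAME IS NOT NULL ORDER BY ZDATECREATED")
    missing = []
    for directory, filename, created in rows:
        rel = f"{(directory or '').strip('/')}/{filename}".strip("/")
        if rel not in present:
            ts = None
            if created is not None:
                ts = COCOA_EPOCH + timedelta(seconds=created)
            missing.append((rel, ts))
    return missing

def build_sample_db():
    """Constructed stand-in for Photos.sqlite (not real evidence)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE ZGENERICASSET (Z_PK INTEGER PRIMARY KEY, "
               "ZDIRECTORY TEXT, ZFILENAME TEXT, ZDATECREATED REAL)")
    db.executemany(
        "INSERT INTO ZGENERICASSET (ZDIRECTORY, ZFILENAME, ZDATECREATED) "
        "VALUES (?, ?, ?)",
        [("DCIM/100APPLE", "IMG_0001.JPG", 580953600.0),
         ("DCIM/100APPLE", "IMG_0002.JPG", 581040000.0),
         ("DCIM/100APPLE", "IMG_0003.MOV", None)])  # record with no date
    return db

if __name__ == "__main__":
    # Constructed list of paths that were actually pulled from the device.
    extracted = ["DCIM/100APPLE/IMG_0001.JPG"]
    for rel, ts in assets_missing_from_device(build_sample_db(), extracted):
        print(rel, ts.isoformat() if ts else "no creation date")
```

On a real case, open a copy of the extracted database read-only and build the path list from the AFC extraction folder.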
https://blog.elcomsoft.com/2019/06/apple-tv-and-apple-watch-forensics-01-acquisition/