In iOS device forensics, the process of low-level extraction plays a crucial role in accessing essential data for analysis. Bootloader-level extraction through checkm8 has consistently been the best and most forensically sound method for devices with a bootloader vulnerability. But even though we brought the best extraction method to Linux and Windows in recent releases, support for iOS 16 on these platforms was still lacking behind. In this article we’ll talk about the complexities in iOS 16 extractions and how we worked around them in the newest release of iOS Forensic Toolkit.

The bootloader vulnerability affecting several generations of Apple devices, known as “checkm8”, allows for forensically sound extraction of a wide range of Apple hardware including several generations of iPhones, iPads, Apple Watch, Apple TV, and even HomePod devices. The exploit is available for chips that range from the Apple A5 found in the iPhone 4s and several iPad models to A11 Bionic empowering the iPhone 8, 8 Plus, and iPhone X; older devices such as the iPhone 4 have other bootloader vulnerabilities that can be exploited to similar effect. In this article, we will go through the different chips and their many variations that are relevant for bootloader-level extractions.

In the upcoming iOS 17.4 update, Apple is introducing significant changes to its App Store policies for apps distributed in the European Union. The new policy brings multiple changes, one of them being alternative app marketplaces (which are effectively third-party app stores). These changes have both technical and financial implications for developers, but do they bring news to the digital forensic crowd? Let’s have a look into what Apple’s new policy brings and how it may impact forensic experts.

In the world of digital forensics, there are various ways to analyze computer systems. You might be familiar live system analysis or investigating forensic disk images, but there’s yet another method called cold system analysis. Unlike live analysis where experts deal with active user sessions, cold system analysis works differently. It’s like a middle ground between live analysis and examining saved images of a computer’s storage. But why and when would someone use cold analysis? What can you do with it, and how does it compare to the usual methods?

This guide covers the correct installation procedure for Elcomsoft low-level extraction agent, an integral part of iOS Forensic Toolkit that helps extracting the file system and keychain from supported iOS devices. This instruction manual provides a step-by-step guide for setting up a device and installing the extraction agent. We’ve included suggestions from troubleshooting scenarios and recommendations we derived during testing.

The first developer beta of iOS 17.3 includes Stolen Device Protection, a major new security feature designed to protect the user’s sensitive information stored in the device and in iCloud account if their iPhone is stolen and the thief gets access to the phone’s passcode. This optional feature could represent a significant change in how Apple looks at security, where currently the passcode is king. At this time, no detailed documentation is available; developers are getting a prompt to test the feature when installing the new beta.

The latest update of iOS Forensic Toolkit brought an all-new Linux edition, opening up a world of possibilities in mobile device analysis. The highly anticipated Linux edition preserves and expands the features previously available to macOS and Windows users. Forensic professionals can now perform advanced logical and low-level extractions with the aid of a custom extraction agent and extract information using the bootloader-level exploit, making forensic analysis more accessible on Linux platforms.

The bootloader vulnerability affecting several generations of Apple devices opens the door to forensically sound extraction. In today’s article we’ll discuss the compatibility and features of this exploit with different devices, iOS versions, and platforms. In addition, we’ll provide security professionals and researchers with valuable insight into potential issues and solutions when working with checkm8.

In this tutorial, we will address common issues faced by users of the iOS Forensic Toolkit when installing and using the low-level extraction agent for accessing the file system and keychain on iOS devices. This troubleshooting guide is based on the valuable feedback and data received by our technical support team.

Have you ever tried to unlock a password but couldn’t succeed? This happens when the password is really strong and designed to be hard to break quickly. In this article, we’ll explain why this can be a tough challenge and what you can do about it.