Installing and Troubleshooting the Extraction Agent (2025)

July 2nd, 2025 by Oleg Afonin

Over the years, we’ve published numerous guides on installing the iOS Forensic Toolkit extraction agent and troubleshooting issues. As both the tool and its environment evolved, so did our documentation – often leading to outdated or scattered information. This article consolidates and updates everything in one place, detailing the correct installation and troubleshooting procedures.

Read the rest of this entry »

Extracting and Analyzing Apple sysdiagnose Logs

June 27th, 2025 by Oleg Afonin

Apple’s unified logging system offers a wealth of information for forensic investigators analyzing iOS, iPadOS, watchOS, tvOS, and other devices from Apple ecosystems. Originally designed for debugging and diagnostics, these logs capture a continuous stream of detailed system activity – including app behavior, biometric events, power state changes, and connectivity transitions. In digital forensics, where traditional sources of evidence like backups or app data may be encrypted or inaccessible, the logs provide an alternative and often untapped reservoir of forensic artifacts. This article explores the content, availability, and forensic value of Apple logs collected via sysdiagnose across different device types, focusing on practical methods for extraction and analysis using modern forensic tools.

Read the rest of this entry »

The 16 Billion Passwords Panic: What Really Happened and Why It Matters (Or Doesn’t)

June 23rd, 2025 by Oleg Afonin

In June 2025, headlines shouted that 16 billion passwords had leaked. Major outlets warned that credentials for Apple, Google, and other platforms were now exposed. As expected, this triggered a wave of public anxiety and standard advice: change your passwords immediately. Upon closer examination, however, technical sources clarified the situation. This was not a new breach, nor did it expose fresh credentials. The dataset was an aggregation of previously leaked databases, malware logs from infostealers, junk records and millions of duplicate entries. Essentially, it was old material, repackaged and redistributed under a sensational label. For digital forensics teams, however, the question remains open: could this kind of dataset be useful in real-world password recovery? In this article, we will explore if massive password leaks have practical value in the lab.

Read the rest of this entry »

Apple Ecosystem: Overlooked Devices

June 18th, 2025 by Oleg Afonin

When it comes to digital evidence, most investigators naturally focus on smartphones – and occasionally tablets. But the rest of the Apple ecosystem often goes unnoticed: Apple Watch, Apple TV, HomePod, even older iPod Touch models. These supplementary devices might seem irrelevant, but they can contain valuable digital artifacts: activity logs, Wi‑Fi credentials, leftover bits and pieces of information, system logs, and even synced photos.

Read the rest of this entry »

What TRIM, DRAT, and DZAT Really Mean for SSD Forensics

June 2nd, 2025 by Oleg Afonin

If you’re doing forensic work today, odds are you’re imaging SSDs, not just spinning hard drives. And SSDs don’t behave like HDDs – especially when it comes to deleted files. One key reason: the TRIM command. TRIM makes SSDs behave different to magnetic hard drives when it comes to recovering deleted evidence. This article breaks down what TRIM actually does, how SSDs respond, and what forensic experts need to know when handling modern storage.

Read the rest of this entry »

iOS Extraction Tip: Why Start with Recovery Mode?

May 30th, 2025 by Oleg Afonin

When performing forensic tasks on Apple devices, the order in which you enter device modes can make a big difference. While DFU mode is necessary for certain extractions, especially using checkm8, going straight into DFU might not be your best option. Starting with Recovery Mode offers several advantages that make it a safer, faster approach. By entering Recovery Mode first, you reduce the risk of unexpected data changes, minimize delays, and ensure the device stays in a stable state. Let’s take a closer look at why starting with Recovery Mode is the better approach for your extraction process.

Read the rest of this entry »

Why Every Digital Forensics Lab Needs a Good USB Hub

May 23rd, 2025 by Oleg Afonin

In modern digital forensics, a reliable USB hub isn’t just a convenience – it’s a critical piece of lab infrastructure. With today’s laptops (especially MacBooks) offering only one or two USB-C ports – often occupied by power adapters – connecting all the required equipment becomes a real challenge. USB hubs help bridge this gap, solving port limitations, improving device compatibility, and even increasing the stability of the checkm8 exploit used for iPhone data extraction. This article explains why and where to use USB hubs shine in forensic workflows and how to choose the right model for your lab.

Read the rest of this entry »

Installing iOS Forensic Toolkit on Linux

May 22nd, 2025 by Oleg Afonin

For a long time, the macOS version of iOS Forensic Toolkit remained the most feature-complete. Only macOS supported bootloader-level acquisition using checkm8, installation of the extraction agent with regular Apple IDs, and use of wireless adapters for Apple Watch analysis. All of these capabilities are now available in the Linux build as well, eliminating the need for a Mac in many workflows. This guide explains how to properly install and use EIFT on a Linux system.

Read the rest of this entry »

The Linux Edition Goes Live

May 20th, 2025 by Oleg Afonin

Acquiring data from iOS devices can be a complex task, particularly when performing bootloader-based extractions leveraging the checkm8 exploit. Traditionally, these extractions required access to a macOS computer. However, the Linux edition of iOS Forensic Toolkit offers a practical and efficient solution for forensic investigators who may not have macOS readily available. With minimal functional differences between the Mac, Windows, and Linux editions, the toolkit’s new, bootable Live Linux version allows for seamless bootloader-level extractions, booting from an external device and utilizing all the necessary tools without the need for a Mac.

Read the rest of this entry »

Breaking into the Ecosystem: How One Weak Link Can Unlock a Secure Device

May 19th, 2025 by Oleg Afonin

A forensic examiner receives a locked smartphone – a recent-model iPhone, encrypted and secured with an unknown passcode. No tool works, checkm8 long obsolete, USB port locked. Is this a dead end? Not quite. iPhones don’t operate in isolation. They’re part of a digital ecosystem, and ecosystems often have weak points. This article explores how gaining access through a weak link  can compromise even the most secure smartphone.

Read the rest of this entry »