Approaching iOS Extractions: Choosing the Right Acquisition Method

November 24th, 2022 by Oleg Afonin

The extraction method or methods available for a particular iOS device depend on the device’s hardware platform and the installed version of iOS. While logical acquisition is available for all iOS and iPadOS devices, more advanced extraction methods are available for older platforms and versions of iOS. But what if more than one way to extract the data is available for a given device? In this guide, we’ll discuss the applicable acquisition methods as well as the order in which they should be used.

Read the rest of this entry »

iOS Forensic Toolkit 8 Extraction Agent Cheat Sheet

November 22nd, 2022 by Oleg Afonin

iOS Forensic Toolkit 8 brings new powerful user experience based on the command line. While this approach offers experts full control over the extraction process, mastering the right workflow may become a challenge for those unfamiliar with command-line tools. In this quick-start guide we will lay out the steps required to extract the file system and decrypt the keychain of a compatible iPhone or iPad device.

Read the rest of this entry »

Cloud Forensics: Obtaining iCloud Backups, Media Files and Synchronized Data

November 17th, 2022 by Oleg Afonin

Apple offers by far the most sophisticated solution for backing up, restoring, transferring and synchronizing data across devices belonging to the company’s ecosystem. Apple iCloud can store cloud backups and media files, synchronize essential information between Apple devices, and keep highly sensitive information such as Health and authentication credentials securely synchronized. In this article we’ll explain what kinds of data are stored in iCloud and what you need to access them.

Read the rest of this entry »

Advanced Logical Extraction with iOS Forensic Toolkit 8: Cheat Sheet

November 15th, 2022 by Oleg Afonin

Advanced logical acquisition is the most compatible and least complicated way to access essential evidence stored in Apple devices. In legacy versions of iOS Forensic Toolkit, we offered a 1-2-3 style, menu-driven extraction experience, while the updated release of iOS Forensic Toolkit 8.0 is driven by the command line. In this quick-start guide we will lay out the steps required to extract the most amount of data from Apple devices via the advanced logical process.

Read the rest of this entry »

iOS Backups: Leftover Passwords

November 10th, 2022 by Oleg Afonin

In Apple ecosystem, logical acquisition is the most convenient and the most compatible extraction method, with local backups being a major contributor. Password-protected backups contain significantly more information than unencrypted backups, which is why many forensic tools including iOS Forensic Toolkit automatically apply a temporary backup password before creating a backup. If a temporary password is not removed after the extraction, subsequent extraction attempts, especially made with a different tool, will produce encrypted backups protected with an effectively unknown password. In this article we’ll talk about why this happens and how to deal with it.

Read the rest of this entry »

checkm8 Extraction Cheat Sheet: iPhone and iPad Devices

November 3rd, 2022 by Oleg Afonin

The newly released iOS Forensic Toolkit 8.0 delivers forensically sound checkm8 extraction powered with a command-line interface. The new user experience offers full control over the extraction process, yet mastering the right workflow may become a challenge for those unfamiliar with command-line tools. In this quick-start guide we will lay out the steps required to perform a clean, forensically sound extraction of a compatible iPhone or iPad device.

Read the rest of this entry »

How to Put Apple TV 3 (2012-2013), Apple TV 4/HD (2015) and Apple TV 4K (2017) into DFU

October 31st, 2022 by Oleg Afonin

The title says it all. In this article we’ll explain the steps required to put the listed Apple TV models into DFU mode. These Apple TV models are based on the A5, A8, and A10X chips that are susceptible to the checkm8 exploit and checkm8-based extraction with iOS Forensic Toolkit 8, and DFU mode is the required initial step of the process.

Read the rest of this entry »

iOS 16: SEP Hardening, New Security Measures and Their Forensic Implications

September 23rd, 2022 by Vladimir Katalov

iOS 16 brings many changes to mobile forensics. Users receive additional tools to control the sharing and protection of their personal information, while forensic experts will face tighter security measures. In this review, we’ll talk about the things in iOS 16 that are likely to affect the forensic workflow.

Read the rest of this entry »

iOS Forensic Toolkit 8.0 Now Official: Bootloader-Level Extraction for 76 Devices

September 22nd, 2022 by Oleg Afonin

iOS Forensic Toolkit 8.0 is officially released! Delivering forensically sound checkm8 extraction and a new command-line driven user experience, the new release becomes the most sophisticated mobile forensic tool we’ve released to date.

Read the rest of this entry »

iOS 16: Extracting the File System and Keychain from A11 Devices

September 22nd, 2022 by Vladimir Katalov

Bootloader-based acquisition is the only 100% forensically sound data extraction method for Apple devices. It is the only way to acquire the full set of data from those devices that run iOS 16, albeit with a huge caveat that makes the whole thing more of a brain exercise than a practical forensic tool. Let’s review the iOS 16 compatibility in iOS Forensic Toolkit and go through the whole process step by step.

Read the rest of this entry »