Installing and using iOS Forensic Toolkit on macOS 10.15 Catalina

October 2nd, 2019 by Oleg Afonin
Category: «Elcomsoft News», «Tips & Tricks»

The release of macOS Catalina brought the usual bunch of security updates. One of those new security features directly affects how you install Elcomsoft iOS Forensic Toolkit on Macs running the new OS. In this guide we’ll provide step-by-step instructions on installing and running iOS Forensic Toolkit on computers running macOS 10.15 Catalina. Note: on macOS Catalina, you must use iOS Forensic Toolkit 5.11 or newer (older versions may also work but are not recommended).

The Issue

In macOS 10.15, Apple made running third-party apps slightly more difficult. The new security measure is designed to prevent users from accidentally running apps downloaded from the Internet by quarantining files obtained from sources that aren’t explicitly whitelisted by Apple.

As Elcomsoft iOS Forensic Toolkit is not distributed through Apple App Store, our tool falls under this restriction and will be quarantined once you install it.

The Solution

Technically speaking, the system sets the quarantine flag when an agent (such as the Web browser, email client or another app) saves a file to the computer. When you first try to open an app you’ve downloaded from the internet, the OS will display a warning message and prevent you from launching the app.

In order to launch Elcomsoft iOS Forensic Toolkit, you’ll have to remove the quarantine flag by running the following command through the system’s terminal.

xattr -r -d com.apple.quarantine <path_to_dmg>

In order to install EIFT on a Mac running macOS Catalina, follow the instructions in the next chapter.

How to Install and Run iOS Forensic Toolkit on a Mac

Follow these steps to install iOS Forensic Toolkit:

  1. Download Elcomsoft iOS Forensic Toolkit via the link you received in your purchase confirmation email (make sure to select the Mac version)
  2. Unpack the archive. The current version will be unpacked as iOS-Toolkit-5.11-Mac.dmg
  3. Before mounting the DMG, run the following command in the system console:
    xattr -r -d com.apple.quarantine <path_to_dmg>

    For example, if you saved the DMG on your desktop, use this command:

    xattr -r -d com.apple.quarantine Desktop/iOS-Toolkit-5.11-Mac.dmg
  4. Mount the DMG file. IMPORTANT: do NOT launch EIFT directly from the mounted image! You MUST create a new directory on your Mac (e.g. on your Desktop) and copy the entire content of the mounted disk to that new folder. You can unmount and delete the DMG afterwards.
  5. Run the “Toolkit.command” from the newly created folder.
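For step 3, an added example (not part of the original guide or of Elcomsoft's tooling) that records what the quarantine attribute says about the download before removing it, then verifies the removal. The function names are hypothetical, and the field layout `flags;hex_epoch;agent;event_uuid` is the commonly observed format of com.apple.quarantine, assumed here rather than taken from the guide.

```shell
#!/bin/sh
# Added example. Function names are hypothetical; the field layout
# "flags;hex_epoch;agent;event_uuid" is the commonly observed format of
# com.apple.quarantine and is an assumption, not taken from the guide.

# Print the fields of a quarantine value; return 1 if it does not parse.
parse_quarantine() {
    q_value=$1
    case $q_value in *\;*\;*) ;; *) echo "unparsable: $q_value"; return 1 ;; esac
    q_flags=${q_value%%;*};  q_rest=${q_value#*;}
    q_ts=${q_rest%%;*};      q_rest=${q_rest#*;}
    q_agent=${q_rest%%;*}
    case $q_rest in *\;*) q_uuid=${q_rest#*;} ;; *) q_uuid= ;; esac
    # The timestamp is hexadecimal Unix time; reject anything else.
    case $q_ts in ''|*[!0-9a-fA-F]*) echo "bad timestamp: $q_ts"; return 1 ;; esac
    # On macOS, `date -r <epoch>` turns the epoch into a readable date.
    echo "flags=$q_flags epoch=$((0x$q_ts)) agent=$q_agent uuid=$q_uuid"
}

# Log the attribute, remove it with the guide's command, then verify.
clear_quarantine() {
    q_file=$1
    if q_raw=$(xattr -p com.apple.quarantine "$q_file" 2>/dev/null); then
        parse_quarantine "$q_raw" || echo "raw value kept for the record: $q_raw"
        xattr -r -d com.apple.quarantine "$q_file" || return 1
    else
        echo "no quarantine attribute on $q_file"
    fi
    # A file that still carries the attribute will be blocked at launch.
    if xattr -p com.apple.quarantine "$q_file" >/dev/null 2>&1; then
        echo "still quarantined: $q_file"; return 1
    fi
    echo "clear: $q_file"
}

# Usage: sh clear_quarantine.sh <path_to_dmg>
if [ $# -gt 0 ]; then clear_quarantine "$1"; fi
```

Keeping the printed agent and timestamp in your case notes documents where the installer on the examination workstation came from.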

Using iOS Forensic Toolkit on macOS Catalina

There are several changes in macOS 10.15 making many forensic tools incompatible with the new OS. iOS Forensic Toolkit fully supports macOS Catalina from version 5.11 onwards.

Establishing trust

As you may know, macOS Catalina ditches the iTunes app. As a result, establishing trust with the iPhone you connect to your Mac now looks as follows:

Logical acquisition

This is how you extract a backup from the iPhone:

The detailed coverage of all iOS Forensic Toolkit features, issues and limitations is available in the product manual.

Running Windows?

We have recently covered some EIFT issues for the Windows platform; see iOS Acquisition on Windows: Tips&Tricks for more details.

