The second beta of iOS Forensic Toolkit 8.0 has arrived, offering repeatable, verifiable extraction for a limited range of iOS devices. The new release introduces a brand-new user interface, which differs significantly from the selection-driven console we’ve been using for the past several years. This article describes the new workflow for performing forensically sound extractions with iOS Forensic Toolkit 8.0 beta2.
The bootloader-level extraction is still exclusively available in the Mac edition due to technical limitations. You still need a real, physical Mac computer, no VMs and no Hackintosh builds. Both Intel and Apple Silicon are supported. At this time, iOS Forensic Toolkit has been tested on the following versions of macOS: 10.13 High Sierra, 10.14 Mojave, 10.15 Catalina, 11 Big Sur, and 12 Monterey.
The vulnerability exploited by checkm8 exists in a large number of devices ranging from the iPhone 4s all the way to the iPhone 8/8 Plus/X generation. However, our tool does not support the iPhone 4s due to the USB controller requirements; the iPhone 7, 7 Plus, 8, 8 Plus, and iPhone X are not currently supported due to SEP hardening. You may still extract these devices by other means such as using the extraction agent or going through a jailbreak.
At this time, forensically sound bootloader-level extractions are available for the following devices:
Our tool supports all versions of iOS from iOS 8.0 to 15.1 (no official beta support).
The installation procedure has changed since previous releases. To install iOS Forensic Toolkit 8.0 beta 2, follow these steps:
xattr -r -d com.apple.quarantine <path to folder>
There are two different DMG images: one for macOS Catalina and older, and one for Big Sur and newer. The file names are as follows:
For the past several years, iOS Forensic Toolkit was distributed with console-based, menu-driven UI. In EIFT 8.0 beta2, we have replaced the old UI with a console-based, command-line tool. There are good technical reasons for this, but please reserve your questions until the final release version of iOS Forensic Toolkit 8.0.
The available parameters include:
Main commands
You do not need to use any of the following “advanced” commands unless instructed (or unless you know what you are doing):
Device information
Commands related to logical acquisition
Commands for agent-based extraction
Commands for jailbreak-based extraction
Ramdisk-related commands (when extracting via bootloader exploit)
Additional commands: ssh, scp
Technically speaking, bootloader-level extraction was the most challenging to implement. This extraction method requires experts to possess a certain level of skill and experience in handling iOS devices and placing them into DFU. The cost of a mistake is high: should you fail to follow the sequence of precisely timed key presses, the device may start booting iOS, which breaks the “forensically sound” part of the extraction. For this reason:
Practice DFU mode and familiarize yourself with the extraction process on a different iPhone device before you start the extraction.
Once you’re able to place the iPhone into DFU 10 times out of 10, follow these steps with the real device.
Below are the steps for the following 64-bit devices: iPhone 5s/6/6s/SE.
First, place the device into DFU (several methods are described in the DFU Mode Cheat Sheet). The recommended method:
Note that, unlike the checkra1n jailbreak, our tool does not require going through Recovery first before entering DFU.
After that, execute the following command:
./EIFT_cmd boot
The command launches the exploit. The code detects the iOS version installed on the device and provides a download link. If there are multiple potential matches, several download links will be displayed; we recommend taking the last link from the list. Download the file from the link, and drop the ipsw file onto the console window.
Our extraction solution does not use the operating system installed on the iPhone to boot the device. Instead, a separate, patched version of the original Apple firmware is booted in the device RAM. This process requires you to have a copy of the original Apple firmware image that matches the device’s iOS version and build number exactly.
In many cases, the iOS version will be detected automatically by EIFT during the first stage of the exploit. The detection is based on the detected iBoot version and device hardware. However, in some cases the iBoot version may correspond to several iOS builds. If the wrong build is used, EIFT will be able to detect and display the correct build number at a later stage of the process. You will then have an option to either repeat the process with a different version of firmware, or continue with the current firmware image (which works in about 99% of cases).
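Because the patched firmware must match the device’s build number exactly, it is worth checking the IPSW you downloaded before dropping it onto the console. The following added example (not part of the toolkit or this post) reads Restore.plist from the IPSW archive and compares its ProductBuildVersion and SupportedProductTypes against the build and model you expect; the sample build, version and product-type values are constructed for illustration.

```python
import io
import plistlib
import zipfile


def read_ipsw_identity(ipsw):
    """Return version, build and supported models from an IPSW's Restore.plist.

    An IPSW is a zip archive; Restore.plist at its root carries the keys
    ProductVersion, ProductBuildVersion and SupportedProductTypes.
    `ipsw` may be a file path or a binary file-like object.
    """
    with zipfile.ZipFile(ipsw) as zf:
        with zf.open("Restore.plist") as fh:
            info = plistlib.load(fh)
    return {
        "version": info["ProductVersion"],
        "build": info["ProductBuildVersion"],
        "products": list(info["SupportedProductTypes"]),
    }


def ipsw_matches(ipsw, expected_build, product_type):
    """True only if the IPSW is the expected build AND covers this device model."""
    ident = read_ipsw_identity(ipsw)
    return ident["build"] == expected_build and product_type in ident["products"]


def make_sample_ipsw(version, build, products):
    """Constructed stand-in for a real IPSW: a zip holding only Restore.plist.

    Used here so the check can be exercised offline; it is not a firmware image.
    """
    plist = plistlib.dumps({
        "ProductVersion": version,
        "ProductBuildVersion": build,
        "SupportedProductTypes": products,
    })
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Restore.plist", plist)
    buf.seek(0)
    return buf


if __name__ == "__main__":
    # Constructed sample: build "16H62" for the iPhone 5s models (iPhone6,1 / iPhone6,2).
    sample = make_sample_ipsw("12.5.5", "16H62", ["iPhone6,1", "iPhone6,2"])
    print(read_ipsw_identity(sample))
    print(ipsw_matches(make_sample_ipsw("12.5.5", "16H62", ["iPhone6,1"]), "16H62", "iPhone6,1"))
```

Run it against the real file with `read_ipsw_identity("/path/to/firmware.ipsw")` and compare the build it reports with the one EIFT displays; a mismatch means you should repeat the boot stage with the correct firmware rather than continue.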
If the process was successful, you will see the following information:
The iPhone will display the following screens:
./EIFT_cmd ramdisk loadnfcd
This command is actually not always required; you can proceed right to unlock, and run that one only if unlock fails (in some cases). Still, you can always run it to be absolutely safe.
./EIFT_cmd ramdisk unlockdata -s
This command unlocks the data partition and mounts it read-only.
If you enter the wrong passcode, an error will be displayed. With the correct passcode, the volume is fully unlocked and you can proceed with data (keychain and file system) extraction.
If you don’t know the passcode, press ENTER on the screen below. In this case, a very limited BFU extraction will be performed.
After 5 or 6 wrong passcode entries, the iPhone will be locked for 1, 5, 15 and 60 minutes in succession. You must wait for the block to expire. After 10 unsuccessful unlock attempts, regardless of the wait time, the system will wipe the encryption metadata, making subsequent extraction attempts futile.
Note: To prevent permanent system wipe, EIFT will not allow trying to unlock after 7 failed attempts!
./EIFT_cmd ramdisk keychain -o (unknown)
This command extracts and decrypts the keychain. If no path is specified, it will be saved into the current folder. There are specific considerations for some iOS versions:
./EIFT_cmd ramdisk tar -o (unknown)
This command images the file system. The checksum (hash value) is calculated on the fly and displayed once the extraction is finished.
./EIFT_cmd ssh halt
This command powers off the iPhone. Always use this command at the end of the extraction as it is not possible to power off the iPhone with the buttons. If you try pressing and holding the power button, the iPhone will reboot and load the installed version of iOS, which breaks forensically sound extraction.