How to Use iOS Forensic Toolkit 8.0 b2 to Perform Forensically Sound Extraction of iPhone 5s, 6, 6s and SE

November 17th, 2021 by Elcomsoft R&D
Category: «Elcomsoft News», «Mobile», «Tips & Tricks»

The second beta of iOS Forensic Toolkit 8.0 has arrived, offering repeatable, verifiable extraction for a limited range of iOS devices. The new release introduces a brand-new user interface, which differs significantly from the selection-driven console we’ve been using for the past several years. This article describes the new workflow for performing forensically sound extractions with iOS Forensic Toolkit 8.0 beta2.

Compatibility

The bootloader-level extraction is still exclusively available in the Mac edition due to technical limitations. You still need a real, physical Mac computer, no VMs and no Hackintosh builds. Both Intel and Apple Silicon are supported. At this time, iOS Forensic Toolkit has been tested on the following versions of macOS: 10.13 High Sierra, 10.14 Mojave, 10.15 Catalina, 11 Big Sur, and 12 Monterey.

The vulnerability exploited by checkm8 exists in a large number of devices ranging from the iPhone 4s all the way to the iPhone 8/8 Plus/X generation. However, our tool does not support the iPhone 4s due to the USB controller requirements; the iPhone 7, 7 Plus, 8, 8 Plus, and iPhone X are not currently supported due to SEP hardening. You may still extract these devices by other means such as using the extraction agent or going through a jailbreak.

At this time, forensically sound bootloader-level extractions are available for the following devices:

  • iPhone 4 (iPhone3,1/iPhone3,2/iPhone3,3): A1332, A1349
  • iPhone 5 (iPhone5,1): A1428, A1429, A1428
  • iPhone 5c (iPhone5,4): A1507, A1526, A1529, A1516
  • iPhone 5S (iPhone6,1/iPhone6,2): A1453, A1533, A1457, A1518, A1528, A1530
  • iPhone 6 (iPhone7,2): A1549, A1586, A1589
  • iPhone 6 Plus (iPhone7,1): A1522, A1524, A1593
  • iPhone 6s (iPhone8,1): A1633, A1688, A1691, A1700
  • iPhone 6s Plus (iPhone8,2): A1634, A1687, A1690, A1699
  • iPhone SE (iPhone8,4): A1662, A1723, A1724
  • iPod touch 6th gen: A1574
  • AppleTV 3 (AppleTV3,2): A1469

Our tool supports all versions of iOS from iOS 8.0 to 15.1 (no offical beta support).

Installing iOS Forensic Toolkit 8.0

The installation procedure has changed since previous releases. To install iOS Forensic Toolkit 8.0 beta 2, follow these steps:

  • Mount the DMG image specific to your version of macOS, supplying the password (you will receive the password in your order confirmation email)
  • Drag the “EIFT8B2” folder to the desktop
  • Open console
  • Run xattr to remove quarantine:
    xattr -r -d com.apple.quarantine <path to folder>
  • Alternatively, you can type part of the command (xattr -r -d com.apple.quarantine ), and drop the image onto the console window. Please note the whitespace at the end of the command.
  • cd Desktop/EIFT8B2
  • You can now launch ./EIFT_cmd to run the tool

There are to different DMG images. One for macOS Catalina and older; and one for Big Sur and newer. The file names are as follows:

  • iOS-Toolkit-8-beta2-Mac-legacy.dmg for Catalina and older
  • iOS-Toolkit-8-beta2-Mac.dmg for Big Sur and Monterey (with M1 support)

Command line parameters

For the past several years, iOS Forensic Toolkit was distributed with console-based, menu-driven UI. In EIFT 8.0 beta2, we have replaced the old UI with a console-based, command-line tool. There are good technical reasons for this, but please reserve your questions until the final release version of iOS Forensic Toolkit 8.0.

The available parameters include:

Main commands

You do not need to use any of the following “advanced” commands unless instructed (or unless you know what you are doing):

  • ssh
  • scp
  • serial
  • tools

Device information

Commands related to logical acquisition

Commands for agent-based extraction

Commands for jailbreak-based extraction

Ramdisk-related commands (when extracting via bootloader exploit)

Additional commands: ssh, scp

Bootloader-level extraction cheat sheet

Technically speaking, bootloader-level extraction was the most challenging to implement. This extraction methods requires experts to possess a certain level of skills and experience in handling iOS devices and placing them into DFU. The cost of a mistake is high: shall you fail to follow the sequence of precisely timed key presses, and the device may start booting iOS, which breaks the “forensically sound” part of the extraction. For this reason:

Practice DFU mode and familiarize yourself with the extraction process on a different iPhone device before you start the extraction.

Once you’re able to place the iPhone into DFU 10 times out of 10, follow these steps with the real device.

Below are the steps for the following 64-bit devices: iPhone 5s/6/6s/SE.

  1. Place device into DFU
  2. ./EIFT_cmd boot
  3. ./EIFT_cmd loadnfcd
  4. ./EIFT_cmd unlockdata -s
  5. ./EIFT_cmd ramdisk keychain -o {filename}
  6. ./EIFT_cmd ramdisk tar -o {filename}
  7. ./EIFT_cmd ssh halt

Bootloader-level extraction step by step

First, place the device DFU (several methods described in DFU Mode Cheat Sheet). The recommended method:

  • Connect the device to a computer using a USB cable (USB-A cables only! If connecting to a Type-C port, use a Type-C to USB-A adapter, and a USB-A cable; no hubs, no Type-C to Lightning cables!)
  • Hold down both the Home button and Lock button
  • After 8 seconds, release the Lock button while continuing to hold down the Home button (if the Apple logo appears, the Lock button was held down for too long)
  • Nothing will be displayed on the screen when the device is in DFU mode. If open, iTunes will alert you that a device was detected in recovery mode (If your device shows a screen telling you to connect the device to iTunes, retry these steps)

Note that, unlike the checkra1n jailbreak, our tool does not require going through Recovery first before entering DFU.

After that, execute the following command:

./EIFT_cmd boot

The command launches the exploit. The code detects the iOS version installed on the device and provides a download link. If there are multiple potential matches, several download links will be displayed; we recommend taking the last link from the list. Download the file from the link, and drop the ipsw file onto the console window.

Our extraction solution does not use the operating system installed on the iPhone to boot the device. Instead, a separate, patched version of the original Apple firmware is booted in the device RAM. This process requires you to have a copy of the original Apple firmware image that matches the device’s iOS version and build number exactly.

In many cases, the iOS version will be detected automatically by EIFT during the first stage of the exploit. The detection is based on the detected iBoot version and device hardware. However, in some cases the iBoot version may correspond to several iOS builds. If the wrong build is used, EIFT will be able to detect and display the correct build number at a later stage of the process. You will then have an option to either repeat the process with a different version of firmware, or continue with the current firmware image (which works in about 99% of cases).

If the process was successful, you will see the following information:

The iPhone will display the following screens:

 

./EIFT_cmd loadnfcd

This command is actually not always required; you can proceed right to unlock, and run that one only if unlock fails (in some cases). Still, you can always run it to be absolutely safe.

./EIFT_cmd unlockdata -s

This command unlocks the data partition and mounts it read-only.

If you enter the wrong passcode, an error will be displayed. With correct passcode, the volume is fully unlocked and you can proceed with data (keychain and file system) extraction).


If you don’t know the passcode, press ENTER on the screen below. In this case, a very limited BFU extraction will be performed.

After 5 or 6 wrong passcode entries, the iPhone will be locked for 1, 5, 15 and 60 minutes in succession. You must wait for the block to expire. After 10 unsuccessful unlock attempts, regardless of the wait time, the system will wipe the encryption metadata, making subsequent extraction attempts futile.
Note: To prevent permanent system wipe, EIFT will not allow trying to unlock after 7 failed attempts!

./EIFT_cmd ramdisk keychain -o {filename}

This command extracts and decrypts the keychain. If no path is specified, it will be saved into the current folder. There are specific considerations for some iOS versions:

  • iOS 15: keychain decryption is currently not available.
  • iOS 8 through 14: all keychain records decrypted except a small number of system records.
./EIFT_cmd ramdisk tar -o {filename}

This command images file system. The checksum (hash value) is calculated on the fly and displayed once the extraction is finished.

./EIFT_cmd ssh halt

This command powers off the iPhone. Always use this command at the end of the extraction as it is not possible to power off the iPhone with the buttons. If you try pressing and holding the power button, the iPhone will reboot and load the installed version of iOS, which breaks forensically sound extraction.


REFERENCES:

Elcomsoft iOS Forensic Toolkit

Extract critical evidence from Apple iOS devices in real time. Gain access to phone secrets including passwords and encryption keys, and decrypt the file system image with or without the original passcode. Physical and logical acquisition options for all 64-bit devices running all versions of iOS.

Elcomsoft iOS Forensic Toolkit official web page & downloads »