Filling the Gaps: iOS 14 Full File System Extracted

June 9th, 2022 by Oleg Afonin
Category: «General»

iOS Forensic Toolkit 7.40 brings gapless low-level extraction support for several iOS versions up to and including iOS 15.1 (15.1.1 on some devices), adding compatibility with previously unsupported versions of iOS 14.

What’s it all about

Low-level extraction is commonly used by forensic specialists to obtain digital evidence not otherwise accessible via the lighter and simpler logical acquisition process. Elcomsoft pioneered agent-based low-level extraction, utilizing a lightweight app for accessing the file system and establishing a communication channel between the expert’s computer and the device being extracted. Once sideloaded onto the device, the extraction agent applies an exploit to obtain superuser privileges and gain low-level access to the file system.

Prior to this update, iOS Forensic Toolkit could perform low-level extraction of most iPhone models running iOS 9 through iOS 14.8, iOS 15-15.1, and iOS 15.1.1 on select platforms. For the A14 platform specifically, the extraction agent supported only iOS 14.0-14.3 and 15.0-15.1, leaving the rest of the iOS 14 range (14.4 through 14.8.1) unsupported. This made for a rather fragmented support matrix. In this release, we closed the two remaining gaps, once again offering truly gapless file system extraction for all supported platforms. With this update, we made it possible to perform full file system extraction of iOS 9.0 through 15.1 for all iPhone and iPad models that can run these versions of iOS, and iOS 15.1.1 on some models.

Benefits of agent-based extraction

There are several extraction methods of varying complexity and compatibility. Logical acquisition is the most compatible and the easiest to use, yet returns the least amount of data. Low-level extraction delivers tangible extras such as location data, comprehensive device usage stats, and all sandboxed app data, including communication histories in the most secure messaging apps.

Low-level extraction comes in multiple flavors, with checkm8 being the cleanest and jailbreaks the most obtrusive of the pack. Agent-based acquisition is second best to checkm8, delivering robust file system extraction for all Apple devices running a compatible version of iOS. Agent-based extraction comes as close to being forensically sound as possible, only installing a lightweight app and not altering any user data.

What makes a certain iOS version ‘compatible’ with the agent? The extraction agent obtains the required level of privileges by exploiting one of the known vulnerabilities in the iOS kernel. To do this, the app packs a number of kernel-level exploits and uses one or another to escape its sandbox and access the file system. Such exploits require time and effort to find and to implement, while Apple actively patches known vulnerabilities in iOS updates. This is why the latest versions of iOS are generally immune to exploits developed for earlier builds (although we know of several exceptions).

iOS 14.8.1

In earlier versions of iOS Forensic Toolkit, we supported iOS versions up to and including iOS 14.8. We also supported iOS 15.0-15.1 on all compatible devices, and iOS 15.1.1 on some platforms. iOS 14.8.1 was notably missing from the list due to the lack of a proper exploit.

For other iOS versions including iOS 15, the extraction agent relied on kernel exploits that are publicly available. The situation is different with iOS 14.8.1, which does not have a public exploit. For this iOS build we incorporated a new, unpublished exploit, making our extraction agent the first tool of its kind to support this version of iOS.

iOS 14.4-14.8.1 (Apple A14)

Prior to this release, we supported iOS 15.0-15.1 on all platforms, and iOS 15.1.1 on some devices. Notably, on Apple A14 Bionic devices the entire range of iOS 14.4-14.8.1 was not supported. iOS Forensic Toolkit 7.40 brings iOS 14.4-14.8.1 support to A14 devices, now offering gapless coverage of all compatible devices and all versions of iOS ranging from iOS 9.0 through 15.1.1.

Using the extraction agent

You’ll need a supported iPhone or iPad device running a compatible version of iOS. Please refer to the following picture for the matrix of supported device models and iOS versions:

Using an Apple ID registered in Apple’s Developer Program is strongly recommended for installing the agent, as it removes the need to open Internet access on the device. A workaround is available to Mac users. Comprehensive instructions on How to Sideload the Extraction Agent are available in our blog.

Steps to extract the file system and decrypt the keychain

To extract the file system and decrypt the keychain from an iOS device without a jailbreak, follow these steps.

  1. Connect the iPhone to your computer. Pair the device (establish trusted relationship) by confirming the prompt on the iPhone and entering the screen lock passcode.
  2. Launch iOS Forensic Toolkit 7.40 or newer.
  3. On the computer, sideload the extraction agent by using the corresponding command in iOS Forensic Toolkit.
  4. On the iPhone, launch the extraction agent by tapping its icon.
    Windows: developer account required. Use app-specific password.
    macOS: developer account not required but strongly recommended.
  5. If supported, extract the keychain. Extract the file system image (full file system or data partition). We recommend extracting the data partition only; the full image may be useful, e.g. for checking the system partition for persistent malware.
  6. On the iPhone, uninstall the extraction agent in a regular way.
  7. You may now disconnect the iPhone and start analyzing the data.
