iOS Forensic Toolkit Tips & Tricks

July 17th, 2023 by Vladimir Katalov
Category: «Mobile», «Tips & Tricks»

For forensic experts dealing with mobile devices, having a reliable and efficient forensic solution is crucial. Elcomsoft iOS Forensic Toolkit is an all-in-one software that aids in extracting data from iOS devices, yet it is still far away from being a one-button solution that many experts keep dreaming of. In this article, we will walk you through the preparation and installation steps, list additional hardware environments, and provide instructions on how to use the toolkit safely and effectively.

Installation Steps

The software is available in Windows and macOS editions, and there are two major releases available: v7 and v8. However, please note that v8 is exclusively designed for macOS, with a Linux version coming soon. To obtain the software, visit the official Elcomsoft website and follow the instructions provided when purchasing the license. You will need a registration code (the one starting with “IOFT-“) to download the software; you can always get the latest version here. Here’s what you’ll find on the website:

Elcomsoft iOS Forensic Toolkit v.7

  • Windows Edition
  • macOS X Edition

Elcomsoft iOS Forensic Toolkit v.8

  • macOS Big Sur, Monterey and Ventura (Intel and Apple Silicon)
  • macOS High Sierra, Mojave, Catalina (Intel only)

Version 7 offers a slightly simpler user interface with a text-based menu displaying available commands for data extraction. On the other hand, Version 8 is more advanced and feature-rich. Elcomsoft plans to release v8 for Windows and Linux platforms soon, leading to the retirement of v7.

To install Version 7, simply run the installer and provide the installation password. If you’re using a Mac, you might encounter a warning message on the first run; in such cases, just confirm the warning.

To install Version 8, mount the .dmg file (select the appropriate platform) and enter the password. Then, copy the folder named EIFTx.y (where x.y denotes the version number) to a folder on your local computer, such as the desktop folder. The next step involves opening the Terminal and removing the ‘quarantine’ flag from the entire program folder. Use the following command:

xattr -r -d com.apple.quarantine <path to folder>

For example:

xattr -r -d com.apple.quarantine /Users/JohnDoe/Desktop/EIFT8.31

A Word on Compatibility with Older Versions of iOS

Please note: for technical reasons, we had to remove support for iOS 9 through 11 from recent versions of the extraction agent. From now on, the earliest version of iOS supported by the extraction agent is iOS 12. For this reason, if you need to extract a device running an earlier version of iOS than iOS 12, you’ll have to use iOS Forensic Toolkit 8.23 or 7.81.

Using Elcomsoft iOS Forensic Toolkit v8

Once the installation is complete, navigate to the EIFT folder using the Terminal. For example:

cd /Users/JohnDoe/Desktop/EIFT8.31

Elcomsoft iOS Forensic Toolkit v8 provides a command-line interface (CLI). To utilize it, follow this format:

./EIFT_cmd {command}

For instance, to gather information about the connected iPhone, use the following command:

./EIFT_cmd info

Running the program without any parameters will display the complete list of commands and their respective options. For detailed instructions, consult the product manual, which provides comprehensive descriptions of each command.

Important note: Ensure that the USB dongle remains inserted throughout your work with the program. Do not remove it during the data acquisition process.

Additional Hardware Requirements and Working Environment Considerations

In addition to the software, you will require some additional hardware components to effectively use Elcomsoft iOS Forensic Toolkit. While having a computer (preferably a Mac) is essential, there are other cables, adapters, and extras that may be needed. We will soon release a comprehensive list of these devices. Even if you don’t need them immediately, it’s advisable to be prepared.

It is ideal to work in an isolated room, preferably a Faraday tent. Using a Faraday bag alone may not be sufficient, as you will need to connect the device to the computer and utilize its screen during the forensic process.

Using a USB Hub

To connect the iPhone to a Mac, even if it has a physical USB Type A port, please connect the device to the available USB Type C/Thunderbolt port through a Type C USB hub (with Type A ports), or a USB Type C to Type A adapter. This is particularly important for the latest version of EIFT. Please do not use USB Type C to Lightning cables; instead, use the Type A to Lightning cable plugged into the Type A port of a USB hub or USB Type C to Type A adapter to ensure proper connection and compatibility.

Device Preparation

Before beginning the forensic process, it’s important to ensure that the device you are working with is adequately charged. We recommend a minimum charge of 20%, although having 50% or more is preferred. This recommendation applies unless you are working with an Apple TV or Apple HomePod connected to a power supply.

It is crucial to have the correct date and time set on the device, as this plays a significant role in the agent acquisition method.

If you plan to use the extraction method based on a bootloader exploit, make sure you are familiar with the appropriate buttons needed to put the device into Recovery mode and DFU (Device Firmware Update) mode. Typically, these buttons include Power, Home, and Volume Down. For certain acquisitions, the touch screen should also be functional, e.g. to enter a passcode.

Regardless of the acquisition method you choose, it is vital to keep the device in Airplane mode. In addition to that, we strongly recommend manually checking (and disabling, if necessary) the individual wireless toggles for Wi-Fi and Bluetooth networks as these may not be automatically disabled when the device is placed to Airplane mode. This serves two purposes:

  • Preventing the device from syncing: By disabling syncing, you minimize changes that could occur on the device during the forensic process.
  • Preventing remote lock/wipe: If the device has FindMy enabled, keeping it in Airplane mode ensures that it won’t be remotely locked or wiped.

Please note that for some specific scenarios, such as iPhone 8, iPhone 8 Plus, or iPhone X running iOS 14 or 15 and utilizing the checkm8 exploit, you may need to reset the device settings. Once you do, the wireless isolation mode is automatically disabled after reboot, and it’s important to ensure that the iPhone does not accidentally connect to a cellular network (if a SIM card or e-SIM is inserted) or a known/open Wi-Fi access point.

Choosing the Right Acquisition Method

When using Elcomsoft iOS Forensic Toolkit, it’s important to select the appropriate acquisition method for the given device. We provide detailed information on this topic in our resource titled “Approaching iOS Extractions: Choosing the Right Acquisition Method.” It is crucial to gather as much information as possible about the device and plan the acquisition accordingly. In some cases, multiple methods may be applicable, and selecting the correct order is essential. Making the wrong choices at this stage can result in negative consequences, such as unnecessary changes to the device, the loss of irreplaceable data, or missing critical evidence.

While we won’t describe all the methods and commands in detail within this article, our product manual provides comprehensive coverage. However, we would like to highlight some important issues that may arise during the process. Please pay close attention to the information presented here, as it complements the documentation.

For example, if the device is vulnerable to a bootloader exploit, it is advisable to use this method first to maintain the forensic integrity of the process.

Extended Logical Acquisition

Logical acquisition is the simplest and most universal method that works for all Apple devices. However, it returns a limited set of data. Extended logical acquisition includes:

  • Full device information
  • iTunes-style backup *
  • Media files and metadata
  • Shared app files
  • Crash and diagnostics logs

* There are important nuances to consider in this method. For instance, backups contain the maximum amount of data if they are password-protected. However, breaking an unknown backup password is virtually impossible. On the other hand, sometimes the backup password can be extracted from the Windows or macOS computer the device was connected to.

If a backup password is set and you are unable to break or reset it, the other parts of logical acquisition will still work. You can at least obtain media files (including valuable metadata) and logs, which can help build a timeline of device usage. It’s worth noting that logs are often underestimated in their significance. Remember to generate the logs as needed (refer to the manual for instructions). Additionally, we provide resources that offer more information on logs and how to interpret them (see the provided links).

  1. GitHub – cheeky4n6monkey/iOS_sysdiagnose_forensic_scripts
  2. Checkra1n Era – Ep 6 – Quick triaging
  3. Sysdiagnose in iOS 16: a first look from a Digital Forensics perspective
  4. iOS Crash Dump Analysis, Second Edition
  5. Sysdiag -who? | WithSecure™ Labs
  6. More useful information gleaned from sysdiagnose – The Eclectic Light Company

It’s important to mention that backups can be obtained for iPhone, iPad, and iPod Touch devices. However, for Apple TV, Apple Watch, and Apple HomePod, you can obtain media files, logs, and other similar data. Occasionally, it is possible to access the full file system of these devices as well.

Full File System & Keychain Acquisition: Using Bootloader Exploit

Using the bootloader exploit for full file system and keychain acquisition provides forensic experts with a powerful method for extracting data. By carefully following the instructions for entering DFU mode, booting the device, and understanding the limitations and variations across different iOS versions and device models, one can unlock valuable evidence and ensure a robust forensic investigation process.

DFU Mode

Entering DFU (Device Firmware Update) mode can be a bit tricky, especially for those who are new to the process. Different models require different key combinations, and timing is crucial. It may take a few attempts before successfully entering DFU mode, as the device might simply reboot otherwise.

We recommend entering Recovery mode first, followed by DFU mode. The reason behind this is simple: Recovery mode is easier to enter and rarely fails. Once in Recovery mode, you can set the device to boot only into DFU mode, ensuring a forensically sound process.

Note that iPhone 8, iPhone 8 Plus, and iPhone X (and newer models) can be entered into DFU mode in an automated way. You can find instructions on automating DFU mode using a Raspberry Pi Pico here: Automating DFU Mode with Raspberry Pi Pico. On the other hand, if some buttons on the device don’t work, you may need to disassemble the device and use the test points. Refer to the article “How to Put an iOS Device with Broken Buttons in DFU Mode” for detailed instructions.

For more information on Recovery and DFU modes, you can explore the following articles on our blog:

Booting the Device

Our approach to bootloader-based acquisition differs from other vendors. We detect the iOS (or iPadOS, WatchOS, tvOS) version installed on the device and provide automatic links for you to download and use the corresponding version. This ensures maximum compatibility across all devices and iOS versions. We patch the bootloader on-the-fly during the process.

However, there may be instances where the exact iOS build version cannot be detected. In such cases, we offer several best matches for you to choose from. If the process fails with the selected version, you can try using another one.

Restoring the Device to its Original State

Once your work with the device is complete, and it is time to return it to its owner in its original condition, it is important to reset the autoboot mode flag that is set automatically by iOS Forensic Toolkit to prevent accidental reboots into the main OS. This will ensure that the device can boot into iOS. Enter the following command in the Terminal or command line interface:

./EIFT_cmd tools autobootTrue

Note: the device will undergo an automatic reboot to complete the process.

By following this step, you can ensure that the device is returned to the owner without any modifications made during the checkm8 analysis.

Legacy Devices

Older devices without the Secure Enclave and with HFS file systems follow a different acquisition path compared to iPhone 5s and newer models. You can find detailed information in “Perfect HFS Acquisition“. Certain models can be unlocked by breaking the device’s passcode (with some limitations), while for others, it is possible to extract the full file system regardless of the passcode set.

Limitations

Devices powered by the Apple A11 SoC (iPhone 8, iPhone 8 Plus, and iPhone X) are technically compatible with the bootloader exploit. However, for iOS 14 and 15, you will need to remove the passcode first. There are a couple of issues with this:

  • It is not always possible to remove the passcode
  • Removing the passcode will result in some data loss, breaking forensically sound process

For iOS 16, the situation is even more challenging. Extraction never works if the passcode has been set on the device since the device was set up, so even removing it won’t help. Please note that this limitation applies only to A11-based iPhones. When dealing with iPads running iOS 16, you may need to remove the passcode, but it’s worth trying with the passcode first, as it often works.

Full File System & Keychain Acquisition: Using the Agent

Agent acquisition is the only available method used to obtain the full file system and keychain from devices based on A12 or newer SoC (System on a Chip). While it offers great potential in theory, practical use can sometimes be challenging.

To begin, you need to sideload the agent onto the device, which had become a challenge. Apple has implemented measures to prevent app installations from sources other than their App Store. However, it is still possible to sideload apps, especially with an account registered in the Apple Developer Program. Regular accounts can also work, but there may be additional hurdles to overcome.

The main challenge arises when the app, particularly our extraction agent, requires online verification. This can be problematic due to the need for device isolation and the associated risks of enabling online access to the device. To address this, you may need to set up a software or hardware firewall to control the verification process. It’s worth noting that even with a developer account, there are limitations. For example, only the first 10 devices (out of a total allowance of 100) are added in real-time, while for subsequent devices you may need to wait up to 3 days for the device to be “connected” and allow the agent to run. Additionally, iOS 16 requires enabling a special developer mode on the device (after agent installation).

In terms of version compatibility, agent-based acquisition is not as versatile as bootloader-based methods. While some zero-day exploits exist, it is unlikely that we will be able to work with the latest iOS versions. At the time of writing, our tool covers iOS 12 to 16.4. Note that support for iOS 9 to 11 was available previously but had to be removed due to technical reasons. However, if you urgently require support for those older versions, you can still use an older version of our product.

A Note about A11 Bionic

There is something specific about the A11 SoC that sets it apart from other chips (A12 Bionic and newer). It is comparatively less vulnerable, and fewer exploits are available for it. Consequently, in some cases, we can only obtain a partial file system using the agent, and the keychain may not be accessible.

Troubleshooting

No software is completely free of bugs, and it’s impossible for us to test every model/iOS combination thoroughly, despite our extensive testing with over 70 combinations and ongoing efforts to expand coverage. In version 8 of the toolkit, the logs are stored in the following folder:

~/Elcomsoft/EIFT/logs

If something goes wrong during the process, kernel panic logs can be incredibly helpful. You can find these files, named panic-full-{timestamp}.ips, on the device itself under:

Settings | Privacy & Security | Analytics & Improvements | Analytics Data

From there, you can use AirDrop or other methods to transfer the logs from the device to your Mac (or another iPhone, for example).

However, before delving into advanced troubleshooting steps, sometimes a simple reboot of your Mac and retrying the process can resolve minor issues.

Using the DCSD Adapter for Advanced Troubleshooting

In some cases, when utilizing an acquisition method based on the bootloader exploit, the logs mentioned earlier may not be sufficient to detect and resolve issues that may arise. To overcome such challenges, we highly recommend obtaining the DCSD adapter. This adapter is specifically designed for serial debugging purposes, allowing you to capture the traffic between the host and the device. It creates its own log, providing valuable insights when working with specific devices and iOS combinations that may encounter difficulties.

While we sincerely hope that you will never need to use the DCSD adapter, we strongly advise acquiring one as a precautionary measure. Its availability can prove invaluable in resolving complex issues during the forensic process. For detailed instructions on how to utilize the DCSD adapter effectively, please refer to the product manual, which provides comprehensive guidance.

By having the DCSD adapter at your disposal, you can enhance your troubleshooting capabilities and ensure a more robust and thorough analysis when using iOS Forensic Toolkit.

Conclusion

Elcomsoft iOS Forensic Toolkit offers forensic experts a powerful solution for extracting data from iOS devices. By following the installation instructions, considering additional hardware requirements, preparing the device appropriately, and selecting the right acquisition method, forensic experts can maximize their efficiency and accuracy in obtaining crucial evidence. Whether utilizing the logical acquisition method, the bootloader exploit, or the agent-based approach, each method has its considerations and limitations, which were outlined in this article. By understanding the nuances and troubleshooting techniques provided, forensic experts can navigate the complexities of mobile forensic analysis, ensuring a robust and effective investigative process.


REFERENCES:

Elcomsoft iOS Forensic Toolkit

Extract critical evidence from Apple iOS devices in real time. Gain access to phone secrets including passwords and encryption keys, and decrypt the file system image with or without the original passcode. Physical and logical acquisition options for all 64-bit devices running all versions of iOS.

Elcomsoft iOS Forensic Toolkit official web page & downloads »