Pushing the Boundaries: Low-Level Extraction of iOS 16.4 with Keychain Decryption

July 10th, 2023 by Oleg Afonin
Category: «Elcomsoft News», «Mobile»

When it comes to iOS data acquisition, Elcomsoft iOS Forensic Toolkit stands head and shoulders above the competition. With its cutting-edge features and unmatched capabilities, the Toolkit has become the go-to software for forensic investigations on iOS devices. The recent update expanded the capabilities of the tool’s low-level extraction agent, adding keychain decryption support on Apple’s newest devices running iOS 16.0 through 16.4.

Low-Level Extraction: File System Image and Keychain

iOS Forensic Toolkit is an all-in-one solution for iOS data acquisition. The low-level extraction agent, in particular, sets the tool apart from the competition. While we have already established ourselves as pioneers in checkm8 extractions and extended support to Apple TV, Apple Watch, and HomePod devices in addition to the full range of iPhone and iPad devices, our dedication to innovation continues. We were among the first to implement low-level extraction support for the range of iPad models based on the Apple M1 and M2 chips, ensuring compatibility across a wide range of Apple devices.

The previously posted update gave our tool the ability to extract the full file system image from supported devices (which include all iPhones from the Xs/Xr up to the iPhone 14/14 Pro range, and iPads up to M1/M2), but it did not include keychain support at the time. While low-level file system extraction is impressive on its own, the ability to decrypt and access the keychain opens up a wealth of opportunities for forensic investigators. We are proud to introduce full keychain decryption support for the same range of devices, at the same time expanding the range of supported OS versions.

The keychain stores crucial encryption keys required to unlock protected messaging applications like Signal. The keychain safeguards users’ online account passwords, granting investigators access to vital information that can shed light on their digital activities.

The current support matrix looks as follows:

iOS 16.4 Support and Beyond

Our company remains at the forefront of iOS forensic tools, constantly evolving to meet the demands of the ever-changing landscape. While the latest updates to iOS Forensic Toolkit introduced support for iOS 16.4, further enhancing its capabilities, we are committed to staying ahead of the curve, and our development team is diligently working on supporting subsequent iOS versions, including iOS 16.4.1 and 16.5. With each update, we ensure that forensic professionals have the tools they need to extract and analyze data from the latest iOS devices.

Please note: for technical reasons, we had to remove support for iOS 9 through 11 from recent versions of the extraction agent. From now on, the earliest version of iOS supported by the extraction agent is iOS 12. For this reason, if you need to extract a device running a version of iOS earlier than iOS 12, you’ll have to use iOS Forensic Toolkit 8.23 or 7.81.

Conclusion

Elcomsoft iOS Forensic Toolkit continues to be the unrivaled leader in iOS data acquisition. With its powerful extraction agent, support for iPhone models up to and including the latest iPhone 14/14 Pro range and iPad models based on M1 and M2 chips, and the ability to decrypt keychains, EIFT empowers forensic investigators with comprehensive access to valuable information. The recent addition of iOS 16.4 support, alongside the ongoing commitment to support upcoming versions, solidifies EIFT’s position as the most advanced iOS acquisition software on the market. We are working diligently to unlock new possibilities in your forensic investigations.

