Extraction Agent: Offline Extraction with All Developer Accounts

May 15th, 2025 by Oleg Afonin
Category: «Elcomsoft News», «Mobile», «Tips & Tricks»

We are excited to announce an update to Elcomsoft iOS Forensic Toolkit that solves a long-standing issue connected to the installation and use of the low-level extraction agent. In version 8.70, we introduce a critical improvement: you can now sideload and launch the extraction agent completely offline using any Apple Developer account – regardless of when it was created. What exactly changed, and what does that mean for you? Read on to find out.

Background

For those new to the tool, the low-level extraction agent is a lightweight, in-house-developed iOS app that plays a key role in low-level forensic acquisition. The agent packs all known iOS exploits into a single tool. Once sideloaded onto a compatible iOS or iPadOS device, the agent:

  1. Applies a chain of exploits to elevate privilege level, escape the iOS sandbox, and gain access to the root of the file system as well as the encryption keys required to decrypt the keychain.
  2. Establishes a communication channel between the device and the expert’s computer.
  3. Grants full file system access and Keychain extraction capabilities.

This method allows forensic experts to extract crucial evidence from iPhones and iPads at a low level, providing access to user data that would otherwise be impossible to retrieve.

The Problem with Developer Accounts – Until Now

In the past, installing and running our extraction agent required careful handling during the initial stage. Sideloading the extraction agent (that is, installing the app directly, bypassing the official App Store) on an Apple device requires a digital signature, and that signature is verified on-device before the app can be run.

When sideloading an app on an iPhone or iPad using a regular, non-developer Apple ID, users are prompted to verify the digital signature, which requires the device to establish contact with an Apple server. Enrolling into Apple’s Developer Program used to lift this requirement. However, since June 6, 2021, new enrollments no longer guarantee full offline operation: any app signed with such a newly enrolled Apple ID must be verified on the first launch, which makes the whole Apple Developer thing pretty much pointless for mobile forensics.

Either way, connecting the device to the Internet poses a number of risks, such as accidental synchronization or even receiving a remote lock or erase command. A firewall mitigates these risks by ensuring the device can connect to Apple’s servers for signature verification while blocking all other Internet access.

Here’s a quick overview of what changed over time (we have a comprehensive writeup on the matter in More on Apple Developer Accounts):

Before June 6, 2021:

  • If you installed the extraction agent using an Apple ID enrolled in the Apple Developer Program before that date, the entire process could be performed completely offline.
  • This allowed experts to install and run the extraction agent without needing the device to connect to the Internet.

After June 6, 2021:

  • Apple introduced changes to the Developer Program that affected newly enrolled accounts.
  • While you could still install the agent offline using a newer Developer account (on-device certificate approval not required), an Internet connection was now required on first launch.
  • This created significant risks for forensic investigations, as forced connectivity could trigger unwanted syncs, remote locks, or data wipes, potentially compromising evidence.
  • Notably, this change did not apply to Apple developer accounts enrolled before June 6, 2021.

Regular (non-developer) Apple IDs:

  • Sideloading with regular (non-developer) Apple IDs has always been possible, but it requires an Internet connection on the device for approving the certificate and when launching the agent app for the first time, posing the same risks.
  • Since newly enrolled developer accounts also required on-device Internet connectivity (just like regular accounts), they provided no benefits in the context of sideloading the extraction agent.

As a result, the use of Apple Developer accounts became less attractive. At one point, we even stopped recommending them because they no longer provided real offline benefits.

Because of this, we had to publish A Comprehensive Instruction Manual on Installing the Extraction Agent and Extraction Agent and Firewall: Software vs. Hardware, which suggested the use of a firewall to restrict the device’s connectivity to the signature validation service while disallowing access to all other resources. While we tried to make it as simple as possible, using a firewall was still a hassle, and a major one to tell the truth.

The Solution

Today, we are introducing a breakthrough solution. Starting with iOS Forensic Toolkit 8.70, a smart workaround makes it possible to sideload and run the extraction agent completely offline with any Apple Developer account – regardless of when it was created or enrolled in Apple’s Developer Program. In other words:

  • No more worrying about the enrollment date of your Developer account.
  • No more Internet connection needed during sideloading or on the first launch.
  • Safe, offline extraction is now fully available once again.
  • The firewall is no longer required to install the extraction agent if you use a developer account.

Thanks to this improvement, we are once again recommending the use of Apple Developer accounts for sideloading the extraction agent. This change dramatically simplifies the preparation and installation steps, reduces operational risks, and improves the overall forensic workflow.

The Limitations

Our solution works in all three editions of iOS Forensic Toolkit, covering Windows, macOS, and Linux PCs. Currently, there are two major limitations.

  • The signing certificate is short-lived and expires after 7 days.
    • If subsequent extraction is performed more than 7 days after initial sideloading, one must reinstall the extraction agent.
  • You can only digitally sign the extraction agent on up to 100 devices of each type per year with a single Developer Account (e.g. 100 iPhones and 100 iPads and so on).
    • If you need to process more devices, you will need to enroll additional accounts.
  • When sideloading the extraction agent, the Toolkit will now ask about the type of the Apple ID used (regular or developer).
    • You’ll have to provide the correct answer, or the signing will fail.
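The two constraints above translate into simple bookkeeping a lab can automate. The following is an added example, not Elcomsoft's code: it flags when the 7-day signing window has lapsed and whether a Developer account still has a free slot for a new device. Counting the quota within a membership year that starts on the enrollment anniversary, and the device-type labels, are assumptions.

```python
from dataclasses import dataclass, field
from datetime import date, datetime, timedelta
from typing import Optional

# Limits stated in the post
AGENT_CERT_VALIDITY = timedelta(days=7)
DEVICES_PER_TYPE_PER_YEAR = 100


def needs_reinstall(sideloaded_at: datetime, now: datetime) -> bool:
    """True once the 7-day signing certificate has lapsed, i.e. the agent
    must be sideloaded again before another extraction can run."""
    return now - sideloaded_at > AGENT_CERT_VALIDITY


@dataclass
class DeveloperAccount:
    """Tracks the devices an Apple Developer account has signed for.
    Assumption: the quota resets on the enrollment anniversary."""
    enrolled_on: date
    registered: dict = field(default_factory=dict)  # type -> {udid, ...}
    year_start: Optional[date] = None

    def _membership_year_start(self, on: date) -> date:
        start = self.enrolled_on.replace(year=on.year)
        return start if start <= on else start.replace(year=on.year - 1)

    def _roll_over(self, on: date) -> None:
        # Forget last year's registrations when a new membership year begins
        start = self._membership_year_start(on)
        if self.year_start != start:
            self.year_start, self.registered = start, {}

    def can_sign(self, device_type: str, udid: str, on: date) -> bool:
        """Re-signing a device already counted this year is free; a new UDID
        needs one of the 100 slots for its device type."""
        self._roll_over(on)
        seen = self.registered.get(device_type, set())
        return udid in seen or len(seen) < DEVICES_PER_TYPE_PER_YEAR

    def register(self, device_type: str, udid: str, on: date) -> bool:
        """Record a sideload; returns False if another account is needed."""
        if not self.can_sign(device_type, udid, on):
            return False
        self.registered.setdefault(device_type, set()).add(udid)
        return True


if __name__ == "__main__":
    # Constructed sample: an account enrolled 2023-06-06, one iPhone signed
    acct = DeveloperAccount(enrolled_on=date(2023, 6, 6))
    print(acct.register("iPhone", "constructed-udid-001", date(2025, 5, 15)))
    print(needs_reinstall(datetime(2025, 5, 15), datetime(2025, 5, 23)))
```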

Conclusion

The advancement in the latest build of iOS Forensic Toolkit removes a major barrier that had complicated forensic workflows for years, making iOS acquisition safer, faster, and more convenient for forensic experts and law enforcement professionals.
