For a long time, the macOS version of iOS Forensic Toolkit remained the most feature-complete. Only macOS supported bootloader-level acquisition using checkm8, installation of the extraction agent with regular Apple IDs, and use of wireless adapters for Apple Watch analysis. All of these capabilities are now available in the Linux build as well, eliminating the need for a Mac in many workflows. This guide explains how to properly install and use EIFT on a Linux system.
The Linux build includes the full functionality previously exclusive to macOS and surpasses the Windows version. It supports low-level data extraction via the checkm8 bootloader exploit, agent installation without MDM or developer access, and acquisition from Apple Watch via wireless adapters (not supported on Windows). All other major features available on macOS are also present in the Linux version. For feature comparison, please refer to the following article: iOS Forensic Toolkit: macOS, Windows, and Linux Editions Explained.
Check compatibility: The Linux edition has been tested on multiple Linux distributions and officially supports the current Debian, Ubuntu, Kali Linux, and Mint releases. Make sure you are running one of these distributions.
Download the EIFT.zip archive. Do not unzip it on Windows – symbolic links may be lost or corrupted. Transfer the untouched ZIP file to a Linux system using USB or network transfer.
Common mistake: Unzipping on Windows and transferring the folder results in broken symlinks. Always unzip on Linux.
Copy the archive to the desktop. Open a terminal and escalate privileges with:
sudo su
Type unzip (with trailing space), then drag the ZIP file from the desktop into the terminal to complete the command and press Enter.
Change into the extracted directory. Type cd (with trailing space) and drag the EIFT folder into the terminal window, then press Enter. For example, the two completed commands look like this:
unzip '/home/username/Desktop/file'
cd '/home/username/Desktop/folder'
Install dependencies:
sudo apt install ./com.elcomsoft.eift-dependency.deb
To run the toolkit:
./EIFT_cmd [parameters]
Case sensitivity matters – the filename must be entered exactly as shown.
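The broken-symlink mistake described above can be checked for after extraction. The following is an added example, not part of the toolkit or the original guide: it lists the entries a ZIP archive stores as Unix symlinks and reports any that did not end up as symlinks on disk. It assumes the archive was created on a Unix system, so link entries carry their mode in the ZIP metadata; the script name check_links.py and the file names in the sample archive are constructed for illustration.

```python
import os
import stat
import zipfile


def symlink_entries(zip_path):
    """Return {archive name: link target} for entries stored as Unix symlinks."""
    links = {}
    with zipfile.ZipFile(zip_path) as zf:
        for info in zf.infolist():
            # Unix-created ZIPs keep st_mode in the upper 16 bits of external_attr.
            mode = info.external_attr >> 16
            if stat.S_ISLNK(mode):
                # For a symlink entry, the stored "file content" is the link target.
                links[info.filename] = zf.read(info).decode("utf-8", "replace")
    return links


def broken_symlinks(zip_path, extracted_root):
    """List (name, target, state) for archive symlinks that are wrong on disk."""
    problems = []
    for name, target in sorted(symlink_entries(zip_path).items()):
        path = os.path.join(extracted_root, name)
        if not os.path.lexists(path):
            problems.append((name, target, "missing"))
        elif not os.path.islink(path):
            # Typical result of unzipping on Windows and copying the folder over.
            problems.append((name, target, "not a symlink"))
        elif os.readlink(path) != target:
            problems.append((name, target, "points to " + os.readlink(path)))
    return problems


def make_sample_zip(zip_path):
    """Constructed sample archive: one regular file and one symlink to it."""
    with zipfile.ZipFile(zip_path, "w") as zf:
        zf.writestr("demo/lib/libdemo.so.1", b"constructed payload")
        link = zipfile.ZipInfo("demo/lib/libdemo.so")
        link.create_system = 3  # 3 = Unix, so external_attr carries st_mode
        link.external_attr = (stat.S_IFLNK | 0o777) << 16
        zf.writestr(link, "libdemo.so.1")


if __name__ == "__main__":
    import sys
    if len(sys.argv) != 3:
        sys.exit("usage: check_links.py ARCHIVE.zip EXTRACTED_DIR")
    bad = broken_symlinks(sys.argv[1], sys.argv[2])
    for name, target, state in bad:
        print(f"{name} -> {target}: {state}")
    sys.exit(1 if bad else 0)
```

An empty report with exit status 0 means every link entry in the archive exists as a symlink with the recorded target; any reported line means the folder should be deleted and the untouched ZIP extracted again on Linux.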
If no Linux or macOS system is available, use the Live Linux version. It’s a bootable image based on a preconfigured Ubuntu environment with EIFT preinstalled. This version includes full support for checkm8, wireless Apple Watch acquisition, and all other macOS/Linux-only features. Dependencies are preconfigured; the system is ready immediately after boot. It runs on most systems with Intel or AMD CPUs. An experimental ARM build (e.g., for Raspberry Pi 5) is also available for testing.