We’ve released an important update to iOS Forensic Toolkit: the Toolkit now supports logical extraction from Apple Watch Series 6 (with a wired third-party adapter) and Apple Watch Series 7 through 10, SE2, Ultra, and Ultra 2 (via a special wireless adapter). With this update, the Toolkit supports the complete range of Apple Watch devices with no gaps or omissions.

Background

Previously, iOS Forensic Toolkit offered two types of extraction for Apple Watch:

• Full file system extraction with keychain (via the checkm8 exploit) for Apple Watch S0 through S3 – we were, and still remain, the only company in the world offering this capability.
• Logical extraction (media files and diagnostic logs) for Apple Watch S0 through S5, and the first-generation Apple Watch SE.
  (Note: Apple Watches do not have traditional backups like iPhones; logical acquisition provides access to highly valuable data like media and logs.)

The situation changed starting with Series 6.

Apple Watch Series 6

Supporting newer Apple Watch models wasn’t simply a matter of using existing techniques. Starting with the Series 6, Apple introduced a major changes that complicated forensic access. With the release of the Series 6, Apple quietly overhauled the underlying low-level communication protocols. Although the physical diagnostic port remained present (more on that later), the low-level interfaces that previously enabled access were replaced. This required us to build an entirely new driver to handle the communication. Implementing this solution was relatively straightforward on Linux, somewhat more challenging on macOS, and ultimately deemed impractical on Windows due to system limitations and the complexity involved.

As to adapters, Series 6 and earlier models work well with an inexpensive MaAnt 8 in 1 IBUS Adapter available directly from China. We have a comprehensive writeup on various adapters in Apple Watch Forensics: More on Adapters.

Apple Watch Series 7 and Newer

The situation changed even more dramatically with the Apple Watch Series 7. Up to the Series 7 generation, Apple Watch devices featured a hidden diagnostic port. This port allowed a wired connection using a Lightning-based adapter, and for several years, we made extensive use of it. We explored all commercially available adapters, tested their limits, and even went as far as designing and producing our own adapters – a process that consumed considerable time and resources, and which, in hindsight, proved much more complicated and costly than initially anticipated. Nevertheless; with this generation and onward, Apple completely removed the physical diagnostic port. From this point, communication with the device required a proprietary wireless protocol. For a long time, this effectively locked forensic access out – no compatible wireless adapters existed on the market, no official tools were available to facilitate this type of connection, and remember that new communication protocol that appeared in the Series 6? This, too, made things complicated.

Only recently did the first third-party wireless adapters become available. After thorough testing, we identified two viable options: the IBUS X AWRT Adapter for roughly $250 and the MFC IBUS X Tool AWRT Adapter for nearly double the price. Despite differences in build quality and casing, the core of these adapters is remarkably similar. Both are based on a highly sophisticated wireless transceiver board – an internal component likely sourced directly from Apple’s own production line, complete with legitimate part numbers.

The less expensive model works but has a rather rough, hand-assembled feel and feels reliable; we could not make the larger watches (e.g. Ultra, Ultra 2) to work with this adapter at all. In contrast, the more expensive version offers a professionally built, compact, metal-cased solution that seems to deliver better performance and stability. Therefore, we recommend this particular model, which can be bought from various merchants (e.g. mfcbox.com).

Thanks to these hardware breakthroughs, Elcomsoft iOS Forensic Toolkit can now perform logical extraction from Apple Watch Series 7 through 10, as well as SE2, Ultra, and Ultra 2 models. While full file system access remains out of reach for these newer models due to the absence of bootloader-level exploits, logical acquisition still allows investigators to retrieve valuable media files, system logs, and device metadata – a significant step forward in Apple Watch forensics.

How to Use

When performing logical acquisition from Apple Watch Series 6 and newer models with Elcomsoft iOS Forensic Toolkit, there are a few important technical considerations to keep in mind.

First, Windows is not supported for this process. You will need a Mac or a Linux machine.

On macOS, before connecting the Apple Watch, you must launch a special command in a separate terminal window and keep that window open during the entire session. This prepares the system for communication with the watch. Open a terminal and run:

sudo ./tools/usbmuxd -t

Important: After you finish working with the watch, you should restart your Mac. Otherwise, you may encounter issues when trying to connect regular iOS devices such as iPhones or iPads.

On Linux, this extra step is not necessary; you can proceed without running any additional commands.

If the Apple Watch is not recognized, remove it from the adapter, and on macOS, restart the usbmuxd command – interrupt it (Ctrl+C) and then run it again – before trying to reconnect the watch. You may need to repeat this process several times until the device is properly detected.

Make sure that the Apple Watch is unlocked before attempting extraction. If the device is locked, the acquisition will fail.

Once the watch is recognized and connected, do not move or adjust the device on the adapter. The connection must remain stable throughout the session. Please note that properly positioning the watch can be particularly tricky, especially with larger models from the latest series (such as the Ultra or Series 9/10). It may take a few attempts to align the device correctly with the wireless adapter.

Forensic Implications

Thanks to these advances, investigators and forensic specialists can now acquire data from Apple Watch Series 6–10, SE2, Ultra, and Ultra 2 using Elcomsoft iOS Forensic Toolkit using the logical acquisition process, provided the appropriate wired or wireless adapters are available.

Logical acquisition includes:

• Media files (mostly thumbnail-size photos)
• System and diagnostic logs
• Metadata (device information, installation records, etc.)

While full file system extraction remains unavailable for these newer models (due to lack of public low-level exploits), the ability to retrieve user data and logs still provides crucial evidence in many investigations.

More Information

Here’s some extra information on Apple Watches wireless connectivity:

• The Apple Watch Series 7 officially ditches the hidden diagnostic port | The Verge
• Proprietary Dock Apple Uses to Wirelessly Troubleshoot Apple Watch Series 7 Surfaces in Regulatory Database – MacRumors

Conclusion

The latest update greatly expands our existing Apple Watch support and brings new forensic capabilities to newer models, which had previously remained inaccessible due to significant hardware and protocol changes introduced by Apple.