Perfect Acquisition: The True Physical Acquisition

February 16th, 2026 by Vladimir Katalov
Category: «Mobile», «Tips & Tricks»

The release of the checkm8 exploit was a breakthrough for mobile forensics, finally granting investigators verifiable access to the file systems of various Apple devices. This accessibility established the current “gold standard” for extraction: using the bootloader exploit to access the file system and dump it into a simple tar archive. While convenient, a tar archive is merely a logical copy, not a physical one. It may fail to capture the device’s true state, missing certain low-level nuances. Truth be told, these nuances are rarely relevant to real investigations, but why settle for less when a better method is available? More importantly, this approach avoids the “teething problems” of traditional bootloader extraction – such as the mishandling of large sparse files – that continue to plague even the largest forensic vendors.

Perfect Acquisition challenges the standard bootloader extraction process by returning to the roots of digital forensics: true physical extraction. Instead of letting the device SEP handle the decryption on a per-file basis – walking the filesystem and copying files one by one – this new method creates a complete, block-level image of the encrypted storage. With modern iOS encryption, this means the physical dump is theoretically just “noise” without the proper keys. Our approach solves that problem by extracting the decryption keys and utilizing a proprietary driver to mount and decrypt the image on-the-fly. Essentially, Perfect Acquisition delivers a pure physical dump without modifying a single bit of evidence on the target device.

Supported devices and compatibility

Perfect Acquisition is compatible with a wide range of Apple hardware sharing vulnerable chipsets. The extraction process, including full bit-for-bit imaging and passcode recovery where applicable, supports the following device categories:

  • iPhone: 3GS, 4, 4s, 5, 5c, 6, and 6 Plus
  • iPad: 1, 2, 3, 4, Mini 1, Mini 4, and Air 2
  • iPod Touch: 3rd, 4th, 5th, and 6th generations
  • Apple TV: 2, 3, and 4 (HD)
  • Other: Apple Watch S0 and HomePod (1st generation)

Notably, this exact same extraction process works reliably across these categories.

Because the checkm8 exploit relies on very low-level USB communication, it requires specific host operating systems. Due to these low-level requirements, the actual physical extraction and passcode recovery phases are currently supported only on macOS and Linux hosts (including Live USB environments).

However, once the encrypted disk image and the decryption keys are successfully extracted, the analysis phase becomes completely platform-independent. You are no longer tied to macOS or Linux; you can work with the extracted files on any system, including Windows. While our main toolkit includes built-in mounting features, we also provide a free, standalone mounting utility.

The passcode unlock

Perfect Acquisition stands alone as the only extraction method capable of performing a true passcode unlock on supported devices. While standard checkm8 implementations often require the operator to know the passcode beforehand – or force them to remove it, altering the evidence – our approach leverages an exploit to attack the Secure Enclave Processor (SEP) directly. This allows the toolkit to systematically test combinations on the device itself, eventually recovering the correct passcode and extracting the full suite of decryption keys needed to mount the user partition.

This capability is particularly potent on devices running iOS 12.1 and earlier. In these cases, the method can recover the passcode even if the device has been disabled following ten failed unlock attempts, a state that usually renders the data permanently inaccessible. The speed of recovery is practical for real-world labs: a 4-digit PIN takes approximately 6 minutes to crack, while a 6-digit code requires about 10 hours. This functionality effectively resurrects devices that were previously considered dead ends, providing full physical access where other extraction methods would simply fail. On newer (>12.1) versions of iOS the passcode unlock is also available, yet the recovery speed can be unpredictable, ranging from about 11 seconds to 4 minutes per single passcode variant.

Importantly, we not only recover the passcode – this would do little by itself for already blocked devices – but also make it possible to decrypt the extracted data.

Dealing with difficult devices

Perfect Acquisition shines where logical extraction often struggles: handling difficult devices that are partially bricked or unstable. Whether the instability stems from a failed iOS update causing issues with the Secure Enclave Processor (SEP) or a previous botched extraction attempt by different forensic tools (we won’t point any fingers, but we have seen it numerous times with tools from renowned vendors), the result is often a filesystem that refuses to mount or traverse normally.

The same logic applies to structural damage within the filesystem itself, such as corruption caused by a sudden battery failure or forced shutdown. When a standard extraction tool encounters a corrupted file node, it often hangs, crashes, or skips data entirely, leaving the investigator with an incomplete dataset. A bit-for-bit image, however, is indifferent to the logical health of the data it copies. It reads the storage sequentially at a constant, stable speed, capturing every block with bit precision regardless of whether the filesystem considers it valid or corrupt. This makes it the most reliable option for securing evidence from devices that are too damaged to function normally.

A straightforward DMG workflow

From a workflow perspective, the difference between a raw disk image and a tar archive is night and day. A tar file is effectively a serialized stream of data; it lacks a central index or catalog, meaning there is no true random access. To retrieve a single file located at the end of the archive, the software must parse through the data that precedes it, turning simple analysis tasks into time-consuming operations.

In contrast, a disk image (.dmg) functions as a virtual drive. When mounted – especially using our driver that presents it as a readable disk – it offers instant random access to the entire file system. Investigators can browse the directory structure, open individual files immediately, and navigate the evidence just as they would on a local drive, eliminating the overhead of extraction or indexing delays.

The limitations of tar extend beyond mere inconvenience. Even when “mounted” by third-party tools, navigation is often sluggish as the software parses the stream to locate specific files. However, the critical failure often occurs during the actual unpacking process. Standard extraction utilities – and even some dedicated forensic viewers we have tested – can mishandle metadata during this conversion. Most notably, the act of unpacking may reset the Access Time (atime) of files to the current system time. This process effectively erases a layer of interaction history, leaving the investigator with a less reliable timeline.

This loss of temporal data compromises more than just the accuracy of the chronology; it blinds the investigator to subtle anomalies. Accurate, granular timestamps are essential for detecting advanced threats – such as the Pegasus spyware – where minute discrepancies between creation, modification, and access times can reveal the injection of malware or the execution of unauthorized scripts. Furthermore, these timestamps are a primary method for identifying anti-forensic tampering. By flattening these sensitive metadata fields during the unpacking process, tar-based workflows can inadvertently obscure the very traces that a forensic examination is meant to uncover.

The sparse file trap

The Apple File System (APFS) manages storage efficiency through the use of sparse files – data structures that appear logically huge to the operating system but occupy very little actual space on the disk. For example, a file might report a size of several gigabytes, yet if it consists mostly of empty space, it may only consume a few kilobytes of physical storage. While this is a clever optimization for the device, it becomes a significant liability during standard filesystem-based extraction. When a forensic tool attempts to copy these files into a tar archive, it may read the file’s logical size rather than its physical footprint. The tool then asks the filesystem for the entire data stream, causing the operating system to generate gigabytes of “empty” zeros to fill the gaps, effectively inflating a tiny file into a massive one during the transfer.

This inflation can lead to a confusing paradox where the size of the extracted data exceeds the total storage capacity of the device itself. Users of major forensic platforms, including Cellebrite and Oxygen, frequently report failed extractions or full target drives caused by this exact issue. Because filesystem-based extraction is unaware of the underlying physical allocation, it can blindly copy this empty data, wasting time and storage space. For a deeper technical explanation of this behavior, the article APFS: How sparse files work by Eclectic Light offers an excellent breakdown of the mechanics involved.

Perfect Acquisition avoids this trap entirely by ignoring the file system’s logical reporting. Since it creates a bit-for-bit image of the physical storage partition, it captures the data exactly as it is written to the NAND memory. It does not interpret files or expand sparse regions; it simply records the physical blocks. This ensures that a 64GB iPhone results in exactly a 64GB image, regardless of how the filesystem manages its internal logic. This method guarantees a 1:1 copy without the risk of inflation, ensuring that the evidence is preserved exactly as it exists on the hardware.
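To make the sparse file trap concrete, here is an added Python demonstration (not part of the original article and not Elcomsoft's own code): it builds a constructed sparse file, shows that a naive stream copy has to read the full logical size, and then copies it hole-aware with SEEK_DATA/SEEK_HOLE as a Linux or macOS host can. The file name, sizes and contents are made up for the demo.

```python
import os
import tempfile
# Constructed sample: a 16 MiB hole followed by five real bytes (not a device image).
LOGICAL_SIZE = 16 * 2**20 + 5
def make_sparse_file(path):
    # Seeking past EOF before writing leaves a hole: no blocks are allocated for it.
    with open(path, "wb") as f:
        f.seek(LOGICAL_SIZE - 5)
        f.write(b"DATA!")

def copy_naive(src, dst):
    # The trap: streaming the logical file materialises every hole as zeros.
    total = 0
    with open(src, "rb") as fi, open(dst, "wb") as fo:
        while chunk := fi.read(1 << 20):
            total += fo.write(chunk)
    return total  # equals the logical size, however little is really allocated

def copy_hole_aware(src, dst):
    # Walk only allocated extents (SEEK_DATA/SEEK_HOLE, Linux and macOS), recreating each
    # hole in dst by seeking over it; src is unbuffered so os.lseek() and read() share an offset.
    total, pos = 0, 0
    with open(src, "rb", buffering=0) as fi, open(dst, "wb") as fo:
        fd, end = fi.fileno(), os.fstat(fi.fileno()).st_size
        while pos < end:
            try:
                start = os.lseek(fd, pos, os.SEEK_DATA)   # next allocated byte
                pos = os.lseek(fd, start, os.SEEK_HOLE)   # end of this data extent
            except OSError:                               # ENXIO: only a hole remains
                break
            fi.seek(start)
            fo.seek(start)                                # skipping ahead leaves a hole in dst
            while start < pos:                            # copy the extent in bounded chunks
                n = fo.write(fi.read(min(1 << 20, pos - start)))
                start, total = start + n, total + n
        fo.truncate(end)                                  # keep trailing hole and logical size
    return total

def demo():
    # Build the sample, copy it both ways, and report sizes and the bytes each copy had to read.
    with tempfile.TemporaryDirectory() as d:
        src, naive, aware = (os.path.join(d, n) for n in ("src", "naive", "aware"))
        make_sparse_file(src)
        st = os.stat(src)
        result = {"logical": st.st_size, "physical": st.st_blocks * 512,  # what ls vs du report
                  "naive_bytes_read": copy_naive(src, naive),
                  "aware_bytes_read": copy_hole_aware(src, aware)}
        with open(src, "rb") as a, open(naive, "rb") as b, open(aware, "rb") as c:
            result["content_identical"] = a.read() == b.read() == c.read()
        return result
```

On a filesystem without hole support the kernel's generic SEEK_DATA/SEEK_HOLE fallback simply reports one data extent, so the hole-aware copy degrades to a plain copy rather than failing.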

Timestamps by the nanosecond and metadata integrity

Standard file system extraction relies on tar – a relic of a much simpler computing era. Tar archives struggle to store modern file system attributes, typically preserving Modification Time and, in many toolchains, Access Time at best. Furthermore, tar metadata is commonly handled at one-second precision by default. While a one-second margin of error rarely breaks a case, it represents a loss of fidelity that gnaws at the conscience of a forensic purist, leaving behind a digital footprint that is just slightly fuzzier than the original.

Perfect Acquisition, on the other hand, is an exercise in technical maximalism. By capturing the raw filesystem, we preserve all four native timestamps: Birth, Modified, Accessed, and Changed. More impressively, APFS records these events with nanosecond precision. Do you strictly need to know that a suspect opened a photo at exactly 14:02:05.123456789? Probably not. In the vast majority of real-world investigations, knowing the second – or even the minute – is plenty. But we developed this method to chase down that elusive last 1% of forensic soundness, ensuring that precise data is preserved simply because it can be. It is a technical triumph for its own sake, guaranteeing that if you ever do need that level of granular detail, it is there waiting for you, untouched and mathematically perfect.
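As an added illustration of the two points made about tar on this page (the Access Time reset during unpacking and the loss of sub-second precision), and not code from the article or from Elcomsoft's toolkit: the Python script below stamps a file with constructed nanosecond timestamps, round-trips it through Python's own tarfile module, and reports which fields survive. The file name and timestamps are made up for the demo.

```python
import os
import tarfile
import tempfile

# Constructed nanosecond timestamps, one minute apart, standing in for APFS records.
ATIME_NS = 1_700_000_000_111_222_333
MTIME_NS = 1_700_000_060_123_456_789

def tar_roundtrip(fmt=tarfile.PAX_FORMAT):
    # Stamp a file, pack and unpack it with tar, and report which fields survived.
    with tempfile.TemporaryDirectory() as d:
        src = os.path.join(d, "evidence.txt")
        with open(src, "wb") as f:
            f.write(b"constructed sample\n")
        os.utime(src, ns=(ATIME_NS, MTIME_NS))
        before = os.stat(src)   # taken before tar reads the file, so atime is still ours

        archive = os.path.join(d, "fs.tar")
        with tarfile.open(archive, "w", format=fmt) as tar:
            tar.add(src, arcname="evidence.txt")

        out = os.path.join(d, "out")
        os.mkdir(out)
        with tarfile.open(archive, "r") as tar:
            # Python 3.12+ offers extraction filters; use the safe one when present.
            kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
            tar.extractall(out, **kwargs)
        after = os.stat(os.path.join(out, "evidence.txt"))

    return {
        "mtime_ns_before": before.st_mtime_ns,
        "mtime_ns_after": after.st_mtime_ns,
        # ustar keeps whole seconds; pax keeps a decimal string made from a double.
        # Either way the original nanoseconds do not come back; only the second is reliable.
        "mtime_second_preserved": before.st_mtime_ns // 10**9 == after.st_mtime_ns // 10**9,
        "mtime_ns_preserved": before.st_mtime_ns == MTIME_NS == after.st_mtime_ns,
        # tarfile never stored atime at all; on extraction it sets atime to mtime
        # (other unpackers leave it at the current time, which the article describes).
        "atime_preserved": before.st_atime_ns == after.st_atime_ns,
        "atime_second_before": before.st_atime_ns // 10**9,
        "atime_second_after": after.st_atime_ns // 10**9,
    }
```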

Conclusion

We realize that much of this article might sound like an exercise in pure theory – a deep dive into the microscopic details of file systems that most users will never see. And in a way, that is the current reality of the industry. We can write volumes about the importance of correctly preserved timestamps or the dangers of sparse file inflation, but these “minor details” will remain theoretical until the major forensic vendors decide to prioritize them.

Right now, the industry seems far more interested in bolting on the latest “AI” buzzwords for marketing brochures than in addressing the fundamental mechanics of evidence preservation. We are doing our part: extracting data as completely and correctly as the state of the art allows. But for the end user to actually benefit from this precision, the rest of the ecosystem needs to catch up. Until then, we will keep providing the best possible image – because even if the analysis tools aren’t ready for it yet, the evidence deserves nothing less.
