A Comprehensive Guide to Essential Tools for Elcomsoft iOS Forensic Toolkit

January 3rd, 2024 by Elcomsoft R&D
Category: «Mobile», «Tips & Tricks»

Elcomsoft iOS Forensic Toolkit (EIFT) is a powerful software designed to acquire data from various Apple devices, ranging from iPhones to HomePods. However, to make the most of this tool, you’ll need more than just the software itself. In this article, we will quickly review the mandatory and optional accessories that are essential for the effective use of the product.

Please note: throughout this article, we have provided links to original Apple hardware where available. However, these links are purely for reference purposes. You don’t have to use the originals; third-party alternatives can be considered, which are widely available on well-known trade sites at a significantly lower cost.

The tool: Elcomsoft iOS Forensic Toolkit (EIFT)

iOS Forensic Toolkit is a feature-rich software that allows you to extract data from Apple devices. It offers a wide range of features and supports both advanced logical extraction and multiple low-level extraction methods ranging from agent-based file system extraction to forensically sound acquisition through checkm8, making it one of the most comprehensive tools available for this purpose. Obviously, you’ll need the Toolkit itself, but that’s not all: you will also need a USB protection dongle to run the product. If you are a new customer, you will receive the dongle in the mail. If you are renewing your license, the dongle can be easily updated online. To sum it up, EIFT consists of:

  1. Elcomsoft iOS Forensic Toolkit (Windows, Linux, and Mac editions)
  2. USB license dongle

A Mac, Linux, or Windows PC

EIFT is compatible with Windows, Linux, and macOS platforms. Some features are exclusive to Linux and macOS editions, and are not supported on Windows:

  1. checkm8: This bootrom exploit, which our software relies on for forensically sound extractions, currently works only on macOS and Linux due to USB driver dependencies.
  2. Serial debugging: Although not frequently required, there may be unique device/iOS combinations that need further debugging, and macOS and Linux editions support this feature.
  3. SSH access: This feature is quite useful when you only need specific data instead of a full file system image, among other cases.

In addition, some features are only available in the Mac edition. Currently there is a single feature exclusive to macOS:

  1. Agent extraction using non-developer accounts: This process is much simpler on macOS compared to other platforms.

We support and recommend Macs based on Apple Silicon, including the different versions of M1, M2, and M3 SoC.

Raspberry Pi Pico

The Pico is an affordable (in the $5-$10 range) microcontroller that is a must-have accessory for EIFT. We recommend obtaining three pieces to avoid reflashing the units when using them for different purposes. The Pico can be utilized for the following purposes:

  1. Apple A5/A5X exploit: The Pico can be used to exploit these specific Apple chips.
  2. Automated screenshots: The Pico enables automated screen capturing.
  3. Automated entering into DFU mode (A11+ devices): The Pico simplifies the process of entering DFU mode for devices with A11 chips or later.

Additional cables and connections are required for these tasks, as mentioned in the following sections.

Raspberry Pi 4

We highly recommend using a Raspberry Pi 4 to assist in installing the EIFT acquisition agent. This device acts as a firewall during installation of the acquisition agent. While it’s possible to use the software macOS-based firewall alone, the Raspberry Pi solution is more reliable and user-friendly. We also support Raspberry Pi 3B/3B+, Orange Pi 5, and Orange Pi R1 Plus RTS, yet we continue to recommend the Raspberry Pi 4 as the most versatile and community-supported option.

Additionally, you’ll need a USB-C power supply with the appropriate cable for the Raspberry Pi.

Cables

While you might assume that an Apple Lightning cable would suffice, it’s not nearly enough. The standard cables required are:

  1. USB-C to Lightning (recommended for logical and agent-based acquisition; faster and more reliable than the USB-A variant)
  2. USB-A to Lightning (required for checkm8-based acquisition)
  3. USB-A to Apple 30-pin

In addition, you’ll need some extra cables:

  1. Micro-USB to USB-A Female (OTG) for connecting the iPhone/iPad devices to the Raspberry Pi Pico
  2. USB-A to micro-USB for flashing the Raspberry Pi Pico
  3. Two Ethernet cables

Adapters

You’ll also need a few adapters, especially for devices other than the iPhone or iPad:

  1. GoldenEye (Foxlink X892) adapter (for Apple TV)
  2. Apple Watch Universal Adapter or individual 38/40/42/44mm adapters for Apple Watch S0/S1; S2/S3; S4/S5/S6, and SE (1st gen).
  3. Apple HomePod adapter (3D-printable)

Furthermore, these adapters are essential:

  1. USB-A to 5V+ground Dupont pins (to power up Raspberry Pi Pico)
  2. Apple original Lightning to USB 3 Camera Adapter
  3. DIY adapter Lightning to 5V+ground+data Dupont pins for automating DFU mode on certain devices
  4. USB-A to Ethernet
  5. Lightning to Ethernet

Essential extras

You will require the following extras when performing certain activities:

  1. microSD card and card reader: You’ll need these to boot the Raspberry Pi. You probably have a few of those lying around. A 4GB card is enough to boot the Raspberry Pi, yet faster versions are usually available only in larger capacities.
  2. USB-C hub with USB-A ports: This is highly recommended as the checkm8 exploit works more reliably with it (although a USB-C to USB-A adapter can be used instead). You will also need one to plug the EIFT USB dongle if your computer is short of USB-A ports.
  3. USB mouse: A USB mouse is a must for the screenshot solution, as it sometimes works more smoothly when used in conjunction with a mouse.

Optional extras

There are a few additional items that we recommend:

  1. DSCD adapter for serial debugging: This adapter is recommended for solving issues with specific devices running specific versions of Apple’s operating system.
  2. External disk (preferably NVMe with USB-C interface): An external disk is indispensable for saving device extractions. Make sure to use a disk with enough free space as modern mobile devices come with capacities of up to 1 TB.
  3. Faraday bag and power bank.

Knowledge and expertise

No combination of hardware and software can fulfill all your mobile forensic needs. The acquisition methods available to retrieve data from a device depend on its model and operating system version. It’s crucial to be prepared in advance and have a thorough understanding of the available options.

Finally, it’s essential to understand that no single-button solution exists. Regardless of the software and hardware you possess, waiting for a magic one-click solution will not yield results. Comprehensive and effective mobile forensics requires expertise, effort, and a deep understanding of the tools at your disposal.
