The release of macOS Catalina brought the usual bunch of security updates. One of those new security features directly affects how you install Elcomsoft iOS Forensic Toolkit on Macs running the new OS. In this guide we’ll provide step-by-step instructions on installing and running iOS Forensic Toolkit on computers running macOS 10.15 Catalina. Note: on macOS Catalina, you must use iOS Forensic Toolkit 5.11 or newer (older versions may also work but are not recommended).
In macOS 10.15, Apple made running third-party apps slightly more difficult. The new security measure is designed to prevent users from accidentally running apps downloaded from the Internet by quarantining files obtained from sources that aren’t explicitly whitelisted by Apple.
As Elcomsoft iOS Forensic Toolkit is not distributed through the Apple App Store, our tool falls under this restriction and will be quarantined once you install it.
Technically speaking, the system sets the quarantine flag when an agent (such as the Web browser, email client or another app) saves a file to the computer. When you first try to open an app you’ve downloaded from the internet, the OS will display a warning message and prevent you from launching the app.
In order to launch Elcomsoft iOS Forensic Toolkit, you’ll have to remove the quarantine flag by running the following command through the system’s terminal.
xattr -r -d com.apple.quarantine <path_to_dmg>
In order to install EIFT on a Mac running macOS Catalina, follow the instructions in the next chapter.
Follow these steps to install iOS Forensic Toolkit:
xattr -r -d com.apple.quarantine <path_to_dmg>
For example, if you saved the DMG on your desktop, use this command:
xattr -r -d com.apple.quarantine Desktop/iOS-Toolkit-5.11-Mac.dmg
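Before removing the flag, it helps to see which agent set it and to confirm afterwards that it is gone. The script below is an added example, not part of Elcomsoft's instructions; the function names are hypothetical, the sample value is constructed, and the `flags;hex_time;agent;uuid` layout is the commonly observed format of the attribute, assumed here rather than taken from this page.

```shell
#!/bin/bash
# Added example: inspect com.apple.quarantine before removing it.

# Split a quarantine value "flags;hex_time;agent;uuid" into labelled fields.
# Returns 1 if the flags or timestamp field is missing or not hexadecimal.
parse_quarantine() {
    local value="$1" flags stamp agent uuid
    IFS=';' read -r flags stamp agent uuid <<EOF
$value
EOF
    [ -n "$flags" ] && [ -n "$stamp" ] || return 1
    case "$flags$stamp" in
        *[!0-9A-Fa-f]*) return 1 ;;
    esac
    # The timestamp is hex-encoded Unix epoch seconds; print it in decimal.
    printf 'flags=0x%s epoch=%d agent=%s event=%s\n' \
        "$flags" "0x$stamp" "${agent:-unknown}" "${uuid:-none}"
}

# Show who quarantined the file, remove the flag, then confirm it is gone.
unquarantine() {
    local path="$1" value
    if ! value=$(xattr -p com.apple.quarantine "$path" 2>/dev/null); then
        echo "no quarantine flag on $path"
        return 0
    fi
    parse_quarantine "$value" || echo "unrecognised value: $value"
    xattr -r -d com.apple.quarantine "$path" || return 1
    if xattr -p com.apple.quarantine "$path" >/dev/null 2>&1; then
        echo "flag still present on $path" >&2
        return 1
    fi
    echo "quarantine flag removed from $path"
}

# Constructed sample value (not taken from a real download).
SAMPLE='0083;5d9c2a1b;Safari;11111111-2222-3333-4444-555555555555'
parse_quarantine "$SAMPLE"

# On the Mac itself, using the DMG path from the example above:
#   unquarantine Desktop/iOS-Toolkit-5.11-Mac.dmg
```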
There are several changes in macOS 10.15 making many forensic tools incompatible with the new OS. iOS Forensic Toolkit fully supports macOS Catalina from version 5.11 onwards.
Establishing trust
As you may know, macOS Catalina ditches the iTunes app. As a result, establishing trust with the iPhone you connect to your Mac now looks as follows:
Logical acquisition
This is how you extract a backup from the iPhone:
The detailed coverage of all iOS Forensic Toolkit features, issues and limitations is available in the product manual.
We have recently covered some EIFT issues on the Windows platform; see iOS Acquisition on Windows: Tips&Tricks for more details.