Acquiring data from Apple devices, specifically those not susceptible to bootloader exploits (A12 Bionic chips and newer), requires the use of agent-based extraction. This method allows forensic experts to obtain the complete file system from the device, maximizing the amount of data and evidence they can gather using the iOS Forensic Toolkit. In this article, we will discuss some nuances of agent-based iOS device acquisition.
For forensic experts dealing with mobile devices, having a reliable and efficient forensic solution is crucial. Elcomsoft iOS Forensic Toolkit is an all-in-one software that aids in extracting data from iOS devices, yet it is still far away from being a one-button solution that many experts keep dreaming of. In this article, we will walk you through the preparation and installation steps, list additional hardware environments, and provide instructions on how to use the toolkit safely and effectively.
Year after year, the field of digital forensics and incident response (DFIR) presents us with new challenges. Various vendors from around the world are tirelessly striving to simplify and enhance the work of experts in this field, but there are some things you probably do not know about (or simply never paid attention to) that we discussed in the first part of these series. Today we’ll discuss some real cases to shed light onto some vendors’ shady practices.
The market of digital forensic tools is a tight one, just like any other niche market. The number of vendors is limited, especially when catering such specific needs as unlocking suspects’ handheld devices or breaking encryption. However, amidst the promises of cutting-edge technology and groundbreaking solutions, there are certain limitations that forensic vendors often don’t like to disclose to their customers. These limitations can have a significant impact on the applicability, effectiveness and reliability of the tools being offered.
The latest update to iOS Forensic Toolkit brings two new features, both requiring the use of a Raspberry Pi Pico board. The first feature automates the switching of iPhone 8, iPhone 8 Plus, and iPhone X devices into DFU, while the second feature adds the ability to make long, scrollable screen shots in a semi-automatic fashion. In this article we will show how to build, program, and use a Raspberry Pi Pico board to automate DFU mode.
iOS 16 brings many changes to mobile forensics. Users receive additional tools to control the sharing and protection of their personal information, while forensic experts will face tighter security measures. In this review, we’ll talk about the things in iOS 16 that are likely to affect the forensic workflow.
Bootloader-based acquisition is the only 100% forensically sound data extraction method for Apple devices. It is the only way to acquire the full set of data from those devices that run iOS 16, albeit with a huge caveat that makes the whole thing more of a brain exercise than a practical forensic tool. Let’s review the iOS 16 compatibility in iOS Forensic Toolkit and go through the whole process step by step.
Elcomsoft iOS Forensic Toolkit supports checkm8 extraction from all compatible devices ranging from the iPhone 4s and all the way through the iPhone X (as well as the corresponding iPad, iPod Touch, Apple Watch and Apple TV models). The new update removes an important obstacle to the acquisition of the iPhone 7 and iPhone 7 Plus devices running recent versions of iOS.
Mobile forensics is not limited to phones and tablets. Many types of other gadgets, including IoT devices, contain tons of valuable data. Such devices include smart watches, media players, routers, smart home devices, and so on. In this article, we will cover the extraction of an Apple TV 4K, one of the most popular digital media players.
Keychain is an essential part of iOS and macOS that securely stores the most critical data: passwords of all kinds, encryption keys, certificates, credit card numbers, and more. Extracting and decrypting the keychain, when possible, is a must in mobile forensics. We seriously improved this part in the latest build of iOS Forensic Toolkit.