Extracting cloud data becomes increasingly valuable – and increasingly complex at the same time. In scenarios where a target device is physically unavailable cloud extraction is often the only real way to access evidence. This is particularly relevant when devices are secured by an unknown passcode or locked under Apple’s Stolen Device Protection framework without available biometric authentication, rendering traditional extraction techniques ineffective.

We’ve just updated iOS Forensic Toolkit to version 10.0, significantly expanding its low-level extraction capabilities for both the extraction agent and bootloader-based methods. Previously, agent-based extraction was capped at iOS 16.6.1. This release finally covers the remainder of the iOS 16 branch, and adds support for the entire iOS 17  branch as well as iOS 18 through 18.7.1. We have also expanded checkm8 support to cover all the latest OS updates pushed by Apple on devices susceptible to the exploit. Finally, we improved extended logical acquisition support for iOS/iPadOS 26, now pulling significantly more shared data than before.

Perfect Acquisition is the most reliable method to acquire data from an iOS device. It is completely forensically sound – it doesn’t modify a single bit of the filesystem. When supported, this method should always be used over alternatives. This guide outlines the entire process, from acquiring the data dump to decrypting and mounting it for analysis.

We’re expanding our product line with a new tool: Elcomsoft Quick Triage. With this release, we are expanding into an area we had not previously covered – digital forensic triage. EQT is designed to address a very specific need that arises at the earliest stages of an investigation, when time is limited and quick decisions matter. The new tool is not intended to replace full-featured forensic platforms or in-depth analysis. Instead, it focuses on a different phase of the workflow: fast identification, collection, and review of the most relevant evidence before committing resources to a complete examination.

Big news is coming – and this time, it’s from the living room. Our team has successfully extracted a complete file system image from an Apple TV 4K running tvOS 26. This marks the first-ever low-level extraction of Apple’s 26th-generation operating systems, including iOS 26, iPadOS 26, and tvOS 26. No one – not even the major forensic players! – has been able to achieve this before.

The latest update to iOS Forensic Toolkit brought bootloader-level extraction to a bunch of old iPads, Apple TVs, and even the first-gen HomePod running OS versions 17 and 18. This enabled full file system and keychain extraction on a those older Apple devices that can still run these versions of the OS.

In our previous post, Extracting and Analyzing Apple sysdiagnose Logs, we explained the difference between sysdiagnose logs and Apple Unified Logs. Today we’ll show how the latest build of iOS Forensic Toolkit can pull Unified Logs directly from an iPhone or iPad during advanced logical extraction.

Perfect Acquisition is the most sophisticated method for extracting data from compatible iOS devices. This method is completely forensically sound; it doesn’t modify a single bit of the filesystem. When supported, this method should always be used over alternatives. This guide outlines the entire process, from acquiring the data dump to decrypting and mounting it for analysis. Note: this guide applies to iOS Forensic Toolkit 8.80 and newer, in which the process has been made easier to use.

We’ve released an important update to iOS Forensic Toolkit: the Toolkit expands logical acquisition to all newer models of Apple Watch starting from Apple Watch Series 6 (with a wired third-party adapter), Apple Watch Series 7 through 10, SE2, Ultra, and Ultra 2 (via a special wireless adapter). With this update, the Toolkit supports the complete range of Apple Watch devices with no gaps or omissions.

We are excited to announce an update to Elcomsoft iOS Forensic Toolkit that solves a long-lasting issue connected to the installation and use of the low-level extraction agent. In version 8.70, we introduce a critical improvement: you can now sideload and launch the extraction agent completely offline using any Apple Developer account – regardless of when it was created. What exactly changed, and what does that mean for you? Read along to find out.