Archive for the ‘Tips & Tricks’ category

A new update to iOS Forensic Toolkit is out. The headline feature is an alternative installation method for the extraction agent – that is, deploying it onto an iPhone while bypassing the mandatory pairing requirement. The agent can now be delivered across the network, which removes a number of limitations that came with the usual cable-based installation. One requirement up front: the device must already be unlocked – in other words, the passcode must be known. This method does not work with a fully locked iPhone.

If you have an Apple device running iOS 18 or iOS 26 and have gone looking for the old Get Verification Code option under Settings → [user name] → Sign-In & Security, you’ve probably noticed it’s no longer there. A quick search turns up forum threads, support comments, and even GitHub issues all reaching the same conclusion: Apple removed it. Some posts go further and call it “deprecated” or “Apple’s middle finger to users of older devices.” That conclusion is wrong. The option still exists in iOS 26. It just doesn’t show up the way it used to.

Elcomsoft Phone Breaker 11.2 adds the ability to download iCloud backups created on devices running iOS and iPadOS 26 and, by extension, iOS/iPadOS 27 beta. With this release, Elcomsoft Phone Breaker becomes the first and only third-party tool capable of pulling these backups from Apple’s cloud. That might read like a routine compatibility update. It isn’t. In iOS 26, Apple reworked its iCloud backup mechanism from the ground up, breaking every third-party tool that relied on the previous scheme. Restoring access meant rebuilding a large part of our cloud extraction pipeline. Below is what changed, what we did about it, and where the current build still has rough edges.

Over the years, we have published several articles about the extraction agent. However, the underlying technology changes quickly, and incremental changes often have significant cumulative effects. As a result, many of our older posts are no longer relevant and can be misleading if followed to the letter today. While last year’s recap, Installing and Troubleshooting the Extraction Agent (2025), remains a solid foundation for general setup, it does not account for the most recent hardware and software developments. This article serves as the definitive point of reference, providing an up-to-date recap of everything you need to know about the extraction agent as of May 2026.

We’ve just updated iOS Forensic Toolkit to version 10.0, significantly expanding its low-level extraction capabilities for both the extraction agent and bootloader-based methods. Previously, agent-based extraction was capped at iOS 16.6.1. This release finally covers the remainder of the iOS 16 branch, and adds support for the entire iOS 17 branch as well as iOS 18 through 18.7.1. We have also expanded checkm8 support to cover all the latest OS updates pushed by Apple on devices susceptible to the exploit. Finally, we improved extended logical acquisition support for iOS/iPadOS 26, now pulling significantly more shared data than before.

The release of the checkm8 exploit was a breakthrough for mobile forensics, finally granting investigators verifiable access to the file systems of various Apple devices. This accessibility established the current “gold standard” for extraction: using the bootloader exploit to access the file system and dump it into a simple tar archive. While convenient, a tar archive is merely a logical copy, not a physical one. It may fail to capture the device’s true state, missing certain low-level nuances. Truth be told, these nuances are rarely relevant to real investigations, but why settle for less when a better method is available? More importantly, this approach avoids the “teething problems” of traditional bootloader extraction – such as the mishandling of large sparse files – that continue to plague even the largest forensic vendors.

Perfect Acquisition is the most reliable method to acquire data from an iOS device. It is completely forensically sound – it doesn’t modify a single bit of the filesystem. When supported, this method should always be used over alternatives. This guide outlines the entire process, from acquiring the data dump to decrypting and mounting it for analysis.

We’re expanding our product line with a new tool: Elcomsoft Quick Triage. With this release, we are expanding into an area we had not previously covered – digital forensic triage. EQT is designed to address a very specific need that arises at the earliest stages of an investigation, when time is limited and quick decisions matter. The new tool is not intended to replace full-featured forensic platforms or in-depth analysis. Instead, it focuses on a different phase of the workflow: fast identification, collection, and review of the most relevant evidence before committing resources to a complete examination.

Big news is coming – and this time, it’s from the living room. Our team has successfully extracted a complete file system image from an Apple TV 4K running tvOS 26. This marks the first-ever low-level extraction of Apple’s 26th-generation operating systems, including iOS 26, iPadOS 26, and tvOS 26. No one – not even the major forensic players! – has been able to achieve this before.

Our customers often ask us which exact iOS versions are supported by iOS Forensic Toolkit. There’s always a temptation to answer “all of them,” and while that answer is technically correct, there are a lot of caveats. The devil is in the details, and the real answer depends on what you mean by “support”.