checkm8: Advancements in iOS 16 Forensic Extraction

March 15th, 2024 by Elcomsoft R&D

In iOS device forensics, the process of low-level extraction plays a crucial role in accessing essential data for analysis. Bootloader-level extraction through checkm8 has consistently been the best and most forensically sound method for devices with a bootloader vulnerability. But even though we brought the best extraction method to Linux and Windows in recent releases, support for iOS 16 on these platforms was still lacking behind. In this article we’ll talk about the complexities in iOS 16 extractions and how we worked around them in the newest release of iOS Forensic Toolkit.

Read the rest of this entry »

A Comprehensive Instruction Manual on Installing the Extraction Agent

December 27th, 2023 by Oleg Afonin

This guide covers the correct installation procedure for Elcomsoft low-level extraction agent, an integral part of iOS Forensic Toolkit that helps extracting the file system and keychain from supported iOS devices. This instruction manual provides a step-by-step guide for setting up a device and installing the extraction agent. We’ve included suggestions from troubleshooting scenarios and recommendations we derived during testing.

Read the rest of this entry »

iOS 17.3 Developer Preview: Stolen Device Protection

December 20th, 2023 by Oleg Afonin

The first developer beta of iOS 17.3 includes Stolen Device Protection, a major new security feature designed to protect the user’s sensitive information stored in the device and in iCloud account if their iPhone is stolen and the thief gets access to the phone’s passcode. This optional feature could represent a significant change in how Apple looks at security, where currently the passcode is king. At this time, no detailed documentation is available; developers are getting a prompt to test the feature when installing the new beta.

Read the rest of this entry »

iOS Forensic Toolkit: Exploring the Linux Edition

November 30th, 2023 by Oleg Afonin

The latest update of iOS Forensic Toolkit brought an all-new Linux edition, opening up a world of possibilities in mobile device analysis. The highly anticipated Linux edition preserves and expands the features previously available to macOS and Windows users. Forensic professionals can now perform advanced logical and low-level extractions with the aid of a custom extraction agent and extract information using the bootloader-level exploit, making forensic analysis more accessible on Linux platforms.

Read the rest of this entry »

Forensic Insights into Apple Watch Data Extraction

November 30th, 2023 by Oleg Afonin

The latest update to the iOS Forensic Toolkit has expanded data extraction support for older models of Apple Watch, introducing low-level extraction capabilities for Apple Watch Series 0, Series 1, and Series 2. In a landscape where new devices are released on a yearly schedule, we stand committed to a balanced approach. While it’s easy for many to dismiss older devices, we recognize their significance as they frequently reappear in the labs of forensic experts. It is important to emphasize that, unlike many, we cater to the needs of experts who have to deal with legacy devices. This enhancement enables macOS and Linux users to delve deeper into these watches, retrieving crucial information such as passwords and complete file systems.

Read the rest of this entry »

Using and Troubleshooting the checkm8 Exploit

October 31st, 2023 by Oleg Afonin

The bootloader vulnerability affecting several generations of Apple devices opens the door to forensically sound extraction. In today’s article we’ll discuss the compatibility and features of this exploit with different devices, iOS versions, and platforms. In addition, we’ll provide security professionals and researchers with valuable insight into potential issues and solutions when working with checkm8.

Read the rest of this entry »

iOS Forensic Toolkit 8 Lands on Windows

October 5th, 2023 by Oleg Afonin

We have exciting news: iOS Forensic Toolkit 8 is now available for Windows users in the all-new Windows edition. The new build maintains and extends the functionality of EIFT 7, which is now approaching the end of its life cycle. In addition, we’ve made the Toolkit portable, eliminating the need for installation. Learn what’s new in the eights version of the Toolkit!

Read the rest of this entry »

iOS Forensic Toolkit: Troubleshooting Low-Level Extraction Agent

September 12th, 2023 by Oleg Afonin

In this tutorial, we will address common issues faced by users of the iOS Forensic Toolkit when installing and using the low-level extraction agent for accessing the file system and keychain on iOS devices. This troubleshooting guide is based on the valuable feedback and data received by our technical support team.

Read the rest of this entry »

What to Do When Password Recovery Attacks Stall

August 22nd, 2023 by Oleg Afonin

Have you ever tried to unlock a password but couldn’t succeed? This happens when the password is really strong and designed to be hard to break quickly. In this article, we’ll explain why this can be a tough challenge and what you can do about it.

Read the rest of this entry »

Open-Sourcing Orange Pi R1 Plus LTS Software for Firewall Functionality: Secure Sideloading of Extraction Agent

August 3rd, 2023 by Oleg Afonin

We are excited to announce the release of an open-source software for Orange Pi R1 LTS designed to provide firewall functionality for sideloading, signing, and verifying the extraction agent that delivers robust file system imaging and keychain decryption on a wide range of Apple devices with iOS Forensic Toolkit. This development aims to address the growing security challenge faced by forensic experts when sideloading the extraction agent using regular and developer Apple accounts.

Read the rest of this entry »

Breaking into iOS 16.5: Extracting the File System and Keychain

August 2nd, 2023 by Oleg Afonin

When it comes to iOS data acquisition, Elcomsoft iOS Forensic Toolkit is the top choice for forensic experts. Its cutting-edge features and unmatched capabilities have made it the go-to software for investigating iOS devices. In a recent update, we expanded the capabilities of the low-level extraction agent to support full file system extraction and keychain decryption on Apple’s newest devices running iOS 16.5. This achievement represents a breakthrough, as the delay between Apple’s iOS updates and our forensic software release has significantly reduced.

Read the rest of this entry »