Search results by keyword ‘checkm8’

When it comes to digital evidence, most investigators naturally focus on smartphones – and occasionally tablets. But the rest of the Apple ecosystem often goes unnoticed: Apple Watch, Apple TV, HomePod, even older iPod Touch models. These supplementary devices might seem irrelevant, but they can contain valuable digital artifacts: activity logs, Wi‑Fi credentials, leftover bits and pieces of information, system logs, and even synced photos.

When performing forensic tasks on Apple devices, the order in which you enter device modes can make a big difference. While DFU mode is necessary for certain extractions, especially using checkm8, going straight into DFU might not be your best option. Starting with Recovery Mode offers several advantages that make it a safer, faster approach. By entering Recovery Mode first, you reduce the risk of unexpected data changes, minimize delays, and ensure the device stays in a stable state. Let’s take a closer look at why starting with Recovery Mode is the better approach for your extraction process.

In modern digital forensics, a reliable USB hub isn’t just a convenience – it’s a critical piece of lab infrastructure. With today’s laptops (especially MacBooks) offering only one or two USB-C ports – often occupied by power adapters – connecting all the required equipment becomes a real challenge. USB hubs help bridge this gap, solving port limitations, improving device compatibility, and even increasing the stability of the checkm8 exploit used for iPhone data extraction. This article explains why and where USB hubs shine in forensic workflows and how to choose the right model for your lab.

For a long time, the macOS version of iOS Forensic Toolkit remained the most feature-complete. Only macOS supported bootloader-level acquisition using checkm8, installation of the extraction agent with regular Apple IDs, and use of wireless adapters for Apple Watch analysis. All of these capabilities are now available in the Linux build as well, eliminating the need for a Mac in many workflows. This guide explains how to properly install and use EIFT on a Linux system.

Acquiring data from iOS devices can be a complex task, particularly when performing bootloader-based extractions leveraging the checkm8 exploit. Traditionally, these extractions required access to a macOS computer. However, the Linux edition of iOS Forensic Toolkit offers a practical and efficient solution for forensic investigators who may not have macOS readily available. With minimal functional differences between the Mac, Windows, and Linux editions, the toolkit’s new, bootable Live Linux version allows for seamless bootloader-level extractions, booting from an external device and utilizing all the necessary tools without the need for a Mac.

A forensic examiner receives a locked smartphone – a recent-model iPhone, encrypted and secured with an unknown passcode. No tool works, checkm8 long obsolete, USB port locked. Is this a dead end? Not quite. iPhones don’t operate in isolation. They’re part of a digital ecosystem, and ecosystems often have weak points. This article explores how gaining access through a weak link can compromise even the most secure smartphone.

We’ve released an important update to iOS Forensic Toolkit: the Toolkit expands logical acquisition to all newer models of Apple Watch starting from Apple Watch Series 6 (with a wired third-party adapter), Apple Watch Series 7 through 10, SE2, Ultra, and Ultra 2 (via a special wireless adapter). With this update, the Toolkit supports the complete range of Apple Watch devices with no gaps or omissions.

Welcome to the world of mobile forensics, where extracting data is the first (and arguably the most critical) step. Whether you’re working with an ancient Apple device or attempting to break into the latest iPhone 16 Pro Max, there is a method for every gadget – each with its own share of challenges. We love explaining the differences between the extraction techniques, detailing their pros and cons, but sometimes you are limited to the one and only method that is the most likely to succeed.

iOS Forensic Toolkit comes in three flavors, available in macOS, Windows, and Linux editions. What is the difference between these editions, in what ways is one better than the other, and which edition to choose for everyday work? Read along to find out.

Forensic acquisition using Elcomsoft iOS Forensic Toolkit (EIFT) has undergone significant changes over the last few years. The earlier major branch, EIFT 7, was a carefully crafted but Windows-only script that automated the use of several bundled tools and guided the user without requiring them to know how to use each of them individually. EIFT 8 brought many new features, a more powerful interface and widespread support for new devices and host operating systems. Due to restrictions and challenges, not all features were immediately available on all platforms. There are still some minor differences in features between Windows, Linux, and macOS versions of the tool.