Using the Extraction Agent in 2026: Compatibility, Signing, Firewall, and Extraction Tips
May 11th, 2026 by Oleg Afonin
Over the years, we have published several articles about the extraction agent. However, the underlying technology changes quickly, and incremental changes often have significant cumulative effects. As a result, many of our older posts are no longer relevant and can be misleading if followed to the letter today. While last year’s recap, Installing and Troubleshooting the Extraction Agent (2025), remains a solid foundation for general setup, it does not account for the most recent hardware and software developments. This article serves as the definitive point of reference, providing an up-to-date recap of everything you need to know about the extraction agent as of May 2026.
Playing devil’s advocate: iPhone anti-forensics
September 30th, 2020 by Vladimir Katalov
Everyone’s iPhones contain overwhelming amounts of highly sensitive personal information. Even if some of that data is not stored on the device, the iPhone itself or the data inside can work as a key to other many things from bank accounts to private family life. While there are many possible vectors of attack, the attacker will always try exploiting the weakest link. Learn to think like one, find the weakest link and eliminate the potential vulnerabilities before they are exploited. This guide comes from the forensic guys making tools for the law enforcement, helping the good guys break into the bad guys’ iPhones.
The Issue of Trust: Untrusting Connected Devices from Your iPhone
September 29th, 2020 by Oleg Afonin
When connecting an iPhone to a computer for the first time, you’ll see the prompt asking you whether to trust the computer. Trusting a computer enables your phone and computer to exchange information. However, should the trusted computer fall into the wrong hands, the pairing record from that computer could be used to pull information from your iPhone. Learn about the risks associated with pairing records and how to block unwanted connections by untrusting connected computers from your iPhone.
Using Screen Time Password to Protect iPhone Local Backups
September 28th, 2020 by Oleg Afonin
The iOS backup system is truly unrivalled. The highly comprehensive, versatile and secure backups can be created with Apple iTunes. For the user, local backups are a convenient and easy way to transfer data to a new device or restore an existing one after a factory reset. For forensic experts, iOS backups are an equally convenient, versatile and easy way to obtain a copy of the user’s data without attempting to break into the device. In malicious hands, the backup becomes a dangerous weapon. Logins and passwords from the Keychain allow hackers accessing the user’s social accounts, messages, and financial information. A backup password can be set to protect local backups, but it can be removed just as easily shall the hacker have access to the physical iPhone and know its passcode. In this article, we’ll discuss how the Screen Time password can be used to further strengthen the protection of local backups.
iOS 14 Forensics: What Has Changed Since iOS 13.7?
September 24th, 2020 by Oleg Afonin
iOS 14 is officially out. It’s a big release from the privacy protection standpoint, but little had changed for the forensic expert. In this article, we’ll review what has changed in iOS 14 in the ways relevant for the forensic crowd.
It’s Hashed, Not Encrypted
September 9th, 2020 by Oleg Afonin
How many times have you seen the phrase: “Your password is securely encrypted”? More often than not, taking it at face value has little sense. Encryption means the data (such as the password) can be decrypted if you have the right key. Most passwords, however, cannot be decrypted since they weren’t encrypted in the first place. Instead, one might be able to recover them by running a lengthy attack. Let’s talk about the differences between encryption and hashing and discuss why some passwords are so much tougher to break.
Extracting iPhone File System and Keychain Without an Apple Developer Account
September 3rd, 2020 by Oleg Afonin
Last year, we have developed an innovative way to extract iPhone data without a jailbreak. The method’s numerous advantages were outweighed with a major drawback: an Apple ID enrolled in the paid Apple’s Developer program was required to sign the extraction binary. This is no longer an issue on Mac computers with the improved sideloading technique.
Setting Up Restricted Internet Connection for iPhone Extraction
September 3rd, 2020 by Vladimir Katalov
Regular or disposable Apple IDs can now be used to extract data from compatible iOS devices if you have a Mac. The use of a non-developer Apple ID carries certain risks and restrictions. In particular, one must “verify” the extraction agent on the target iPhone, which requires an active Internet connection. Learn how to verify the extraction agent signed with a regular or disposable Apple ID without the risk of receiving an accidental remote lock or remote erase command.
Behind the iPhone 5 and 5c Passcode Cracking
August 25th, 2020 by Vladimir Katalov
Smartphones are used for everything from placing calls and taking photos to navigating, tracking health and making payments. Smartphones contain massive amounts of sensitive information which becomes essential evidence. Accessing this evidence can be problematic or expensive, as was clearly demonstrated during the FBI-Apple encryption dispute, which was about the iPhone 5c used by the San Bernardino shooter in December 2015. With modern technological advances, iPhone 5c unlocks are no longer an issue.
iPhone 5 and 5c Passcode Unlock with iOS Forensic Toolkit
August 25th, 2020 by Oleg Afonin
We have discovered a way to unlock encrypted iPhones protected with an unknown screen lock passcode. Our method supports two legacy iPhone models, the iPhone 5 and 5c, and requires a Mac to run the attack. Our solution is decidedly software-only; it does not require soldering, disassembling, or buying extra hardware. All you need is iOS Forensic Toolkit (new version), a Mac computer, and a USB-A to Lightning cable. In this guide, we’ll demonstrate how to unlock and image the iPhone 5 and 5c devices.
Breaking LUKS Encryption
August 18th, 2020 by Oleg Afonin
LUKS encryption is widely used in various Linux distributions to protect disks and create encrypted containers. Being a platform-independent, open-source specification, LUKS can be viewed as an exemplary implementation of disk encryption. Offering the choice of multiple encryption algorithms, several modes of encryption and several hash functions to choose from, LUKS is one of the tougher disk encryption systems to break. Learn how to deal with LUKS encryption in Windows and how to break in with distributed password attacks.
