Forensic Implications of Apple’s “Stolen Device Protection”
March 10th, 2025 by Oleg Afonin
With the release of iOS 17.3, Apple introduced a new security feature called “Stolen Device Protection.” This functionality is designed to prevent unauthorized access to sensitive data in cases where a thief has gained knowledge of an iPhone’s passcode. While this feature significantly enhances security for end users, it simultaneously creates substantial obstacles for digital forensic experts, complicating lawful data extraction.
Breaking into iOS 16.5: Extracting the File System and Keychain
August 2nd, 2023 by Oleg Afonin
When it comes to iOS data acquisition, Elcomsoft iOS Forensic Toolkit is the top choice for forensic experts. Its cutting-edge features and unmatched capabilities have made it the go-to software for investigating iOS devices. In a recent update, we expanded the capabilities of the low-level extraction agent to support full file system extraction and keychain decryption on Apple’s newest devices running iOS 16.5. This achievement represents a breakthrough, as the delay between Apple’s iOS updates and our forensic software release has significantly reduced.
Best Practices in Mobile Forensics: Separating Extraction and Analysis
July 31st, 2023 by Oleg Afonin
In the ever-evolving landscape of digital investigations, mobile forensics has become a critical aspect of law enforcement work. The challenges of extracting, handling, and analyzing data obtained from various sources have led to a growing demand for universal solutions. We’d like to emphasize the importance of every stage of mobile forensics, the significance of extraction, and the critical importance of expertise in this field.
Apple iCloud Acquisition: A Lifeline for Forensic Experts
July 25th, 2023 by Oleg Afonin
Acquiring data from locked, broken, or inaccessible devices poses significant challenges. However, there are ways to retrieve valuable information from such devices by obtaining the data from iCloud, including old data that has been deleted with no chance of recovery. In this article, we will explore the classic acquisition methods available for iOS devices and focus on the crucial role of Apple iCloud in forensic investigations.
iOS Device Acquisition: Installing the Extraction Agent
July 21st, 2023 by Vladimir Katalov
Acquiring data from Apple devices, specifically those not susceptible to bootloader exploits (A12 Bionic chips and newer), requires the use of agent-based extraction. This method allows forensic experts to obtain the complete file system from the device, maximizing the amount of data and evidence they can gather using the iOS Forensic Toolkit. In this article, we will discuss some nuances of agent-based iOS device acquisition.
iOS Forensic Toolkit Tips & Tricks
July 17th, 2023 by Vladimir Katalov
For forensic experts dealing with mobile devices, having a reliable and efficient forensic solution is crucial. Elcomsoft iOS Forensic Toolkit is an all-in-one software that aids in extracting data from iOS devices, yet it is still far away from being a one-button solution that many experts keep dreaming of. In this article, we will walk you through the preparation and installation steps, list additional hardware environments, and provide instructions on how to use the toolkit safely and effectively.
Accelerating Computer Forensics: Elcomsoft System Recovery and the Low-Hanging Fruit Strategy
July 14th, 2023 by Oleg Afonin
In the world of digital investigations, the sheer volume of data and the challenge of identifying valuable evidence can be overwhelming. Often, investigators find themselves faced with the need for optimization — the ability to quickly and seamlessly identify what is valuable and requires further examination. We aim to fulfill this need by introducing a new forensic toolkit in Elcomsoft System Recovery, a powerful bootable tool designed to speed up investigations, quickly identify and collect digital evidence right on the spot.
Pushing the Boundaries: Low-Level Extraction of iOS 16.4 with Keychain Decryption
July 10th, 2023 by Oleg Afonin
When it comes to iOS data acquisition, Elcomsoft iOS Forensic Toolkit stands head and shoulders above the competition. With its cutting-edge features and unmatched capabilities, the Toolkit has become the go-to software for forensic investigations on iOS devices. The recent update expanded the capabilities of the tool’s low-level extraction agent, adding keychain decryption support on Apple’s newest devices running iOS 16.0 through 16.4.
Low-level Extraction for iOS 16 with iPhone 14/14 Pro Support
June 30th, 2023 by Oleg Afonin
A while ago, we introduced an innovative mechanism that enabled access to parts of the file system for latest-generation Apple devices. The process we called “partial extraction” relied on a weak exploit that, at the time, did not allow a full sandbox escape. We’ve been working to improve the process, slowly lifting the “partial” tag from iOS 15 devices. Today, we are introducing a new, enhanced low-level extraction mechanism that enables full file system extraction for the iOS 16 through 16.3.1 on all devices based on Apple A12 Bionic and newer chips.
Open-Sourcing Raspberry Pi Software for Firewall Functionality: Secure Sideloading of Extraction Agent
June 19th, 2023 by Elcomsoft R&D
We are excited to announce the release of an open-source software for Raspberry Pi 4 designed to provide firewall functionality for sideloading, signing, and verifying the extraction agent that delivers robust file system imaging and keychain decryption on a wide range of Apple devices. This development aims to address the growing security challenge faced by forensic experts when sideloading the extraction agent using regular and developer Apple accounts.
Safeguarding Digital Evidence: Don’t Shut It Down!
June 16th, 2023 by Oleg Afonin
In the digital age, where information is a precious commodity and evidence is increasingly stored in virtual realms, the importance of preserving digital evidence has become a must in modern investigative practices. However, the criticality of proper handling is often overlooked, potentially jeopardizing access to crucial data during an investigation. In this article, we will once again highlight the importance of meticulous preservation techniques and live session analysis to prevent the loss of digital evidence.
