iCloud Extraction Turns Twelve

May 15th, 2024 by Oleg Afonin

Twelve years ago, we introduced an innovative way of accessing iPhone user data, retrieving iPhone backups straight from Apple iCloud. As our iCloud extraction technology celebrates its twelfth anniversary, it’s a fitting moment to reflect on the reactions it has provoked within the IT community. Let us commemorate the birth of the cloud extraction technology, recap the initial reactions from the forensic community, and talk about where this technology stands today.

Read the rest of this entry »

Low-level Extraction for iOS 15

May 2nd, 2023 by Oleg Afonin

Last month, we introduced a new low-level mechanism, which enabled access to parts of the file system from many Apple devices. The partial extraction process relies on a weak exploit that did not allow full sandbox escape. Today, the limitations are gone, and we are proud to offer the full file system extraction and keychain decryption for the entire iOS 15 range up to and including iOS/iPadOS 15.7.2.

Read the rest of this entry »

Analyzing iPhone PINs

April 18th, 2023 by Oleg Afonin

In recent years, Apple had switched from 4-digit PINs to 6 digits, while implementing blacklists of insecure PIN codes. How do these measures affect security, how much more security do six-digit PINs deliver compared to four-digit PINs, and do blacklists actually work? Let’s try to find out.

Read the rest of this entry »

Automating Scrolling Screenshots with Raspberry Pi Pico

April 13th, 2023 by Oleg Afonin

The recent update to iOS Forensic Toolkit brought two automations based on the Raspberry Pi Pico board. One of the new automations makes it possible to make long, scrollable screen shots in a semi-automatic fashion. In this article we will show how to build, program, and use a Raspberry Pi Pico board to automate scrolling screenshots.

Read the rest of this entry »

Automating DFU Mode with Raspberry Pi Pico

April 12th, 2023 by Vladimir Katalov

The latest update to iOS Forensic Toolkit brings two new features, both requiring the use of a Raspberry Pi Pico board. The first feature automates the switching of iPhone 8, iPhone 8 Plus, and iPhone X devices into DFU, while the second feature adds the ability to make long, scrollable screen shots in a semi-automatic fashion. In this article we will show how to build, program, and use a Raspberry Pi Pico board to automate DFU mode.

Read the rest of this entry »

Perfect Acquisition Part 4: The Practical Part

April 11th, 2023 by Elcomsoft R&D

Welcome to Part 4 of the Perfect Acquisition series! In case you missed the other parts (1, 2, and 3), please check them out for more background information, or dive straight in and learn how to perform Perfect HFS Acquisition yourself. This section contains a comprehensive guide on how to perform the Perfect HFS Acquisition procedure.

Read the rest of this entry »

Perfect Acquisition Part 3: Perfect HFS Acquisition

April 6th, 2023 by Elcomsoft R&D

Welcome to Part 3 of the Perfect Acquisition series! If you haven’t read Part 1 and Part 2 yet, be sure to check them out before proceeding with this article. In this section, we will introduce our newly developed Perfect HFS Acquisition method, which enables the extraction of data from legacy iOS devices that do not have SEP and utilize the HFS file system.

Read the rest of this entry »

HomePod Forensics III: Analyzing the Keychain and File System

April 4th, 2023 by Oleg Afonin

In the previous articles we explained how to connect the first-generation HomePod to a computer, apply the exploit, extract a copy of the file system and decrypt the keychain. Since the HomePod cannot be protected with a passcode and does not allow installing apps, we were wondering what kinds of data the speaker may have and what kinds of passwords its keychain may store.

Read the rest of this entry »

Obtaining Serial Number, MAC, MEID and IMEI of a locked iPhone

March 31st, 2023 by Oleg Afonin

Obtaining information from a locked iPhone can be challenging, particularly when the device is passcode-protected. However, four critical pieces of information that can aid forensic analysis are the device’s International Mobile Equipment Identity (IMEI), Mobile Equipment IDentifier (MEID), MAC address of the device’s Wi-Fi adapter, and its serial number. These unique identifiers can provide valuable insights into a device’s history, including its manufacture date, hardware specifications, and carrier information.

Read the rest of this entry »

Understanding Partial File System Extraction: What Data Can and Cannot be Accessed on iOS 15.6-16.1.2 Devices

March 30th, 2023 by Oleg Afonin

Elcomsoft iOS Forensic Toolkit 8.20 for Mac and 7.80 for Windows now includes a new mechanism for low-level access, which enables the extraction of certain parts of the file system from the latest Apple devices. This partial extraction raises questions regarding what data can and cannot be extracted and how missing information can be accessed. Learn about the partial file system extraction, its benefits and limitations.

Read the rest of this entry »

Perfect Acquisition Part 2: iOS Background

March 29th, 2023 by Elcomsoft R&D

Welcome to part 2 of the Perfect Acquisition series! In case you missed part 1, make sure to check it out before continuing with this article. In this section, we will dive deeper into iOS data protection and understand the obstacles we need to overcome in order to access the data, which in turn will help us accomplish a Perfect Acquisition when certain conditions are met.

Read the rest of this entry »