The latest update to the iOS Forensic Toolkit has expanded data extraction support for older models of Apple Watch, introducing low-level extraction capabilities for Apple Watch Series 0, Series 1, and Series 2. In a landscape where new devices are released on a yearly schedule, we stand committed to a balanced approach. While it’s easy for many to dismiss older devices, we recognize their significance as they frequently reappear in the labs of forensic experts. It is important to emphasize that, unlike many, we cater to the needs of experts who have to deal with legacy devices. This enhancement enables macOS and Linux users to delve deeper into these watches, retrieving crucial information such as passwords and complete file systems.

The bootloader vulnerability affecting several generations of Apple devices opens the door to forensically sound extraction. In today’s article we’ll discuss the compatibility and features of this exploit with different devices, iOS versions, and platforms. In addition, we’ll provide security professionals and researchers with valuable insight into potential issues and solutions when working with checkm8.

We have exciting news: iOS Forensic Toolkit 8 is now available for Windows users in the all-new Windows edition. The new build maintains and extends the functionality of EIFT 7, which is now approaching the end of its life cycle. In addition, we’ve made the Toolkit portable, eliminating the need for installation. Learn what’s new in the eights version of the Toolkit!

In this tutorial, we will address common issues faced by users of the iOS Forensic Toolkit when installing and using the low-level extraction agent for accessing the file system and keychain on iOS devices. This troubleshooting guide is based on the valuable feedback and data received by our technical support team.

We are excited to announce the release of an open-source software for Orange Pi R1 LTS designed to provide firewall functionality for sideloading, signing, and verifying the extraction agent that delivers robust file system imaging and keychain decryption on a wide range of Apple devices with iOS Forensic Toolkit. This development aims to address the growing security challenge faced by forensic experts when sideloading the extraction agent using regular and developer Apple accounts.

When it comes to iOS data acquisition, Elcomsoft iOS Forensic Toolkit is the top choice for forensic experts. Its cutting-edge features and unmatched capabilities have made it the go-to software for investigating iOS devices. In a recent update, we expanded the capabilities of the low-level extraction agent to support full file system extraction and keychain decryption on Apple’s newest devices running iOS 16.5. This achievement represents a breakthrough, as the delay between Apple’s iOS updates and our forensic software release has significantly reduced.

Acquiring data from Apple devices, specifically those not susceptible to bootloader exploits (A12 Bionic chips and newer), requires the use of agent-based extraction. This method allows forensic experts to obtain the complete file system from the device, maximizing the amount of data and evidence they can gather using the iOS Forensic Toolkit. In this article, we will discuss some nuances of agent-based iOS device acquisition.

For forensic experts dealing with mobile devices, having a reliable and efficient forensic solution is crucial. Elcomsoft iOS Forensic Toolkit is an all-in-one software that aids in extracting data from iOS devices, yet it is still far away from being a one-button solution that many experts keep dreaming of. In this article, we will walk you through the preparation and installation steps, list additional hardware environments, and provide instructions on how to use the toolkit safely and effectively.

When it comes to iOS data acquisition, Elcomsoft iOS Forensic Toolkit stands head and shoulders above the competition. With its cutting-edge features and unmatched capabilities, the Toolkit has become the go-to software for forensic investigations on iOS devices. The recent update expanded the capabilities of the tool’s low-level extraction agent, adding keychain decryption support on Apple’s newest devices running iOS 16.0 through 16.4.

A while ago, we introduced an innovative mechanism that enabled access to parts of the file system for latest-generation Apple devices. The process we called “partial extraction” relied on a weak exploit that, at the time, did not allow a full sandbox escape. We’ve been working to improve the process, slowly lifting the “partial” tag from iOS 15 devices. Today, we are introducing a new, enhanced low-level extraction mechanism that enables full file system extraction for the iOS 16 through 16.3.1 on all devices based on Apple A12 Bionic and newer chips.