The new year is fast approaching, and of course we are curious to know what it has in store for us in the field of computer, mobile, and cloud forensics. But before 2022 is over, we invite you to take a moment to reflect on what 2022 has been like for us. More research, development and updates remained our top priority, as it has been in all previous years. We have continued with constant improvement to our solutions by launching new features and expanding product capabilities. We’ve also got a chance to attend some conferences to meet with you in person and share our expertise. So, here’s our take on the results of 2022.

Several generations of Apple TV devices have a bootloader vulnerability that can be exploited with checkm8 to extract information from the device. The vulnerability exists in the Apple TV 3 (2012 and 2013), Apple TV HD (formerly Apple TV 4) 2015 and 2021, and Apple TV 4K (2017). Newer generations of Apple TV do not have the vulnerability. This guide lists the tools and steps required to fully extract a compatible Apple TV device.

checkm8 is the only extraction method available for the Apple Watch S3 allowing full access to essential evidence stored in the device. In this guide, we will talk about connecting the Apple Watch S3 to the computer, placing the watch into DFU mode, applying the checkm8 exploit and extracting the file system from the device with iOS Forensic Toolkit 8.0.

The extraction method or methods available for a particular iOS device depend on the device’s hardware platform and the installed version of iOS. While logical acquisition is available for all iOS and iPadOS devices, more advanced extraction methods are available for older platforms and versions of iOS. But what if more than one way to extract the data is available for a given device? In this guide, we’ll discuss the applicable acquisition methods as well as the order in which they should be used.

iOS Forensic Toolkit 8 brings new powerful user experience based on the command line. While this approach offers experts full control over the extraction process, mastering the right workflow may become a challenge for those unfamiliar with command-line tools. In this quick-start guide we will lay out the steps required to extract the file system and decrypt the keychain of a compatible iPhone or iPad device.

Advanced logical acquisition is the most compatible and least complicated way to access essential evidence stored in Apple devices. In legacy versions of iOS Forensic Toolkit, we offered a 1-2-3 style, menu-driven extraction experience, while the updated release of iOS Forensic Toolkit 8.0 is driven by the command line. In this quick-start guide we will lay out the steps required to extract the most amount of data from Apple devices via the advanced logical process.

In Apple ecosystem, logical acquisition is the most convenient and the most compatible extraction method, with local backups being a major contributor. Password-protected backups contain significantly more information than unencrypted backups, which is why many forensic tools including iOS Forensic Toolkit automatically apply a temporary backup password before creating a backup. If a temporary password is not removed after the extraction, subsequent extraction attempts, especially made with a different tool, will produce encrypted backups protected with an effectively unknown password. In this article we’ll talk about why this happens and how to deal with it.

The newly released iOS Forensic Toolkit 8.0 delivers forensically sound checkm8 extraction powered with a command-line interface. The new user experience offers full control over the extraction process, yet mastering the right workflow may become a challenge for those unfamiliar with command-line tools. In this quick-start guide we will lay out the steps required to perform a clean, forensically sound extraction of a compatible iPhone or iPad device.

The title says it all. In this article we’ll explain the steps required to put the listed Apple TV models into DFU mode. These Apple TV models are based on the A5, A8, and A10X chips that are susceptible to the checkm8 exploit and checkm8-based extraction with iOS Forensic Toolkit 8, and DFU mode is the required initial step of the process.

iOS 16 brings many changes to mobile forensics. Users receive additional tools to control the sharing and protection of their personal information, while forensic experts will face tighter security measures. In this review, we’ll talk about the things in iOS 16 that are likely to affect the forensic workflow.