Posts Tagged ‘iPhone’

The newly released iOS Forensic Toolkit 8.0 delivers forensically sound checkm8 extraction powered with a command-line interface. The new user experience offers full control over the extraction process, yet mastering the right workflow may become a challenge for those unfamiliar with command-line tools. In this quick-start guide we will lay out the steps required to perform a clean, forensically sound extraction of a compatible iPhone or iPad device.

iOS 16 brings many changes to mobile forensics. Users receive additional tools to control the sharing and protection of their personal information, while forensic experts will face tighter security measures. In this review, we’ll talk about the things in iOS 16 that are likely to affect the forensic workflow.

DFU (Device Firmware Update) is a special service mode available in many Apple devices for recovering corrupted devices by uploading a clean copy of the firmware. Forensic specialists use DFU during checkm8 extractions (Elcomsoft iOS Forensic Toolkit). Unlike Recovery, which serves a similar purpose, DFU operates on a lower level and is undocumented. Surprisingly, there might be more than one DFU mode, one being more reliable than the others when it comes to forensic extractions. The method described in this article works for the iPhone 8, 8 Plus and iPhone X.

A pre-requisite to successful forensic analysis is accurate information about the device being investigated. Knowing the exact model number of the device helps identify the SoC used and the range of available iOS versions, which in turn pre-determines the available acquisition methods. Identifying the iPhone model may not be as obvious as it may seem. In this article, we’ll go through several methods for finding the iPhone model.

While we continue working on the major update to iOS Forensic Toolkit with forensically sound checkm8 extraction, we keep updating the current release branch. iOS Forensic Toolkit 7.30 brings low-level file system extraction support for iOS 15.1, expanding the ability to perform full file system extraction on iOS devices ranging from the iPhone 8 through iPhone 13 Pro Max.

The second beta of iOS Forensic Toolkit 8.0 has arrived, offering repeatable, verifiable extraction for a limited range of iOS devices. The new release introduces a brand-new user interface, which differs significantly from the selection-driven console we’ve been using for the past several years. This article describes the new workflow for performing forensically sound extractions with iOS Forensic Toolkit 8.0 beta2.

Switching the iPhone into DFU mode is frequently required during the investigation, especially for older devices that are susceptible to checkm8 exploit. However, switching to DFU requires a sequence of key presses on the device with precise timings. If the device is damaged and one or more keys are not working correctly, entering DFU may be difficult or impossible. In this guide, we offer an alternative.

In just a few weeks, the new iPhone range will be released. Millions of users all over the world will upgrade, migrating their data from old devices. While Apple has an ingenious backup system in place, it has quite a few things behind the scenes that can make the migration not go as smooth as planned. How do you do the migration properly not to lose anything?

True physical acquisition is back – but only for a handful of old devices. We’re adding support for unlocking and forensically sound extraction of some of Apple’s legacy iPhones. For iPhone 4, 5, and 5c devices, we’re adding software-based passcode unlocking and device imaging functionality. Moreover, on some models you won’t even need to break the passcode in order to make a full disk image! In this walkthrough we’ll describe the steps required to image an iPhone 4, iPhone 5 or iPhone 5c device.

DFU Mode Cheat Sheet

January 14th, 2021 by Oleg Afonin

The Device Firmware Upgrade mode, or simply DFU, just got a second breath. The ability to image the file system, decrypt the keychain and even do passcode unlocks on some older iPhone models has been made possible thanks to the checkm8 exploit and the checkra1n jailbreak, both of which require switching the phone into DFU. The procedure is undocumented, and the steps are different for the various devices.