Posts Tagged ‘low-level extraction’

The latest update of iOS Forensic Toolkit brought an all-new Linux edition, opening up a world of possibilities in mobile device analysis. The highly anticipated Linux edition preserves and expands the features previously available to macOS and Windows users. Forensic professionals can now perform advanced logical and low-level extractions with the aid of a custom extraction agent and extract information using the bootloader-level exploit, making forensic analysis more accessible on Linux platforms.

The bootloader vulnerability affecting several generations of Apple devices opens the door to forensically sound extraction. In today’s article we’ll discuss the compatibility and features of this exploit with different devices, iOS versions, and platforms. In addition, we’ll provide security professionals and researchers with valuable insight into potential issues and solutions when working with checkm8.

When it comes to iOS data acquisition, Elcomsoft iOS Forensic Toolkit is the top choice for forensic experts. Its cutting-edge features and unmatched capabilities have made it the go-to software for investigating iOS devices. In a recent update, we expanded the capabilities of the low-level extraction agent to support full file system extraction and keychain decryption on Apple’s newest devices running iOS 16.5. This achievement represents a breakthrough, as the delay between Apple’s iOS updates and our forensic software release has significantly reduced.

When it comes to iOS data acquisition, Elcomsoft iOS Forensic Toolkit stands head and shoulders above the competition. With its cutting-edge features and unmatched capabilities, the Toolkit has become the go-to software for forensic investigations on iOS devices. The recent update expanded the capabilities of the tool’s low-level extraction agent, adding keychain decryption support on Apple’s newest devices running iOS 16.0 through 16.4.

We are excited to announce the release of an open-source software for Raspberry Pi 4 designed to provide firewall functionality for sideloading, signing, and verifying the extraction agent that delivers robust file system imaging and keychain decryption on a wide range of Apple devices. This development aims to address the growing security challenge faced by forensic experts when sideloading the extraction agent using regular and developer Apple accounts.

Welcome to Part 4 of the Perfect Acquisition series! In case you missed the other parts (1, 2, and 3), please check them out for more background information, or dive straight in and learn how to perform Perfect HFS Acquisition yourself. This section contains a comprehensive guide on how to perform the Perfect HFS Acquisition procedure.

Welcome to Part 3 of the Perfect Acquisition series! If you haven’t read Part 1 and Part 2 yet, be sure to check them out before proceeding with this article. In this section, we will introduce our newly developed Perfect HFS Acquisition method, which enables the extraction of data from legacy iOS devices that do not have SEP and utilize the HFS file system.

Welcome to part 2 of the Perfect Acquisition series! In case you missed part 1, make sure to check it out before continuing with this article. In this section, we will dive deeper into iOS data protection and understand the obstacles we need to overcome in order to access the data, which in turn will help us accomplish a Perfect Acquisition when certain conditions are met.

Forensic acquisition has undergone significant changes in recent years. In the past, acquisition was relatively easy, with storage media easily separable and disk encryption not yet widespread. However, with the rise of mobile devices and their built-in encryption capabilities, acquiring data has become increasingly challenging. Traditional approaches like disk dumps are no longer feasible, and software exploitation has become the industry standard. Despite these methods, there are limitations to mobile acquisition, including the need to collaborate with the device, the possibility of hardware defects or deliberate data tampering. As a result, there is a need for continuous innovation in forensic acquisition to address these challenges and ensure accurate and reliable data collection.

Agent-based low-level extraction of Apple mobile devices requires sideloading an app onto the device, which is currently far from seamless. One can only run sideloaded apps if they are signed with a device-specific digital signature, which must be validated by an Apple server. Establishing a connection to the server carries a number of potential risks. In this article, we are proposing a solution that reduces the risks by using a firewall script.