Welcome to part 2 of the Perfect Acquisition series! In case you missed part 1, make sure to check it out before continuing with this article. In this section, we will dive deeper into iOS data protection and understand the obstacles we need to overcome in order to access the data, which in turn will help us accomplish a Perfect Acquisition when certain conditions are met.

Forensic acquisition has undergone significant changes in recent years. In the past, acquisition was relatively easy, with storage media easily separable and disk encryption not yet widespread. However, with the rise of mobile devices and their built-in encryption capabilities, acquiring data has become increasingly challenging. Traditional approaches like disk dumps are no longer feasible, and software exploitation has become the industry standard. Despite these methods, there are limitations to mobile acquisition, including the need to collaborate with the device, the possibility of hardware defects or deliberate data tampering. As a result, there is a need for continuous innovation in forensic acquisition to address these challenges and ensure accurate and reliable data collection.

Agent-based low-level extraction of Apple mobile devices requires sideloading an app onto the device, which is currently far from seamless. One can only run sideloaded apps if they are signed with a device-specific digital signature, which must be validated by an Apple server. Establishing a connection to the server carries a number of potential risks. In this article, we are proposing a solution that reduces the risks by using a firewall script.

What does “forensically sound extraction” mean? The classic definition of forensically sound extraction means both repeatable and verifiable results. However, there is more to it. We believe that forensically sound extractions should not only be verifiable and repeatable, but verifiable in a safe, error-proof manner, so we tweaked our product to deliver just that.

Just before the turn of the year, we’ve made an important update to Elcomsoft iOS Forensic Toolkit, a low-level iOS file system extraction and keychain decryption tool. The update brings checkm8 support to iOS, iPadOS and tvOS 16.2 devices, and enables agent-based low-level extraction of iOS 15.5. We’ve also fixed what’s been long broken: the ability to sideload the extraction agent from Windows PCs, yet the two updates are delivered in different branches. Sounds confusing? We’re here to solve it for you.

The extraction method or methods available for a particular iOS device depend on the device’s hardware platform and the installed version of iOS. While logical acquisition is available for all iOS and iPadOS devices, more advanced extraction methods are available for older platforms and versions of iOS. But what if more than one way to extract the data is available for a given device? In this guide, we’ll discuss the applicable acquisition methods as well as the order in which they should be used.

iOS Forensic Toolkit 8 brings new powerful user experience based on the command line. While this approach offers experts full control over the extraction process, mastering the right workflow may become a challenge for those unfamiliar with command-line tools. In this quick-start guide we will lay out the steps required to extract the file system and decrypt the keychain of a compatible iPhone or iPad device.

iOS Forensic Toolkit 8.0 is officially released! Delivering forensically sound checkm8 extraction and a new command-line driven user experience, the new release becomes the most sophisticated mobile forensic tool we’ve released to date.

We often write about full file system acquisition, yet we rarely explain what it is, when you can do it, and which methods you can use. We decided to clarify low-level extraction of Apple mobile devices (iPhones and iPads, and some other IoT devices such as Apple TVs and Apple Watches).

iOS Forensic Toolkit 7.40 brings gapless low-level extraction support for several iOS versions up to and including iOS 15.1 (15.1.1 on some devices), adding compatibility with previously unsupported versions of iOS 14.