Perform full file system and logical acquisition of iPhone, iPad and iPod Touch devices. Image device file system, extract device secrets (passwords, encryption keys and protected data) and decrypt the file system image.
Supports: all generations of iPhone, iPad, iPad Pro and iPod Touch with and without jailbreak; Apple Watch and Apple TV 4 and 4K; all versions of iOS from iOS 7 to iOS 15.x
New features
checkm8 extraction for select iPhone models
iOS Forensic Toolkit 8.0 beta for Mac introduces a new extraction method for select iOS devices based on the modified bootloader. The new extraction method is the cleanest yet, enabling repeatable, verifiable extractions and forensically sound workflow.
The fourth beta of iOS Forensic Toolkit 8.0 for Mac adds checkm8 extraction support for the latest generation of iPhone devices with a bootloader vulnerability, which includes the iPhone 8, 8 Plus, and iPhone X devices running all supported versions of iOS up to and including iOS 15.5. This completes the range of devices that can be extracted with iOS Forensic Toolkit 8.0 beta for Mac, which now includes all 64-bit iPhone models ranging from the iPhone 5s all the way to the iPhone X with no gaps or exclusions.
checkm8 support for the rest of iPad, iPod Touch and Apple TV models
The ninth beta of Elcomsoft iOS Forensic Toolkit 8.0 for Mac added support for iPad 5, 6, and 7, the iPad Mini 2, 3, and 4, the iPad Air 1 and 2, and the iPad Pro 1 and 2 (9.7” and 12.9” models respectively). In addition, iPod Touch 6 and 7 and Apple TV 3 and 4K are also supported. Currently, our checkm8 extraction solution supports all iPad and all iPod Touch models having the boot loader vulnerability with no exceptions.
Extraction agent gains low-level extraction support for iOS 15.2 through 15.3.1
Elcomsoft iOS Forensic Toolkit 7.60 brings low-level extraction support for multiple generations of Apple devices, adding full file system extraction for iOS 15.2 through 15.3.1 devices based on Apple A11-A15 and M1 chips.
In addition, we updated iOS Forensic Toolkit 8.0 beta 13, adding the same agent-based extraction support and extending forensically sound checkm8 extraction to the newly released iOS 15.6.1.
The updated toolkit now supports agent-based full file system extraction for the entire range of iOS releases since iOS 9.0 all the way up to iOS 15.3.1. In addition to file system extraction, keychain decryption is supported on multiple platforms for iOS 9.0 through iOS 15.1.1.
iOS Forensic Toolkit 8.0 beta 13 gets all the new features as Elcomsoft iOS Forensic Toolkit 7.40, and adds checkm8 acquisition support for the latest version of iOS 15.6.1.
Forensic Access to iPhone/iPad/iPod Devices running Apple iOS
Perform the complete forensic acquisition of user data stored in iPhone/iPad/iPod devices. Elcomsoft iOS Forensic Toolkit allows imaging devices’ file systems, extracting device secrets (passcodes, passwords, and encryption keys) and accessing locked devices via lockdown records.
The following extraction methods are supported:
Full File System Extraction and Keychain Decryption
A jailbreak-free extraction method based on direct access to the file system is available for a limited range of iOS devices. Using an in-house developed extraction tool, this acquisition method installs an extraction agent onto the device being acquired. The agent communicates with the expert’s computer, delivering robust performance and extremely high extraction speed topping 2.5 GB of data per minute.
Better yet, agent-based extraction is completely safe as it neither modifies the system partition nor remounts the file system while performing automatic on-the-fly hashing of information being extracted. Agent-based extraction does not make any changes to user data, offering forensically sound extraction.
Both the file system image and all keychain records are extracted and decrypted. The agent-based extraction method delivers solid performance and results in forensically sound extraction. Removing the agent from the device after the extraction takes one push of a button.
You can either extract the complete file system or use the express extraction option, only acquiring files from the user partition. By skipping files stored in the device's system partition, the express extraction option helps reduce the time required to do the job and cut storage space by several gigabytes of static content.
Installing and signing the extraction agent requires an Apple ID registered in the Apple Developer Program. The Mac edition drops this requirement, allowing using a regular Apple ID for signing and sideloading the extraction agent onto the iOS device.
Jailbreak-based Extraction
In addition to agent-based extraction, iOS Forensic Toolkit fully supports the extraction of all jailbroken devices for which a jailbreak is available. Full file system extraction and keychain decryption are available for jailbroken devices. All public jailbreaks are supported.
Forensically sound extraction for select iPhone and iPad models
To preserve digital evidence, the chain of custody begins from the first point of data collection to ensure that digital evidence collected during the investigation remains court admissible. The new, bootloader-based extraction method delivers repeatable results across extraction sessions. When using iOS Forensic Toolkit on a supported device, the checksum of the first extracted image will match checksums of subsequent extractions provided that the device is powered off between extractions and never boots the installed version of iOS in the meantime.
The new extraction method is the cleanest yet. Our implementation of bootloader-based exploit is derived directly from the source. All the work is performed completely in the RAM, and the operating system installed on the device is left untouched and is not used during the boot process. Our unique direct extraction process offers the following benefits:
Notes: bootloader-level extractions are available exclusively in the Mac edition, requiring a macOS computer.
Unlocking and Imaging Legacy Devices: iPhone 4, 4s, 5, and 5c
Passcode unlock and imaging support is available for legacy iPhone models.
The Toolkit can be used to unlock encrypted iPhone 4, 4s (1), 5 and 5c devices protected with an unknown screen lock passcode by attempting to recover the original 4-digit or 6-digit PIN. This DFU attack works at the speed of 13.6 passcodes per second on iPhone 5 and 5c devices, and takes only 12 minutes to unlock an iPhone protected with a 4-digit PINs. 6-digit PINs will take up to 21 hours. A smart attack will be used automatically to attempt cutting this time as much as possible. In less than 4 minutes, the tool will try several thousand most commonly used passcodes such as 000000, 123456 or 121212, followed by 6-digit PINs based on the dates of birth. With 74,000 of those, the smart attack takes approximately 1.5 hours. If still unsuccessful, the full brute force of the rest of the passcodes is initiated. (Note: passcode recovery runs at the speed of 6.6 passcodes per second on the iPhone 4).
Full physical acquisition is available for legacy iOS devices including the iPhone 4, 4s (1), 5 and 5c. For all supported models, the Toolkit can extract the bit-precise image of the user partition and decrypt the keychain. If the device is running iOS 4 through 7, the imaging can be performed even without breaking the screen lock passcode, while devices running iOS 8 through 10 require breaking the passcode first. For all supported models, the Toolkit can extract and decrypt the user partition and the keychain.
(1) The passcode unlock and forensically sound, checkm8-based extraction are available for the iPhone 4s, iPod Touch 5, iPad 2 and 3 devices via a custom flashed Raspberry Pi Pico board, which is used to apply the exploit. The firmware image is provided with iOS Forensic Toolkit; the Pico board is not supplied.
Notes: Mac edition only; iPhone 4s support requires a Raspberry Pi Pico board (not supplied) with custom firmware (supplied). For iOS 4 through 7, passcode recovery is not required for device imaging. For iOS 8 and 9, the passcode must be recovered before imaging (otherwise, limited BFU extraction available).
Extended Logical Acquisition
iOS Forensic Toolkit supports logical acquisition, a simpler and safer acquisition method compared to physical. Logical acquisition produces a standard iTunes-style backup of information stored in the device, pulls media and shared files and extracts system crash logs. While logical acquisition returns less information than physical, experts are recommended to create a logical backup of the device before attempting more invasive acquisition techniques.
We always recommend using logical acquisition in combination with physical for safely extracting all possible types of evidence.
Quickly extract media files such as Camera Roll, books, voice recordings, and iTunes media library. As opposed to creating a local backup, which could be a potentially lengthy operation, media extraction works quickly on all supported devices. Extraction from locked devices is possible by using a pairing record (lockdown file).
In addition to media files, iOS Forensic Toolkit can extract crash/diagnostics logs and stored files of multiple apps, extracting crucial evidence without a jailbreak. Extract Adobe Reader and Microsoft Office locally stored documents, MiniKeePass password database, and a lot more. The extraction requires an unlocked device or a non-expired lockdown record.
Logical acquisition is available for all devices regardless or hardware generation and jailbreak status. The device must be unlocked at least once after cold boot; otherwise, the device backup service cannot be started.
Experts will need to unlock the device with passcode or Touch ID, or use a non-expired lockdown file extracted from the user’s computer.
If the device is configured to produce password-protected backups, experts must use Elcomsoft Phone Breaker to recover the password and remove encryption. Elcomsoft Phone Breaker is also required to view keychain records. If no backup password is set, the tool will automatically configure the system with a temporary password (“123”) in order to be able to decrypt keychain items (password will be reset after the acquisition).
Using a lockdown (pairing) record, information can be extracted from locked iOS devices even after power-off or reboot. The following matrix applies to devices running iOS 8 and newer:
|
|
Basic device info |
Advanced device info |
App list |
Media |
iTunes-style backup |
|
Device locked, no lockdown record |
Yes |
No |
No |
No |
No |
|
Device never unlocked after reboot, lockdown exists |
Yes |
Yes |
No |
No |
No |
|
Device unlocked after reboot, lockdown exists |
Yes |
Yes |
Yes |
Yes |
Yes |
Supported Devices and Acquisition Methods
iOS Forensic Toolkit implements physical acquisition support for jailbroken devices from iPhone 5s through iPhone 13, 13 Pro, iPhone 13 mini and iPhone 13 Pro Max.
The following compatibility matrix applies:
Perform physical and logical acquisition of iPhone, iPad and iPod Touch devices. Image device file system, extract device secrets (passwords, encryption keys and protected data) and decrypt the file system image.
Compatible Devices and Platforms
Logical acquisition includes:
System requirements
Windows
Apple macOS
The iOS Forensic Toolkit for Windows requires the latest version of iTunes installed. macOS version is not guaranteed to work on a virtual machine or Hackintosh. Please also note that some specific features of the product (physical acquisition for legacy 32-bit devices, agent installation using non-developer accounts, checkm8 acquisition) are available in macOS version only.
Release notes
Elcomsoft iOS Forensic Toolkit v.7.60
25 August, 2022
Uninstallation procedure: in order to uninstall the product, follow the standard procedure via Control Panel - Programs and features or use the corresponding Uninstall link from the product's folder in the Windows Start menu.
© Copyright 2000-2023 COGITO SOFTWARE CO.,LTD. All rights reserved
