Elcomsoft iOS Forensic Toolkit 5.10 is updated to support physical acquisition of Apple devices running iOS 12.2 and 12.4. The tool extracts the full file system and decrypts passwords and authentication credentials stored in the iOS keychain.
Elcomsoft iOS Forensic Toolkit 5.10 adds the ability to perform physical acquisition of Apple devices running iOS 12.2 and 12.4. The Toolkit enables file system extraction for all devices supported by the unc0ver and Chimera jailbreaks, including the iPhone Xr and iPhone Xs. In addition, the Toolkit allows decrypting the keychain to extract stored passwords and authentication credentials (with the exception of A12/A12X devices).
In order to perform physical acquisition, experts will need to install a jailbreak. Two jailbreak tools, unc0ver and Chimera, are available for iOS 12.2 and iOS 12.4. For the time being, we recommend using the Chimera jailbreak for most devices, while unc0ver is currently the only option for the iPhone Xr/Xs and iPad Pro (3rd gen). The recommended version of unc0ver is 3.5.5. Unlike newer builds, it does not remount the file system and does not modify the system partition, behaving similarly to RootlessJB.
If the device is running iOS 12.3, 12.3.1 or 12.3.2, it must be updated to iOS 12.4 before the jailbreak can be installed. At the time of this writing, Apple is still signing iOS 12.4; this is not expected to last much longer, as iOS 12.4.1, which fixes the vulnerability, is already out.
More information about iOS 12.4 jailbreaks and their implications for the forensic community is available in our blog: Why iOS 12.4 Jailbreak Is a Big Deal for the Law Enforcement