Elcomsoft iOS Forensic Toolkit 8.10 adds checkm8 extraction for iOS 16.2, fixes extraction agent signing

Elcomsoft iOS Forensic Toolkit 8.10 adds forensically sound checkm8 extraction support for iOS, iPadOS and tvOS 16.2. We are also bumping agent-based extraction support to iOS 15.5, and updating Elcomsoft iOS Forensic Toolkit 7.70 to fix the extraction agent installation issues in the Windows edition.

Elcomsoft iOS Forensic Toolkit 8.10 brings low-level file system extraction and keychain decryption support to Apple devices running iOS, iPadOS and tvOS 16.2. The new build enables forensically sound checkm8 extraction of compatible iPhone, iPad, and Apple TV devices up to and including the iPhone X range, as well as iPad and Apple TV devices built with the corresponding SoC.

The ability to use checkm8 extraction is limited on the iPhone 8, 8 Plus, and iPhone X devices. On these devices, the extraction only works if no screen lock passcode was ever used on the device since the initial setup. This limitation does not apply to any iPad or Apple TV models, yet you may have to remove the screen lock passcode when acquiring an iPadOS 16 device.

The new build also brings experimental agent-based low-level extraction support to iOS/iPadOS 15.5, albeit for A12 and newer devices only. The exploit used for iOS/iPadOS 15.5 is a complex one, so the stability of the extraction is not guaranteed. We’re sure to fix it in subsequent releases. For A11 and older devices the more advanced checkm8 extraction is available.

Elcomsoft iOS Forensic Toolkit 8.10 is only available for Mac computers for the time being. For this reason, we are also maintaining an older branch of the product, which is also available as a Windows edition. In this release, we’ve overhauled the extraction agent signing mechanism, which re-enables the ability to sideload the agent from a Windows PC. The new signing mechanism now employs regular Apple ID passwords instead of the previously used one-time passwords, but you still need an Apple ID enrolled in the Apple’s Developer Program to sideload and sign the extraction agent.

Please refer to the following chart for details on the types of extraction supported on the different platforms:

iOS Forensic Toolkit is the only solution on the market supporting checkm8 extraction of Apple TV models including the keychain. The Apple TV is the only model that cannot be protected with a passcode, making it a valuable source of accessible evidence.

checkm8-based extraction is the cleanest, safest, and most technologically advanced extraction method available for a range of Apple devices with a vulnerable bootloader. Compared to other acquisition methods, our implementation of checkm8 is the only true forensically sound solution that delivers repeatable and verifiable extractions. Compared to logical acquisition, low-level extraction delivers significantly more information and decrypts the entire content of the keychain including encryption keys and authentication tokens.

Elcomsoft iOS Forensic Toolkit 8.10 release notes:

  • Added agent acquisition for iOS up to 15.5 for A12 and newer devices
  • Extraction agent: improved the reliability of agent signing
  • checkm8: added full file system extraction support for iOS 16.2, iPadOS 16.2 and tvOS 16.2
  • Extraction agent: fixed agent uninstallation issues
  • Several small bugfixes

Elcomsoft iOS Forensic Toolkit 7.70 (Windows edition) release notes:

  • Added agent acquisition for iOS up to 15.5 for A12 and newer devices
  • Extraction agent: resolved the agent sideloading and signing issue. The updated signing mechanism uses a regular password instead of the app-specific one
  • Extraction agent: fixed agent uninstallation issues
  • Several small bugfixes

Elcomsoft iOS Forensic Toolkit 7.70 (macOS edition) release notes:

  • Added agent acquisition for iOS up to 15.5 for A12 and newer devices
  • Extraction agent: improved the reliability of agent signing
  • Extraction agent: fixed agent uninstallation issues
  • Several small bugfixes

Se också