iOS Forensic Toolkit 8.80 enhances logical acquisition, adds support for Apple Unified Logs

The latest update to Elcomsoft iOS Forensic Toolkit introduces support for extracting Apple Unified Logs, a valuable source of evidence available via advanced logical acquisition. In addition, the update delivers major performance improvements when extracting crash logs and media files.

Apple Unified Logs extraction

This release brings support for extracting Apple Unified Logs - an essential source of forensic insights and system-level activity. Unified Logs contain detailed information about processes, events, and app behavior, which can be instrumental in digital investigations.

Earlier builds of iOS Forensic Toolkit only extracted sysdiagnose logs, which typically cover the last 24 hours in detail but provide much less detail further back in time. Apple Unified Logs provide significantly more information about events that occurred during the past days (exact retention rules for different types of events are pre-configured by Apple for various device types).

Additional information about sysdiagnose and Apple Unified Logs, as well as their retention settings, is available in the blog article on forensic implications of unified logs and sysdiagnose.

Accelerated media and sysdiagnose extraction

We’ve dramatically improved the performance of extracting media files (such as photos and videos) and sysdiagnose logs during advanced logical acquisition. By incorporating a range of low-level optimizations, media and sysdiagnose extraction during extended logical acquisition is now an order of magnitude faster. With these new optimizations, the full advanced logical acquisition becomes several times faster than in previous builds.

Other improvements

We’ve made several improvements to acquisition mechanisms for legacy 32-bit devices, extending support for edge-case model and version combinations, bringing us closer to full compatibility. In addition, we added support for the latest versions of iOS 15 (15.8.5) and iOS 16 (16.7.12) for devices compatible with checkm8.

iOS Forensic Toolkit 8.80 release notes

  • logical acquisition: added support for Apple Unified Logs extraction
  • logical acquisition: significantly accelerated media files and diagnostic log acquisition
  • new: added a free Windows tool to mount acquired HFS images
  • extraction agent: multiple fixes and improvements in Agent installation
  • legacy devices: improved 32-bit extraction (edge-case model and version combinations)
  • legacy devices: usability improvements to Perfect Acquisition for 32-bit devices
  • checkm8: support for the latest versions of iOS 15 (15.8.5) and iOS 16 (16.7.12)
