Elcomsoft iOS Forensic Toolkit

Forensic access to iPhone, iPad and iPod devices with Apple iOS operating system

Perform a complete forensic capture of user data from iPhone, iPad and iPod devices. Elcomsoft iOS Forensic Toolkit allows you to create an image of the device's file system to extract secret data (passcode locks, passwords and passcode keys) and access locked devices via lockdown records.

The following extraction methods are supported:

• Advanced logical capture (backup, media files, crash logs, shared files) (all devices, all versions of iOS)
• Direct agent-based extraction (all 64-bit devices, selected iOS versions)
• Forensically sound bootloader-based checkm8 extraction (selected devices)
• Passcode unlocking and real physical capture (select 32-bit devices)

Full file system extraction and keychain decryption

An extraction method based on direct access to the file system is available for a wide range of iOS devices and operating system versions. Using a specially developed extraction tool, this acquisition method installs an extraction agent on the device being acquired. The agent communicates with the expert's computer and offers robust performance and an extremely high extraction speed of over 2.5 GB of data per minute.

Using the extraction agent is basically safe for the device itself, as neither the system partition is modified nor the file system is remounted. The low-level extraction technique used by the extraction agent yields as much data as that obtained by physical extraction methods such as checkm8. Depending on the operating system version, both the file system image and all keychain records can be extracted and decrypted.

One can either extract the entire file system or use express extraction and retrieve only the files from the user partition. Express data extraction helps save time and disk space by retrieving only the contents of the data partition while skipping the system partition.

Windows and Linux users need an Apple ID registered with the Apple Developer Program to install and sign the extraction agent. macOS users can use common Apple IDs to load the extraction agents.

Forensically sound extraction with bootloader exploit

To preserve digital evidence, data immutability is enabled from the first point of data collection to ensure that digital evidence collected during investigations remains admissible in court by being virtually untouched. The new bootloader-based extraction method provides repeatable results across extraction sessions. When iOS Forensic Toolkit is used on a supported device, the checksum of the first extracted image will match the checksums of subsequent extractions, provided the device has never been rebooted and was stored in a powered-off state between extractions.

The new extraction method is the cleanest yet. Our implementation of the bootloader-based exploit is built from the ground up, meaning that we have implemented it based on our in-house technical research and it is not jailbreak based as is generally done so far. All work is performed entirely in RAM, and the operating system installed on the device remains unbooted during the extraction process. Our unique direct extraction method offers the following advantages:

• Repeatable results. Checksums of subsequent extractions match the first if the device remains powered off and iOS never boots between sessions.
• Supports iPhone X, iPhone 8/7/Plus, 6s/6/Plus, SE (Original), iPhone 5s.
• Supports a wide range of Apple models in total, including 25 iPhones, 40 iPads, 3 iPods, 4 Apple TV 4 and 4K, 4 Apple Watch models
• Wide iOS compatibility. iOS 3 to iOS 16 are supported (no support for all iOS 16 on A11 Bionic iPhones).
• Unchanged system and data partitions.
• Zero change policy: 100% of the patch is done in RAM.
• The installation process is fully guided and extremely robust.
• Locked devices are supported in BFU mode, while USB Restricted Mode can be completely bypassed.

compatibility: Bootloader-level extractions are available in the Mac and Linux editions.

Unlocking and imaging older devices: iPhone 3G/3GS, 4, 4s, 5 and 5c

Passcode unlocking and imaging support are available for older iPhone models.

The toolkit can be used to unlock encrypted iPhone 3G/3GS, 4, 4s (1), 5 and 5c devices protected with an unknown screen password. EIFT recovers the original 4-digit or 6-digit PIN. Unlocking an iPhone 5 protected with 4-digit PINs takes less than 12 minutes. Recovering 6-digit PINs takes up to 21 hours. For this reason, we have developed an intelligent attack on 6-digit passwords that first tries the list of most commonly used passwords. This list contains only 2910 entries, and it takes only about 4 minutes to test them all. Examples on this list include the globally popular combination 123456, repeated digits, as well as the digital passwords that represent specific combinations (e.g. 131313 or 287287). After this list come the 6-digit PINs based on the user's date of birth. After the program tries all these combinations, which takes about 1.5 hours, the tool starts the full brute force attack.

Full physical capture is available for older iOS devices including iPhone 3G/3GS, 4, 4s (1), 5 and 5c. For all supported models, the toolkit can extract the bit-perfect image of the user partition and decrypt the keychain. If the device is running iOS 4 to 7, imaging can be performed without recovering the passcode, while devices running iOS 8 to 10 will need to recover the passcode first. For all supported models, the toolkit can extract and decrypt the user partition and keychain.

(1) Passcode unlocking and forensically sound checkm8-based extraction are available for iPhone 4s, iPod Touch 5, iPad 2 and 3 devices. The low-level extraction solution uses a Raspberry Pi Pico board to apply the exploit. The firmware image is provided with the iOS Forensic Toolkit; the Pico board is not included.

Notes: Mac and Linux editions only; iPhone 4S support requires a Raspberry Pi Pico board (not included) with custom firmware (included). For iOS 4 through 7, device imaging does not require passcode recovery. For iOS 8 and 9, the passcode must be recovered before imaging (otherwise limited BFU capture is available). Unlock speed estimates are provided for iPhone 5. Attacks are slower on older devices.

Extended logical access

iOS Forensic Toolkit supports logical access, which is an easy and secure access method. Logical acquisition creates a standard iTunes-like backup of the information stored on the device, retrieves media and shared files, and extracts system crash logs. While the logical method yields less information than low-level extraction, experts are advised to create a logical backup of the device before applying more invasive acquisition techniques.

We always recommend using logical capture in combination with low-level extraction to securely obtain all possible types of evidence.

Quickly extract media files such as Camera Roll, books, voice recordings and iTunes library. Unlike creating a local backup which may be a tedious process, media extraction works quickly on all supported devices. Reading data from locked devices is possible by applying the lockdown file.

iOS Forensic Toolkit also provides the ability to access crash/diagnostic logs and saved files of many apps. Extract documents from Adobe Reader and Microsoft Office, MiniKeePass password database and much more. Extraction requires an unlocked device or unexpired lock record.

Logical access is available for all devices, regardless of hardware or iOS version. Experts must unlock the device with passcode lock or Touch ID or use an unexpired lockdown file from the user's computer.

If the device is configured to create password-protected backups, experts mustElcomsoft Phone Breakerto determine the password and remove the encryption. If no backup password has been set, the tool will automatically provide the system with a temporary password ("123") to be able to decrypt items from the keychain (the password will be reset after access).

Supported devices and collection methods

iOS Forensic Toolkit supports low-level extraction on jailbroken devices from iPhone 3G to iPhone 14, 14 Pro and iPhone 14 Pro Max.

The following compatibility patterns apply:

• Unlock passcode: Recovers 4-digit and 6-digit screen passcodes via DFU exploit. All iOS versions, iPhone 4, 4s, 5 and 5c devices.[1][2]
• older devices: Bit-accurate imaging and decryption of iPhone 4, 4s, 5 and 5c devices. Available in Mac Edition only.[1][2]
• agent: Full file system extraction and keychain decryption for many devices running iOS 12 to 16.5. The corresponding iPad models are also supported. Apple Developer registration is required (Windows) / optional (macOS).
• About Bootrom exploit (checkm8): Forensically sound file system and keychain capture for 76 Apple devices for all supported iOS versions[1].
• Other Apple devices: Advanced logical capture, shared files, and media extraction for devices running iOS versions not supported by the extraction agent. The device must be unlocked and paired with the expert's computer.

Perform physical and logical scanning of iPhone, iPad and iPod Touch devices. Image Device File System, extracts device contents (passwords, keys and protected data) and decrypts the file system image.

Compatible devices and platforms

• iPhone 3G/3GS, 4, 4s, 5 and 5c: Unlocking via DFU (macOS and Linux editions)
• iPhone 3G/3GS, 4, 4s, 5 and 5c: physical capture with bit-accurate device mapping and keychain decryption (macOS and Linux editions)(iPhone 4s extraction requires the use of a Raspberry Pi Pico board)
• iPhone 3G/3GS, 4, 4s, 5, 5c, 5s, 6, 6s, SE, 7, 8, X, iPod Touch 5, 6, 7, iPad 2, 3, 4, 5, 6, 7, iPad Mini 1, 2, 3, 4, iPad Air 1, 2, iPad Pro 1, 2, Apple TV 3, 4, 4K, Apple Watch S3: forensic bootloader level extraction (macOS and Linux editions)
• Partial capture of file systems and keychain for locked and deactivated iPhone models from iPhone 5s to iPhone X by BFU
• Apple TV 4 (cable connection) and Apple TV 4K (wireless connection via Xcode, macOS and Linux editions)
• Apple Watch (checkm8 for Apple Watch S3, limited logical extraction for Apple Watch S0 to S6); requires a third-party IBUS adapter, macOS and Linux editions
• HomePod (first generation); full checkm8 extraction; requires a custom 3D printable USB adapter (macOS and Linux editions)
• All devices: agent-based extraction for supported devices; only advanced logical data collection for all other devices[1]

Logical data capture includes:

• Complete information about the device
• Backup in iTunes format (contains many keychain items)
• List of installed apps
• Media files (even if the backup was locked with the code)
• Shared files (even if the backup was locked with the code)

Apple Watch, Apple TV and HomePod extraction

Elcomsoft iOS Forensic Toolkit is the only third-party tool available on the market to extract information from Apple TV, Apple Watch and first-generation HomePod devices. While experts attempt to create an iTunes-style backup of the user's iPhone paired with their Apple Watch, a local backup may not be available if the iPhone is securely locked. Extracting information directly from the Apple Watch allows you to access information even if the iPhone is locked or unavailable. Experts can access crash logs and media files including EXIF ​​and location data.

• An IBUS adapter is required to connect the Apple Watch.
• checkm8 extraction for Apple Watch S0 to S3
• Logical capture for Apple Watch S0 to S6

Apple TV devices can contain a local copy of the user's entire iCloud Photo Library if the user has iCloud Photos enabled on their iCloud account. Since Apple TV does not offer passcode protection, extraction is possible even if the user's iPhone is locked and the iCloud password is not known. Requires a wired connection for Apple TV 4, a wireless connection via Xcode for Apple TV 4K.

Forensically sound checkm8 extraction is supported for Apple TV 4K (1st generation) and earlier, Apple Watch S3 and earlier, and the first generation HomePod. A third-party adapter may be required.

Keychain extraction

Elcomsoft iOS Forensic Toolkit can extract keychain items, including those protected with the ThisDeviceOnly attribute, giving investigators access to highly sensitive data such as login/password information to websites and other resources (and in many cases, Apple ID).

The device must remain unlocked during the entire keychain acquisition process. iOS Forensic Toolkit implements a tool to disable automatic screen lock.

DFU / Recovery and Diagnostic Mode

Information about locked and disabled devices can be obtained in DFU, Recovery and Diagnostic modes. If the device is locked after 10 unsuccessful unlock attempts or if USB Restricted Mode is enabled, you can still put it into Recovery or DFU mode. Elcomsoft iOS Forensic Toolkit then allows you to extract important information about the device, including the device model ID, ECID/UCID, serial number and, in certain scenarios, IMEI number. In addition, Recovery Mode returns information about the bootloader version. By analyzing the bootloader version, the tool displays information about the iOS version or the range of versions of iOS installed on the device.

Automation with Raspberry Pi Pico

By using a Raspberry Pi Pico board flashed with ElcomSoft firmware, it is possible to automate some otherwise time-consuming and labor-intensive routines.

Auto DFU

Auto-DFU allows experts to automate the process of putting iPhone 8, iPhone 8 Plus and iPhone X devices into DFU, greatly simplifying the process that otherwise requires a sequence of button presses with precise timings. Auto-DFU mode is indispensable when one has a device with broken buttons that would otherwise have to be disassembled to place it in DFU. This feature requires the use of a pre-programmed Raspberry Pi Pico device.

Scrolling screenshots

This feature adds the ability to semi-automatically take long, scrollable screenshots. The new feature is available for all devices and versions of iOS.

Capturing screenshots can be a crucial step in mobile device investigations. By taking a series of screenshots of what is displayed on a connected iOS device, investigators can collect digital evidence that might not be accessible in any other way. For example, data or protected chat histories might not be available through advanced logical capture. In a way, the new feature can be seen as a new extraction tool alongside cloud, advanced logical and low-level extraction methods.

Functional firewall to secure agent sideloading

Sideloading and running the low-level extraction agent may require validating the app's digital signature through Apple servers, which requires online connectivity with associated risks. We have developed an open source solution based on a Raspberry Pi 4 that minimizes the risks by restricting the device's connection only to the server required for certificate verification.