You can either extract the complete file system or use the express extraction option, only acquiring files from the user partition.
Removing the agent from the device after the extraction takes one push of a button. The agent-based extraction method delivers solid performance and results in forensically sound extraction. Agent-based extraction does not make any changes to user data, offering forensically sound extraction.īoth the file system image and all keychain records are extracted and decrypted. The agent communicates with the expert’s computer, delivering robust performance and extremely high extraction speed topping 2.5 GB of data per minute.īetter yet, agent-based extraction is completely safe as it neither modifies the system partition nor remounts the file system while performing automatic on-the-fly hashing of information being extracted. Using an in-house developed extraction tool, this acquisition method installs an extraction agent onto the device being acquired.
Full File System Extraction and Keychain Decryption Without a JailbreakĪ jailbreak-free extraction method based on direct access to the file system is available for a limited range of iOS devices.
See Compatible Devices and Platforms for details. Passcode unlock and true physical acquisition (select 32-bit devices).Jailbreak-based extraction (all devices and versions of iOS with public jailbreaks).Forensically sound bootloader-based checkm8 extraction (select devices).Direct agent-based extraction (all 64-bit devices, select iOS versions).Advanced logical acquisition (backup, media files, crash logs, shared files) (all devices, all versions of iOS).The following extraction methods are supported: Elcomsoft iOS Forensic Toolkit allows imaging devices’ file systems, extracting device secrets (passcodes, passwords, and encryption keys) and accessing locked devices via lockdown records. Perform the complete forensic acquisition of user data stored in iPhone/iPad/iPod devices.
Additional information includes contacts and messages (SMS/iMessage), call logs, Wallet items, as well as many system events such as app activities, network and Bluetooth usage, unlock events, and a lot more.įorensic Access to iPhone/iPad/iPod Devices running Apple iOS
The low-level extraction enables access to a much broader range of evidence compared to logical acquisition, including the detailed health and activity history, geolocation logs, as well as the user’s passwords stored in the Watch keychain.
The unique, forensically sound extraction process utilizes the checkm8 exploit, enabling bootloader-based extraction of AW3 devices via commercially available USB adapters regardless of the version of WatchOS installed.
IOS Forensic Toolkit 8.0 beta 5 for Mac enables low-level extraction support for the Apple Watch Series 3. This completes the range of devices that can be extracted with iOS Forensic Toolkit 8.0 beta for Mac, which now includes all 64-bit iPhone models ranging from the iPhone 5s all the way to the iPhone X with no gaps or exclusions. The fourth beta of iOS Forensic Toolkit 8.0 for Mac adds checkm8 extraction support for the latest generation of iPhone devices with a bootloader vulnerability, which includes the iPhone 8, 8 Plus, and iPhone X devices running all supported versions of iOS up to and including iOS 15.3. The new extraction method is the cleanest yet, enabling repeatable, verifiable extractions and forensically sound workflow. IOS Forensic Toolkit 8.0 beta for Mac introduces a new extraction method for select iOS devices based on the modified bootloader. Checkm8 extraction for select iPhone models