New features

Full low-level extraction with keychain decryption for iOS 16.0 - 16.5

Low-level file system extraction and keychain decryption are now available for a wider range of iOS versions than ever. Full low-level extraction is now available for iOS 16 through 16.5. The new methods support devices built with the A11 and newer chips, effectively covering the iPhone 8/8 Plus/iPhone X, as well as the iPhone Xs/Xr through iPhone 14/14 Pro range, and supports many iPads including those based on Apple M1 and M2 chips.

Extended support for iPhone 8, iPhone 8 Plus and iPhone X

Previously available extraction methods for A11 Bionic devices (which includes the iPhone 8, 8 Plus, and iPhone X) proved to be challenging, limiting forensic specialists to partial file system extraction for iOS 15.4 - 16.1.2, without access to the keychain. The updated agent-based extraction method now allows to perform full file system extraction and decrypt the keychain on A11 devices running all versions of iOS 15 and 16 up to and including iOS 16.5.

Forensic Access to iPhone/iPad/iPod Devices running Apple iOS

Perform the complete forensic acquisition of user data stored in iPhone/iPad/iPod devices. Elcomsoft iOS Forensic Toolkit allows imaging devices’ file systems, extracting device secrets (passcodes, passwords, and encryption keys) and accessing locked devices via lockdown records.

The following extraction methods are supported:

Advanced logical acquisition (backup, media files, crash logs, shared files) (all devices, all versions of iOS)
Direct agent-based extraction (all 64-bit devices, select iOS versions)
Forensically sound bootloader-based checkm8 extraction (select devices)
Jailbreak-based extraction (all devices and versions of iOS with public jailbreaks)
Passcode unlock and true physical acquisition (select 32-bit devices)

See Compatible Devices and Platforms for details.

Full File System Extraction and Keychain Decryption

A low-level extraction method based on direct access to the file system is available for a wide range of iOS devices and OS versions. Using an in-house developed extraction tool, this acquisition method installs an extraction agent onto the device being acquired. The agent communicates with the expert’s computer, delivering robust performance and extremely high extraction speed topping 2.5 GB of data per minute.

Using the extraction agents is inherently safe for the device itself as it neither modifies the system partition nor remounts the file system; however, it is not as clean and forensically sound as checkm8, with minor alterations (e.g. some records in the system log) introduced during extraction. However, despite not being classified as a "physical" extraction, the low-level extraction technique employed by the extraction agent yields as much data as that obtained through physical extraction methods like checkm8. Both the file system image and all keychain records can be extracted and decrypted depending on the OS version.

One can either extract the complete file system or use the express extraction option, only acquiring files from the user partition. By skipping files stored in the device's system partition, the express extraction option helps reduce the time required to do the job and cut storage space by several gigabytes of static content.

Windows users will need an Apple ID registered in the Apple Developer Program to install and sign the extraction agent. Mac users may use a regular Apple ID for signing and sideloading the extraction agent.

Jailbreak-based Extraction

In addition to agent-based extraction, iOS Forensic Toolkit fully supports the extraction of all jailbroken devices for which a jailbreak is available. Full file system extraction and keychain decryption are available for jailbroken devices. All public jailbreaks are supported.

Forensically sound extraction with bootloader exploit

To preserve digital evidence, the chain of custody begins from the first point of data collection to ensure that digital evidence collected during the investigation remains court admissible. The new, bootloader-based extraction method delivers repeatable results across extraction sessions. When using iOS Forensic Toolkit on a supported device, the checksum of the first extracted image will match checksums of subsequent extractions provided that the device is powered off between extractions and never boots the installed version of iOS in the meantime.

The new extraction method is the cleanest yet. Our implementation of bootloader-based exploit is built from the ground up. All the work is performed completely in the RAM, and the operating system installed on the device is not booted during the extraction process. Our unique direct extraction process offers the following benefits:

Repeatable results. Checksums of subsequent extractions will match the first one if the device is kept powered off and never boots iOS between sessions.
Supports iPhone X, iPhone 8/7/Plus, 6s/6/Plus, SE (original), iPhone 5s
Supports a wide range of Apple models in total including 25 iPhones, 40 iPads, 3 iPods, 4 Apple TV and 4 Apple Watch models
Wide iOS compatibility. iOS 3 through iOS 16 are supported with limited support for iOS 16 on A11 devices.
Unaltered system and data partitions.
Zero data modification policy: 100% of the patching occurs in the RAM.
The installation process is fully guided and massively more reliable compared to jailbreaking.
Locked devices supported in BFU mode, while USB restricted mode can be completely bypassed.

Notes: bootloader-level extractions are available exclusively in the Mac edition, requiring a macOS computer.

Unlocking and Imaging Legacy Devices: iPhone 3G/3GS, 4, 4s, 5, and 5c

Passcode unlock and imaging support are available for legacy iPhone models.

The Toolkit can be used to unlock encrypted iPhone 3G/3GS, 4, 4s (1), 5 and 5c devices protected with an unknown screen lock passcode by attempting to recover the original 4-digit or 6-digit PIN. This DFU attack works at the speed of 13.6 passcodes per second on iPhone 5 and 5c devices, and takes only 12 minutes to unlock an iPhone protected with a 4-digit PINs. 6-digit PINs will take up to 21 hours. A smart attack will be used automatically to attempt cutting this time as much as possible. In less than 4 minutes, the tool will try several thousand most commonly used passcodes such as 000000, 123456 or 121212, followed by 6-digit PINs based on the dates of birth. With 74,000 of those, the smart attack takes approximately 1.5 hours. If still unsuccessful, the full brute force of the rest of the passcodes is initiated. (Note: passcode recovery runs at the speed of 6.6 passcodes per second on the iPhone 4).

Full physical acquisition is available for legacy iOS devices including the iPhone iPhone 3G/3GS, 4, 4s (1), 5 and 5c. For all supported models, the Toolkit can extract the bit-precise image of the user partition and decrypt the keychain. If the device is running iOS 4 through 7, the imaging can be performed even without breaking the screen lock passcode, while devices running iOS 8 through 10 require breaking the passcode first. For all supported models, the Toolkit can extract and decrypt the user partition and the keychain.

(1) The passcode unlock and forensically sound, checkm8-based extraction are available for the iPhone 4s, iPod Touch 5, iPad 2 and 3 devices via a custom flashed Raspberry Pi Pico board, which is used to apply the exploit. The firmware image is provided with iOS Forensic Toolkit; the Pico board is not supplied.

Notes: Mac edition only; iPhone 4s support requires a Raspberry Pi Pico board (not supplied) with custom firmware (supplied). For iOS 4 through 7, passcode recovery is not required for device imaging. For iOS 8 and 9, the passcode must be recovered before imaging (otherwise, limited BFU extraction available).

Extended Logical Acquisition

iOS Forensic Toolkit supports logical acquisition, a simple and safe acquisition method. Logical acquisition produces a standard iTunes-style backup of information stored in the device, pulls media and shared files and extracts system crash logs. While logical acquisition returns less information than low-level extraction, experts are recommended to create a logical backup of the device before attempting more invasive acquisition techniques.

We always recommend using logical acquisition in combination with low-level extraction for safely extracting all possible types of evidence.

Quickly extract media files such as Camera Roll, books, voice recordings, and iTunes media library. As opposed to creating a local backup, which could be a potentially lengthy operation, media extraction works quickly on all supported devices. Extraction from locked devices is possible by using a pairing record (lockdown file).

In addition to media files, iOS Forensic Toolkit can extract crash/diagnostics logs and stored files of multiple apps, extracting crucial evidence without a jailbreak. Extract Adobe Reader and Microsoft Office locally stored documents, MiniKeePass password database, and a lot more. The extraction requires an unlocked device or a non-expired lockdown record.

Logical acquisition is available for all devices regardless or hardware generation and jailbreak status. The device must be unlocked at least once after cold boot; otherwise, the device backup service cannot be started.

Experts will need to unlock the device with passcode or Touch ID, or use a non-expired lockdown file extracted from the user’s computer.

If the device is configured to produce password-protected backups, experts must use Elcomsoft Phone Breaker to recover the password and remove encryption. Elcomsoft Phone Breaker is also required to view keychain records. If no backup password is set, the tool will automatically configure the system with a temporary password (“123”) in order to be able to decrypt keychain items (password will be reset after the acquisition).

Using a lockdown (pairing) record, information can be extracted from locked iOS devices even after power-off or reboot. The following matrix applies to devices running iOS 8 and newer:

	Basic device info	Advanced device info	App list	Media	iTunes-style backup
Device locked, no lockdown record	Yes	No	No	No	No
Device never unlocked after reboot, lockdown exists	Yes	Yes	No	No	No
Device unlocked after reboot, lockdown exists	Yes	Yes	Yes	Yes	Yes

Supported Devices and Acquisition Methods

iOS Forensic Toolkit implements low-level extraction support for devices ranging from the iPhone 5s through iPhone 14, 14 Pro and iPhone 14 Pro Max range.

The following compatibility matrix applies:

Passcode unlock: Brute-forces 4-digit and 6-digit screen lock passcodes via DFU exploit. All iOS versions, iPhone 3G/3GS, 4, 4s, 5 and 5c devices. ^[1]^[2]
Legacy devices: Bit-precise imaging and decryption of iPhone 3G/3GS, 4, 4s, 5 and 5c devices. ^[1]^[2]
Agent: Full file system extraction and keychain decryption for many devices running iOS 12 through 16.5. The corresponding iPad models are also covered. Apple Developer registration required (Windows)/optional (macOS).
Via Bootrom exploit (checkm8): Forensically sound file system & keychain acquisition for 76 Apple devices for all supported iOS versions. ^[1]
Other Apple devices: Advanced logical acquisition, shared files and media extraction for devices running versions of iOS not supported by the extraction agent. Device must be unlocked and paired with the expert's computer.

Perform physical and logical acquisition of iPhone, iPad and iPod Touch devices. Image device file system, extract device secrets (passwords, encryption keys and protected data) and decrypt the file system image.

Only available in the Mac edition.
iPhone 4s support requires a custom-flashed Raspberry Pi Pico board.

Breaking into iOS 16.5: Extracting the File System and Keychain

Pushing the Boundaries: Low-Level Extraction of iOS 16.4 with Keychain Decryption

Low-level Extraction for iOS 16 with iPhone 14/14 Pro Support

Low-level Extraction for iOS 15

Automating DFU Mode with Raspberry Pi Pico

Elcomsoft End User License Agreement

Related Products

Elcomsoft Mobile Forensic Bundle

from $ 3495

Elcomsoft Phone Viewer

from $ 79

Elcomsoft Phone Breaker

from $ 199

EIFT. Extract and decrypt iOS keychain

Elcomsoft iOS Forensic Toolkit main window

Elcomsoft iOS Forensic Toolkit: Full File System Extraction

EIFT. Extracting debug & diagnostic logs

EIFT. Creating backup of the device

All Features and Benefits

Apple Watch, Apple TV and HomePod Extraction

Elcomsoft iOS Forensic Toolkit is the only third-party tool on the market to extract information from Apple TV, Apple Watch and first-generation HomePod devices. While experts may attempt creating an iTunes-style backup of the user’s iPhone paired with their Apple Watch, a local backup may not be available if the iPhone is securely locked. Extracting information directly from the Watch allows accessing information even if the iPhone is locked or unavailable. While Apple Watch does not offer standalone iTunes-style backups, experts can still access crash logs and media files including EXIF and location data.

A third-party IBUS adapter is required to connect the Watch
checkm8 extraction for Apple Watch S3
Logical acquisition for Apple Watch S0/S1/S2/S4/S5

Apple TV devices have no support for iTunes-style backups, but may contain a local copy of the user’s entire iCloud Photo Library if the user enabled iCloud Photos in their iCloud account. Since Apple TV does not feature passcode protection, the extraction is possible even if the user’s iPhone is locked down and the iCloud password is unknown. Requires wired connection for Apple TV 4, wireless connection through Xcode for Apple TV 4K.

Forensically sound checkm8 extraction is supported for Apple TV 4K (1st gen) and older and Apple Watch S3 and older devices as well as the first-generation HomePod. A custom adapter may be required.

Keychain Extraction

Elcomsoft iOS Forensic Toolkit can extract keychain items including those protected with ThisDeviceOnly attribute, opening investigators access to highly sensitive data such as login/password information to Web sites and other resources (and, in many cases, to Apple ID).

The device must remain unlocked during the entire keychain acquisition process. iOS Forensic Toolkit implements a tool to disable automatic screen lock.

DFU/Recovery Mode

Get information on locked and disabled devices through DFU or Recovery modes. Even if the device is locked after 10 unsuccessful unlock attempts, or if the USB restricted mode is activated, you can still switch it into Recovery or DFU. With Elcomsoft iOS Forensic Toolkit, you can then extract vital information about the device, including the device model identifier, its ECID/UCID, serial number and, in certain scenarios, the IMEI number. In addition, the Recovery mode returns information about the bootloader version, which helps determine the version of iOS or the range of versions of iOS installed on the device.

Automation Using Raspberry Pi Pico

Using a Raspberry Pi Pico board flashed with ElcomSoft firmware one can automate some otherwise time-consuming and labor-intensive routines.

Auto-DFU

Auto-DFU allows experts to automate the switching of iPhone 8, iPhone 8 Plus, and iPhone X devices into DFU, greatly simplifying the process that otherwise requires a sequence of button presses with precise timings. Automatic DFU mode is indispensable when one has a device with broken buttons, which would otherwise require disassembly to be placed into DFU. This feature requires the use of a pre-programmed Raspberry Pi Pico device.

Scrolling screenshots

This automation allows making long, scrollable screen shots in a semi-automatic fashion. This feature is available for all devices and versions of iOS.

Capturing screenshots can be a crucial step in mobile device investigations. By taking a series of screenshots of what is displayed on a connected iOS device, investigators can gather digital evidence that may not be accessible through other means, such as advanced logical acquisition, where the data such as protected chat histories may not be available. In a way, the new feature can be viewed as new extraction tool in addition to cloud, advanced logical, and low-level extraction methods.

Functional firewall for securing agent sideloading

Sideloading and running the low-level extraction agent may require validating the app's digital signature through Apple servers, which requires online connectivity with associated risks. We have developed an open-source solution based on a Raspberry Pi 4 that minimizes the risks by limiting the device’s connection solely to the server required for certificate verification.

Video Tutorial

Follow @elcomsoft

Compatible Devices and Platforms

iPhone 3G/3GS, 4, 5 and 5c: passcode unlock via DFU (macOS edition only)
iPhone 3G/3GS, 4, 4s, 5 and 5c: physical acquisition with bit-precise imaging and keychain decryption (macOS edition only) (iPhone 4s support requires a Raspberry Pi Pico board)
iPhone 3G/3GS, 4, 4s, 5, 5c, 5s, 6, 6s, SE, 7, 8, X, iPod Touch 5, 6, 7, iPad 2, 3, 4, 5, 6, 7, iPad Mini 1, 2, 3, 4, iPad Air 1, 2, iPad Pro 1, 2, Apple TV 3, 4, 4K, Apple Watch S3: forensically sound bootloader-level extraction (macOS edition only)
Partial file system & keychain acquisition for BFU, locked and disabled iPhone models ranging from the iPhone 5s through iPhone X
Apple TV 4 (cable connection) and Apple TV 4K (wireless connection through Xcode, Mac only)
Apple Watch (checkm8 for Apple Watch S3, limited logical extraction for Apple Watch S0/S1/S2/S4/S5); requires a third-party IBUS adapter
HomePod (first generation); full checkm8 extraction; requires a custom 3D-printable USB adapter
No jailbreak: agent-based extraction for supported devices; advanced logical acquisition for all other devices ^[1]

Logical acquisition includes:

Extended information about the device
iTunes-format backup (includes many keychain items)
List of installed apps
Media files (even if the backup is password-protected)
Shared files (even if the backup is password-protected)

Logical acquisition works even with locked devices with unknown passcode if a valid pairing record is available.

Breaking into iOS 16.5: Extracting the File System and Keychain

Pushing the Boundaries: Low-Level Extraction of iOS 16.4 with Keychain Decryption

Low-level Extraction for iOS 16 with iPhone 14/14 Pro Support

Low-level Extraction for iOS 15

Automating DFU Mode with Raspberry Pi Pico

Elcomsoft End User License Agreement

System requirements

Windows

Windows 7/8/8.1/10/11

Apple macOS

macOS 10.13 High Sierra
macOS 10.14 Mojave
macOS 10.15 Catalina
macOS 11 Big Sur
macOS 12 Monterey
macOS 13 Ventura

The iOS Forensic Toolkit for Windows requires the latest version of iTunes installed. macOS version is not guaranteed to work on a virtual machine or Hackintosh. Please also note that some specific features of the product (physical acquisition for legacy 32-bit devices, agent installation using non-developer accounts, checkm8 acquisition) are available in macOS version only.

Release notes

Elcomsoft iOS Forensic Toolkit v.7.94

2 August, 2023
v.7.94

extraction agent: added support for iOS 16.4.1, 16.4.1 (a) and 16.5 (A12-A16, M1/M2)

extraction agent: added support for iOS 15.4 to 16.5 (A11)

extraction agent: improved reliability for some iOS 15 versions

enhancement: added the ability to check for current license status (expiration date) and renew licenses

v.8.40

extraction agent: added support for iOS 16.4.1, 16.4.1 (a) and 16.5 (A12-A16, M1/M2)

extraction agent: added support for iOS 15.4 to 16.5 (A11)

extraction agent: improved reliability for some iOS 15 versions

checkm8: added support for iOS/iPadOS/tvOS 16.6 and iOS/iPadOS 15.7.8

enhancement: added the ability to check for current license status (expiration date) and renew licenses

Uninstallation procedure: in order to uninstall the product, follow the standard procedure via Control Panel - Programs and features or use the corresponding Unistall link from the product's folder in the Windows Start menu.

Breaking into iOS 16.5: Extracting the File System and Keychain

Pushing the Boundaries: Low-Level Extraction of iOS 16.4 with Keychain Decryption

Low-level Extraction for iOS 16 with iPhone 14/14 Pro Support

Low-level Extraction for iOS 15

Automating DFU Mode with Raspberry Pi Pico

Elcomsoft End User License Agreement