iOS Forensic Toolkit 5.21 extracts keychain from locked iOS devices

Elcomsoft iOS Forensic Toolkit 5.21 is updated to support the extraction of iOS keychain from locked and disabled devices. Before-first-unlock (BFU) extraction is available on select Apple devices via the checkra1n jailbreak.

Elcomsoft iOS Forensic Toolkit 5.21 is updated to support the extraction of the iOS keychain from locked and disabled devices, whether or not they have been unlocked since the last reboot. The ability to extract the keychain from BFU (before first unlock) devices is available for Apple devices built with A7 through A11 generation SoCs. iOS Forensic Toolkit utilizes the checkra1n jailbreak to extract and decrypt the keychain from BFU devices. While the number of keychain items available before first unlock is limited, we’ve been able to access several email and account passwords.

Supported devices range from the iPhone 5s all the way up to the iPhone 8, 8 Plus and the iPhone X. Apple iPad devices running on the corresponding CPUs are also supported, which includes models ranging from the iPad mini 2 all the way up to the 2018 iPad, iPad 10.2, iPad Pro 12.9 (1st Gen) and iPad Pro 10.5. In addition, iOS Forensic Toolkit 5.20 supports Apple TV HD (ATV4) and Apple TV 4K.

iOS Forensic Toolkit 5.21 adds an important addition to the future-proof physical acquisition support we introduced in the previous release. Because the exploit is hardware-based, extraction is possible for supported Apple devices regardless of the version of iOS they are running.

Keychain extraction requires a jailbreak to be installed. The checkra1n jailbreak is based on a hardware-bound, unpatchable vulnerability discovered in all Apple devices built with an Apple A7, A8, A9, A10 or A11 SoC. The checkra1n jailbreak can be installed on locked devices in DFU mode whether or not the expert knows the screen lock passcode.

In addition, we changed the naming convention for the file system image and keychain dump files. We previously named these files user.tar and keychaindump.tar; these names were ambiguous and were too easily overwritten by subsequent acquisitions. In this release, we’ve changed the naming convention and given the two files unambiguous names. File system images are now named UDID_timestamp.tar, while keychain dumps are named keychain_UDID_timestamp.xml. The unique device ID and timestamp make extracted file system images and keychain dumps easy to archive without collisions.

Release notes:

  • Added BFU (before first unlock) keychain extraction and decryption support for select Apple devices supported by the checkra1n jailbreak (up to and including iOS 13.3)
  • UX improvement: unambiguous file names for file system and keychain dumps (UDID_timestamp.tar and keychain_UDID_timestamp.xml respectively)
