iOS Forensic Toolkit 5.30: jailbreak-free extraction for multiple Apple devices

Elcomsoft iOS Forensic Toolkit 5.30 delivers a brand-new, forensically sound extraction method for Apple devices running iOS 11 through 12.4. Full file system extraction with keychain decryption is available without the need to install a jailbreak.

Elcomsoft iOS Forensic Toolkit 5.30 is updated to support forensically sound, jailbreak-free extraction of iPhone and iPad devices running iOS 11 through 12.4. The new extraction method is based on direct access to the file system, and does not require jailbreaking the device. Users of EIFT 5.30 can perform the full file system extraction and decrypt the keychain without the risks and footprint associated with third-party jailbreaks.

Supported devices range from the iPhone 5s all the way up to the iPhone Xr, Xs and Xs Max, provided they run any version of iOS from iOS 11 through iOS 12.4 (except iOS 12.3 and 12.3.1). Apple iPad devices based on the corresponding SoC are also supported.

What’s it all about

iOS Forensic Toolkit 5.30 expands the range of available acquisition methods. In previous versions, the Toolkit offered the choice of advanced logical extraction (all devices) and full file system extraction with keychain decryption (jailbroken devices only). The second acquisition method required installing a jailbreak, which had to be obtained from a third-party source. The jailbreak was required to enable low-level access to the file system and the keychain, which allows extracting significantly more evidence than advanced logical acquisition based on iOS backups.

Version 5.30 introduces a third extraction method based on direct access to the file system. The new method installs an Elcomsoft extraction agent onto the device being acquired. The agent communicates with the expert’s computer, delivering robust performance and extremely high extraction speed topping 1 GB of data per minute. Better yet, agent-based extraction is completely safe, as it neither modifies the system partition nor remounts the file system, and it performs automatic on-the-fly hashing of the information being extracted. Agent-based extraction does not make any changes to user data, offering forensically sound extraction. Both the file system image and all keychain records are extracted and decrypted.

The new agent-based extraction method delivers solid performance and results in forensically sound extraction. Removing the agent from the device after the extraction takes one push of a button.

In order to make use of the extraction agent, the Apple device being analyzed must be running iOS 11 through 12.4 (except iOS 12.3 and 12.3.1). We are working to add support for newer and older versions of iOS.

Release notes:

  • Added jailbreak-free full file system extraction and keychain decryption support for Apple devices running iOS 11.0 through 12.4 (except iOS 12.3 and 12.3.1)
  • Agent-based extraction offers safe, robust, forensically sound performance
