iOS Forensic Toolkit 7.10 adds low-level extraction for iOS 14.4 through 14.8

Elcomsoft iOS Forensic Toolkit 7.10 brings the ability to perform low-level file system extraction for select iPhone models running iOS versions 14.4 through 14.8. The list of supported devices includes models of A11, A12, and A13 generations. Using an Apple Developer account is required in Windows, optional but strongly recommended in macOS.

Elcomsoft iOS Forensic Toolkit 7.10 brings low-level file system extraction support for three generations of Apple devices based on the A11, A12, and A13 Bionic platforms. For these devices, the updated toolkit now covers the entire range of iOS releases from iOS 9.0 all the way up to iOS 14.8 with no gaps or exclusions. All 64-bit iPhone models based on A11 through A13 generation SoCs are supported, including the iPhone 8/8 Plus, iPhone X, Xr, Xs, Xs Max, as well as the entire iPhone 11 generation and the iPhone SE (2nd gen).

The low-level extraction approach relies on the acquisition agent, which enables low-level access to the phone’s data and extracts the complete file system image. Keychain decryption is still unavailable and in active research for these versions of iOS.

The result of this update is complete low-level file system extraction support for iPhone devices without a jailbreak from iOS 9 onwards, up to and including iOS 14.8 on supported devices. For A11 devices, full file system extraction and keychain decryption are supported. For A12 and A13 devices, keychain decryption is only available for iOS versions up to and including iOS 14.4, 14.4.1, and 14.4.2.

All this makes the picture of supported platforms quite fragmented. Please refer to the following chart for details on the types of extraction supported on the different platforms:

Agent-based extraction offers numerous benefits compared to other acquisition methods. The agent does not make any changes to user data, offering the most forensically sound extraction among available acquisition methods.

Using an Apple ID registered in Apple’s Developer Program is strongly recommended for installing the agent, as it alleviates the need to open Internet access on the device. More about that in "Why Mobile Forensic Specialists Need a Developer Account with Apple". An optional workaround is available to Mac users, enabling the use of regular Apple IDs for sideloading the extraction agent.

Release notes:

  • Added agent-based full file system acquisition for iOS 14.4 – 14.8 (A11/A12/A13)
  • Added agent-based keychain acquisition for iOS 14.4 – 14.8 (A11)
  • Added agent-based keychain acquisition for iOS 14.4.x (A12/A13)
  • Fixed some problems with device pairing
  • Fixed logical acquisition for iOS 14.8 and 15 (some data was missing in Info.plist)
  • HFS+ decryption improvements and fixes (macOS version only)
  • Minor bug fixes and improvements
