The seventh beta of Elcomsoft iOS Forensic Toolkit 8.0 for Mac brings passcode unlock and forensically sound, checkm8-based extraction of iPhone 4s, iPad 2 and 3 devices. The low-level extraction solution employs a Raspberry Pi Pico board to apply the exploit.
Elcomsoft iOS Forensic Toolkit 8.0 beta 7 for Mac expands the range of supported devices, enabling passcode unlocking and low-level extraction support for the iPhone 4s, iPad 2 and 3. The forensically sound extraction process as well as the ability to break the screen lock passcode utilize the microcontroller in Raspberry Pi Pico boards. The hardware board is used to apply the exploit, enabling clean, bootloader-based extraction of legacy iOS devices. Future releases will utilize the Pico board to streamline the extraction workflow by simplifying the process of preparing the device for extraction.
The checkm8 exploit and the iPhone 4s have a complex relationship. Applying the exploit to an iPhone 4s requires the use of specific USB controllers that are not readily available in Windows or Mac computers. The checkm8 development team had only released the exploit for Arduino boards, while our solution is based on the Raspberry Pi Pico. Customers who need the iPhone 4s extraction will receive a custom firmware image for the Pico board.
The new functionality paves the way to subsequent releases. We plan expanding bootloader-level, forensically sound extraction support to more Apple devices while making the acquisition process a push-button effort greatly simplifying the existing workflow.
The low-level extraction enables access to a much broader range of evidence compared to logical acquisition, including the detailed health and activity history as well as the user’s passwords stored in the keychain. Additional information available via low-level extraction includes detailed location history, sandboxed application data, various system artifacts, and a lot more.
Our implementation of the checkm8 exploit offers the cleanest extraction yet. Our implementation of bootloader-based exploit is derived directly from the source. All the work is performed completely in the RAM, and the operating system installed on the device is left untouched and is not used during the boot process.
With this update, Elcomsoft iOS Forensic Toolkit expands the range of supported devices, becoming the most advanced iOS acquisition tool on the market, and the only truly forensically sound one delivering repeatable results after subsequent extractions.