Elcomsoft iOS Forensic Toolkit 8.0 beta 11 adds forensically sound checkm8-based low-level extraction support for the latest iOS, iPadOS and tvOS 15.6 RC, while also supporting watchOS 8.7 RC. In addition, several fixes are made to the checkm8 extraction engine.
Elcomsoft iOS Forensic Toolkit 8.0 beta 11 brings low-level file system extraction and keychain decryption support to Apple devices running the latest RC builds of iOS, iPadOS and tvOS. The new build enables forensically sound checkm8-based extraction of compatible iPhones, iPads and Apple TV devices running iOS/iPadOS/tvOS 15.6 RC. Supported devices include the iPhone range up to and including the iPhone X, as well as iPad and Apple TV devices built with the corresponding SoC. In addition, we’ve added support for compatible Apple Watch devices running watchOS 8.7 RC.
We published a comprehensive manual on placing the Apple TV into DFU, applying the checkm8 exploit and extracting the data.
iOS Forensic Toolkit is the only solution on the market supporting checkm8 extraction of Apple TV models including the keychain. The Apple TV is the only model that cannot be protected with a passcode, making it a valuable source of accessible evidence.
For supported device models capable of running iOS 15.6 RC, the updated checkm8 extraction engine can extract the full file system and decrypt the entire content of the keychain without modifying the content of the device.
While iOS 15.6 is currently a Release Candidate, minimal changes are expected in the final release, making iOS Forensic Toolkit compatible with iOS 15.6 out of the box. Please note that installing the exploit requires downloading a clean build of iOS/iPadOS/tvOS 15.6 RC from Apple’s Web site. Accessing Release Candidate builds requires an Apple Developer account (including free accounts). Once officially released, the build will become publicly available from Apple’s Web site.
Please refer to the following chart for details on the types of extraction supported on the different platforms:
checkm8-based extraction is the cleanest, safest, and most technologically advanced extraction method available for a range of Apple devices with a vulnerable bootloader. Compared to other acquisition methods, our implementation of checkm8 is the only truly forensically sound solution that delivers repeatable and verifiable extractions. Compared to logical acquisition, low-level extraction delivers significantly more information and decrypts the entire content of the keychain, including encryption keys and authentication tokens.
Elcomsoft iOS Forensic Toolkit 8.0 beta 11 release notes: