iOS Forensic Toolkit 8.0 beta 3: forensically sound checkm8 extraction of iPhone 7, iOS 15.2 support

The third beta of Elcomsoft iOS Forensic Toolkit 8.0 for Mac is released, bringing forensically sound checkm8 extraction to iPhone 7 and 7 Plus devices running iOS 10 through 13, with limited support for iOS 14 and 15. For older devices, iOS 15.2 support is added. Finally, we implemented keychain decryption for supported devices running iOS 15.x.

Elcomsoft iOS Forensic Toolkit 8.0 beta 3 for Mac expands the range of supported devices, adding the iPhone 7 and 7 Plus range. The new beta delivers forensically sound extraction of iPhone 5s, iPhone 6, 6 Plus, 6s, 6s Plus, iPhone SE (first generation), iPhone 7 and iPhone 7 Plus devices with a known or empty screen lock passcode. Compared to the second beta, EIFT 8.0 b3 brings support for iOS 15.2 (iPhone 6s/6s Plus/SE/7/7 Plus), enabling bootloader-based, forensically sound extraction of supported devices running the latest available versions of iOS. In addition, keychain decryption is now supported on all compatible devices running iOS 15.x.

The iPhone 7 support breaks down into the following parts. For iPhone 7 and 7 Plus devices that run iOS 10.0 through 13.x – the complete, forensically sound checkm8 extraction experience. The tool can extract the file system and decrypt the keychain with zero modifications to the device, thus helping maintain the chain of custody. There is no need to remove the passcode.

For iPhone 7 and 7 Plus devices running iOS 14 and 15 (up to and including iOS 15.2), you’ll have to remove the screen lock passcode to apply the exploit. Since removing the passcode requires booting the device into the original OS, this process is not forensically sound. Once the passcode is removed, the tool delivers file system extraction and keychain decryption.

To preserve digital evidence, the chain of custody begins from the first point of data collection to ensure that digital evidence collected during the investigation remains court admissible. With Elcomsoft iOS Forensic Toolkit, we introduce a forensically sound extraction solution offering verifiable and repeatable results on subsequent extractions. When using iOS Forensic Toolkit on a supported device, the checksum of the first extracted image will match checksums of subsequent extractions provided that the device is powered off between extractions and never boots the installed version of iOS in the meantime.

The new extraction method is the cleanest yet. Our implementation of bootloader-based exploit is derived directly from the source. All the work is performed completely in the RAM, and the operating system installed on the device is left untouched and is not used during the boot process.

With this update, Elcomsoft iOS Forensic Toolkit expands the range of supported devices and versions of iOS, becoming the most advanced iOS acquisition tool on the market, and the only truly forensically sound one delivering repeatable results after subsequent extractions.

Release notes

  • Added full support for iPhone 7 and 7 Plus, iOS 10/11/12/13
  • Added partial support for iPhone 7 and 7 Plus, iOS 14 and 15 (up to 15.2)
  • Added iOS 15.2 support for iPhone 6s/SE
  • Added keychain extraction for all supported devices running iOS 15.x
  • checkm8 exploit fixes and stability improvements

Mais