Elcomsoft iOS Forensic Toolkit 8.0 beta 4: forensically sound checkm8 extraction of iPhone 8, 8 Plus and iPhone X

The fourth beta of Elcomsoft iOS Forensic Toolkit 8.0 for Mac introduces forensically sound checkm8 extraction of iPhone 8, 8 Plus, and iPhone X devices running iOS 11.0 through 15.3 (restrictions apply to iOS 14 and 15 extractions).

Elcomsoft iOS Forensic Toolkit 8.0 beta 4 for Mac expands device coverage, adding the latest devices supported by the checkm8 exploit. The new beta delivers forensically sound extraction of iPhone 8, 8 Plus, and iPhone X devices with a known or empty screen lock passcode.

iPhone 8, 8 Plus, and iPhone X represent the last generation of devices susceptible to the checkm8 exploit. By bringing direct extraction to these device platforms, Elcomsoft iOS Forensic Toolkit now covers the entire range of 64-bit iPhone devices running all versions of iOS that can be installed on those devices.

All versions of iOS are supported, from the originally installed iOS 11.0 through the latest iOS 15.3. However, due to SEP hardening measures implemented in iOS 14 and 15, some restrictions apply to devices running those versions.

For iOS 11.0 through 13.7, the full file system extraction and keychain decryption are available without the need to remove the passcode. iOS Forensic Toolkit can pull the data with zero modifications to the device, thus helping maintain the chain of custody.

If the device is running iOS 14 or 15 (up to and including iOS 15.3), experts will have to remove the screen lock passcode to apply the exploit. Since removing the passcode requires booting the device into the original OS, this process is not quite forensically sound. Once the passcode is removed, the tool delivers repeatable and verifiable file system and keychain extractions.

To preserve digital evidence, the chain of custody must begin at the first point of data collection, so that digital evidence collected during the investigation remains court admissible. With Elcomsoft iOS Forensic Toolkit, we introduce a forensically sound extraction solution offering verifiable and repeatable results on subsequent extractions. When using iOS Forensic Toolkit on a supported device, the checksum of the first extracted image will match the checksums of subsequent extractions, provided that the device is powered off between extractions and never boots the installed version of iOS in the meantime.

The new extraction method is the cleanest yet. Our implementation of the bootloader-based exploit is derived directly from the source. All the work is performed entirely in RAM; the operating system installed on the device is left untouched and is not used during the boot process.

With this update, Elcomsoft iOS Forensic Toolkit expands the range of supported devices and versions of iOS, becoming the most advanced iOS acquisition tool on the market, and the only truly forensically sound one delivering repeatable results after subsequent extractions.

Release notes

  • Added full support for iPhone 8, 8 Plus, and iPhone X running iOS 11/12/13
  • Added limited support for iPhone 8, 8 Plus, and iPhone X running iOS 14 and 15 (up to 15.3)
  • checkm8 exploit fixes and stability improvements
