Elcomsoft iOS Forensic Toolkit 8.0 beta 5: forensically sound checkm8 extraction of Apple Watch 3

The fifth beta of Elcomsoft iOS Forensic Toolkit 8.0 for Mac brings forensically sound, checkm8-based extraction of Apple Watch Series 3. The low-level extraction helps access crucial evidence stored on the Watch without altering any of the data.

Elcomsoft iOS Forensic Toolkit 8.0 beta 5 for Mac expands the range of supported devices, enabling low-level extraction support for the Apple Watch Series 3. The unique, forensically sound extraction process utilizes the checkm8 exploit, enabling bootloader-based extraction of AW3 devices via commercially available adapters regardless of the version of WatchOS installed.

The Apple Watch may become a crucial source of evidence, especially if the Watch is the only personal digital device collected from the crime scene. Elcomsoft pioneered the logical extraction of Apple Watch devices via commercially available USB adapters. While being the easiest and the most compatible extraction method, logical acquisition of Apple Watch devices returns a very limited set of data including media files and accompanying metadata, the list of installed apps, and diagnostic logs.

The low-level extraction enables access to a much broader range of evidence compared to logical acquisition, including the detailed health and activity history, low-level location logs, as well as the user’s passwords stored in the Watch keychain. Additional information available via low-level extraction includes contacts and messages (SMS/iMessage), call logs, Wallet items, as well as many system events such as app activities, network and Bluetooth usage, unlock events, and a lot more.

The new extraction method is the cleanest yet. Our implementation of bootloader-based exploit is derived directly from the source. All the work is performed completely in the RAM, and the operating system installed on the device is left untouched and is not used during the boot process.

In addition, the low-level extraction agent for iPhone and iPad devices received support for iOS 15.0 and 15.0.1 on A11–A13 generations of devices (the iPhone 8/X through iPhone 11 range).

With this update, Elcomsoft iOS Forensic Toolkit expands the range of supported devices, becoming the most advanced iOS acquisition tool on the market, and the only truly forensically sound one delivering repeatable results after subsequent extractions.

Release notes

  • Added full support for Apple Watch Series 3
  • Extraction agent: added iOS 15.0 and 15.0.1 support for A11–A13 generations of devices
  • checkm8 exploit fixes and stability improvements

Mais