Elcomsoft iOS Forensic Toolkit 7.50 closes the gap in keychain extraction

Elcomsoft iOS Forensic Toolkit 7.50 extends agent-based keychain extraction support all the way up to iOS 15.1.1 on all supported devices. The new release fills the remaining gaps in iOS 14 support, adding agent-based keychain extraction for iOS 14.5 – 14.8.1 and iOS 15.0 – 15.1.1 devices.

Elcomsoft iOS Forensic Toolkit 7.50 brings low-level keychain extraction to Apple devices running previously unsupported versions of iOS. For all models capable of running these versions of iOS, the updated extraction agent can now decrypt the entire content of the keychain for iOS 14.5 – 14.8.1 and iOS 15.0 – 15.1.1. In addition, we added keychain decryption support for the M1-based iPad Pro 5, supporting all versions of iOS up to and including iOS 15.1. Using an Apple Developer account is required in Windows, optional but strongly recommended in macOS.

For most devices, agent-based keychain extraction is now available up to and including iOS 15.1.1, except for the M1-based iPad Pro, for which iOS 15.1 is the maximum supported version of the system. The updated toolkit now covers the entire range of iOS releases since iOS 9.0 all the way up to iOS 15.1.1 with no gaps or exclusions. The keychain can be decrypted on all 64-bit iPhone models based on the A11 through A15 generations SoC, including the iPhone 8/8 Plus, iPhone X, Xr, Xs, Xs Max, as well as the entire iPhone 11, 12, and 13 generations.

Please refer to the following chart for details on the types of extraction supported on the different platforms:

Agent-based extraction offers numerous benefits compared to other acquisition method. The agent does not make any changes to user data, offering the most forensically sound extraction among available acquisition methods. Compared to logical acquisition, the extraction agent extracts significantly more information and decrypts the entire content of the keychain including encryption keys and authentication tokens.

Using an Apple ID registered in Apple’s Developer Program is strongly recommended for installing the agent as it alleviates the need to open Internet access on the device. More about that in Why Mobile Forensic Specialists Need a Developer Account with Apple [article]. An optional workaround is available to Mac users, enabling the use of regular Apple ID’s for sideloading the extraction agent.

iOS Forensic Toolkit 7.50 release notes:

  • Added agent-based keychain extraction for iOS 14.5 – 14.8.1
  • Added agent-based keychain extraction for iOS 15.0 – 15.1.1
  • Agent acquisition: added support for iPad Pro 5th gen (based on M1), iOS up to 15.1
  • Keychain extraction now does not require the passcode
  • Fixed agent installation using some account types
  • Fixed iOS 9 agent support
  • 8 Beta 10: Added support for latest versions of watchOS
  • 8 Beta 10: Multiple checkm8 fixes and improvements

Mais