Elcomsoft iOS Forensic Toolkit 8.12 adds checkm8 extraction support for iOS 16.3, 15.7.3, and 12.5.7

Elcomsoft iOS Forensic Toolkit 8.12 adds forensically sound checkm8 extraction support for iOS, iPadOS and tvOS 16.3, while also supporting the recent iOS 15.7.3 and 12.5.7 released for older devices.

Elcomsoft iOS Forensic Toolkit 8.12 brings low-level file system extraction and keychain decryption support to Apple devices running the latest iOS, iPadOS and tvOS 16.3. The new build enables forensically sound checkm8 extraction of compatible iPhone, iPad, and Apple TV devices that run the supported versions of iOS.

In addition to iOS 16.3, which is only available on the last generation of devices affected by the bootloader vulnerability utilized in the checkm8 exploit, Apple rolled out security patches to older devices, releasing iOS 12.5.7, iOS 15.7.3 and iPadOS 15.7.3. iOS 12.5.7 targets devices based on the Apple A7, A8, and A8X chip sets, which includes the iPhone 5s, iPhone 6, iPhone 6 Plus, iPad Air, iPad mini 2, iPad mini 3, and iPod touch (6th generation), while iOS 15.7.3 and iPadOS 15.7.3 target devices based on the A9/A9X and A10/A10X chip sets, which includes the iPhone 6s and iPhone 6s Plus, iPhone 7 and iPhone 7 Plus, iPhone SE (1st generation), iPad Air 2, iPad mini (4th generation), and iPod touch (7th generation).

iOS Forensic Toolkit 8.12 now fully supports the iOS/iPadOS 15.7.3 and 12.5.7 builds, enabling full file system extraction and keychain decryption for such devices.
Please refer to the following chart for details on the types of extraction supported on the different platforms:

Elcomsoft iOS Forensic Toolkit is the only solution on the market supporting checkm8 extraction of Apple TV models including the keychain. The Apple TV is the only model that cannot be protected with a passcode, making it a valuable source of accessible evidence.

checkm8-based extraction is the cleanest, safest, and most technologically advanced extraction method available for a range of Apple devices with a vulnerable bootloader. Compared to other acquisition methods, our implementation of checkm8 is the only true forensically sound solution that delivers repeatable and verifiable extractions. Compared to logical acquisition, low-level extraction delivers significantly more information and decrypts the entire content of the keychain including encryption keys and authentication tokens.

Elcomsoft iOS Forensic Toolkit 8.12 release notes:

  • checkm8: added support for iOS 12.5.7
  • checkm8: added support for iOS/iPadOS 15.7.3
  • checkm8: added support for iOS/iPadOS/tvOS 16.3
  • checkm8: fixed Apple Watch S3 extraction
  • checkm8: fixed Apple TV 4 iOS 16 extraction
  • Several minor fixes and improvements