Elcomsoft iOS Forensic Toolkit 8.50 expands capabilities for Linux users and legacy devices

Elcomsoft iOS Forensic Toolkit 8.50 is now available for Linux users in the all-new Linux edition. This new update implements logical acquisition, as well as agent-based and bootloader-based low-level extraction methods in a single tool for common Linux distros. In addition, the update brings low-level extraction for Apple Watch S0, S1, and S2 and improves bootloader level extractions for all supported devices.

Linux Edition

One big change is that the Toolkit can now be used on Linux computers. The highly anticipated Linux edition of Elcomsoft iOS Forensic Toolkit 8 retains and extends all the features of EIFT 8 for macOS, offering advanced logical and low-level extraction with the help of the custom extraction agent. The Linux edition now supports forensically sound bootloader-level extraction, previously a feature exclusive to macOS.

The release of the Linux edition is a final step towards true multiplatform compatibility. The tool has been tested on multiple Linux distributions, officially supporting the current Debian, Ubuntu, Kali Linux, and Mint Linux distros.

Differences Between Editions

The Linux edition receives many features previously available in the Mac edition. The Windows edition supports logical and agent-based extraction methods, but lacks support for bootloader-based extractions, which are only available for macOS and Linux platforms, while the ability to sign the extraction agent using a regular, non-developer Apple ID remains an exclusive feature of the Mac edition.

Support for Legacy Models of Apple Watch

The update also adds support for older models of Apple Watches, allowing macOS and Linux users to get more data like passwords and complete file systems from these watches. Newly supported models include the original Apple Watch, which is often called the “S0”, as well as Apple Watch Series 1 and Series 2, while Apple Watch Series 3 has been already supported. Bootloader-level extraction makes it possible to obtain the full file system image as well as extract a copy of the keychain.

Speaking of older Apple devices, the update makes things faster for iPhone and iPad models built with 32-bit chips. The update speeds up the unlocking and extraction processes for these devices.

Accurate iOS Version Identification for Bootloader-Level Extraction

The update brings a significant improvement in precise iOS version identification during bootloader-level extraction. Formerly, the toolkit attempted to guesstimate the installed iOS version based on the version of iBoot. This approach sometimes resulted in multiple download links in cases where we could not pinpoint the exact version of iOS. The new approach implemented in iOS Forensic Toolkit 8.50 achieves a nearly 100% accurate identification of the iOS version, eliminating any ambiguity in the extraction process.

Installing the Linux edition

iOS Forensic Toolkit 8 for Linux does not require installation. Experts can start using the product by unpacking the archive using the password provided in the registration email and running a single command to download and install dependencies.

Command-line interface

iOS Forensic Toolkit for Linux uses the same command-line interface first introduced in macOS and Windows editions, sharing commands and switches across platforms. Leveraging the command line provides complete control throughout the extraction workflow, allowing experts to stay in control if any step of the process requires additional attention.

With this update, Elcomsoft iOS Forensic Toolkit has become the most advanced iOS acquisition tool on the market. The toolkit supports all possible acquisition methods including advanced logical and agent-based extraction, while the macOS and Linux editions additionally feature forensically sound low-level extraction based on the bootloader exploit.

New in this release:

  • Linux edition: iOS Forensic Toolkit for Linux is now available.
  • Added support for iOS 17 (extended logical acquisition)
  • Apple Watch: added support for Apple Watch S0/S1/S2 (keychain & full file system).
  • Bootloader-level extraction: added support for several minor iOS releases.
  • Bootloader-level extraction: improved iOS version detection.
  • Legacy devices: improved disk imaging speed for 32-bit devices.
  • Minor bug fixes and improvements.

Mais