10 February, 2022

ElcomSoft Brings Repeatable, Forensically Sound checkm8 Extraction to iPhone 8, iPhone X and Apple Watch Series 3

ElcomSoft Co. Ltd. rolls out an update to iOS Forensic Toolkit for Mac, the company’s mobile forensic tool for extracting data from a range of Apple devices. The new release adds the ability to perform forensically sound, repeatable and verifiable file system extractions of the iPhone 8, 8 Plus, iPhone X and Apple Watch Series 3 devices.

Elcomsoft iOS Forensic Toolkit for Mac now delivers forensically sound extraction for the entire range of 64-bit iPhone devices that have the bootloader vulnerability exploitable with checkm8. This includes the iPhone 5s, iPhone 6/6s/7/8 and the corresponding Plus versions, the first-generation iPhone SE, and the iPhone X, running any version of iOS up to and including the latest iOS 15.3. In addition, bootloader-based, forensically sound extraction is also available for all Apple Watch Series 3 models running any version of watchOS.

Background

The iPhone 8, 8 Plus and iPhone X devices belong to the last generation of Apple iPhones that have a hardware-based vulnerability in the bootloader. The vulnerability can be exploited to enable low-level access to the device’s file system and stored secrets, including a copy of the keychain. The update to iOS Forensic Toolkit enables checkm8-based extraction of this iPhone generation.

Smart wearable devices frequently appear at crime scenes. The Apple Watch and the data it collects have helped solve numerous cases and assisted in many criminal investigations. Among the multiple Apple Watch models, the Apple Watch Series 3 occupies a special spot. Introduced back in 2017, this model is still available new, occupying the niche of the most affordable wearable device in Apple’s ecosystem. All that makes the Series 3 one of the most common Apple Watch models. The latest update to iOS Forensic Toolkit enables low-level extraction of the Apple Watch 3 using the checkm8 exploit.

Forensically Sound Extraction

With Elcomsoft iOS Forensic Toolkit, ElcomSoft introduces a forensically sound extraction solution offering verifiable and repeatable results on subsequent extractions. The new method extracts everything from the device down to the last bit, including app sandboxes and encrypted app data, secret chats, some deleted records and a lot more.

When using iOS Forensic Toolkit on a supported device, the checksum of the first extracted image will match the checksums of subsequent extractions provided that the device never rebooted and is stored in the powered-off state between extractions.

The new extraction method is the cleanest yet. ElcomSoft’s implementation of the bootloader-based exploit is derived directly from the source. All the work is performed entirely in RAM, and the operating system installed on the device is left untouched and is not used during the boot process.

Additional information and step-by-step instructions are available in the following blog articles:

checkm8 Extraction of iPhone 8, 8 Plus and iPhone X
checkm8 Extraction of Apple Watch Series 3
Analyzing Apple Watch 3

With this update, Elcomsoft iOS Forensic Toolkit becomes the most advanced iOS acquisition tool on the market, and the only truly forensically sound one delivering repeatable results after subsequent extractions. The list of supported devices will be expanded in subsequent releases.

About Elcomsoft iOS Forensic Toolkit

Elcomsoft iOS Forensic Toolkit provides forensic access to encrypted information stored in popular Apple devices running iOS, offering file system imaging and keychain extraction from the latest generations of iOS devices. By performing low-level extraction of the device, the Toolkit offers instant access to all protected information including SMS and email messages, call history, contacts and organizer data, Web browsing history, voicemail and email accounts and settings, stored logins and passwords, geolocation history, the original plain-text Apple ID password, conversations carried over various instant messaging apps such as Skype or Viber, as well as all application-specific data saved in the device.

About ElcomSoft Co. Ltd.

Founded in 1990, ElcomSoft Co. Ltd. is a global industry-acknowledged expert in computer and mobile forensics providing tools, training, and consulting services to law enforcement, forensics, financial and intelligence agencies. ElcomSoft pioneered and patented numerous cryptography techniques, setting and exceeding expectations by consistently breaking the industry’s performance records. ElcomSoft is a Microsoft Certified Partner and an Intel Software Premier Elite Partner.

Contacts

Elcomsoft s.r.o.

Československé armády 371/11,
Praha 6-Bubeneč,
Czech Republic, PSČ 160 00

Feedback form for contacting official Elcomsoft representatives.
