iOS Forensic Toolkit 5.40: jailbreak-free extraction for iOS 11-13.3

Elcomsoft iOS Forensic Toolkit 5.40 offers direct, forensically sound extraction for Apple devices running all versions of iOS from iOS 11 through iOS 13.3. Agent-based acquisition provides full file system extraction and keychain decryption without a jailbreak and literally no footprint.

In Elcomsoft iOS Forensic Toolkit 5.40, we have expanded the range of compatible iOS devices supported by the new direct acquisition agent. The latest release plugs the gap of excepted and unsupported iOS releases, now covering the entire range of iOS versions from iOS 11 through iOS 13.3 for models from the iPhone 6s all the way up through the iPhone 11 range. iPhone 5s and iPhone 6 are also supported when running iOS 11, 12-12.2 and 12.4.

The acquisition agent can now extract data from previously unsupported devices and brings support for iOS 13.0 through 13.3 to the table. All 64-bit devices are supported including the last year’s iPhone Xr, Xs and Xs Max as well as the latest iPhone 11, iPhone 11 Pro and iPhone 11 Pro Max models. The corresponding iPad models running iOS 11 and 12 and iPad OS 13 through 13.3 are also supported.

The new extraction method utilizes a direct acquisition agent. Agent-based extraction is a newer, forensically sound alternative to traditional acquisition methods requiring a jailbreak. Based on direct access to the file system, agent-based extraction does not require jailbreaking the device. Using agent-based extraction, you can image the full file system and decrypt the keychain without the risks and footprint associated with third-party jailbreaks.

The new acquisition method utilizes an in-house extraction agent we’ve developed for the iOS platform. Once installed on the iOS device, the agent talks to the expert’s computer, delivering significantly higher speeds and greater reliability compared to jailbreak-based extraction. The direct acquisition agent is safe to use as it neither modifies the system partition nor remounts the file system. Installing the agent requires the use of an Apple ID registered in Apple’s Developer Program. More about that in our blog article Why Mobile Forensic Specialists Need a Developer Account with Apple.

Release notes:

  • Jailbreak-free file system extraction and keychain decryption support now available for the following versions of iOS:
    • iPhone 6s through iPhone 11: iOS 11 and 12 and iOS 13.0 through 13.3
    • iPhone 5s and iPhone 6: iOS 11, 12-12.2 and 12.4
  • Direct extraction agent offers safe, robust, forensically sound performance without a jailbreak for all Apple devices running iOS 11 through 13.3 without gaps or exception

See also