iOS Forensic Toolkit 8.0 beta brings forensically-sound checkm8 extraction for select iPhone & iPad models

Elcomsoft iOS Forensic Toolkit 8.0 beta for Mac brings support for forensically sound, RAM-based checkm8 extraction, enabling full file system extraction and keychain decryption from a wide range of Apple devices.

Elcomsoft iOS Forensic Toolkit 8.0 beta for Mac offers forensically sound extraction of iPhone 5s, iPhone 6, 6 Plus, 6s, 6s Plus, and iPhone SE (1.Gen) devices with a known or empty screen lock passcode. Instead of deriving from the base offered by the checkra1n jailbreak, our solution is derived directly from the checkm8 exploit. The patching of the device is performed completely in the RAM, and the operating system installed on the device is left untouched and is not used during the boot process.

The new extraction method is the cleanest yet. There are no log entries added on the device, and absolutely no changes are made to any area of the device storage, neither in the system nor in data partitions. The only exception when we must do an alteration is a situation of the file system being in the “dirty” state, in which case our solution must fix the file system to enable unlocking.

Our checkm8 solution supports all versions of iOS that can or could be installed on supported hardware up to and including iOS 14.5.1, with a sole exception of iOS 7 range (iPhone 5s). Most iOS betas are supported as well. Unofficial support is available for iPod touch (6.Gen), iPad Air (1.Gen), iPad mini 2/3/4, and iPad (5.Gen) devices.

Our new, direct extraction process offers a number of benefits compared to other extraction methods and competing solutions. We are offering a unique, forensically sound extraction process, with 100% of the patching occurring in the device RAM. Our process never boots the OS installed on the device, and never touches the system partition. Our tool does not bring any proprietary code along, providing links to download official Apple firmware matching the iOS version installed on the device (it will be patched and used to boot the device). Real-time guidance with instructions and countdowns is displayed to help install the exploit.

Checkm8-based extraction works with locked and disabled devices in BFU mode, while USB restricted mode can be completely bypassed.

With this update, Elcomsoft iOS Forensic Toolkit becomes the most advanced iOS acquisition tool on the market. The toolkit now supports all possible acquisition methods (with known limitations we’re working on). Agent-based extraction and checkm8-based extraction via device RAM are some of the tool’s unique features. The list of supported devices will be expanded in subsequent releases.

See also