Elcomsoft iOS Forensic Toolkit 7.40 extends agent-based full file system extraction

Elcomsoft iOS Forensic Toolkit 7.40 extends agent-based extraction support all the way up to iOS 15.1 on all supported devices. The new release fills the gap in iOS 14 support, adding agent-based extraction for devices running iOS 14.8.1 for all devices and iOS 14.3 through 14.8.1 for models based on Apple A14 Bionic. Using an Apple Developer account is required in Windows, optional but strongly recommended in macOS.

Elcomsoft iOS Forensic Toolkit 7.40 brings low-level file system extraction to Apple devices running previously unsupported versions of iOS. For all models, the updated extraction agent now supports iOS 14.8.1, which is the last available iOS 14 build. For devices based on Apple A14 Bionic, the extraction agent adds support for the previously unsupported range of iOS builds 14.4 through 14.8.1.

For most devices, agent-based acquisition is now available up to and including iOS 15.1. For select devices, iOS 15.1.1 is supported. The updated toolkit now covers the entire range of iOS releases since iOS 9.0 all the way up to iOS 15.1 with no gaps or exclusions. All 64-bit iPhone models based on the A11 through A15 generations SoC are supported, including the iPhone 8/8 Plus, iPhone X, Xr, Xs, Xs Max, as well as the entire iPhone 11, 12, and 13 generations. Devices based on older generation SoC are supported via both agent-based and forensically sound checkm8 extraction (requires iOS Forensic Toolkit for Mac 8.0 beta 8).

In addition to file system extraction, keychain decryption is supported on some platforms. Please refer to the following chart for details on the types of extraction supported on the different platforms:

Agent-based extraction offers numerous benefits compared to other acquisition method. The agent does not make any changes to user data, offering the most forensically sound extraction among available acquisition methods.

Using an Apple ID registered in Apple’s Developer Program is strongly recommended for installing the agent as it alleviates the need to open Internet access on the device. More about that in Why Mobile Forensic Specialists Need a Developer Account with Apple [article]. An optional workaround is available to Mac users, enabling the use of regular Apple ID’s for sideloading the extraction agent.

iOS Forensic Toolkit 7.40 release notes:

  • Agent extraction: added support for iOS 14.4-14.8.1 (A14 devices)
  • Agent extraction: added support for iOS 14.8.1 (A11-A13 devices)

iOS Forensic Toolkit 8.0 beta 8 for Mac release notes:

  • Agent extraction: added support for iOS 14.4-14.8.1 (A14 devices)
  • Agent extraction: added support for iOS 14.8.1 (A11-A13 devices)
  • checkm8 extraction: added support for iOS 15.5
  • checkm8 extraction: added support for unsupported/beta iOS versions
  • checkm8 extraction: fixed BFU acquisition for 32-bit devices
  • checkm8 extraction: several under-the-hood improvements and fixes

See also