iOS Forensic Toolkit 8.60 enhances agent-based low-level extraction in Linux and Windows editions

Elcomsoft iOS Forensic Toolkit 8.60 brings significant advances to agent-based low-level extractions, aligning the capabilities of the Windows and Linux editions with the macOS version. This new update makes it possible to sideload and sign the extraction agent onto an iOS/iPadOS device from a Windows or Linux PC using a regular, non-developer Apple ID, a feature previously exclusive to the Mac edition.

Agent-Based Low-level Extraction: Background

Agent-based low-level extraction enables experts to acquire a full image of the device’s file system and a decrypted copy of the keychain. To perform low-level extraction, a small app (extraction agent) must be installed onto the device. The installation is implemented via sideloading, which is a method of installing apps onto an iOS or iPadOS device directly, bypassing the official App Store. Sideloading involves signing the app and verifying its digital signature with Apple, which in turn requires the use of an Apple ID.

In previous iOS Forensic Toolkit builds, we supported sideloading in all three editions, yet the Mac edition was the only one that could be used to install the extraction agent using a regular, non-developer Apple ID. Users of Linux and Windows editions had to enroll their Apple ID into Apple’s paid development program, which requires an extra investment. Newly enrolled developer accounts provide little to no tangible benefits over free, non-developer Apple IDs other than the ability to sideload apps from other operating systems.

iOS Forensic Toolkit 8.60 brings an end to this discrepancy, fully enabling the use of regular, free Apple IDs for the purpose of sideloading and signing the low-level extraction agent. This new feature closes the gap between the Linux and Mac editions, while bringing the Windows version one step closer to the Mac build.

Differences Between Editions

There are very few functional differences left between the Mac, Windows, and Linux editions. The Mac and Linux editions are currently on par feature-wise, while the Windows edition offers the same functionality in high-level logical acquisition and low-level, agent-based extractions. The Windows edition still lacks support for bootloader-level extractions available for Apple devices based on older chips.

With this update, Elcomsoft iOS Forensic Toolkit has become the most advanced iOS acquisition tool on the market. The toolkit supports all possible acquisition methods including advanced logical and agent-based extraction, while the macOS and Linux editions additionally feature forensically sound low-level extraction based on the bootloader exploit.

New in this release:

  • Agent: regular Apple IDs can now be used to sideload the extraction agent in Linux and Windows editions.
  • Minor bug fixes and improvements.
