iOS Forensic Toolkit 8.20 and 7.80 add partial file system extraction for iOS 16.1.2 and older

Elcomsoft iOS Forensic Toolkit 8.20 and 7.80 add low-level extraction support for a range of iOS versions, pulling parts of the file system. The newly supported iOS versions go all the way up to iOS 16.1.2. The new method supports devices built with the A11 through A16 Bionic chips, effectively covering the iPhone 8/X through iPhone 14 range, and supports many iPads including those based on Apple M1 and M2 chips.

Elcomsoft iOS Forensic Toolkit 8.20 (Mac only) and 7.80 (Mac and Windows) bring partial low-level extraction support to Apple devices based on the A11 through A16 Bionic chips. This includes models such as the iPhone 8, 8 Plus, iPhone X, all the way up to the current range of iPhone 14 through iPhone 14 Pro Max. In addition, the new method supports iPad models based on Apple M1 and M2 chips.

The new extraction method can extract parts of the file system, which includes sandboxes and working data set of third-party apps. Notably excluded are sandboxes and working sets of built-in and system apps and many system databases.

The limitations are caused by the exploit we used to build this extraction method. The exploit uses a vulnerability in the iOS virtual memory management to gain elevated privileges within the sandbox. At this stage, the exploit is not able to fully escape the sandbox as some protective mechanisms that affect access to a specific set of folders are implemented directly in the kernel. We will continue researching the vulnerability we used in this release to extend the amount of extractable information.

We recommend this newly added partial file system extraction method as complimentary to advanced logical acquisition. In addition to information extracted through the advanced logical process, the new low-level extraction method pulls sandboxed data and working sets of third-party apps that do not allow their data in local backups. This includes many instant messaging apps, third-party Web browsers and email clients, and multiple other apps. The local backup, on the other hand, will deliver information that cannot be obtained with partial file system extraction, which includes calendars, Safari browsing history, and, for password-protected backups, passwords and authentication data stored in the keychain.

Compatibility

The partial file system extraction method supports a wide range of hardware and iOS builds. On Apple A11 devices, which includes the iPhone 8 through iPhone X, partial file system extraction is available for iOS 15.4 through 15.7.1, and 16.0 through 16.1.2. On Apple A12 through A16 Bionic devices (the iPhone Xr/Xs to iPhone 14 range and some iPads), the new method supports iOS 15.6 through 15.7.1, and iOS 16.0 through 16.1.2. iPad models based on Apple M1 (iPadOS 15.6-16.1.2) and M2 (iPadOS 16.1-16.1.2) are supported.

Note: iOS Forensic Toolkit supports full file system extraction on A11 devices (up to iOS 15.3.1) and A12-A16 devices (up to iOS 15.5).

The new extraction method is available in Elcomsoft iOS Forensic Toolkit 8.20 (Mac only) and 7.80 (Mac and Windows editions). iOS Forensic Toolkit is the only solution on the market supporting low-level extraction on Apple devices based on the newest chips.

Elcomsoft iOS Forensic Toolkit 7.80 and 8.20 release notes:

Extraction agent: added partial file system extraction for several iOS versions

  • A11 (iPhone 8/X): iOS 15.4 - 15.7.1, 16.0 - 16.1.2
  • A12-A16 (iPhone Xr/Xs to iPhone 14, some iPads): iOS 15.6 - 15.7.1, 16.0 - 16.1.2
  • Apple M1 (iPad Air 5, iPad Pro 5): iPadOS 15.6 - 16.1.2
  • Apple M2 (iPad Pro 6): iPadOS 16.1 - 16.1.2

En plus