Elcomsoft iOS Forensic Toolkit 8.0 beta 12 improves iPhone 7 extraction

Elcomsoft iOS Forensic Toolkit 8.0 beta 12 improves checkm8-based low-level extraction support for the iPhone 7 and iPhone 7 Plus devices running the latest versions of iOS. The new beta drops the requirement to remove the device’s screen lock passcode prior to extraction, enabling a clean, forensically sound extraction process.

Elcomsoft iOS Forensic Toolkit 8.0 beta 12 improves the low-level file system extraction and keychain decryption process for the iPhone 7 and iPhone 7 Plus devices, eliminating the need to remove the screen lock passcode prior to extraction if the device is running iOS 14 or 15.

Background

At the time checkm8 was initially released, it was often referenced as a "permanent, unpatchable" exploit. However, Apple introduced new security measures in iOS 14 specifically for the newer devices including the iPhone 7, iPhone 8 and iPhone X range that changed the way the device boots and how the data volumes are unlocked. These patches had an immediate result on iOS forensics. To extract the file system and decrypt the keychain, the screen lock passcode had to be removed from the device prior to exploiting and unlocking, which brought several negative consequences.

The new build employs a SEP exploit to eliminate the need to remove the screen lock passcode, enabling forensically sound checkm8-based extraction of the iPhone 7 and iPhone 7 Plus devices running all versions of iOS that can be installed on these models.

checkm8-based extraction is the cleanest, safest, and most technologically advanced extraction method available for a range of Apple devices with a vulnerable bootloader. Compared to other acquisition methods, our implementation of checkm8 is the only true forensically sound solution that delivers repeatable and verifiable extractions. Compared to logical acquisition, low-level extraction delivers significantly more information and decrypts the entire content of the keychain including encryption keys and authentication tokens.

Elcomsoft iOS Forensic Toolkit 8.0 beta 12 release notes:

  • Improved iPhone 7 support: no need to remove the passcode prior to extraction
  • iOS 15.6 (release) detection
  • Multiple checkm8 fixes and minor improvements

See also