iOS Forensic Toolkit 6.30: jailbreak-free iOS 9 support, user data extraction

Elcomsoft iOS Forensic Toolkit 6.30 expands jailbreak-free extraction all the way back to iOS 9, now supporting all 64-bit devices running all builds of iOS 9. In addition, the new release can now extract user data only, speeding up the acquisition process by skipping the static system files.

In Elcomsoft iOS Forensic Toolkit 6.30, we have further expanded the capabilities of jailbreak-free extraction. The latest release significantly expands the range of supported versions of iOS, adding the ability to process 64-bit Apple devices running all versions of iOS 9 without a jailbreak. Agent-based extraction now delivers full keychain decryption and file system extraction support without a jailbreak for systems as old as iOS 9.0 running on any supported 64-bit hardware.

Originally released with the iPhone 6s, iOS 9 is supported on a relatively wide range of Apple devices. iOS 9.0 through 9.3.5 is available on the iPhone 5s, iPhone 6 and 6 Plus, iPhone 6s and 6s Plus models. The original 4-inch iPhone SE was released with iOS 9.3 on board. The corresponding iPad versions are also supported, including iPad Air, iPad Air 2, iPad Mini 2 through 4, and the first-generation iPad Pro. While one is hardly likely to encounter an iOS 9 device in the wild, forensic labs still process devices running the older version of the OS.

Jailbreak-based extraction options had existed for some of these devices. However, iOS 9 jailbreaks are difficult and unsafe to install; moreover, they are only available for iOS 9.0 through 9.3.3, leaving the two most recent builds (iOS 9.3.4 and 9.3.5) unsupported. Elcomsoft extraction agent brings support for jailbreak-free extraction back to the roots, adding support for the oldest version of iOS we could reach including the two most difficult versions, iOS 9.3.4 and 9.3.5.

Installing the agent requires the use of an Apple ID registered in Apple’s Developer Program. More about that in our blog article Why Mobile Forensic Specialists Need a Developer Account with Apple.

This update brings a new acquisition option: file system extraction of user data. This new extraction option helps experts save time and disk space by pulling only the content of the data partition while leaving the static system partition behind. Data in the system partition contains read-only executable files, system libraries and other data required for the operating system to run. Unless jailbroken, the content of the system partition does not vary across devices of the same model running the same version of iOS and is far less relevant for the investigation compared to user data. For small-capacity iPhones, the new option can speed up the extraction two to three times compared to full device extraction. Higher capacity devices offer comparatively lesser time savings, yet the user-targeted set is still easier to analyze.

Release notes:

  • Added jailbreak-free file system and keychain acquisition with extraction agent for iOS 9
  • Added the ability to extract user data only (skipping system files)

其他