Elcomsoft iOS Forensic Toolkit 7.03 simplifies agent sideloading in macOS, improves support for legacy devices

Elcomsoft iOS Forensic Toolkit 7.03 is a minor update with several bugfixes and improvements, particularly addressing the extraction of 32-bit legacy devices.

In this build, we have made significant improvements to the handling of legacy (32-bit) iOS devices such as the iPhone 5 and 5c. Most importantly, we have nailed all the iPhone 5c physical acquisition issues. This model features a slightly different encryption method compared to that used in the iPhone 5. In addition, we’ve encountered some rare cases where the keychain header manifests a non-standard version number, and so iOS Forensic Toolkit would fail to decrypt the keychain. This has been fixed as well.

Next, we have improved jailbreak detection and handling for legacy models, which is particularly relevant for the iPhone 4s extraction. Since the iPhone 4s is still missing a working checkm8 implementation, the extraction options are currently limited to jailbreaking with subsequent file system and keychain extraction.

Agent-based acquisition for all 64-bit models (iPhone 5s through iPhone 12 Pro Max, iOS 9.0 through 14.3) becomes more flexible thanks to the improved agent signing/sideloading. If you are using a developer account and a macOS computer, you can now use an app-specific password when sideloading the extraction agent. Using an app-specific password allows skipping two-factor authentication when sideloading the extraction agent, which enables the automatic use of this password via the configuration file.

Finally, the disk image decryption engine for macOS has been rewritten from scratch. The new multi-threaded decryption engine gets significantly more robust, reliable and compatible when decrypting HFS+ partitions extracted from legacy 32-bit iPhones. In addition, the new engine offers lightning fast performance when decrypting HFS+ images under certain conditions (both the encrypted and de-crypted images are stored on the same APFS partition, and the image contains a lot of empty space or non-encrypted files).

Release notes:

  • macOS, developer Apple ID accounts: added the ability to sign acquisition agent with app-specific password
  • Fixed iPhone 5c image decryption
  • Fixed iPhone 5/5c keychain extraction with physical/checkm8 acquisition for some specific keychain versions
  • Fixed keychain extraction for jailbroken legacy iPhone and iPad models (32-bit models)
  • Improved jailbreak detection
  • Fixed output folders for some data if the Toolkit started from the console
  • Partition image decryption (legacy devices) is now blazing fast on APFS, just a few seconds

其他