Notizie da Elcomsoft


  • 21/02/2019

Elcomsoft iOS Forensic Toolkit 5.0 is a major update adding support for physical acquisition of Apple devices running iOS 12. The tool extracts the content of the file system and decrypts passwords and authentication credentials stored in the iOS keychain.

Elcomsoft iOS Forensic Toolkit 5.0 enables forensic experts to perform physical acquisition of Apple devices running all versions of iOS 12 up to and including iOS 12.1.2. The Toolkit enables file system extraction for all devices supported by the rootless jailbreak, and allows decrypting the keychain to extract stored passwords and authentication credentials.

For the first time, iOS Forensic Toolkit does not rely on a full stand-alone jailbreak to access the file system. Instead, the Toolkit makes use of a rootless jailbreak with significantly smaller footprint compared to traditional jailbreaks. Unlike traditional jailbreaks, a rootless jailbreak does not remount the file system and does not alter the content of the system partition. As a result, rootless jailbreak can be fully removed after the acquisition without requiring a system restore to return the system partition to its original unmodified state.

Elcomsoft iOS Forensic Toolkit supports all possible options for extracting and decrypting data from both jailbroken and non-jailbroken 64-bit devices, including the last generations of Apple hardware and software. Without a jailbreak, experts can perform logical extraction through iOS system backups, extract shared app data and media files. In certain cases, logical extraction is possible even if the iPhone is locked. If a jailbreak can be installed, experts can image the file system of 64-bit iPhones and iPads, extract protected application data and working databases.

Physical acquisition offers numerous benefits compared to all other acquisition options by enabling access to protected parts of the file system and extracting data that is not synced with iCloud or included in local backups. In particular, physical acquisition is the only method for decrypting keychain items targeting the highest protection class. File system extraction gains full access to application sandboxes and all system areas, extract secret chats and recover deleted messages. Downloaded email messages, chat databases and secrets from two-factor authentication apps, system logs and detailed location data are just a few things that are exclusively available with file system extraction.

At this time, rootless jailbreak is supported on most devices capable of running iOS 12. We expect the list of supported devices to grow in the course of further development.

Read out latest blog article to get more information and links to rootlessJB.

Get more information on Elcomsoft iOS Forensic Toolkit:
https://www.elcomsoft.it/eift.html

Get more information on Elcomsoft Mobile Forensic Bundle:
https://www.elcomsoft.it/emfb.html

Read a press release:
https://www.elcomsoft.it/PR/eift_190221_en.pdf

Read our blog post: Physical Extraction and File System Imaging of iOS 12 Devices