Elcomsoft iOS Forensic Toolkit 8.0 beta 9 adds checkm8 extraction of 14 iPad and iPod Touch devices

The ninth beta of Elcomsoft iOS Forensic Toolkit 8.0 for Mac brings forensically sound, checkm8-based extraction of ten iPad and four iPod Touch models, as well as two Apple TV models. The low-level extraction solution is available directly for most devices, with select models requiring a Raspberry Pi Pico board to apply the exploit.

Elcomsoft iOS Forensic Toolkit 8.0 beta 9 for Mac expands the range of supported devices, enabling low-level extraction support for a wide range of iPad and iPod Touch models. The updated extraction engine can now handle all iPad and iPod touch models susceptible to the checkm8 exploit and supports all versions of iOS compatible with a given device, up to and including iOS 15.5. The forensically sound extraction process is available directly for most devices, with select models requiring a Raspberry Pi Pico board with custom firmware to apply the checkm8 exploit.

The newly added iPad models include the full-size iPad 5, 6, and 7, the iPad Mini 2, 3, and 4, the iPad Air 1 and 2, and the iPad Pro 1 and 2 (9.7” and 12.9” models respectively). In addition, iPod Touch 6 and 7 and Apple TV 4 and 4K are also supported.

With this release, bootloader-level, forensically sound extraction becomes available on more Apple devices than ever, including all recent iPad and iPod Touch models that are susceptible to checm8 exploit. The low-level extraction enables access to a much broader range of evidence compared to logical acquisition, including the detailed health and activity history as well as the user’s passwords stored in the keychain. Additional information available via low-level extraction includes detailed location history, sandboxed application data, various system artifacts, and a lot more.

Our implementation of the checkm8 exploit offers the cleanest extraction yet. Our solution is derived directly from the source, with all the patching performed completely in the RAM. The original device firmware is left untouched and is not used during the boot process, and neither the system partition nor user data are altered in any way.

With this update, Elcomsoft iOS Forensic Toolkit expands the range of supported devices, becoming the most advanced iOS acquisition tool on the market, and the only truly forensically sound one delivering repeatable results after subsequent extractions.

Release notes

  • added checkm8 support for iPad 5/6/7
  • added checkm8 support for iPad Mini 2/3/4
  • added checkm8 support for iPad Air 1/2
  • added checkm8 support for iPad Pro ½
  • added checkm8 support for iPod Touch 4/5/6/7
  • added checkm8 support for Apple TV 4 and 4K
  • several checkm8 fixes and improvements
  • improved passcode cracking for legacy devices (A4/A5/A6)

Vedi anche