checkm8 Extraction: the iPads, iPods, and TVs
The ninth beta of iOS Forensic Toolkit 8.0 for Mac introduces forensically sound, checkm8-based extraction of sixteen iPad, iPod Touch and Apple TV models. The low-level extraction solution is now available for all iPad and all iPod Touch models susceptible to the checkm8 exploit.
checkm8 applies to every device with the vulnerable bootloader, but implementing the exploit differs technically from one device to the next. In this update we target non-iPhone devices, adding support for the many iPads built around the affected SoCs. While other vendors have offered their own checkm8 extraction implementations for quite a while, we found their solutions to lack device/iOS version coverage and to miss the “forensically sound” mark.
Typically, the service life of an iPad is considerably longer than that of an iPhone of the same generation. This is reflected in the number of rated battery charge cycles: Apple states that a typical iPhone battery is designed to retain up to 80% of its original capacity after 500 complete charge cycles, while an iPad battery is designed to retain similar capacity after 1000 complete charge cycles. In other words, despite their age, many of these tablets are still actively used – and can now be extracted.
In addition to the longer service life, iPads are real workhorses compared to the iPhone. They are actively used in companies and as BYOD devices. Unlike iPhones, which are used primarily for media consumption, iPads (especially the Pro lineup) are made for creative tasks, which results in a lot of highly valuable potential evidence.
Compatibility
The newly added iPad models include the full-size iPad 5, 6, and 7, the iPad Mini 2, 3, and 4, the iPad Air 1 and 2, and the iPad Pro 1 and 2 (9.7” and 12.9” models). In addition, the iPod Touch 6 and 7 are now supported. These come on top of the previously supported iPad and iPod Touch models. Our checkm8 extraction solution now supports every iPad and every iPod Touch model with the bootloader vulnerability, with no exceptions.
All versions of iOS up to and including iOS 15.5 are supported. Here is the full list of supported iPad models:
Technical notes
For most devices the exploit can be applied directly. Some devices, however, have additional requirements.
The Apple TV 4K does not have a USB port anymore. Connecting it to the computer requires additional hardware and some soldering skills.
For iPad 6/7 and iPad Pro 2 devices running iOS 14 or 15, the passcode must be removed prior to the extraction. Follow this guide to disable the passcode: How to Remove The iPhone Passcode You Cannot Remove
Will I need the Pico board?
In the seventh beta, we introduced a hardware/software solution to help place the iPhone 4s into PwnedDFU. The solution requires a Raspberry Pi Pico board with custom firmware. You won’t need the Pico board to work with most iPad and iPod Touch models except those based on the same USB controller as the iPhone 4s.
Please refer to the following table for devices requiring the Raspberry Pi Pico board to utilize our checkm8 extraction solution:
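Before deciding which procedure a given device needs, the first practical check is to read its SoC from the DFU-mode USB serial string, since checkm8 susceptibility is a property of the chip, not of the product name. The following script is an added example and is not ElcomSoft's code or part of iOS Forensic Toolkit. It assumes the well-known Apple DFU descriptors (VID 0x05AC, PID 0x1227; recovery mode is PID 0x1281), the public CPID-to-SoC mapping, and the generally reported checkm8 range of A5 through A11 (Apple Watch and T2 chip IDs are left out). The `PWND:[checkm8]` tag is the convention ipwndfu-style tools use to mark an already exploited device. All serial strings in the block are constructed samples, not captures.

```python
"""Identify the SoC behind an Apple DFU-mode device and decide whether
checkm8 applies to it.

Added example, not ElcomSoft's code. A device in DFU mode enumerates as
USB VID 0x05AC / PID 0x1227 and reports its chip identity in the
iSerialNumber string as KEY:VALUE pairs (CPID, BDID, ECID, SRTG, ...).
The CPID->SoC table and the checkm8-affected range (A5 through A11) are
public knowledge about Apple SoCs. The serial strings at the bottom are
constructed samples, not captured from real devices.
"""
import re

APPLE_VID = 0x05AC
DFU_PID = 0x1227        # SecureROM DFU mode: the state checkm8 targets
RECOVERY_PID = 0x1281   # iBoot recovery mode: looks similar, but is not DFU

# Chip ID as reported in the DFU serial string -> marketing name.
CPID_TO_SOC = {
    0x8930: "A4",
    0x8940: "A5", 0x8942: "A5 (32 nm)", 0x8945: "A5X", 0x8947: "A5 (single core)",
    0x8950: "A6", 0x8955: "A6X",
    0x8960: "A7",
    0x7000: "A8", 0x7001: "A8X",
    0x8000: "A9", 0x8003: "A9", 0x8001: "A9X",
    0x8010: "A10", 0x8011: "A10X",
    0x8015: "A11",
    0x8020: "A12", 0x8030: "A13", 0x8101: "A14",
}

# SoCs whose BootROM carries the checkm8 bug. A12 and later are fixed in
# ROM; A4 predates the bug and has its own, unrelated BootROM exploits.
CHECKM8_CPIDS = {
    0x8940, 0x8942, 0x8945, 0x8947, 0x8950, 0x8955,
    0x8960, 0x7000, 0x7001, 0x8000, 0x8003, 0x8001,
    0x8010, 0x8011, 0x8015,
}

# KEY:VALUE tokens; bracketed values such as SRTG:[iBoot-1704.10] may not
# be split on whitespace, so they get their own alternative.
_FIELD = re.compile(r"([A-Z]+):(\[[^\]]*\]|\S+)")


def parse_dfu_serial(serial):
    """Split a DFU serial string into a dict with bracket values unwrapped."""
    return {key: value.strip("[]") for key, value in _FIELD.findall(serial)}


def classify_device(serial, vid=APPLE_VID, pid=DFU_PID):
    """Return what the USB identity tells us before attempting checkm8."""
    if vid != APPLE_VID:
        return {"mode": "not-apple", "checkm8": False}
    if pid == RECOVERY_PID:
        # Recovery mode runs iBoot, not SecureROM: put the device into DFU first.
        return {"mode": "recovery", "checkm8": False}
    if pid != DFU_PID:
        return {"mode": "unknown", "checkm8": False}

    fields = parse_dfu_serial(serial)
    if "CPID" not in fields:
        raise ValueError("DFU serial string without CPID field: %r" % serial)
    cpid = int(fields["CPID"], 16)
    return {
        "mode": "dfu",
        "cpid": cpid,
        "soc": CPID_TO_SOC.get(cpid, "unknown (0x%04X)" % cpid),
        "bdid": fields.get("BDID"),
        "ecid": fields.get("ECID"),
        "securerom": fields.get("SRTG"),
        "checkm8": cpid in CHECKM8_CPIDS,
        # ipwndfu-style tools append PWND:[checkm8] after a successful run,
        # so a reconnect can tell a pwned DFU device from a clean one.
        "pwned": fields.get("PWND") == "checkm8",
    }


# Constructed sample strings (not captured from real devices).
SAMPLE_A7_CLEAN = ("CPID:8960 CPRV:11 CPFM:03 SCEP:01 BDID:0C "
                   "ECID:000001A2B3C4D5E6 IBFL:1C SRTG:[iBoot-1704.10]")
SAMPLE_A7_PWNED = SAMPLE_A7_CLEAN + " PWND:[checkm8]"
SAMPLE_A14 = ("CPID:8101 CPRV:11 CPFM:03 SCEP:01 BDID:0C "
              "ECID:00000F0E0D0C0B0A IBFL:3C SRTG:[iBoot-0000.0]")

if __name__ == "__main__":
    for label, serial in [("clean A7", SAMPLE_A7_CLEAN),
                          ("pwned A7", SAMPLE_A7_PWNED),
                          ("A14", SAMPLE_A14)]:
        info = classify_device(serial)
        print("%-9s soc=%-5s checkm8=%s pwned=%s"
              % (label, info["soc"], info["checkm8"], info["pwned"]))
```

On a real system the serial string comes from the USB device's iSerialNumber descriptor (for instance via `lsusb -v` or any USB library); only the classification logic is shown here. The recovery-mode branch matters in practice: a device sitting in iBoot recovery reports an Apple descriptor too, but checkm8 needs SecureROM DFU, so the tool must refuse rather than attempt the exploit.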
Conclusion
It is difficult to overestimate the importance of checkm8 for mobile forensic specialists. Our solution is the only one on the market supporting forensically sound checkm8 extraction for all Apple devices with the bootloader vulnerability, including all compatible iPhone, iPad, and iPod Touch models, as well as the Apple TV and Apple Watch devices.
By Oleg Afonin at 2022-06-21 10:55:00 Source ElcomSoft blog:
-
Filling the Gaps: iOS 14 Full File System Extracted
iOS Forensic Toolkit 7.40 brings gapless low-level extraction support for several iOS versions up to and including iOS 15.1 (15.1.1 on some devices), adding compatibility with previously unsupported versions of iOS 14.
What’s it all about
Low-level extraction is commonly used by forensic specialists to obtain digital evidence not otherwise accessible via the lighter and simpler logical acquisition process. Elcomsoft pioneered agent-based low-level extraction, utilizing a lightweight app for accessing the file system and establishing a communication channel between the expert’s computer and the device being extracted. Once sideloaded onto the device, the extraction agent applies an exploit to obtain superuser privileges and gain low-level access to the file system.
Prior to this update, iOS Forensic Toolkit could perform low-level extraction of most iPhone models running iOS 9 through iOS 14.8, iOS 15-15.1, and iOS 15.1.1 on select platforms. On the A14 platform specifically, the extraction agent supported iOS 14.0-14.3 and 15.0-15.1, leaving the entire range of iOS 14.4 through 14.8.1 unsupported. This made for a rather fragmented support matrix. In this release we closed the two remaining gaps, once again offering truly gapless file system extraction for all supported platforms. With this update, full file system extraction covers iOS 9.0 through 15.1 on all iPhone and iPad models that can run these versions of iOS, and iOS 15.1.1 on some models.
Benefits of agent-based extraction
There are several extraction methods of varying complexity and compatibility. Logical acquisition is the most compatible and the easiest to use, but returns the least data. Low-level extraction delivers tangible extras such as location data, comprehensive device usage stats, and all sandboxed app data, including communication histories from the most secure messaging apps.
Low-level extraction comes in multiple flavors, checkm8 being the cleanest and jailbreaks the most obtrusive of the pack. Agent-based acquisition is second only to checkm8, delivering robust file system extraction for all Apple devices running a compatible version of iOS. Agent-based extraction comes as close to forensically sound as possible: it only installs a lightweight app and does not alter any user data.
What makes a certain iOS version ‘compatible’ with the agent? The extraction agent obtains the required level of privileges by exploiting one of the known vulnerabilities in the iOS kernel. To do this, the app packs a number of kernel-level exploits and uses one or another to escape its sandbox and access the file system. Such exploits take time and effort to find and to implement, while Apple actively patches known vulnerabilities in iOS updates. This is why the latest versions of iOS are generally immune to exploits developed for earlier builds (although we know of several exceptions).
iOS 14.8.1
In earlier versions of iOS Forensic Toolkit, we supported iOS versions up to and including iOS 14.8. We also supported iOS 15.0-15.1 on all compatible devices, and iOS 15.1.1 on some platforms. iOS 14.8.1 was notably missing from the list due to the lack of a proper exploit.
For other iOS versions including iOS 15, the extraction agent relied on kernel exploits that are publicly available. The situation is different with iOS 14.8.1, which does not have a public exploit. For this iOS build we incorporated a new, unpublished exploit, making our extraction agent the first tool of its kind to support this version of iOS.
iOS 14.4-14.8.1 (Apple A14)
Prior to this release, we supported iOS 15.0-15.1 on all platforms, and iOS 15.1.1 on some devices. Notably, on Apple A14 Bionic devices the entire range of iOS 14.4-14.8.1 was not supported. iOS Forensic Toolkit 7.40 brings iOS 14.4-14.8.1 support to A14 devices, now offering gapless coverage of all compatible devices and all versions of iOS from iOS 9.0 through 15.1.1.
Using the extraction agent
You’ll need a supported iPhone or iPad device running a compatible version of iOS. Please refer to the following picture for the matrix of supported device models and iOS versions:
Using an Apple ID registered in Apple’s Developer Program is strongly recommended for installing the agent, as it removes the need to give the device Internet access. A workaround is available to Mac users. Comprehensive instructions on How to Sideload the Extraction Agent are available in our blog.
Steps to extract the file system and decrypt the keychain
To extract the file system and decrypt the keychain from an iOS device without a jailbreak, follow these steps.
- Connect the iPhone to your computer. Pair the device (establish trusted relationship) by confirming the prompt on the iPhone and entering the screen lock passcode.
- Launch iOS Forensic Toolkit 7.40 or newer.
- On the computer, sideload the extraction agent by using the corresponding command in iOS Forensic Toolkit.
Windows: developer account required. Use an app-specific password.
macOS: developer account not required but strongly recommended.
- On the iPhone, launch the extraction agent by tapping its icon.
- If supported, extract the keychain. Extract the file system image (full file system or data partition). We recommend extracting the data partition only; the full image may be useful e.g. to check the system partition for persistent malware.
- On the iPhone, uninstall the extraction agent in a regular way.
- You may now disconnect the iPhone and start analyzing the data.
By Oleg Afonin at 2022-06-09 10:55:31 Source ElcomSoft blog: