WJN Cybersecurity Company

Tag: Digital Forensics

Digital Forensics

  • Windows Account Passwords: Why and How to Break NTLM Credentials

    Windows account passwords, or NTLM passwords, are among the easiest to recover due to their relatively low cryptographic strength. At the same time, NTLM passwords can be used to unlock DPAPI-protected data such as the user’s passwords stored in Web browsers, encrypted chats, EFS-protected files and folders, and a lot more. In this article we argue for prioritizing the recovery of NTLM hashes over any other type of encrypted data.

    What are NTLM hashes?

    In Windows, NTLM hashes are used to verify passwords when users sign in to their Windows accounts. Microsoft still uses the NTLM mechanism to store passwords in modern versions of Windows. These passwords are stored in the SAM database, or in the NTDS database on the domain controller. Interestingly, NTLM hashes are faster to break than the much older LM hashes due to the way the algorithm is implemented.

    NTLM hashes protect local Windows accounts as well as the newer type of account introduced in Windows 8: the Microsoft Account sign-in. Windows caches the password hash and stores it locally on the computer. This allows users to log in to their computer while using it offline. On the other hand, this also allows extracting the cached hash and running an offline attack to recover the original password. The hashed Microsoft Account passwords are stored locally in the SAM database along with the rest of the NTLM hashes. Technically, the locally cached Microsoft Account passwords are protected with the same NTLM mechanism as other types of cached credentials, which makes them just as easy and as fast to attack as local Windows passwords.

    In layman’s terms, breaking an NTLM hash reveals the user’s plain-text Windows account or Microsoft account password, allowing the expert to sign in to that user’s computer and extract DPAPI-protected data.

    NTLM hashes are poorly salted. Microsoft uses cryptographic salt to protect LM and NTLM password hashes (what’s the difference?). However, the same salt is used to protect all LM and all NTLM passwords, which allows attacking all user accounts present on a given computer simultaneously. This only changed with Windows Hello PINs.

    The NTLM hashes are among the weakest and fastest to attack. A CPU-only attack already demonstrates very impressive speeds, while employing a mid-range NVIDIA RTX 2070 board allows trying up to 23 billion password combinations per second. Such a speed allows breaking 8-character passwords that consist of an extended character set (small and capital letters, numbers, and special characters) in under 87 hours. A more typical 8-character password containing only small and capital English letters and numbers (no special characters) can be broken in under 3 hours. A more powerful GPU, multiple GPUs, or several computers in a distributed attack can be used to speed up the recovery.
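    As an added illustration (not code from the original article or from ElcomSoft), the following Python shows the mechanism behind the two points above: an NT hash is a single MD4 computed over the UTF-16LE encoding of the password with nothing per-user mixed in, so identical passwords on different accounts yield identical stored hashes and can be checked together, and the keyspace arithmetic reproduces the order of magnitude of the figures quoted for a 23 billion/s rate. The MD4 routine is a pure-Python RFC 1320 implementation (hashlib’s md4 is often disabled on OpenSSL 3 builds); the account names and passwords are constructed sample data, and all function names are assumptions introduced here.

```python
import struct

# Pure-Python MD4 (RFC 1320) so the example runs where hashlib's "md4" is unavailable.
_MASK = 0xFFFFFFFF


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & _MASK


def _f(x, y, z): return (x & y) | (~x & z)
def _g(x, y, z): return (x & y) | (x & z) | (y & z)
def _h(x, y, z): return x ^ y ^ z


# Per-round mixing function, message-word order, shift cycle and additive constant.
_ROUNDS = (
    (_f, list(range(16)), (3, 7, 11, 19), 0x00000000),
    (_g, [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15], (3, 5, 9, 13), 0x5A827999),
    (_h, [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15], (3, 9, 11, 15), 0x6ED9EBA1),
)


def md4(data: bytes) -> bytes:
    """Return the 16-byte MD4 digest of data."""
    bit_len = len(data) * 8
    data += b"\x80"
    data += b"\x00" * ((56 - len(data) % 64) % 64)
    data += struct.pack("<Q", bit_len)
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    for off in range(0, len(data), 64):
        words = struct.unpack("<16I", data[off:off + 64])
        r = state[:]
        for func, order, shifts, const in _ROUNDS:
            for i, k in enumerate(order):
                idx = (-i) % 4  # registers are updated in the order a, d, c, b
                a, b, c, d = (r[(idx + j) % 4] for j in range(4))
                r[idx] = _rotl((a + func(b, c, d) + words[k] + const) & _MASK, shifts[i % 4])
        state = [(s + t) & _MASK for s, t in zip(state, r)]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> str:
    """NT hash as stored in the SAM: one MD4 over the UTF-16LE password, no per-user salt."""
    return md4(password.encode("utf-16-le")).hex()


def shared_password_groups(accounts: dict) -> dict:
    """Group account names whose NT hashes collide.  Nothing per-user enters the hash,
    so one hash computation per candidate tests every account at once; the same
    property lets an auditor spot password reuse without knowing the passwords."""
    groups = {}
    for user, password in accounts.items():
        groups.setdefault(nt_hash(password), []).append(user)
    return {h: users for h, users in groups.items() if len(users) > 1}


def hours_to_exhaust(charset_size: int, length: int, rate_per_second: float) -> float:
    """Worst-case hours to try every password of the given length and alphabet."""
    return charset_size ** length / rate_per_second / 3600


if __name__ == "__main__":
    # Constructed sample accounts, not data from any real system.
    sample = {"alice": "Password123", "bob": "Password123", "carol": "correct horse"}
    print(nt_hash("password"))  # 8846f7eaee8fb117ad06bdd830b7586c
    print(shared_password_groups(sample))
    print(f"{hours_to_exhaust(95, 8, 23e9):.1f} h for 8 chars over 95 symbols at 23 G/s")
    print(f"{hours_to_exhaust(62, 8, 23e9):.1f} h for 8 chars over 62 symbols at 23 G/s")
```

    The grouping step is the same check a password auditor runs against a SAM or NTDS dump to find shared passwords without recovering any of them; from the defender’s side, the absence of a per-user salt is the reason NT hashes deserve a stricter length policy than hashes that are salted and iterated.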

    What is DPAPI, and how is it related to NTLM?

    Windows uses the Data Protection Application Programming Interface (DPAPI) as a transparent way to access encryption keys protecting various system resources. Examples of such DPAPI-protected resources are online forms and authentication credentials (passwords) stored in Microsoft Edge and Google Chrome, EFS (Encrypting File System, or NTFS file encryption) keys, passwords to network shares and FTP resources, and a lot more.

    DPAPI transparently protects sensitive information stored in each user’s Windows account. For example, if the user enables file encryption by ticking the “Encrypt contents to secure data” box in the Advanced Properties of a file or folder, the encrypted files will be transparently accessible to the authenticated user, but cannot be accessed when analyzing a disk image.

    In addition, DPAPI protects authentication credentials cached in Microsoft Edge and Google Chrome browsers. This protection is also transparent; the user does not need to enter any additional password to access these authentication credentials, but such credentials cannot be extracted when analyzing a disk image without an authenticated Windows session.

    The “NTLM first” strategy

    This strategy prioritizes easily accessible data that can be used to break other passwords or to decrypt data, disregarding its potential value as evidence. In particular, this strategy prioritizes stored passwords (e.g. Web browser password storage, keychain, DPAPI-protected data etc.).

    So why do we need the NTLM password after all? It’s because of the other things that are protected with it. The users’ passwords stored in Windows Web browsers such as Microsoft Edge and Google Chrome are encrypted with a key protected with Windows DPAPI. Decrypting the key (and accessing stored passwords) requires a Windows account unlock, which in turn means we’ll need to break the NTLM password to sign into the user’s Windows account. NTLM passwords are notoriously fast to recover, which makes them the perfect target.

    You’ll need to take several steps to make the best use of the strategy.

    1. Analyze unencrypted data for any passwords that can be accessed.
    2. Create or update the custom dictionary.
    3. Use the custom dictionary to attack the NTLM password.
    4. Access DPAPI-protected data (such as browser passwords, SMB passwords etc.), e.g. with Elcomsoft Internet Password Breaker.
    5. Update custom dictionary.
    6. Analyze the dictionary of the user’s passwords. Any repeatable patterns? Shared passwords? Common templates? What kind of mutations would fit the user’s profile?
    7. Update custom dictionary with “cleaned”, pattern-based passwords (e.g. for entries such as “Password123” use “password” and medium strength of “Digit” mutations).
    8. When attacking files and documents, place the fastest/easiest to break files at the top of the queue. NTLM passwords are among the weakest, and should always make it to the top of the queue.

    Additional information

    If you are interested in unlocking DPAPI-protected data, check out the following presentation first:

    In addition, we recommend the following articles:

    We offer a tool for extracting DPAPI-protected passwords from all major Web browsers:

    There is also a free tool that can extract DPAPI-protected keys in binary form:

    Conclusion

    The described strategy may seem counter-intuitive; it is far less obvious than strategies prioritizing the most important evidence. When choosing your strategy, consider that the most valuable evidence may feature the strongest protection that may not be recoverable with brute force.

    By Oleg Afonin at 2022-12-16 14:56:45 Source ElcomSoft blog:
    Windows Account Passwords: Why and How to Break NTLM Credentials

  • iOS Forensic Toolkit 8: Apple TV 3, 4, and 4K checkm8 Extraction Cheat Sheet

    Several generations of Apple TV devices have a bootloader vulnerability that can be exploited with checkm8 to extract information from the device. The vulnerability exists in the Apple TV 3 (2012 and 2013), Apple TV HD (formerly Apple TV 4) 2015 and 2021, and Apple TV 4K (2017). Newer generations of Apple TV do not have the vulnerability. This guide lists the tools and steps required to fully extract a compatible Apple TV device.

    Apple TV: cheat sheet

    To extract data from an Apple TV box, follow these steps:

    1. Launch iOS Forensic Toolkit 8.0 (Mac)
    2. Connect the device to the computer with a USB cable (you will need a custom adapter for connecting the Apple TV 4K device)
    3. Place the Apple TV into DFU (see below)
    4. Run ./EIFT_cmd boot
    5. Run ./EIFT_cmd ramdisk unlockdata -s
    6. Run ./EIFT_cmd ramdisk keychain -o (unknown) to extract the keychain
    7. Run ./EIFT_cmd ramdisk tar -o (unknown) to pull the file system image
    8. Run ./EIFT_cmd ssh halt to power off the device

    Placing Apple TV devices to DFU

    Placing the three generations of Apple TV into DFU requires different steps. The Apple TV 3 can be placed into DFU with a matching IR remote, while the Apple TV HD (formerly Apple TV 4) requires a Siri remote. Apple TV 4K requires an additional adapter to connect it to the computer (due to the lack of a USB port). You will need yet another adapter to place the device into DFU, but once you have it, simply connecting the adapter to the box is enough to make it boot into DFU. Please refer to the following article for instructions: How to Put Apple TV 3 (2012-2013), Apple TV 4/HD (2015) and Apple TV 4K (2017) into DFU

    Apple TV extraction steps explained

    Once you connect the Apple TV device to the computer, place the device into DFU as explained in the previous chapter. Then apply the exploit with iOS Forensic Toolkit by running the following command:

    ./EIFT_cmd boot

    iOS Forensic Toolkit will detect the Apple TV in DFU mode and automatically apply the exploit. The toolkit detects the tvOS version installed on the device, and provides a download link to an Apple firmware image. If there are multiple potential matches, several download links will be displayed; we recommend taking the last link from the list. Download the file from the link, and drop it onto the console window, then press ENTER. Alternatively, you can simply paste the firmware download link instead. If you do that, the tool will only download parts of the firmware image that are required to apply the exploit and boot the Apple TV. It may take several attempts to place the device into DFU.

    Notably, full IPSW images for Apple TV devices are scarce. Our tool can use OTA update images for the purpose of applying the exploit.

    In many cases, the tvOS version will be detected automatically by EIFT during the first stage of the exploit. The detection is based on the detected iBoot version and device hardware. However, in some cases the iBoot version may correspond to several OS builds. If the wrong build is used, you will have an option to either repeat the process with a different version of firmware, or continue with the current firmware image (which works in many cases).

    Please note: applying the checkm8 exploit on the first-generation Apple TV 3 (A1427) requires a Raspberry Pi Pico board. The workflow is similar to the iPhone 4s. The newer Apple TV 3 (A1469) does not require an external microcontroller.

    ./EIFT_cmd ramdisk unlockdata -s

    This command unlocks the data partition and mounts it read-only. Since the Apple TV does not have a passcode, you will not need to provide one.

    ./EIFT_cmd ramdisk keychain -o (unknown)

    This command extracts and decrypts the keychain. If no path is specified, it will be saved into the current folder. Note that the number of keychain records extracted can be limited compared to the content of an iPhone or iPad device. Since the Apple TV cannot have a passcode, the Apple TV devices cannot access any end-to-end encrypted data in iCloud, which includes the iCloud keychain. Any keychain records extracted from the Apple TV are going to be local, entered by the user on a specific device.

    ./EIFT_cmd ramdisk tar -o (unknown)

    This command images the file system. The checksum (hash value) is calculated on the fly and displayed once the extraction is finished.

    Analyzing Apple TV data

    After extracting the data, load the file system image and a copy of the keychain in the forensic tool of your choice. For the time being, few if any third-party forensic tools have been optimized to support TV-specific data sets. Elcomsoft Phone Viewer fully supports Apple TV images. Alternatively, you can manually analyze the file system image by unpacking the resulting .tar archive. Please refer to Apple TV Forensics 03: Analysis for details.

    By Oleg Afonin at 2022-12-02 15:48:37 Source ElcomSoft blog:
    iOS Forensic Toolkit 8: Apple TV 3, 4, and 4K checkm8 Extraction Cheat Sheet

  • iOS Forensic Toolkit 8 Apple Watch S3 checkm8 Extraction Cheat Sheet

    checkm8 is the only extraction method available for the Apple Watch S3 allowing full access to essential evidence stored in the device. In this guide, we will talk about connecting the Apple Watch S3 to the computer, placing the watch into DFU mode, applying the checkm8 exploit and extracting the file system from the device with iOS Forensic Toolkit 8.0.

    The Apple Watch Series 3 holds the record as the longest-lived smartwatch in Apple’s lineup. Initially introduced in September 2017, this model remained on sale for five years until it was finally discontinued in 2022. This model is the last Apple Watch device compatible with the checkm8 exploit.

    Please note: steps listed in this guide are provided for the release version of iOS Forensic Toolkit 8.0. The older article checkm8 Extraction of Apple Watch Series 3 is based on the fifth beta version of the tool, and has slightly outdated instructions. While the old instructions still work, please refer to this publication for all future Apple Watch extractions.

    Before you begin

    Unlike other Apple devices, the Apple Watch does not have a built-in USB port. The hidden diagnostic pins are available and can be used to attach the watch to the computer with an appropriate adapter. Make sure you have everything handy before you begin.

    1. A Mac computer. You will need a Mac to install the exploit and perform the extraction. We support both Intel and M1-based Macs with a universal build of iOS Forensic Toolkit. At this time, Windows is not supported.
    2. iOS Forensic Toolkit 8.0 for Mac. Currently, EIFT 8.0 is only available for Mac.
    3. Apple Watch Series 3. The watch must be functional enough to be placed into DFU mode.
    4. Apple Watch passcode must be known or empty. Otherwise, limited BFU extraction may be available, but very little information can be obtained this way.
    5. A compatible USB adapter to connect the watch to the computer.
    6. You must be able to download the official Apple firmware (the download link will be provided during the extraction) that matches the watchOS version installed on the device.

    Note: while Apple had partially patched the vulnerability in iOS 14 and 15, watchOS 7 and 8, which are based on those versions of iOS, did not receive the same treatment. As a result, you will not have to remove the watch screen lock passcode in order to apply the exploit. We are not quite sure what’s going on here, but it does appear the patch was simply forgotten.

    USB adapter

    There are several types of Apple Watch adapters on the market that can be easily sourced from multiple vendors. We tested several adapters, and currently recommend one named S-Dock:

    Note that some adapters may not support DFU mode. We recommend one of the adapters we tested in Apple Watch Forensics: The Adapters and Apple Watch Forensics: More on Adapters, which includes models by S-BUS, MagicAWRT and iBUS.

    Cheat sheet: checkm8 extraction of Apple Watch 3

    When extracting the Apple Watch, follow these steps:

    1. Launch iOS Forensic Toolkit 8.0
    2. Connect the Apple Watch 3 to the computer via a USB adapter (in a powered-off state)
    3. Run ./EIFT_cmd boot -w
    4. Place the Watch into DFU
    5. iOS Forensic Toolkit will detect the watch and apply the exploit
    6. Run ./EIFT_cmd ramdisk loadnfcd
    7. Run ./EIFT_cmd ramdisk unlockdata -s (enter passcode when prompted, or ENTER if you don’t know the passcode)
    8. Run ./EIFT_cmd ramdisk keychain -o (unknown) to extract the keychain
    9. Run ./EIFT_cmd ramdisk tar -o (unknown) to extract the file system
    10. Run ./EIFT_cmd ssh halt to power off the Apple Watch

    Step by step instructions

    Launch iOS Forensic Toolkit, then connect the Apple Watch to the computer by using a commercially available adapter. At this time, the watch must be powered down.

    On the computer, launch EIFT in wait mode:

    ./EIFT_cmd boot -w

    Then, place the watch into DFU. To do that, press and hold both the Digital Crown and the Side button for ten seconds, then release the Side button while still holding the Digital Crown for 10 more seconds. There will be no indication on the watch; the display should remain black. If you see an Apple logo, the timings were wrong, and you’ll have to repeat the procedure.

    Once the watch is in DFU mode, the tool detects the OS version installed on the watch, and provides a download link. If there are multiple potential matches, several download links will be displayed; we recommend taking the last link from the list. Download the file from the link, and drop it onto the console window, then press ENTER. Alternatively, you can simply paste the firmware download link instead. If you do that, the tool will only download parts of the firmware image that are required to apply the exploit and boot the watch. It may take several attempts to place the device into DFU.

    Notably, full IPSW images for Apple Watch devices are scarce. Our tool can use OTA update images for the purpose of applying the exploit.

    Once the exploit is applied, the watch screen will display the “Booting” message.

    In many cases, the watchOS version will be detected automatically by EIFT during the first stage of the exploit. The detection is based on the detected iBoot version and device hardware. However, in some cases the iBoot version may correspond to several OS builds. If the wrong build is used, you will have an option to either repeat the process with a different version of firmware, or continue with the current firmware image (which works in many cases).

    If the process was successful, you will see a confirmation.

    The Watch will display the following screen:

    ./EIFT_cmd ramdisk unlockdata -s

    This command unlocks the data partition and mounts it read-only. You may be prompted for the passcode; enter the passcode if you know it, or press ENTER to skip (a limited BFU extraction will be performed in that case).

    If you enter the wrong passcode, an error will be displayed. With the correct passcode, the volume is fully unlocked and you can proceed with data (keychain and file system) extraction. If you don’t know the passcode, press ENTER at the prompt. In this case, a very limited BFU extraction will be performed.

    ./EIFT_cmd ramdisk keychain -o (unknown)

    This command extracts and decrypts the keychain. If no path is specified, it will be saved into the current folder.

    ./EIFT_cmd ramdisk tar -o (unknown)

    This command images the file system. The checksum (hash value) is calculated on the fly and displayed once the extraction is finished.

    The SoC and USB controller in the Apple Watch are significantly slower than their iPhone counterparts, which results in comparatively slow extraction speeds of approximately 3 MB/s.
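    Both the Apple TV and the Apple Watch guides note that ramdisk tar displays a checksum once the extraction finishes. The following Python is an added example, not part of the original articles or of iOS Forensic Toolkit, of what an examiner does with that value afterwards: recompute the digest of the saved .tar in chunks, compare it with the recorded value, count the archive members so a truncated archive is noticed, and append a JSON line to a manifest. The hash algorithm (SHA-256), the manifest format, the function names and the make_sample_tar helper (which builds a small constructed archive so the script runs offline) are assumptions introduced here.

```python
import hashlib
import json
import os
import tarfile
import tempfile
import time


def hash_file(path: str, algorithm: str = "sha256", chunk_size: int = 1 << 20) -> str:
    """Digest a large image in fixed-size chunks so memory use stays flat."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_image(path: str, expected_hex: str, algorithm: str = "sha256") -> dict:
    """Recompute the digest, compare it with the value recorded at acquisition time,
    and count archive members; an unreadable (e.g. truncated) .tar is reported as
    not verified even if a digest could be computed."""
    try:
        with tarfile.open(path) as tar:
            members = sum(1 for _ in tar)
    except tarfile.TarError:
        members = None
    actual = hash_file(path, algorithm)
    expected = expected_hex.lower()
    return {
        "file": os.path.basename(path),
        "size_bytes": os.path.getsize(path),
        "algorithm": algorithm,
        "expected": expected,
        "actual": actual,
        "members": members,
        "verified": actual == expected and members is not None,
        "checked_at": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
    }


def write_manifest(record: dict, manifest_path: str) -> None:
    """Append one JSON line per verification so the manifest doubles as a log."""
    with open(manifest_path, "a", encoding="utf-8") as f:
        f.write(json.dumps(record, sort_keys=True) + "\n")


def make_sample_tar() -> str:
    """Build a tiny constructed archive (two files) standing in for an extracted image."""
    workdir = tempfile.mkdtemp()
    path = os.path.join(workdir, "sample_data.tar")
    files = (("private/var/mobile/a.txt", b"alpha"), ("private/var/mobile/b.txt", b"beta"))
    with tarfile.open(path, "w") as tar:
        for name, payload in files:
            src = os.path.join(workdir, os.path.basename(name))
            with open(src, "wb") as f:
                f.write(payload)
            tar.add(src, arcname=name)
    return path


if __name__ == "__main__":
    image = make_sample_tar()
    recorded = hash_file(image)  # stands in for the checksum the tool displayed
    record = verify_image(image, recorded)
    write_manifest(record, os.path.join(os.path.dirname(image), "manifest.jsonl"))
    print(json.dumps(record, indent=2))
```

    In practice the recorded value is copied from the tool’s console output into the case notes at acquisition time; re-running the check before analysis and again before reporting gives two independent confirmations that the image analysed is the one that was extracted.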

    Limited BFU extraction

    If you do not know the screen lock passcode, just press ENTER when prompted. Despite the “Device is not unlockable” error, you will still be able to perform a limited BFU (Before First Unlock) extraction.

    Analyzing Apple Watch data

    After extracting the data, load the file system image and a copy of the keychain in the forensic tool of your choice. For the time being, few if any third-party forensic tools have been optimized to support watch-specific data sets. Elcomsoft Phone Viewer fully supports Apple Watch images.

    The Apple Watch contains a significant amount of data that is neither included in backups nor synchronized with iCloud. Such unique data may include extensive location data, messages, notifications, and more.

    By Oleg Afonin at 2022-11-29 18:09:03 Source ElcomSoft blog:
    iOS Forensic Toolkit 8 Apple Watch S3 checkm8 Extraction Cheat Sheet

  • Approaching iOS Extractions: Choosing the Right Acquisition Method

    The extraction method or methods available for a particular iOS device depend on the device’s hardware platform and the installed version of iOS. While logical acquisition is available for all iOS and iPadOS devices, more advanced extraction methods are available for older platforms and versions of iOS. But what if more than one way to extract the data is available for a given device? In this guide, we’ll discuss the applicable acquisition methods as well as the order in which they should be used.

    For iOS and iPadOS devices, low-level extraction requires exploiting undocumented vulnerabilities in order to access the file system and some of the encryption keys required to decrypt the keychain. Such exploits are typically discovered in older hardware platforms and older versions of iOS. In general, devices released less than five years ago and running a recent version of iOS are immune to known public exploits and can only be extracted with logical acquisition. Logical acquisition is universally available on iOS and iPadOS devices regardless of their hardware platform and version of iOS. However, logical acquisition on devices running tvOS and watchOS will be limited, as there is no backup service on such devices.

    Low-level extraction methods are available on older platforms and versions of iOS. These methods include checkm8 (a bootloader-based exploit) and Elcomsoft’s software-based low-level extraction agent. Please refer to the following table to determine which acquisition methods are available to your device:

    Notes:

    • The iPhone SE 3 (2022) was released with iOS 15.4 on board, which is not supported by the extraction agent.
    • For iOS 15.2-15.3.1 the extraction agent can only extract the file system but not the keychain.
    • checkm8 extraction of Apple A11 devices running iOS 14 and 15 is only possible once the screen lock passcode is empty.
    • No agent-based extraction is available for checkm8-capable Apple TV devices.
    • checkm8 support for iOS 16 devices is under development and will be available soon for all supported devices.
    • The extraction agent is in active development, with full support for iOS 15.5 and lower (including keychain decryption) coming soon.

    Choosing the right extraction method

    When more than one extraction method is available, the order matters. We recommend the following workflow.

    Note: logical extraction is available for all generations of Apple hardware and all supported versions of iOS.

    For older devices compatible with checkm8 (this includes iPhone devices up to and including the iPhone 8, 8 Plus, and iPhone X, as well as the corresponding iPad, Apple Watch, and Apple TV models):

    • Only use checkm8 extraction. Attempt other methods if and only if the checkm8 extraction fails.

    The checkm8 extraction is the most sophisticated extraction method available for Apple devices that have a vulnerability in their bootloader. Our implementation of checkm8 offers clean, forensically sound extractions with repeatable, verifiable results. If you’ve used checkm8, you have already received the fullest set of data extractable from the device; there is no need to use any other acquisition method.

    Using checkm8 extraction: checkm8 Extraction Cheat Sheet: iPhone and iPad Devices

    For devices not compatible with checkm8 but running a version of iOS supporting the extraction agent (currently, iOS 9.0 through 15.3.1 for devices supporting these OS versions):

    1. First, make a local backup with iOS Forensic Toolkit. If the backup is password-protected, make a backup nevertheless. Do not reset the backup password in device settings.
    2. Use the extraction agent. The backup password will be extracted along with the rest of the data.

    For all other devices that support neither checkm8 nor the extraction agent, including the iPhone 14 range:

    1. First, make a local backup with iOS Forensic Toolkit. If the backup is password-protected, make a backup nevertheless. Do not reset the backup password in device settings. If the backup password is empty, the tool automatically sets a temporary password of “123”.
    2. Extract all other data that can be obtained through the advanced logical process. This includes media files (photos, videos and metadata), shared application data, some system logs and device information.
    3. If the backup has an unknown password, attempt a local attack with Elcomsoft Phone Breaker or Elcomsoft Distributed Password Recovery. If unsuccessful, consider resetting the backup password through device settings. Mind the risks and consequences.

    Using advanced logical extraction: Advanced Logical Extraction with iOS Forensic Toolkit 8: Cheat Sheet
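    The selection rules above, encoded as a small decision function. This is an added example, not part of the original article or of iOS Forensic Toolkit: the function names, the step labels and the chip-label convention (for instance "A11" for the iPhone 8, 8 Plus and X) are assumptions introduced here, while the version boundaries are the ones the text states (agent support on iOS 9.0 through 15.3.1, file system only on 15.2 to 15.3.1; checkm8 on A11 devices running iOS 14 or 15 only with an empty passcode).

```python
from typing import List, Tuple

# Step labels (assumed names; the wording follows the article's recommendations).
CHECKM8 = "checkm8"
CHECKM8_A11_NOTE = "checkm8 (A11 on iOS 14/15: only possible once the screen lock passcode is empty)"
BACKUP = "local backup with iOS Forensic Toolkit (keep any backup password; do not reset it)"
AGENT_FULL = "extraction agent (file system + keychain; backup password recovered with the data)"
AGENT_FS_ONLY = "extraction agent (file system only; keychain not decrypted on iOS 15.2 to 15.3.1)"
ADVANCED_LOGICAL = "advanced logical (media, shared app data, some logs, device info)"
BACKUP_PASSWORD = "attack the backup password locally; reset via device settings only as a last resort"

AGENT_RANGE = ((9, 0), (15, 3, 1))      # page: iOS 9.0 through 15.3.1
AGENT_NO_KEYCHAIN_FROM = (15, 2)        # page: 15.2-15.3.1 file system but no keychain
A11_PASSCODE_RULE = ((14, 0), (16, 0))  # page: A11 devices on iOS 14 and 15


def parse_version(version: str) -> Tuple[int, ...]:
    """'15.3.1' -> (15, 3, 1); tuples compare component-wise, so '15.4' > '15.3.1'."""
    return tuple(int(part) for part in version.split("."))


def choose_acquisition(checkm8_capable: bool, chip: str, ios_version: str,
                       passcode_empty: bool) -> List[str]:
    """Return the acquisition steps in the order the article recommends."""
    v = parse_version(ios_version)
    if checkm8_capable:
        # Other methods are tried only if checkm8 fails, so checkm8 is the whole plan.
        lo, hi = A11_PASSCODE_RULE
        if chip == "A11" and lo <= v < hi and not passcode_empty:
            return [CHECKM8_A11_NOTE]
        return [CHECKM8]
    steps = [BACKUP]  # always first for non-checkm8 devices
    lo, hi = AGENT_RANGE
    if lo <= v <= hi:
        steps.append(AGENT_FS_ONLY if v >= AGENT_NO_KEYCHAIN_FROM else AGENT_FULL)
        return steps
    # Neither checkm8 nor the agent applies: logical methods only.
    steps += [ADVANCED_LOGICAL, BACKUP_PASSWORD]
    return steps


if __name__ == "__main__":
    # Constructed cases, not real devices.
    for args in ((True, "A10", "15.7", False), (True, "A11", "15.7", False),
                 (False, "A12", "15.0", True), (False, "A13", "15.3.1", True),
                 (False, "A16", "16.1", True)):
        print(args, "->", choose_acquisition(*args))
```

    The ordering matters for the non-checkm8 branches: the backup is taken before the agent runs because the agent recovers the backup password along with the data, and before any reset of the backup password because a reset is irreversible.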

    Conclusion

    This publication should help experts better understand their options when extracting Apple devices based on their hardware platform and OS.

    By Oleg Afonin at 2022-11-24 15:54:21 Source ElcomSoft blog:
    Approaching iOS Extractions: Choosing the Right Acquisition Method

  • iOS Forensic Toolkit 8 Extraction Agent Cheat Sheet

    iOS Forensic Toolkit 8 brings a new, powerful user experience based on the command line. While this approach offers experts full control over the extraction process, mastering the right workflow may become a challenge for those unfamiliar with command-line tools. In this quick-start guide we will lay out the steps required to extract the file system and decrypt the keychain of a compatible iPhone or iPad device.

    Introduction

    Low-level extraction can be done in different ways. For older hardware, the checkm8 extraction delivers the cleanest results; our solution is unrivaled in providing truly forensically sound extractions for all compatible devices, which include a number of iPhone, iPad, Apple Watch and Apple TV devices. checkm8 extractions are great, but they aren’t compatible with newer devices. To deliver low-level extraction for newer iPhones and iPads, we developed an in-house extraction agent that comes as close to being forensically sound as possible. This method is highly dependent on kernel exploits, which are extremely difficult to implement. This is why low-level extraction almost never comes to the current, up-to-date and fully patched versions of iOS. For newer models starting with the iPhone Xr/Xs, using the extraction agent is the only way to extract the file system and decrypt the keychain.

    What is an extraction agent?

    The extraction agent is an app sideloaded onto the iPhone being extracted. The app establishes a communication channel between the device and the computer, escalates privileges, and gains access to the file system and the encryption keys required to decrypt the content of the keychain.

    Agent-based low-level extractions deliver the cleanest experience for newer devices without checkm8 support. While the process is not fully forensically sound, the modifications made to the data are minimal. Once the extraction agent is uninstalled, the only traces left on the device are several records representing agent-related events in the device’s diagnostic logs.

    Extraction agent cheat sheet

    Note: we recommend using a USB 3.0 port to speed up the extraction of certain devices.

    On the computer, launch iOS Forensic Toolkit.

    Connect the iPhone to the computer.

    Once the iPhone is connected to the computer, you will be prompted to establish trust between the device and the computer. On the device, confirm the pairing prompt and enter the screen lock passcode.

    If the device was not automatically paired, you will need to manually pair the device to the computer by running the following command:

    ./EIFT_cmd normal pair

    Sideload the extraction agent onto the device by running the following command:

    ./EIFT_cmd agent install

    On the iPhone: if you are using a non-developer Apple ID to sideload the agent, validate the signing certificate on the iPhone. (Note: this requires an active internet connection and carries certain security risks).

    If an error message pops up (e.g. “all exploits failed”), restart the iPhone.

    On the computer:

    ./EIFT_cmd agent keychain -o keychain.xml
    
    ./EIFT_cmd agent tar -o data.tar


    Only if suspecting root-level malware:

    ./EIFT_cmd agent tar --system -o system.tar

    On the computer (uninstall the extraction agent):

    ./EIFT_cmd agent uninstall

    Alternatively, you may uninstall the extraction agent from the device by long-pressing its icon and deleting the app.

    Installing the extraction agent

    The extraction agent is an iOS app that must be sideloaded (installed) onto the iOS device. Note: if a previous version of the extraction agent is already installed, remove it from the device as you would uninstall any other app.

    When installing the extraction agent, the iPhone must be unlocked and paired to the computer.

    Sideloading the extraction agent requires an Apple ID login and password. We strongly recommend using an Apple ID account enrolled in the Apple Developer Program. If you use a regular, non-developer account, you will need to validate the agent’s signing certificate on the iPhone, which requires an active internet connection and brings the associated security risks.

    Pair the iPhone to the computer before sideloading the extraction agent. The pairing prompt is usually displayed automatically when you connect the iPhone to the computer. Confirm the pairing prompt and type the screen lock passcode on the device. If for any reason no pairing is established, run the following command:

    ./EIFT_cmd normal pair

    On the iPhone: confirm pairing request and enter screen lock password when prompted.

    Install the extraction agent by running the following command on the computer:

    ./EIFT_cmd agent install

    You will be prompted for Apple ID credentials (login, password, and one-time code for passing two-factor authentication). A developer account is strongly recommended. If you use a regular, non-developer account, you will need to validate the agent’s signing certificate on the device before you can launch the app. This in turn requires an active internet connection, placing the device at risk of unwanted synchronization and/or remote lock or remote erase. When using an Apple ID enrolled in Apple’s Developer Program, this check can be skipped, and the device can be kept offline.

    Using the extraction agent

    The extraction agent enables full file system extraction from all supported devices, as well as keychain decryption on select supported devices.

    To use the extraction agent, install (sideload) the agent onto the iOS device according to the instructions, then touch its icon to launch the app. Make sure to keep the app open in foreground at all times during the extraction; do not switch to any other apps.

    The extraction agent will automatically attempt to obtain elevated privileges. Since the agent uses unofficial exploits, on rare occasions the device may reboot. If this happens, wait until the device fully boots, unlock it, and run the agent app again. There is no need to reinstall the agent.

    Keychain decryption

    Extract the keychain into a file named keychain.xml:

    ./EIFT_cmd agent keychain -o keychain.xml

    File system image

    The extracted file system image is saved into a .tar archive. The process may take a while depending on the size of the file system. Make sure the agent app is open and runs in the foreground during the entire extraction.

    The following command extracts and saves a file system image from the device into a file named “data.tar”. Only the user data will be copied.

    ./EIFT_cmd agent tar -o data.tar

    You can also extract the system partition. Generally, you would only need to do this if you suspect a rootkit or other system-level malware on the device.

    ./EIFT_cmd agent tar --system -o system.tar

    Please note that you would normally only need to extract the data and not the system partition.

    Finally, uninstall the extraction agent, either by removing it on the device as you would any other app or by running the following command:

    ./EIFT_cmd agent uninstall

    Alternatively, you may uninstall the extraction agent from the device by long-pressing its icon and deleting the app.

    Extraction steps explained

    When sideloading the extraction agent, we strongly recommend using an Apple ID registered in Apple’s Developer Program. This allows keeping the device offline and disconnected from the network. If you must use a regular Apple ID, you will need to validate the signing certificate in the device settings, which in turn requires an active internet connection. If this is the case, make sure to configure a firewall to whitelist access to Apple signing services only. More in Extracting iPhone File System and Keychain Without an Apple Developer Account.

    1. Download and install the latest version of Elcomsoft iOS Forensic Toolkit.
    2. Launch iOS Forensic Toolkit on your computer.
    3. Connect and pair the iOS device ./EIFT_cmd normal pair
    4. Install the extraction agent ./EIFT_cmd agent install
      You will need an Apple ID (preferably enrolled in Apple’s Developer Program) with a login, password, and one-time two-factor authentication code to sideload the agent app.
    5. If you used a regular, non-developer Apple ID, validate the signing certificate on the iPhone. This step is not needed when using a developer account.
    6. Launch the extraction agent by tapping its icon. Keep the agent running in the foreground during the rest of the extraction process.
    7. Extract and decrypt the keychain ./EIFT_cmd agent keychain -o keychain.xml
    8. Extract user data ./EIFT_cmd agent tar -o data.tar
    9. Optional: if suspecting malware or a rootkit, extract system data ./EIFT_cmd agent tar --system -o system.tar
    10. Uninstall the extraction agent in the usual way on the device, or by running ./EIFT_cmd agent uninstall

    Conclusion

    The extraction agent is a software-based low-level extraction solution available in iOS Forensic Toolkit for iPhone and iPad devices running compatible versions of iOS. We actively develop the extraction agent, planning full support for iOS 15.5 and lower (including keychain decryption) in the near future.

    By Oleg Afonin at 2022-11-22 14:13:34 Source ElcomSoft blog:
    iOS Forensic Toolkit 8 Extraction Agent Cheat Sheet

  • Cloud Forensics: Obtaining iCloud Backups, Media Files and Synchronized Data

    Cloud Forensics: Obtaining iCloud Backups, Media Files and Synchronized Data

    Apple offers by far the most sophisticated solution for backing up, restoring, transferring and synchronizing data across devices belonging to the company’s ecosystem. Apple iCloud can store cloud backups and media files, synchronize essential information between Apple devices, and keep highly sensitive information such as Health and authentication credentials securely synchronized. In this article we’ll explain what kinds of data are stored in iCloud and what you need to access them.

    iCloud: what’s inside?

    Apple iCloud contains information belonging to several different categories.

    iCloud backups. This is the classic cloud-based backup and restore mechanism introduced back in 2011. iCloud backups contain a set of system and application data that is similar to the content of passwordless local backups, with select exceptions for synchronized data. For example, if the user enables iCloud Photos (as a synchronized category), the photos may no longer be present in iCloud backups.

    Apple only provides basic backup management, and does not allow downloading iCloud backups in any way other than restoring onto a physical Apple device. By logging in to an iCloud account (or accessing backups from any logged-in device), users can only view and delete backups, with no other options available. One can restore a new device from almost any backup (the iOS version on the device being restored should be the same as or newer than the OS version of the original device). Note that one can only restore from a cloud (or local) backup during the initial device setup (for new devices or devices after a factory reset).

    Elcomsoft Phone Breaker was the first tool on the market to download iCloud backups without requiring authentic Apple hardware. Today, the tool can download backups created with devices running all versions of iOS up to and including iOS 16.x. To download an iCloud backup, you will need all of the following:

    • The user’s Apple ID and password
    • One-time code for two-factor authentication, if enabled on the user’s account

    Authentication tokens cannot be used to access iCloud backups. Downloading the initial backup may take a long time. Subsequent incremental backups are downloaded a lot faster. We do not recommend using a VPN during the download as the speed may suffer.

    • How to open: Unless you enable the “restore original file names” option, iCloud backups will be downloaded in the standard iTunes format compatible with Elcomsoft and third-party forensic tools.

    Note 1: you can download backups made by all devices registered with a given Apple ID. Due to the incremental nature of cloud backups, Apple keeps up to the two most recent snapshots for each device. Elcomsoft Phone Breaker downloads all snapshots for the devices you specify.

    Note 2: you can download the complete backup or selectively download only the essential parts. Selective download allows you to speed up the investigation, as a full download may take a while depending on the size of the backup.

    Note 3: Apple attempts to detect and restrict non-Apple access to iCloud backups. At one time, Apple temporarily locked accounts from which iCloud backups were obtained. This is no longer the case, and it never happened when accessing other types of data.

    Note 4: Apple only provides 5GB of free cloud space, which practically rules out the backup functionality of iCloud (with the exception of temporary iCloud backups). An iCloud+ subscription provides 50GB of cloud space, which might be enough to store cloud backups.

    Temporary iCloud backups. This is a new type of backup that appeared in iOS 15 to solve the problem of insufficient space in the user’s iCloud account when transferring data to a new Apple device or restoring onto the same device after a factory reset. Temporary iCloud backups do not count against the iCloud storage quota and are retained for 21 days, after which they are automatically deleted. Our tool supports the extraction of temporary iCloud backups. More in iOS 15 Forensic Implications: Temporary iCloud Backups.

    Downloading a temporary iCloud backup is subject to the same authentication rules and limitations as regular cloud backups.

    Synchronized data. These data include calendars, contacts, notes, and many other types of data synchronized by Apple apps.

    To download synchronized data from the user’s iCloud account, you will need all of the following:

    • The user’s Apple ID and password
    • One-time code for two-factor authentication, if enabled on the user’s account

    Alternatively, you may use a supported authentication token to access synchronized data.

    • How to open: Synchronized data are downloaded raw, and stored in a custom SQLite database. Elcomsoft Phone Viewer is the only product that supports these data.

    Files. iCloud also serves as file storage. By default, any files downloaded by the user through Safari land in an iCloud-synced folder. iCloud Files also include files from macOS computers, Books, and more. iCloud Files are accessible on all devices sharing a common Apple ID.

    Extracting files from the user’s iCloud account requires all of the following:

    • The user’s Apple ID and password
    • One-time code for two-factor authentication, if enabled on the user’s account

    Files can be also extracted with a supported authentication token.

    iCloud Photos. This service uploads all of your photos and videos to iCloud and keeps them up to date across your devices. Technically, iCloud Photos belong to synchronized data, but we listed it separately because photos may belong to several different categories, sometimes simultaneously.

    Downloading iCloud Photos requires all of the following:

    • The user’s Apple ID and password
    • One-time code for two-factor authentication, if enabled on the user’s account

    iCloud Photos belong to the synchronized data category, and, as such, they can be accessed with a supported authentication token.

    My Photo Stream. This is an older incarnation of the media storage service that uploads the most recent photos and keeps them in iCloud for 30 days. My Photo Stream is now legacy, and is no longer available for newly opened Apple IDs. My Photo Stream and iCloud Photos can be enabled or disabled individually, which may result in two copies of the same picture stored in the cloud.

    My Photo Stream is a legacy service that is not available for Apple IDs created during the past several years. For this reason, Elcomsoft Phone Breaker does not support the extraction of My Photo Stream.

    End-to-end encrypted data. Technically, end-to-end encrypted records belong to synchronized data. However, these data are encrypted with a key that can be unlocked with a screen lock passcode (iOS) or macOS account password of one of the trusted devices. End-to-end encrypted data include iCloud keychain (authentication data and passwords), Health, Safari bookmarks and history, call history, iMessages, and several other categories.

    Downloading end-to-end encrypted data requires all of the following:

    • The user’s Apple ID and password
    • One-time code for two-factor authentication, if enabled on the user’s account
    • Screen lock passcode or system password of a trusted Apple device with the same Apple ID

    You cannot use authentication tokens to access end-to-end encrypted data.

    Authentication tokens

    Authentication tokens are stored on the user’s computer to help installed Apple tools avoid re-authentication. In the past, authentication tokens were transferable and could be used to access information in iCloud from another computer. Today, authentication tokens are non-transferable, and can only be used on the computer they were originally created on. When it comes to Elcomsoft Phone Breaker, you can only use authentication tokens created on macOS computers (Windows tokens are useless), and only on the particular macOS computer the token was created on, which essentially limits the use of authentication tokens.

    All previously created authentication tokens immediately expire if the user changes their Apple ID/iCloud password. In addition, the tokens are only valid for a limited time; we don’t know their exact lifespan.

    Supported (non-expired, macOS, same physical computer) authentication tokens can be used to access the following types of data:

    1. Synchronized data except end-to-end encrypted categories
    2. iCloud Photos
    3. iCloud files

    iCloud extraction steps

    To perform an iCloud extraction, you need all of the following.

    1. Elcomsoft Phone Breaker (the latest version)
    2. Basic authentication data: login, password, and a way to pass two-factor authentication
    3. To access end-to-end encrypted data: screen lock passcode or system password from one of the user’s trusted devices (the list will be displayed in the extraction wizard)

    First, run Elcomsoft Phone Breaker and select between iCloud backups and synchronized data. Since downloading an iCloud backup may lead to a temporary account lock, we recommend starting with synchronized data.

    When selecting the types of data to extract, note the different check box colors. If a certain type of data is orange-colored, it means that the category is end-to-end encrypted, and you will need a screen lock passcode or a system password of one of the user’s trusted devices. If you don’t know the passcode, clear all end-to-end encrypted categories.

    If you select at least one end-to-end encrypted type of data, Elcomsoft Phone Breaker will download the list of trusted devices.

    You will need to select one of the trusted devices, then specify its screen lock passcode or system password to continue.

    The data will be downloaded. The download may take a while depending on the size of the data and your Internet connection speed.

    Downloading iCloud backups

    To download iCloud backups, select the first option in Elcomsoft Phone Breaker.

    Provide the user’s Apple ID and password.

    Most Apple accounts nowadays are protected with two-factor authentication.

    Specify the type of two-factor authentication. The most common types are “trusted device” (sends a push message to all of the user’s trusted devices that are online and connected to the Internet), “text message” (an SMS to the trusted SIM card), and “code generator” (a time-limited one-time password generated from the Settings app on a trusted device, which may remain offline). The authentication process is self-explanatory.

    Once you’ve passed two-factor authentication, you will be able to see the list of available backups. Some devices may have several snapshots, which are incremental backup copies. Currently, Apple keeps up to two snapshots per device. Click “See details” to view snapshot data. Elcomsoft Phone Breaker will download all snapshots, and produce the complete backups for each snapshot. The available options are:

    Restore original file names: gives extracted files the same names as on the device. Select this option if you plan to manually analyze the backup. Keep it clear if you are planning to use a third-party forensic tool to analyze the data.

    Download only specific data: selective download, allows quickly extracting only the essential bits and pieces. Keep it clear if you are planning to use a third-party forensic tool to analyze the data.

    Click “Download” to download the backup. The process may take a while.

    Once the backup is downloaded, you may open it in Elcomsoft Phone Viewer by clicking the “Open in EPV” link. Clicking on the “eye” icon opens the folder containing the backup in File Explorer (Win) or Finder (Mac). Third-party tools can be used to analyze iCloud backups downloaded with Elcomsoft Phone Breaker if you keep both options “Restore original file names” and “Download only specific data” clear.

    By Oleg Afonin at 2022-11-17 10:26:45 Source ElcomSoft blog:
    Cloud Forensics: Obtaining iCloud Backups, Media Files and Synchronized Data

  • Advanced Logical Extraction with iOS Forensic Toolkit 8: Cheat Sheet

    Advanced Logical Extraction with iOS Forensic Toolkit 8: Cheat Sheet

    Advanced logical acquisition is the most compatible and least complicated way to access essential evidence stored in Apple devices. In legacy versions of iOS Forensic Toolkit, we offered a 1-2-3 style, menu-driven extraction experience, while the updated release of iOS Forensic Toolkit 8.0 is driven by the command line. In this quick-start guide we will lay out the steps required to extract the largest amount of data from Apple devices via the advanced logical process.

    What is advanced logical acquisition?

    Advanced (or “extended”) logical acquisition is an unofficial name for a set of data extraction methods available for all iPhone, iPad, and iPod Touch devices regardless of the version of iOS installed and regardless of the hardware platform. Advanced logical acquisition includes the extraction of a local backup, media files, shared files, and system crash logs and diagnostic logs. You must be able to unlock the device and pair it to the computer, which requires a screen lock passcode.

    An iTunes-style backup is part of the logical extraction process. In iOS and iPadOS, local backups may be protected (and securely encrypted) with a password. Such password-protected backups have more information available to the examiner compared to unencrypted backups. For this reason, we recommend setting a temporary backup password (e.g., ‘123’) before creating a backup, which requires confirmation with the screen lock passcode. Do not forget to remove the temporary password when you are done; more on that in iOS Backups: Leftover Passwords.

    Note that you can only change the backup password if the original backup password is known or empty. If the device has an unknown backup password, we recommend creating a backup nevertheless. After that, consider resetting the backup password with “Reset All Settings” (not to be confused with “Erase content and settings”, which factory-resets the device).

    Note: changing a backup password in recent versions of iOS requires a screen lock passcode.

    In addition to local backups, extended logical acquisition returns media files, some diagnostic logs and shared app data. Additional information on logical acquisition is available in the following articles:

    Extended logical extraction cheat sheet

    To perform complete logical extraction, follow the steps:

    1. Connect the iPhone to the computer’s USB port.
    2. Once the iPhone is connected to the computer, you will be prompted to establish trust between the device and the computer. On the device, confirm the pairing prompt and enter the screen lock passcode. If the device was not automatically paired, you will need to manually pair the device to the computer by running the following command:
      ./EIFT_cmd normal pair

      On the phone, confirm the “Trust this computer?” prompt.

    3. On the phone, you may be prompted for a passcode if the device is running a recent version of iOS. Enter the screen lock passcode to confirm pairing.
    4. Extract information about the device:
      ./EIFT_cmd info
    5. Check if a backup password is set:
      ./EIFT_cmd normal backuppwcheck

      If you are using an external pairing record file, pass it in the command line. Note: if this is the case, you will have to use the -r switch along with the path to the pairing record for all subsequent commands:

      ./EIFT_cmd normal backuppwcheck -r record.plist

      Check the output, looking for “Backup password” status:

      Started logging Thread!
      Got device:
      Mode: [normal]
      BuildVersion: 16H50 
      DeviceName: iPhone 
      HardwareModel: N53AP 
      Paired: YES 
      PasswordProtected: NO
      ProductName: iPhone OS 
      ProductType: iPhone6,2 
      ProductVersion: 5.4
      SerialNumber:  udid: 
      Loading custom record from=record.plist 
      Checking backup password...
      Backup password is DISABLED 
      Done
    6. If the backup password is enabled, make a password-protected backup nevertheless. After that, consider resetting the backup password with “Reset All Settings” (not to be confused with “Erase content and settings”, which factory-resets the device). To reset the backup password, follow Apple instructions: “On the iPhone, go to [Settings] | [General] | [Reset]. Press [Reset All Settings]; Follow the steps (you will be prompted for device passcode).”
    7. (optional step) If the backup password is empty, you may manually set a known temporary password such as ‘123’. If you don’t, iOS Forensic Toolkit will automatically set a temporary password ‘123’ before the extraction, and remove it afterwards. Either way, the device will prompt for a screen lock passcode. Make sure to enter one quickly as the prompt is only displayed for a limited time.
      ./EIFT_cmd normal backuppwset -p "123"
    8. Make a backup (the last parameter specifies using the current folder; you may provide a different path instead of “./”)
      Note: if the backup password is empty, iOS Forensic Toolkit will automatically attempt to set a temporary backup password of ‘123’. During the process, the device will prompt for a screen lock passcode. Make sure to enter the passcode when prompted. If you don’t, the prompt goes away in a few seconds, and the backup is created without a password.
      ./EIFT_cmd normal backup -o ./

      If you are creating a large backup, you may want to use an external disk as a destination. In that case, use the following syntax:

      ./EIFT_cmd normal backup -o /Volumes/DISKNAME

      DISKNAME is the name of the disk as displayed in Finder. Note that the backup contains multiple files. If you need to attack the backup password, you will only need a single file named manifest.plist.

    9. If you manually enabled a backup password during Step 7, remove that temporary backup password. If you haven’t, iOS Forensic Toolkit will automatically remove the temporary password. Either way, the device will prompt for a screen lock passcode. The prompt will be shown for a limited time. If you miss the prompt, the command will finish, while the temporary password will still be enabled on the device. In this case, you will have to manually remove the backup password. In the example below, “123” is the previously set password. It must be provided as an argument:
      ./EIFT_cmd normal backuppwunset -p "123"
    10. Extract media files via afc. Note that the afc protocol returns media files regardless of the backup password, and is available on Apple TV and Apple Watch devices as well as the iPhone and iPad. In addition to photos and videos, afc returns valuable metadata.
      ./EIFT_cmd normal dumpafc -o afcdump.tar

      If you need to save the file in a different folder or disk, use the following syntax (also applies to subsequent commands):

      ./EIFT_cmd normal dumpafc -o /Volumes/DISKNAME/afcdump.tar
    11. On the iPhone, generate sysdiagnose logs. To do that, hold Vol+, Vol- and Power buttons for 250 milliseconds, then wait up to 5 minutes.
    12. Pull crash logs and diagnostic (sysdiagnose) logs:
      ./EIFT_cmd normal dumpcrash -o crashlogs.tar
    13. Extract shared files (the command below uses a file named “container.tar” in the current folder):
      ./EIFT_cmd normal dumpshared -o container.tar
    14. Decrypt the backup with Elcomsoft Phone Breaker or open it directly in Elcomsoft Phone Viewer providing the known backup password (e.g., 123).

    TL;DR

    Here is the short list of all commands you will need most of the time to perform advanced logical acquisition:

    ./EIFT_cmd info
    ./EIFT_cmd normal backup -o ./
    ./EIFT_cmd normal dumpafc -o afcdump.tar
    ./EIFT_cmd normal dumpcrash -o crashlogs.tar
    ./EIFT_cmd normal dumpshared -o container.tar

    Using lockdown records (pairing records)

    Lockdown records, or pairing records, are files containing cached authentication data for accessing trusted iOS devices without the need to re-pair them to a computer. In specific circumstances (the device’s screen is locked, the screen lock passcode is unknown, and the device’s USB port is not locked with USB restricted mode), a lockdown record may be used to perform advanced logical acquisition of a locked device. Today, the use of lockdown files is limited since lockdown files expire quickly.

    The lockdown files are stored in the following folders.

    Windows Vista, 7, 8, 8.1, Windows 10 and 11:

    %ProgramData%\Apple\Lockdown

    Windows XP:

    %AllUsersProfile%\Application Data\Apple\Lockdown

    macOS:

    /var/db/lockdown

    When performing live system analysis, a permission change is required to access lockdown files. More information on extracting lockdown files: Accessing Lockdown Files on macOS

    When performing advanced logical acquisition, using a lockdown file requires an argument added to each command. For example, device information (also available in BFU mode) will use the following syntax (replace “record.plist” with a path to a lockdown file; please observe the UDID listed in the lockdown file, which must match the UDID of the device being extracted):

    ./EIFT_cmd info -r record.plist

    If you were unable to unlock the device with a certain lockdown file, you may try other lockdown files obtained from that computer (once again, observe the UDID match). If still not successful, the lockdown record may be already expired, in which case you will need to unlock the device and establish a new pairing relationship, which requires a screen lock passcode.

    By Oleg Afonin at 2022-11-15 14:32:20 Source ElcomSoft blog:
    Advanced Logical Extraction with iOS Forensic Toolkit 8: Cheat Sheet

  • iOS Backups: Leftover Passwords

    iOS Backups: Leftover Passwords

    In Apple ecosystem, logical acquisition is the most convenient and the most compatible extraction method, with local backups being a major contributor. Password-protected backups contain significantly more information than unencrypted backups, which is why many forensic tools including iOS Forensic Toolkit automatically apply a temporary backup password before creating a backup. If a temporary password is not removed after the extraction, subsequent extraction attempts, especially made with a different tool, will produce encrypted backups protected with an effectively unknown password. In this article we’ll talk about why this happens and how to deal with it.

    Password-protected iOS backups

    An iTunes-style backup is a major part of the logical extraction process. In iOS and iPadOS, local backups may be protected and securely encrypted with a password. If a backup is protected with a password, some information (such as the keychain) is encrypted with the same password as the rest of the backup. If, however, the backup is not protected with a password, iOS still encrypts the keychain using encryption keys specific to a particular device. This means that the keychain from an unencrypted backup can only be restored onto exactly the physical device the backup was captured from, while password-protected backups can be restored onto the same or different hardware. In addition, certain sensitive information (such as Health, Safari history, etc.) is not included in unencrypted backups at all.

    More information: About encrypted backups on your iPhone, iPad, or iPod touch – Apple Support

    The issue of leftover passwords

    Since password-protected backups offer more available information than unencrypted backups, we recommend setting a temporary backup password (e.g., ‘123’) when performing logical acquisition. The password must be created before creating a backup and removed after the backup is captured. iOS Forensic Toolkit attempts to automatically apply a temporary password before the extraction, and remove it once the process is finished. The process, however, requires some manual intervention as iOS prompts for a manual entry of the screen lock passcode on the device when setting or removing the backup password. The prompt is only displayed for a limited time. If the prompt expires without user input, the operation will continue without changing or removing the backup password.

    The screen lock passcode must be manually entered on the iOS device when assigning and removing the backup password. The procedure is identical regardless of the tool; the same prompt will be displayed if you attempt to change or remove the backup password from iTunes or Finder. The prompt will be displayed on the iPhone for a limited time. If the expert skips the prompt before the extraction, the backup will be created without a password. If, however, the expert skips the prompt displayed after the extraction, the temporary backup password will be left on the device. For this reason, we strongly recommend checking the state of the backup password before and after the extraction, and removing the temporary backup password if one is accidentally left on the device.

    Depending on the amount of data, making a local backup may take a while, which makes it possible for the expert to miss the end of the process and correspondingly miss the limited-time prompt on the device. If this happens, the temporary backup password cannot be removed automatically and is left on the device.

    If the device you are extracting was previously extracted with a third-party forensic tool, it may have a ‘leftover’ backup password on it.

    What can you do with an unknown backup password?

    There are generally three approaches to unknown backup passwords.

    1. Try one of the passwords that are commonly set by the different forensic tools.
    2. Try attacking the password with Elcomsoft Phone Breaker. Note that the speed of the attack will be extremely slow (several passwords a minute) due to increased backup security in iOS 10.2.
    3. Consider resetting the backup password. This should be only considered as the last resort due to multiple implications.

    Leftover passwords set by forensic tools

    iOS Forensic Toolkit as well as other forensic tools may automatically set a temporary password before the extraction. If a temporary password is not removed afterwards, try one of the following passwords:

    • Elcomsoft iOS Forensic Toolkit: 123
    • Cellebrite UFED: 1234
    • MSAB XRY: 1234
    • Belkasoft Evidence Center: 12345
    • Oxygen Forensic Detective: 123456 (or oxygen for older versions)
    • Magnet AXIOM: mag123
    • MOBILedit Forensic: 123

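    As an added example (not part of the original article or of iOS Forensic Toolkit), the following Python script parses the output of ./EIFT_cmd normal backuppwcheck as shown in the advanced logical cheat sheet, compares the backup password state before and after an extraction, and reports either a leftover temporary password or a pre-existing one together with the candidate passwords listed above. Both sample outputs are constructed (the first mirrors the cheat sheet’s sample); the function names and verdict strings are my own.

```python
"""Check for leftover iOS backup passwords from EIFT backuppwcheck output."""
import re
from typing import Dict, List, Optional

# Temporary backup passwords set by forensic tools, as listed in the article.
KNOWN_TOOL_PASSWORDS = {
    "Elcomsoft iOS Forensic Toolkit": ["123"],
    "Cellebrite UFED": ["1234"],
    "MSAB XRY": ["1234"],
    "Belkasoft Evidence Center": ["12345"],
    "Oxygen Forensic Detective": ["123456", "oxygen"],
    "Magnet AXIOM": ["mag123"],
    "MOBILedit Forensic": ["123"],
}

# Constructed sample: mirrors the cheat sheet's backuppwcheck output (password disabled).
OUTPUT_BEFORE = """Started logging Thread!
Got device:
Mode: [normal]
BuildVersion: 16H50
DeviceName: iPhone
HardwareModel: N53AP
Paired: YES
PasswordProtected: NO
ProductName: iPhone OS
ProductType: iPhone6,2
ProductVersion: 5.4
SerialNumber:  udid:
Loading custom record from=record.plist
Checking backup password...
Backup password is DISABLED
Done
"""

# Constructed sample: the same device after an extraction in which the
# post-extraction passcode prompt was missed, so the temporary password stayed.
OUTPUT_AFTER = OUTPUT_BEFORE.replace("Backup password is DISABLED",
                                     "Backup password is ENABLED")

_STATUS_RE = re.compile(r"Backup password is (ENABLED|DISABLED)")
# "key: value" pairs; a lookahead stops a value at the next "key:" on the same
# line so that "SerialNumber:  udid:" yields two empty values instead of one bogus one.
_PAIR_RE = re.compile(r"(\w+):\s*(.*?)(?=\s*\w+:|$)")


def parse_backuppwcheck(output: str) -> Dict[str, str]:
    """Turn backuppwcheck output into a dict of device fields plus 'BackupPassword'."""
    fields: Dict[str, str] = {}
    for raw in output.splitlines():
        line = raw.strip()
        status = _STATUS_RE.match(line)
        if status:
            fields["BackupPassword"] = status.group(1)
            continue
        for key, value in _PAIR_RE.findall(line):
            value = value.strip()
            if value:  # skip empty fields such as 'SerialNumber:' and 'Got device:'
                fields[key] = value
    return fields


def backup_password_state(output: str) -> Optional[bool]:
    """True if a backup password is set, False if not, None if the status line is missing."""
    state = parse_backuppwcheck(output).get("BackupPassword")
    return None if state is None else state == "ENABLED"


def candidate_passwords() -> List[str]:
    """Known tool passwords in article order, duplicates removed, EIFT's own first."""
    seen: List[str] = []
    for passwords in KNOWN_TOOL_PASSWORDS.values():
        seen.extend(p for p in passwords if p not in seen)
    return seen


def leftover_password_verdict(before: str, after: str, temp_password: str = "123") -> str:
    """Compare pre- and post-extraction states and say what the examiner should do next."""
    pre, post = backup_password_state(before), backup_password_state(after)
    if pre is None or post is None:
        return "UNDETERMINED: no 'Backup password is ...' line; rerun backuppwcheck"
    if pre:
        return ("PREEXISTING: a backup password was already set before extraction; "
                "try known tool passwords (" + ", ".join(candidate_passwords()) +
                ") before attempting recovery or Reset All Settings")
    if post:
        return (f"LEFTOVER: temporary password '{temp_password}' is still set; remove it "
                f"with ./EIFT_cmd normal backuppwunset -p \"{temp_password}\"")
    return "CLEAN"


if __name__ == "__main__":
    device = parse_backuppwcheck(OUTPUT_BEFORE)
    print(f"{device['ProductType']} paired={device['Paired']} iOS {device['ProductVersion']}")
    print(leftover_password_verdict(OUTPUT_BEFORE, OUTPUT_AFTER))
```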
    Recovering the backup password

    If none of the passwords match, you may attempt to attack the backup password using Elcomsoft Phone Breaker or Elcomsoft Distributed Password Recovery. For this, produce a password-protected backup first, then open it in the tool of your choice. Since iOS 10.2, Apple has hardened the security of password-protected backups following the vulnerability discovered in iOS 10.0. A GPU-assisted attack performed on a single computer delivers a speed of up to a hundred passwords per second (depending on the GPU), while a CPU-only attack can only try a handful of passwords per minute. For this reason, we can only realistically recommend attacks based on very short, targeted dictionaries.

    Resetting the backup password: the last resort

    If you were unable to guess or recover the backup password, we recommend saving a password-protected backup nevertheless. After that, consider resetting the backup password with “Reset All Settings” (not to be confused with “Erase content and settings”, which factory-resets the device).

    Since iOS 11, Apple makes it possible to reset the backup password on the iPhone by using the following steps.

    • Unlock the iPhone with Touch ID, Face ID or passcode.
    • Open the Settings app and navigate to General.
    • Scroll all the way down and tap Reset.
    • Tap and confirm Reset All Settings.
    • Enter the iPhone passcode if one is enabled.

    The “Reset All Settings” command will erase the following settings:

    • Display brightness
    • Whether or not to display battery percentage
    • All Wi-Fi passwords (but not any other passwords or tokens stored in the Keychain)
    • apple.wifi.plist
    • iTunes backup password
    • The passcode

    Please note that the device’s screen lock passcode is also removed when you use the “Reset All Settings” command. Removing the screen lock passcode has multiple important implications, as it disables certain iCloud-related features (such as end-to-end encryption and the synchronization of end-to-end encrypted data) and erases certain types of data (such as Apple Pay transactions, Exchange downloaded mail and accounts, and more). For this reason, resetting the backup password should only be considered as a last resort.

    By Oleg Afonin at 2022-11-10 13:13:07 Source ElcomSoft blog:
    iOS Backups: Leftover Passwords

  • checkm8 Extraction Cheat Sheet: iPhone and iPad Devices

    checkm8 Extraction Cheat Sheet: iPhone and iPad Devices

    The newly released iOS Forensic Toolkit 8.0 delivers forensically sound checkm8 extraction powered with a command-line interface. The new user experience offers full control over the extraction process, yet mastering the right workflow may become a challenge for those unfamiliar with command-line tools. In this quick-start guide we will lay out the steps required to perform a clean, forensically sound extraction of a compatible iPhone or iPad device.

    Before you begin

    Before you begin, make sure you have everything required to perform the extraction. Since checkm8 is a very specific exploit, you’ll need all of the following to do the job.

    • A Mac computer. You will need a real Mac computer (no VMs) to install the exploit and perform the extraction. We support both Intel and M1-based Macs.
    • iOS Forensic Toolkit 8 for Mac. Note that you will need the Mac edition of the tool.
    • A supported iPhone or iPad device (the full list is available at the bottom of the page). The device must be functional enough to be placed into DFU mode. Locked and USB-restricted devices are supported.
    • Screen lock passcode must be known or empty. Otherwise, limited BFU extraction may be available, but very little information can be obtained this way.
    • A supported version of iOS. Note that iPhone devices running iOS 16.x only have limited support for checkm8 extraction.
    • A USB-A to Lightning cable. Type-C to Lightning cables are not supported. Use a USB-A to Type-C adapter or, better yet, a USB hub.
    • You will have to determine the exact version and build number of iOS installed on the iPhone. EIFT will attempt to detect the iOS version and build number automatically during the procedure.

    You must be able to download the official Apple firmware (the download link will be provided during the extraction) that matches the iOS version installed on the device.

    Extracting iOS 15 and older devices

    First, disable the auto boot feature of the device to avoid rebooting into iOS if the DFU sequence is wrong. To disable auto boot:

    Power off the device if it is powered on.

    Place the device in Recovery mode (see next chapter) and connect it to the computer. The device should display the “connect to iTunes” screen.

    On the computer, run the following command:

    ./EIFT_cmd tools autobootFalse

    (Re-enable auto boot before returning a seized device with ./EIFT_cmd tools autobootTrue).

    Run EIFT in wait mode:

    ./EIFT_cmd boot -w

    If the device is not in Recovery, place it into Recovery mode. Please refer to the next chapter for instructions.

    From Recovery, place the device in DFU (refer to the next chapter for instructions). Once the device is in DFU, EIFT will automatically detect the device and apply the exploit. After that, run the following commands:

    ./EIFT_cmd ramdisk loadnfcd
    
    ./EIFT_cmd ramdisk unlockdata -s
    
    ./EIFT_cmd ramdisk keychain -o (unknown)
    
    ./EIFT_cmd ramdisk tar -o (unknown)

    Re-enable auto boot before returning a seized device (note: do not re-enable auto boot if you intend to continue working with the device):

    ./EIFT_cmd tools autobootTrue

    Power off the device:

    ./EIFT_cmd ssh halt

    Extracting iOS 16 devices

    First, disable the auto boot feature of the device to avoid rebooting into iOS if the DFU sequence is wrong. To disable auto boot:

    Power off the device if it is powered on.

    Place the device in Recovery mode (see next chapter) and connect it to the computer. The device should display the “connect to iTunes” screen.

    On the computer, run the following command:

    ./EIFT_cmd tools autobootFalse

    (Re-enable auto boot before returning a seized device with ./EIFT_cmd tools autobootTrue).

    Run EIFT in wait mode:

    ./EIFT_cmd boot -w

    If the device is not in Recovery, place it into Recovery mode. Please refer to the next chapter for instructions.

    From Recovery, place the device in DFU (refer to the next chapter for instructions). Once the device is in DFU, EIFT will automatically detect the device and apply the exploit.

    Please note: you will need to download the matching firmware file from Apple servers, or specify a download link when prompted.

    After that, run the following commands:

    ./EIFT_cmd ramdisk unlockdata
    
    ./EIFT_cmd ramdisk keychain -o (unknown)
    
    ./EIFT_cmd ramdisk tar -o (unknown)

    Re-enable auto boot before returning a seized device (note: do not re-enable auto boot if you intend to continue working with the device):

    ./EIFT_cmd tools autobootTrue

    Power off the device:

    ./EIFT_cmd ssh halt
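    The two post-exploit command sequences above (iOS 15 and older, and iOS 16), as an added example that is not part of the ElcomSoft cheat sheet: a POSIX sh wrapper that runs the steps in order, stops at the first failing step, records every command line with a timestamp in an audit log, and writes a SHA-256 manifest of the resulting artifacts. It assumes EIFT_CMD points at the EIFT_cmd binary and that the -o arguments of keychain and tar take an output file path (the real paths are elided on the page, so the file names are placeholders); placing the device in DFU and applying the exploit still happen by hand before it is called.

```shell
#!/bin/sh
# Added example, not ElcomSoft's own script. Wraps the post-exploit EIFT
# sequences from the cheat sheet for iOS 15-and-older and iOS 16 devices.
# Assumptions: EIFT_CMD is the path to the EIFT_cmd binary (default ./EIFT_cmd)
# and "keychain -o" / "tar -o" take an output file path; the page elides the
# real paths, so the file names used below are placeholders.

EIFT_CMD="${EIFT_CMD:-./EIFT_cmd}"

# Prefer sha256sum (Linux) and fall back to shasum (macOS, where EIFT runs).
sha256_tool() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$@"; else shasum -a 256 "$@"; fi
}

# Run one EIFT step and append the exact command line, with a UTC timestamp,
# to an audit log so the examiner keeps a record of what was executed.
eift_step() {
    log="$1"; shift
    printf '%s %s %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$EIFT_CMD" "$*" >> "$log"
    "$EIFT_CMD" "$@"
}

# eift_extract OUT_DIR IOS_MAJOR [reenable]
#   OUT_DIR   receives the keychain, the file system tar, the audit log and a
#             SHA256SUMS manifest
#   IOS_MAJOR 16 selects the iOS 16 sequence (no loadnfcd, no "-s"); anything
#             else selects the iOS 15-and-older sequence
#   reenable  pass the word "reenable" to run "tools autobootTrue" before the
#             halt; omit it if you intend to keep working with the device
# Returns non-zero as soon as a step fails, so no later step runs on a device
# whose earlier step did not succeed.
eift_extract() {
    out="$1"; ios_major="$2"; reenable="$3"
    mkdir -p "$out" || return 1
    log="$out/eift_audit.log"
    if [ "$ios_major" = 16 ]; then
        eift_step "$log" ramdisk unlockdata || return 1
    else
        eift_step "$log" ramdisk loadnfcd || return 1
        eift_step "$log" ramdisk unlockdata -s || return 1
    fi
    eift_step "$log" ramdisk keychain -o "$out/keychain.out" || return 1  # placeholder name
    eift_step "$log" ramdisk tar -o "$out/filesystem.tar" || return 1    # placeholder name
    if [ "$reenable" = reenable ]; then
        eift_step "$log" tools autobootTrue || return 1
    fi
    eift_step "$log" ssh halt || return 1
    # Integrity manifest of every artifact (the manifest itself excluded).
    for f in "$out"/*; do
        case "$f" in */SHA256SUMS) continue ;; esac
        sha256_tool "$f" || return 1
    done > "$out/SHA256SUMS"
}
```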

    Entering DFU mode

    Placing the device in DFU mode can be tricky, especially if you’ve never done it before. Steps to enter DFU are different for different device models, and there is no on-screen indication of successfully entering DFU. You must follow the steps while carefully observing the timings, and the end result will be a blank screen. We strongly recommend placing the device in recovery mode first, and entering DFU from recovery.

    iPhone 6s, 6s Plus and older

    Step 1: enter Recovery

    On the iPhone 7, iPhone 7 Plus:

    • Make sure that the device is powered off. If not, power it off normally.
    • Press and hold the Vol- button.
    • Keep holding the button; connect the iPhone to the computer.
    • Still keep holding the button until the device displays the recovery screen.

    On the iPhone 6s and older devices including iPhone SE (1st generation):

    • Make sure that the device is powered off. If not, power it off normally.
    • Press and hold the Home button.
    • Keep holding the button; connect the iPhone to the computer.
    • Still keep holding the button until the device displays the recovery screen.

    Step 2: enter DFU

    On the iPhone 6s and older devices including iPhone SE (1st generation):

    • Press the Power button (or the side button) and the Home (Touch ID) button. Hold for exactly 8 seconds.
    • Release the Power (side) button; keep holding the Home button for exactly 8 seconds.

    On the iPhone 7 and 7 Plus:

    • Press the side button and the Vol- button. Hold for exactly 8 seconds.
    • Release the side button; keep holding the Vol- button for exactly 8 seconds.

    The iPhone screen will remain black. If you see the recovery screen or if the device starts booting into iOS, repeat the steps from the beginning.

    iPhone 8, 8 Plus and iPhone X

    Devices based on the A11 Bionic have two slightly different DFU modes. Placing the device in the correct DFU mode is critical for successful acquisition. The correct procedure involves the recovery mode as a required first step.

    Step 1: enter Recovery

    For iPhone 8, 8 Plus and iPhone X devices use the following sequence:

    • Make sure that the device is powered off. If not, power it off normally.
    • Press and hold the side button.
    • Keep holding the button and quickly connect the iPhone to the computer. If you are not fast enough, the device may begin the boot sequence.
    • Still keep holding the button until the device displays the recovery screen.

    Step 2: entering DFU for iPhone 8, 8 Plus and iPhone X devices

    Keep the iPhone connected to the computer, then launch iOS Forensic Toolkit in wait mode:

    ./EIFT_cmd boot -w

    On the iPhone 8, 8 Plus or iPhone X:

    • Press and release Vol+ quickly
    • Press and release Vol- quickly
    • Press and hold the side button until iOS Forensic Toolkit prints “iPhone disconnected”. This message means the iPhone has been disconnected from the computer.
    • While still holding the side button, press and hold Vol- for exactly 4 seconds.
    • Release the side button (keep holding Vol-).
    • iOS Forensic Toolkit will detect the iPhone in DFU mode. Once this happens, release Vol-.

    Note: if you keep holding a button for longer than 4 seconds, the iPhone may reboot instead of entering DFU. Disable auto boot and practice with another device before the extraction.

    Other ways to place an iPhone into DFU

    If the device cannot be placed in DFU via regular means (for example, if one of the buttons is broken), use the following guide:

    DFU steps for iPad, Apple TV, and iPod Touch devices:

    Checkm8 extraction requires a certain level of practice, particularly with placing devices into DFU. A wrong DFU sequence may reboot the device into iOS.

    Practice DFU mode with a known good device before the extraction!

    If the device is running iOS 16, the extraction steps will be slightly different compared to older iOS versions.

    Compatible devices

    iOS Forensic Toolkit 8 supports checkm8 extraction for the following models:

    • iPhone 5S (iPhone6,1): A1453, A1533
    • iPhone 5S (iPhone6,2): A1457, A1518, A1528, A1530
    • iPhone 6 (iPhone7,2): A1549, A1586, A1589
    • iPhone 6 Plus (iPhone7,1): A1522, A1524, A1593
    • iPhone 6s (iPhone8,1): A1633, A1688, A1691, A1700
    • iPhone 6s Plus (iPhone8,2): A1634, A1687, A1690, A1699
    • iPhone SE (iPhone8,4): A1662, A1723, A1724
    • iPhone 7 (iPhone9,1 and iPhone9,3): A1778, A1660, A1780, A1779, A1853, A1866
    • iPhone 7 Plus (iPhone9,2 and iPhone9,4): A1784, A1661, A1785, A1786
    • iPhone 8 (iPhone10,1/iPhone10,4): A1863, A1905, A1906, A1907
    • iPhone 8 Plus (iPhone10,2/iPhone10,5): A1864, A1897, A1898, A1899
    • iPhone X (iPhone10,3/iPhone10,6): A1865, A1901, A1902, A1903

    In addition, support is available for the following models:

    • iPod Touch 6/7: A1574, A2178
    • iPad Air 1/2: A1474, A1475, A1476, A1566, A1567
    • iPad Mini 2/3/4: A1489, A1490, A1491, A1599, A1600, A1601, A1538, A1550
    • iPad 5/6/7: A1822, A1823, A1893, A1954, A2197, A2198, A2200
    • iPad Pro 1/2: A1584, A1652, A1670, A1671, A1673, A1674, A1675, A1701, A1709, A1821, A1852, A1934, A1979, A1980, A2013

    checkm8 extraction is also supported for 32-bit devices such as the iPod Touch 5, iPad 2/3/4, and iPad Mini. However, the steps are slightly different, and some devices require an additional Raspberry Pi Pico board to apply the exploit.

    By Oleg Afonin at 2022-11-03 13:50:26 Source ElcomSoft blog:
    checkm8 Extraction Cheat Sheet: iPhone and iPad Devices

  • How to Put Apple TV 3 (2012-2013), Apple TV HD (2015) and Apple TV 4K (2017) into DFU

    How to Put Apple TV 3 (2012-2013), Apple TV HD (2015) and Apple TV 4K (2017) into DFU

    The title says it all. In this article we’ll explain the steps required to put the listed Apple TV models into DFU mode. These Apple TV models are based on the A5, A8, and A10X chips that are susceptible to the checkm8 exploit and checkm8-based extraction with iOS Forensic Toolkit 8, and DFU mode is the required initial step of the process.

    Why DFU?

    Mobile forensics is not limited to phones and tablets. Many types of devices including wearables and IoT devices contain valuable evidence. Some Apple TV models are compatible with the familiar checkm8 exploit and the same low-level extraction method we use for extracting data from the iPhone. The initial step for applying the checkm8 exploit requires placing the device in DFU mode, which is exactly what we are writing about.

    Note: there are two additional Apple TV 4K models released in 2021 (A12 Bionic) and 2022 (A15 Bionic). These models are no longer compatible with the checkm8 exploit.

    Apple TV 3 (2012 and 2013)

    There are two different Apple TV 3 models with slightly different A5 chips. The A1427 (2012) is based on the dual-core version of the A5 chip with one core disabled, while the updated 2013 model A1469 is based on a different A5 chip that only has a single physical core. Aside from the slightly lower power consumption of the newer chip, both models are otherwise identical. The Apple TV 3 is no longer sold by Apple. Both models are compatible with the checkm8 exploit and the extraction method used in iOS Forensic Toolkit 8.

    The two models also share the same DFU process. To place an Apple TV 3 into DFU, you will only need its remote control unit. Unlike in newer models, there is no need to pair the remote to a particular device. The steps are:

    1. Make sure the device is connected to power and is turned on
    2. Make sure the device is connected to the computer using a micro-USB cable
    3. Press and hold the Down (1) and Menu (2) buttons until the LED starts flashing very quickly (6 seconds)
    4. Release both buttons
    5. Quickly press and hold the Play (3) and Menu (2) buttons until the LED starts flashing very quickly (6 seconds)
    6. Release both buttons

    Note: It is important to actually release both buttons. It will not work if you just keep holding the Menu button without releasing it!

    The Down, Menu and Play buttons are marked as (1), (2) and (3) respectively.

    If you have done it correctly, the Apple TV should now be in DFU mode.

    Important: applying the checkm8 exploit on the first-generation Apple TV 3 (A1427) requires a Raspberry Pi Pico board. The workflow is similar to the iPhone 4s. The newer Apple TV 3 (2013) does not require an external microcontroller.

    Apple TV HD (4th Generation)

    The original Apple TV 4 was released back in 2017, featuring the new Siri remote. In 2021, it was updated with a redesigned Siri remote control and renamed to Apple TV HD. The main unit remained largely unchanged: it is still based on the Apple A8 chip and still has the bootloader vulnerability unpatched. The Apple TV HD with the new Siri remote is still present in Apple’s product range.

    The remote control will be used to place the device into DFU. We tested both the original and new Siri remotes, and the steps are identical for the two. Please note that the Siri remote must be paired to the Apple TV device, as it no longer communicates with the box via the IR channel even though the IR transmitter and receiver are still there. The Apple TV 4 and Apple TV HD feature a USB-C port that can be used to connect the device to the computer, which means you will need a Type-C cable to connect the device in addition to the remote control.

    To place the Apple TV 4 or Apple TV HD into DFU, follow these steps.

    1. Make sure the device is connected to power and is turned on
    2. Connect the device to the computer using a USB-C cable
    3. Press and hold the Menu and Play buttons until the LED starts flashing rapidly (6 seconds)
    4. Release both buttons

    The Menu and Play buttons are marked for Siri Remote 1 and Siri Remote 2 respectively.

    Apple TV 4K (2017)

    Released back in 2017, the first-generation Apple TV 4K was based on the A10X chip. The device is susceptible to the checkm8 exploit, and is supported by iOS Forensic Toolkit. Unlike previous models, the Apple TV 4K does not have a built-in USB port to connect the device to the computer. For this reason, you will need additional hardware to place the device into DFU and to connect it to the computer for the purpose of data extraction.


    A hidden port was discovered under the Ethernet (RJ45) socket. A special connector is now available, the GoldenEye (or Foxlink X892), which is available for around 40€. With this adapter, you can connect your Apple TV 4K using a standard Lightning cable and perform logical acquisition. However, this adapter alone is not enough to perform the checkm8 extraction.

    In order to apply the checkm8 exploit, the device must first be placed into DFU mode. The Apple TV 4 (Apple TV HD) and older models can be placed into DFU using the remote control with a special combination of buttons. This is not the case for the Apple TV 4K. While you can place the 4K model into DFU with a special breakout cable, its installation is difficult and requires soldering skills. Instead, we recommend a much easier solution that uses the DCSD cable (The Mysterious Apple DCSD Cable Demystified). The adapter is easily available at around 20€.

    To place the Apple TV 4K into DFU, use the following steps.

    1. Disconnect the device from the power source
    2. Connect the DCSD cable to the computer’s USB port
    3. Connect the GoldenEye adapter to the DCSD cable (using Lightning)
    4. Connect the GoldenEye to the Apple TV 4K
    5. Connect the Apple TV 4K to the power source

    After that, the Apple TV 4K automatically boots into DFU.

    Conclusion

    Placing the three generations of Apple TV into DFU requires different steps. The Apple TV 3 can be placed into DFU with a matching IR remote, while the Apple TV 4 and Apple TV HD require a paired Siri remote. The first-generation Apple TV 4K requires additional adapters to place the device into DFU and connect it to the computer, but simply connecting the adapter to the box is enough to make it boot into DFU.

    By Oleg Afonin at 2022-10-31 15:09:50 Source ElcomSoft blog:
    How to Put Apple TV 3 (2012-2013), Apple TV HD (2015) and Apple TV 4K (2017) into DFU