Elcomsoft iOS Forensic Toolkit 5.40: file system acquisition without a jailbreak for iOS 11-13.3
The updated iOS Forensic Toolkit 5.40 brings full file system acquisition without a jailbreak to more devices than ever. The new agent-based extraction method is now available a large range of Apple devices up to and including the iPhone 11 range. Supported versions of iOS range from iOS 11 all the way through iOS 13.3 depending on the device. You still need a Developer account with Apple to install the extraction agent, but that is a small price to pay for the safe, reliable and forensically sound extraction.
Get Elcomsoft iOS Forensic Toolkit
What’s it all about
Physical acquisition of 64-bit iOS devices (file system imaging and keychain decryption) requires privilege escalation in order to enable low-level access to protected data. During the past years, we’ve been relying on public jailbreaks to obtain the required low-level access. iOS Forensic Toolkit 5.40 introduced jailbreak-free extraction, enabling direct acquisition on a limited range of devices and versions of iOS.
Today, it’s limited no more. iOS Forensic Toolkit 5.40 offers direct, forensically sound extraction without a jailbreak of virtually any iOS device up to and including the latest iPhone 11 range if one is running any version of iOS 11 through 13.3 (with few exceptions for the no longer supported iPhone 5s and 6).
We’ve also added support for corresponding iPad devices. Finally, agent-based extraction is also available on many beta versions of iOS in the iOS 11-13.3 range, for which no jailbreaks are available.
What about the limitations? You’ll have to use an Apple ID enrolled in Apple’s Developer Program in order to sign the extraction agent.
More about this release in our blog:
- Why Mobile Forensic Specialists Need a Developer Account with Apple
- Full file system and keychain extraction: now with iOS 13 and iPhone 11 support
The new agent-based, jailbreak-free acquisition method extracts exactly the same amount of data as jailbreak-based acquisition methods. In other words, the full file system image and all keychain records are extracted and decrypted.
Compatibility and requirements
Supported devices include the following models:
- iPhone 6s through iPhone 11, 11 Pro and 11 Pro Max: iOS 11-13.3 without gaps
- iPhone 5s and iPhone 6: iOS 11-12.2, iOS 12.4
- iPad models based on A9..A12/A12x SoC are also fully supported (iOS 11 to 13.3)
In addition, you have to use a valid Apple ID enrolled in Apple’s Developer Program to sign the agent.
Facebook activity log extraction is now supported by PC collector
For more information, please visit Cellebrite: