Jun 09, 2022 / By Wael Alnahari / in Digital Forensics
iOS Forensic Toolkit 7.40 brings gapless low-level extraction support for several iOS versions up to and including iOS 15.1 (15.1.1 on some devices), adding compatibility with previously unsupported versions of iOS 14.
Low-level extraction is commonly used by forensic specialists to obtain digital evidence not otherwise accessible via the lighter and simpler logical acquisition process. Elcomsoft pioneered agent-based low-level extraction, utilizing a lightweight app for accessing the file system and establishing a communication channel between the expert’s computer and the device being extracted. Once sideloaded onto the device, the extraction agent applies an exploit to obtain superuser privileges and gain low-level access to the file system.
Prior to this update, iOS Forensic Toolkit could perform low-level extraction of most iPhone models running iOS 9 through iOS 14.8, iOS 15-15.1, and iOS 15.1.1 on select platforms. For the A14 platform specifically, the extraction agent supported only iOS 14.0-14.3 and 15.0-15.1, leaving the remaining iOS 14 builds unsupported. This made for a rather fragmented support matrix. In this release, we closed the two remaining gaps, once again offering truly gapless file system extraction for all supported platforms. With this update, full file system extraction is possible for iOS 9.0 through 15.1 on all iPhone and iPad models that can run these versions of iOS, and for iOS 15.1.1 on some models.
There are several extraction methods of varying complexity and compatibility. Logical acquisition is the most compatible and the easiest to use, yet it returns the least data. Low-level extraction delivers tangible extras such as location data, comprehensive device usage statistics, and all sandboxed app data, including communication histories from the most secure messaging apps.
Low-level extraction comes in multiple flavors, checkm8 being the cleanest and jailbreaks being the most obtrusive of the pack. Agent-based acquisition is second best to checkm8, delivering robust file system extraction for all Apple devices running a compatible version of iOS. Agent-based extraction comes as close to being forensically sound as possible: it only installs a lightweight app and does not alter any user data.
What makes a certain iOS version ‘compatible’ with the agent? The extraction agent obtains the required level of privileges by exploiting one of the known vulnerabilities in the iOS kernel. To do this, the app packs a number of kernel-level exploits and uses one or another to escape its sandbox and access the file system. Such exploits require time and effort to find and to implement, while Apple actively patches known vulnerabilities in iOS updates. This is why the latest versions of iOS are generally immune to exploits developed for earlier builds (although we know of several exceptions).
In earlier versions of iOS Forensic Toolkit, we supported iOS versions up to and including iOS 14.8. We also supported iOS 15.0-15.1 on all compatible devices, and iOS 15.1.1 on some platforms. iOS 14.8.1 was notably missing from the list due to the lack of a proper exploit.
For other iOS versions including iOS 15, the extraction agent relied on kernel exploits that are publicly available. The situation is different with iOS 14.8.1, which does not have a public exploit. For this iOS build we incorporated a new, unpublished exploit, making our extraction agent the first tool of its kind to support this version of iOS.
Prior to this release, we supported iOS 15.0-15.1 on all platforms, and iOS 15.1.1 on some devices. Notably, on Apple A14 Bionic devices the entire range of iOS 14.4-14.8.1 was not supported. iOS Forensic Toolkit 7.40 brings iOS 14.4-14.8.1 support to A14 devices, now offering gapless coverage of all compatible devices and all versions of iOS ranging from iOS 9.0 through 15.1.1.
You’ll need a supported iPhone or iPad device running a compatible version of iOS. Please refer to the following picture for the matrix of supported device models and iOS versions:
Using an Apple ID registered in Apple’s Developer Program is strongly recommended for installing the agent, as it removes the need to open Internet access on the device. A workaround is available to Mac users. Comprehensive instructions on How to Sideload the Extraction Agent are available in our blog.
To extract the file system and decrypt the keychain from an iOS device without a jailbreak, follow these steps.
By Oleg Afonin at 2022-06-09 10:55:31. Source: ElcomSoft blog.