Do you have to know which SoC a certain Apple device is based on? If you are working in mobile forensics, the answer is positive. Along with the version of iOS/watchOS/iPadOS, the SoC is one of the deciding factors that affects the data extraction paths available in each case. Read this article to better understand your options for each generation of Apple platforms.
It’s been more than a year since we compiled essential information on Apple mobile devices into a single easy-to-use table; see Apple Mobile Devices Cheat Sheet. There have been several updates since then, and we added more information on the available acquisition methods.
We covered the possible acquisition scenarios in iPhone Acquisition Methods Compared, but that article is slightly outdated too. The compatibility matrix currently looks as follows:
What do the colors mean?
checkm8 acquisition is something very special. Our tools support it for iPhones up to and including the iPhone X. At this time, the following devices are not supported even if their SoC has the bootloader vulnerability exploited by checkm8:
On the other side, we do support the Apple Watch Series 3. It does not appear in the table, yet the S3 model is compatible with the checkm8 exploit, and we can extract the keychain and the file system for all watchOS versions. To make it easier, here is the full list of devices with checkm8 support (in fact, iPhone 4 is handled with another bootloader exploit):
Agent acquisition is 100% compatible with all iPod models “corresponding” to the iPhones.
As for the iOS versions, there are some notes too:
Sounds confusing? With the number of models and OS versions, it is virtually impossible to provide a straightforward roadmap, step by step instructions, or implement a single push button solution.
“We have a tool for that!” For everything low-level, including agent-based and checkm8-based extractions, use Elcomsoft iOS Forensic Toolkit. Note that you’ll need the Mac edition of the tool for checkm8 extractions. Also use the Toolkit for advanced logical extractions as well as file system imaging with jailbreaks. Finally, if you have a legacy 32-bit iPhone protected with an unknown passcode, Elcomsoft iOS Forensic Toolkit is the tool to use to unlock the device.
Use Elcomsoft Phone Breaker for everything cloud related. Cloud backups, iCloud Photos, synchronized data, iCloud Keychain and other end-to-end encrypted data can be extracted with this tool. We are constantly working to keep it up to date with the latest changes in Apple’s communication and encryption protocols.
Extract critical evidence from Apple iOS devices in real time. Gain access to phone secrets including passwords and encryption keys, and decrypt the file system image with or without the original passcode. Physical and logical acquisition options for all 64-bit devices running all versions of iOS.
Elcomsoft iOS Forensic Toolkit official web page & downloads »
Gain full access to information stored in FileVault 2 containers, iOS, Apple iCloud, Windows Phone and BlackBerry 10 devices! Download device backups from Apple iCloud, Microsoft OneDrive and BlackBerry 10 servers. Use Apple ID and password or extract binary authentication tokens from computers, hard drives and forensic disk images to download iCloud data without a password. Decrypt iOS backups with GPU-accelerated password recovery.