The extraction method or methods available for a particular iOS device depend on the device’s hardware platform and the installed version of iOS. While logical acquisition is available for all iOS and iPadOS devices, more advanced extraction methods are available for older platforms and versions of iOS. But what if more than one way to extract the data is available for a given device? In this guide, we’ll discuss the applicable acquisition methods as well as the order in which they should be used.
For iOS and iPad OS devices, low-level extraction requires exploiting undocumented vulnerabilities in order to access the file system and some encryption keys required to decrypt the keychain. Such exploits are typically discovered in older hardware platforms and older versions of iOS. In general, devices released less than five years ago and running a recent version of iOS are immune to known public exploits and can be only extracted with logical acquisition. Logical acquisition is universally available on iOS and iPadOS devices regardless of their hardware platform and version of iOS. However, logical acquisition on devices running tvOS and watchOS will be limited as there is no backup services on such devices.
Low-level extraction methods are available on older platforms and versions of iOS. These methods include checkm8 (a booloader-based exploit) and Elcomsoft’s software-based low-level extraction agent. Please refer to the following table to determine which acquisition methods are available to your device:
When more than one extraction method is available, the order matters. We recommend the following workflow.
Note: logical extraction is available for all generations of Apple hardware and all supported versions of iOS.
For older devices compatible with checkm8 (this includes iPhone devices up to and including the iPhone 8, 8 Plus, and iPhone X, as well as the corresponding iPad, Apple Watch, and Apple TV models):
The checkm8 extraction is the most sophisticated extraction method available for Apple devices that have a vulnerability in their bootloader. Our implementation of checkm8 offers clean, forensically sound extractions with repeatable, verifiable results. If you’ve used checkm8, you have already received the fullest set of data extractable from the device; there is no need to use any other acquisition method.
Using checkm8 extraction: checkm8 Extraction Cheat Sheet: iPhone and iPad Devices
For devices not compatible with checkm8 but running a version of iOS supporting the extraction agent (currently, iOS 9.0 through 15.3.1 for devices supporting these OS versions):
For all other devices that support neither checkm8 nor the extraction agent, including the iPhone 14 range:
Using advanced logical extraction: Advanced Logical Extraction with iOS Forensic Toolkit 8: Cheat Sheet
This publication should help experts better understand their options when extracting Apple devices based on their hardware platform and OS.
Build high-performance clusters for breaking passwords faster. Elcomsoft Distributed Password Recovery offers zero-overhead scalability and supports GPU acceleration for faster recovery. Serving forensic experts and government agencies, data recovery services and corporations, Elcomsoft Distributed Password Recovery is here to break the most complex passwords and strong encryption keys within realistic timeframes.
Extract critical evidence from Apple iOS devices in real time. Gain access to phone secrets including passwords and encryption keys, and decrypt the file system image with or without the original passcode. Physical and logical acquisition options for all 64-bit devices running all versions of iOS.
The complete mobile forensic kit enables law enforcement, corporate and government customers to perform physical, logical and over-the-air acquisition of smartphones and tablets, break mobile backup passwords and decrypt encrypted backups, view and analyze information stored in mobile devices. Bundle consists of all currently available mobile forensic tools offering the best value on the market.
Gain full access to information stored in FileVault 2 containers, iOS, Apple iCloud, Windows Phone and BlackBerry 10 devices! Download device backups from Apple iCloud, Microsoft OneDrive and BlackBerry 10 servers. Use Apple ID and password or extract binary authentication tokens from computers, hard drives and forensic disk images to download iCloud data without a password. Decrypt iOS backups with GPU-accelerated password recovery.