The second beta of iOS Forensic Toolkit 8.0 has arrived, offering repeatable, verifiable extraction for a limited range of iOS devices. The new release introduces a brand-new user interface, which differs significantly from the selection-driven console we’ve been using for the past several years. This article describes the new workflow for performing forensically sound extractions with iOS Forensic Toolkit 8.0 beta2.

Compatibility

The bootloader-level extraction is still exclusively available in the Mac edition due to technical limitations. You still need a real, physical Mac computer, no VMs and no Hackintosh builds. Both Intel and Apple Silicon are supported. At this time, iOS Forensic Toolkit has been tested on the following versions of macOS: 10.13 High Sierra, 10.14 Mojave, 10.15 Catalina, 11 Big Sur, and 12 Monterey.

The vulnerability exploited by checkm8 exists in a large number of devices ranging from the iPhone 4s all the way to the iPhone 8/8 Plus/X generation. However, our tool does not support the iPhone 4s due to the USB controller requirements; the iPhone 7, 7 Plus, 8, 8 Plus, and iPhone X are not currently supported due to SEP hardening. You may still extract these devices by other means such as using the extraction agent or going through a jailbreak.

At this time, forensically sound bootloader-level extractions are available for the following devices:

• iPhone 4 (iPhone3,1/iPhone3,2/iPhone3,3): A1332, A1349
• iPhone 5 (iPhone5,1): A1428, A1429, A1428
• iPhone 5c (iPhone5,4): A1507, A1526, A1529, A1516
• iPhone 5S (iPhone6,1/iPhone6,2): A1453, A1533, A1457, A1518, A1528, A1530
• iPhone 6 (iPhone7,2): A1549, A1586, A1589
• iPhone 6 Plus (iPhone7,1): A1522, A1524, A1593
• iPhone 6s (iPhone8,1): A1633, A1688, A1691, A1700
• iPhone 6s Plus (iPhone8,2): A1634, A1687, A1690, A1699
• iPhone SE (iPhone8,4): A1662, A1723, A1724
• iPod touch 6th gen: A1574
• AppleTV 3 (AppleTV3,2): A1469

Our tool supports all versions of iOS from iOS 8.0 to 15.1 (only release versions, no betas).

Installing iOS Forensic Toolkit 8.0

The installation procedure has changes since previous releases. To install iOS Forensic Toolkit 8.0 beta 2, follow these steps:

• Mount the DMG image specific to your version of macOS, supplying the password (you will receive the password in your order confirmation email)
• Drag the “EIFT8B2” folder to the desktop
• Open console
• Run xattr to remove quarantine:

  xattr -r -d com.apple.quarantine <path to folder>

• Alternatively, you can type part of the command (xattr -r -d com.apple.quarantine ), and drop the image onto the console window. Please note the whitespace at the end of the command.
• cd Desktop/EIFT8B2
• You can now launch /EIFT_ cmd to run the tool

The DMG image is different for macOS Catalina and older versions and the newer Bit Sur and Monterey. The file names are as follows:

• iOS-Toolkit-8-beta2-Mac-legacy.dmg for Catalina and older
• iOS-Toolkit-8-beta2-Mac.dmg for Bit Sur and Monterey

Command line parameters

For the past several years, iOS Forensic Toolkit was distributed with console-based, menu-driven UI. In EIFT 8.0 beta2, we have replaced the old UI with a console-based, command-line driven tool. There was a good technical reason for this, but please reserve your questions until the final release version of iOS Forensic Toolkit 8.0.

The available parameters include:

Main commands

Please do not use any of the following commands unless instructed:

• ssh
• scp
• serial
• tools

Device information

Commands related to logical acquisition

Commands for agent-based extraction

Commands for jailbreak-based extraction

Ramdisk-related commands (when extracting via bootloader exploit)

Additional commands: ssh, scp

Bootloader-level extraction cheat sheet

Technically speaking, bootloader-level extraction was the most challenging to implement in code. This extraction methods requires experts to possess a certain level of skills and experience in handling iOS devices and placing them into DFU. The cost of a mistake is high: shall you fail to follow the sequence of precisely timed key presses, and the device may start booting iOS, which breaks the “forensically sound” part of the extraction. For this reason:

Practice DFU mode and familiarize yourself with the extraction process on a different iPhone device before you start the extraction.

Once you’re able to place the iPhone into DFU 10 times out of 10, follow these steps with the real device.

Below are the steps for the following 64-bit devices: iPhone 5s/6/6s/SE.

1. Place device into DFU
2. ./EIFT_cmd boot
3. ./EIFT_cmd loadnfcd
4. ./EIFT_cmd unlockdata
5. ./EIFT_cmd ramdisk keychain -o {filename}
6. ./EIFT_cmd ramdisk tar -o {filename}
7. ./EIFT_cmd ssh halt

Bootloader-level extraction step by step

First, place the device DFU (several methods described in DFU Mode Cheat Sheet). The recommended method:

• Connect the device to a computer using a USB cable (USB-A cables only! If connecting to a Type-C port, use a Type-C to USB-A adapter, and a USB-A cable; no hubs, no Type-C to Lightning cables!)
• Hold down both the Home button and Lock button
• After 8 seconds, release the Lock button while continuing to hold down the Home button (шf the Apple logo appears, the Lock button was held down for too long)
• Nothing will be displayed on the screen when the device is in DFU mode. If open, iTunes will alert you that a device was detected in recovery mode (If your device shows a screen telling you to connect the device to iTunes, retry these steps)

Note that, unlike the checkra1n jailbreak, our tool does not require going through Recovery first before entering DFU.

After that, execute the following command:

./EIFT_cmd boot

The command launches the exploit. The code detects the iOS version installed on the device and provides a download link. If there are multiple potential matches, several download links will be displayed; we recommend taking the last link from the list. Download the file from the link, and drop the ipsw file onto the console window.

Our extraction solution does not use the operating system installed on the iPhone to boot the device. Instead, a separate, patched version of the original Apple firmware is booted in the device RAM. This process requires you to have a copy of the original Apple firmware image that matches the device’s iOS version and build number exactly.

In many cases, the iOS version will be detected automatically by EIFT during the first stage of the exploit. The detection is based on the detected iBoot version and device hardware. However, in some cases the iBoot version may correspond to several iOS builds. If the wrong build is used, EIFT will be able to detect and display the correct build number at a later stage of the exploit. You will then have an option to either repeat the exploit with a different version of firmware, or continue with the current firmware image (which works in about 99% of cases).

If the exploit successfully loads the firmware, you will see the following information:

The iPhone will display the following screens:

./EIFT_cmd loadnfcd

This command executes the code to bypass Secure Enclave protection. This must be done before you can mount the data partition.

./EIFT_cmd unlockdata

This command unlocks the data partition and mounts it read-only.

If you enter the wrong passcode, an error will be displayed. With correct passcode, the volume is fully unlocked and you can proceed with data (keychain and file system) extraction).

If you don’t know the passcode, press ENTER on the screen below. In this case, a very limited BFU extraction will be performed.

After 5 or 6 wrong passcode entries, the iPhone will be locked for 1, 5, 15 and 60 minutes in succession. You must wait for the block to expire. After 10 unsuccessful unlock attempts, regardless of the wait time, the system will wipe the encryption metadata, making subsequent extraction attempts futile.

./EIFT_cmd ramdisk keychain -o {filename}

This command extracts and decrypts the keychain. If no path is specified, it will be saved into the current folder. There are specific considerations for some iOS versions:

• iOS 15: keychain decryption is currently not available.
• iOS 8 through 14: all keychain records decrypted except a small number of system records.

./EIFT_ cmd ramdisk tar -o {filename}

This command images file system. The checksum (hash value) is calculated on the fly and saved alongside with the image file once the extraction is finished.

./EIFT_cmd ssh halt

This command powers off the iPhone. Always use this command at the end of the extraction as it is not possible to power off the iPhone with the buttons from DFU. If you try pressing and holding the power button, the iPhone will reboot and load the installed version of iOS, which breaks forensically sound extraction.