Elcomsoft iOS Forensic Toolkit 8.51: improved compatibility and enhanced functionality

The latest maintenance release of Elcomsoft iOS Forensic Toolkit 8.51 primarily focuses on addressing minor issues and introducing significant enhancements for older devices, particularly 32-bit devices with HFS filesystems. In addition, checkm8 extraction now supports iOS 16.7.3 and 16.7.4 where available.

We recognize the number of legacy Apple devices within forensic labs and the critical need for seamless extractions for those devices. We are dedicated to ensuring that forensic experts can perform their crucial tasks efficiently, rolling out the latest update to Elcomsoft's iOS Forensic Toolkit 8.51. The new update is designed to resolve several issues, primarily concerning legacy Apple devices. We have also added checkm8 extraction support for added support for iOS 16.7.3 and 16.7.4 on compatible devices.

Enhanced compatibility with legacy devices and improved handling of relocated blocks

We've resolved boot issues encountered on some specific legacy devices, ensuring seamless functionality during the forensic process.

Our team has dedicated extensive efforts to fix the previously unresolved issue related to legacy devices with a large number of relocated blocks. We have successfully resolved this issue, enabling smoother device handling when processing legacy 32-bit devices.

Improvements to extraction agent

The extraction agent is one of the most advanced methods for accessing the file system and decrypting iOS keychain in the low level. The agent obtains the required elevated level of privileges by using a chain of exploits, some of which can be less reliable in certain situations. This update improves agent reliability by significantly lowering the chance of getting a kernel panic.

Other updates

Low level extraction is only available for a wide but limited range of devices and versions of iOS. Newer models and latest iOS builds are rarely supported by low-level extraction. While we are restlessly working on adding support for newer OS builds, including iOS 17, logical extraction remains the fallback method of choice for those devices without low-level access. In this release, we fixed small things in the logical extraction process, making the extraction status clearer and making it possible to save the complete device information into a file that can be used for investigations.

About Elcomsoft iOS Forensic Toolkit

Elcomsoft iOS Forensic Toolkit is one of the most advanced iOS acquisition tools on the market. Available for all three major platforms, Windows, Linux, and macOS, the toolkit supports all possible acquisition methods including advanced logical and agent-based extraction. The macOS and Linux editions additionally feature forensically sound low-level extraction based on the bootloader exploit.

iOS Forensic Toolkit 8.51 release notes:

  • checkm8: added support for iOS 16.7.3 and 16.7.4
  • Extraction agent: improved agent reliability (fewer kernel panics)
  • Legacy devices: fixed the problem booting and unlocking some legacy devices
  • Legacy devices: improved support for devices with remapped HFS blocks
  • Logical extraction: fixed redirection to file for the "info" command (with -a and -s switches)
  • Improvement: improved progress output when acquiring device backup

See also