iOS Forensic Toolkit 4.0 features a major overhaul, adding physical extraction of iOS keychain and offering straightforward acquisition workflow for iOS devices ranging from the iPhone 5s through iPhone X. The update drops support of legacy devices, cleans up redundant code and offers a much cleaner look and a straightforward usage experience.
iOS Forensic Toolkit receives a major overhaul, adding the ability to extract and decrypt keychain items during physical extraction of jailbroken 64-bit iOS devices. In addition, the new release offers an option to disable automatic screen lock on the connected device and pulls crash logs. The tool prevents automatic screen lock of the iOS device during the acquisition to make sure that all files are extracted, even those with the strongest security attributes.
iOS Forensic Toolkit 4.0 is now providing all possible options for extracting and decrypting data from both jailbroken and non-jailbroken 64-bit devices, including the last generations of Apple hardware and software. Without a jailbreak, experts can perform logical extraction through iOS system backups as well as app data and media file extraction. If a jailbreak can be installed, experts can image the file system of 64-bit iPhones and iPads, extract crash logs and decrypt the keychain.
iOS keychain is an Apple’s solution for securely storing passwords, keys, certificates, payment data and app-specific credentials. The keychain is securely encrypted with a hardware-specific key. On 64-bit hardware (iPhone 5s and all newer iOS devices), this key is additionally protected with Secure Enclave.
iOS Forensic Toolkit 4.0 adds the ability to extract and decrypt keychain items during the course of physical acquisition, successfully bypassing Secure Enclave protection on jailbroken devices. Notably, the entire content of the keychain is decrypted including records secured with ThisDeviceOnly attribute. Such records are unavailable via logical acquisition. The tool prevents automatic screen lock of the iOS device during the acquisition to make sure that even those records with the strongest security attributes are successfully extracted and decrypted.
Access to Crash Logs
Crash logs are an important part of the evidence that are not included into a local backup but may be extractable from the device with logical acquisition methods. From a forensic point of view, crash logs may deliver the list of installed and uninstalled apps. Once the expert discovers a crash log entry created by an app that is no longer present in the system, one can safely assume that the app was installed on the device at least up to the date and time specified in the crash log entry. In addition, one can build a timeline of device usage based on all the timestamps discovered have in crash logs.
iOS Forensic Toolkit 4.0 adds the ability to extract crash logs from iOS devices with or without a jailbreak. Access to crash logs requires a paired device or access to a valid lockdown file.
New User Interface
iOS Forensic Toolkit 4.0 comes with completely new user interface featuring streamlined workflow targeting the recent crop of Apple devices (iPhone 5s, 6/6s/7/8/Plus, iPhone SE and iPhone X). While still console-based, the new user interface provides concise step-by-step workflow for consecutively performing activities connected with logical and physical acquisition. The new Toolkit drops support for legacy hardware, instead concentrating on devices that are currently in circulation. Experts who require support for older Apple devices must contact ElcomSoft to obtain a legacy build.
Komunikat prasowyElcomsoft Decrypts Secrets from iPhone Devices and Extracts User Passwords (po angielsku)
Czytaj więcejCzytać artykuł «iOS Forensic Toolkit 4.0 with Physical Keychain Extraction» na naszym blogu (po angielsku)