Enhanced support for legacy devices

Elcomsoft iOS Forensic Toolkit 8.53 enhances support for legacy Apple devices, adding the ability to mount HFS images in Windows. In addition, the update brings multiple fixes in HFS extractions and general reliability enhancements.

iOS Forensic Toolkit 8.53 introduces improved low-level extraction and analysis capabilities for older Apple devices utilizing a 32-bit architecture. This update brings the ability to seamlessly mount HFS disk images extracted from these devices on Windows systems. The integration of HFS support into Windows required a custom implementation of a fused file system, which is supplied as a licensed version of WinFsp runtime. This new capability to mount HFS images on Windows empowers experts to efficiently process and analyze digital evidence extracted from legacy Apple devices on Windows-based computers.

In addition, the update adds a new option for safer operation, and brings several fixes to HFS drive imaging.

The updated legacy extraction method utilizes Elcomsoft proprietary Perfect HFS Acquisition process, which enables full access to the user’s data partition including the keychain. The process images and decrypts the entire data partition, enabling safe, repeatable, forensically sound extractions for 32-bit Apple devices.

Finally, we have developed a new robust method for determining the iOS version for checkm8-compatible devices based on 64-bit SoC. Previously, the iOS version information was extracted directly from the operating system itself. The new method uses information from the Secure Enclave Processor (SEP) instead. This new method allows us to completely exclude issues of OS and SEP version mismatch that could arise in specific scenarios, e.g. after an interrupted or unsuccessful update. If one relies on the OS version stored in the system, SEP fails to initialize, leading the device to a reboot. The new method fixes such situations completely.

iOS Forensic Toolkit 8.53 Release Notes

  • Legacy devices: added the ability to mount HFS images extracted from legacy 32-bit devices in Windows
  • checkm8: improved iOS version detection
  • checkm8: added support for iOS 16.7.5/15.8.1
  • Legacy devices: fixed HFS drive imaging under certain conditions; added an option for safer operation
  • Multiple small fixes and improvements

また見なさい