Elcomsoft iOS Forensic Toolkit

Extract critical evidence from Apple iOS devices in real time. Gain access to device secrets including passwords and encryption keys, and decrypt the file system with or without the original passcode. Physical and logical acquisition options for 64-bit devices running all versions of iOS. All versions of iPhone/iPad/iPod Touch devices running all versions of iOS are supported.

Your order includes one year of free technical support and one year of free upgrades.



Perform full file system and logical acquisition of iPhone, iPad and iPod Touch devices. Image device file system, extract device secrets (passwords, encryption keys and protected data) and decrypt the file system image.

  • Full file system extraction and keychain decryption without a jailbreak
  • Logical acquisition extracts backups, crash logs, media and shared files
  • Passcode unlock and physical acquisition for legacy devices
  • Extracts and decrypts protected keychain items
  • Repeatable, forensically sound extraction for select iPhone and iPad models through modified bootloader
  • Automatically disables screen lock for smooth, uninterrupted acquisition

Supports: all generations of iPhone, iPad, iPad Pro and iPod Touch with and without jailbreak; Apple Watch and Apple TV 4 and 4K; all versions of iOS from iOS 7 to iOS 15.x


Forensic Access to iPhone/iPad/iPod Devices running Apple iOS

Perform the complete forensic acquisition of user data stored in iPhone/iPad/iPod devices. Elcomsoft iOS Forensic Toolkit allows imaging devices’ file systems, extracting device secrets (passcodes, passwords, and encryption keys) and accessing locked devices via lockdown records.

The following extraction methods are supported:

  • Advanced logical acquisition (backup, media files, crash logs, shared files) (all devices, all versions of iOS)
  • Direct agent-based extraction (all 64-bit devices, select iOS versions)
  • Forensically sound bootloader-based checkm8 extraction (select devices)
  • Jailbreak-based extraction (all devices and versions of iOS with public jailbreaks)
  • Passcode unlock and true physical acquisition (select 32-bit devices)

See Compatible Devices and Platforms for details.


Full File System Extraction and Keychain Decryption

A jailbreak-free extraction method based on direct access to the file system is available for a limited range of iOS devices. Using an in-house developed extraction tool, this acquisition method installs an extraction agent onto the device being acquired. The agent communicates with the expert’s computer, delivering robust performance and extremely high extraction speed topping 2.5 GB of data per minute.

Better yet, agent-based extraction is completely safe as it neither modifies the system partition nor remounts the file system while performing automatic on-the-fly hashing of information being extracted. Agent-based extraction does not make any changes to user data, offering forensically sound extraction.

Both the file system image and all keychain records are extracted and decrypted. The agent-based extraction method delivers solid performance and results in forensically sound extraction. Removing the agent from the device after the extraction takes one push of a button.

You can either extract the complete file system or use the express extraction option, only acquiring files from the user partition. By skipping files stored in the device’s system partition, the express extraction option helps reduce the time required to do the job and cut storage space by several gigabytes of static content.

Installing and signing the extraction agent requires an Apple ID registered in the Apple Developer Program. The Mac edition drops this requirement, allowing to use a regular Apple ID for signing and sideloading the extraction agent onto the iOS device.


Jailbreak-based Extraction

In addition to agent-based extraction, iOS Forensic Toolkit fully supports the extraction of all jailbroken devices for which a jailbreak is available. Full file system extraction and keychain decryption are available for jailbroken devices. All public jailbreaks are supported.


Forensically sound extraction for select iPhone and iPad models

To preserve digital evidence, the chain of custody begins from the first point of data collection to ensure that digital evidence collected during the investigation remains court admissible. The new, bootloader-based extraction method delivers repeatable results across extraction sessions. When using iOS Forensic Toolkit on a supported device, the checksum of the first extracted image will match checksums of subsequent extractions provided that the device is powered off between extractions and never boots the installed version of iOS in the meantime.

The new extraction method is the cleanest yet. Our implementation of bootloader-based exploit is derived directly from the source. All the work is performed completely in the RAM, and the operating system installed on the device is left untouched and is not used during the boot process. Our unique direct extraction process offers the following benefits:

  • Repeatable results. Checksums of subsequent extractions will match the first one if the device is kept powered off and never boots iOS between sessions.
  • Supports iPhone 5s, 6/6s/Plus, SE (original), iPhone 7/8/Plus, iPhone X.
  • Supports iPad 5, 6, and 7, iPad Mini 2, 3, and 4, iPad Air 1 and 2, iPad Pro 1 and 2, iPod Touch 6 and 7, and Apple TV 4 and 4K
  • Wide iOS compatibility. iOS 8.0 through iOS 15.5 are supported.
  • Untouched system and data partitions.
  • Zero modification policy: 100% of the patching occurs in the RAM.
  • The installation process is fully guided and massively more reliable compared to jailbreaking.
  • Locked devices supported in BFU mode, while USB restricted mode can be completely bypassed.

Notes: bootloader-level extractions are available exclusively in the Mac edition, requiring a macOS computer.


Unlocking and Imaging Legacy Devices: iPhone 4, 4s, 5, and 5c

Passcode unlock and imaging support are available for legacy iPhone models.

The Toolkit can be used to unlock encrypted iPhone 4, 4s (1), 5 and 5c devices protected with an unknown screen lock passcode by attempting to recover the original 4-digit or 6-digit PIN. This DFU attack works at the speed of 13.6 passcodes per second on iPhone 5 and 5c devices, and takes only 12 minutes to unlock an iPhone protected with a 4-digit PINs. 6-digit PINs will take up to 21 hours. A smart attack will be used automatically to attempt cutting this time as much as possible. In less than 4 minutes, the tool will try several thousand most commonly used passcodes such as 000000, 123456 or 121212, followed by 6-digit PINs based on the dates of birth. With 74,000 of those, the smart attack takes approximately 1.5 hours. If still unsuccessful, the full brute force of the rest of the passcodes is initiated. (Note: passcode recovery runs at the speed of 6.6 passcodes per second on the iPhone 4).

Full physical acquisition is available for legacy iOS devices including the iPhone 4, 4s (1), 5 and 5c. For all supported models, the Toolkit can extract the bit-precise image of the user partition and decrypt the keychain. If the device is running iOS 4 through 7, the imaging can be performed even without breaking the screen lock passcode, while devices running iOS 8 through 10 require breaking the passcode first. For all supported models, the Toolkit can extract and decrypt the user partition and the keychain.

(1) The passcode unlock and forensically sound, checkm8-based extraction are available for the iPhone 4s, iPod Touch 5, iPad 2 and 3 devices via a custom flashed Raspberry Pi Pico board, which is used to apply the exploit. The firmware image is provided with iOS Forensic Toolkit; the Pico board is not supplied.

Notes: Mac edition only; iPhone 4s support requires a Raspberry Pi Pico board (not supplied) with custom firmware (supplied). For iOS 4 through 7, passcode recovery is not required for device imaging. For iOS 8 and 9, the passcode must be recovered before imaging (otherwise, limited BFU extraction available).


Extended Logical Acquisition

iOS Forensic Toolkit supports logical acquisition, a simpler and safer acquisition method compared to physical. Logical acquisition produces a standard iTunes-style backup of information stored in the device, pulls media and shared files and extracts system crash logs. While logical acquisition returns less information than physical, experts are recommended to create a logical backup of the device before attempting more invasive acquisition techniques.

We always recommend using logical acquisition in combination with physical for safely extracting all possible types of evidence.

Quickly extract media files such as Camera Roll, books, voice recordings, and iTunes media library. As opposed to creating a local backup, which could be a potentially lengthy operation, media extraction works quickly on all supported devices. Extraction from locked devices is possible by using a pairing record (lockdown file).

In addition to media files, iOS Forensic Toolkit can extract crash/diagnostics logs and stored files of multiple apps, extracting crucial evidence without a jailbreak. Extract Adobe Reader and Microsoft Office locally stored documents, MiniKeePass password database, and a lot more. The extraction requires an unlocked device or a non-expired lockdown record.

Logical acquisition is available for all devices regardless or hardware generation and jailbreak status. The device must be unlocked at least once after cold boot; otherwise, the device backup service cannot be started.

Experts will need to unlock the device with passcode or Touch ID, or use a non-expired lockdown file extracted from the user’s computer.

If the device is configured to produce password-protected backups, experts must use Elcomsoft Phone Breaker to recover the password and remove encryption. Elcomsoft Phone Breaker is also required to view keychain records. If no backup password is set, the tool will automatically configure the system with a temporary password (“123”) in order to be able to decrypt keychain items (password will be reset after the acquisition).

Using a lockdown (pairing) record, information can be extracted from locked iOS devices even after power-off or reboot. The following matrix applies to devices running iOS 8 and newer:

Basic device info Advanced device info App list Media iTunes-style backup
Device locked, no lockdown record Yes No No No No
Device never unlocked after reboot, lockdown exists Yes Yes No No No
Device unlocked after reboot, lockdown exists Yes Yes Yes Yes Yes


Supported Devices and Acquisition Methods

iOS Forensic Toolkit implements physical acquisition support for jailbroken devices from iPhone 5s through iPhone 13, 13 Pro, iPhone 13 mini and iPhone 13 Pro Max.

The following compatibility matrix applies:

  • Passcode unlock: Brute-forces 4-digit and 6-digit screen lock passcodes via DFU exploit. All iOS versions, iPhone 4, 4s, 5 and 5c devices. [1][2]
  • Legacy devices: Bit-precise imaging and decryption of iPhone 4, 4s, 5 and 5c devices. [1][2]
  • Agent (without a jailbreak): Full file system extraction and keychain decryption for devices running iOS 9 through 15.1.1 (iOS 15.1 for the M1-based iPad Pro 5). The corresponding iPad models are also covered. Apple Developer registration required (Windows)/optional (macOS).
  • With jailbreak: Physical acquisition for jailbroken devices running any version of iOS for which a jailbreak is available (iPhone 4s through iPhone 12 Pro Max, most iPad models, Apple TV 4 & 4K).
  • Via Bootrom exploit (checkm8): Forensically sound file system & keychain acquisition ranging from the iPhone 5s through iPhone X [1]
  • No jailbreak: Logical acquisition, shared files and media extraction for devices running versions of iOS without a jailbreak. Device must be unlocked with passcode, Touch ID or lockdown record

Perform physical and logical acquisition of iPhone, iPad and iPod Touch devices. Image device file system, extract device secrets (passwords, encryption keys and protected data) and decrypt the file system image.

  1. Only available in the Mac edition.  
  2. iPhone 4s support requires a custom-flashed Raspberry Pi Pico board. 



ElcomSoft offers a comprehensive range of tools for unlocking access to many types of data, recovering passwords and decrypting encrypted files and volumes. The company’s range of mobile forensic products enable forensically sound extraction of evidence from a wide range of smartphones and cloud services.

Additional information

Full Version

1-year Support & Upgrade included

**Please note that both trial and full versions of EIFT require the USB dongle to run. It is delivered by express mail service (usually FedEx) in two to three business days after placing an order. In rare cases, customs clearance may cause an additional delay.

New Features

checkm8 extraction for select iPhone models

iOS Forensic Toolkit 8.0 beta for Mac introduces a new extraction method for select iOS devices based on the modified bootloader. The new extraction method is the cleanest yet, enabling repeatable, verifiable extractions and forensically sound workflow.

The fourth beta of iOS Forensic Toolkit 8.0 for Mac adds checkm8 extraction support for the latest generation of iPhone devices with a bootloader vulnerability, which includes the iPhone 8, 8 Plus, and iPhone X devices running all supported versions of iOS up to and including iOS 15.5. This completes the range of devices that can be extracted with iOS Forensic Toolkit 8.0 beta for Mac, which now includes all 64-bit iPhone models ranging from the iPhone 5s all the way to the iPhone X with no gaps or exclusions.


checkm8 support for the rest of iPad, iPod Touch and Apple TV models

The ninth beta of Elcomsoft iOS Forensic Toolkit 8.0 for Mac added support for iPad 5, 6, and 7, the iPad Mini 2, 3, and 4, the iPad Air 1 and 2, and the iPad Pro 1 and 2 (9.7” and 12.9” models respectively). In addition, iPod Touch 6 and 7 and Apple TV 3 and 4K are also supported. Currently, our checkm8 extraction solution supports all iPad and all iPod Touch models having the bootloader vulnerability with no exceptions.


Extraction agent gains low-level extraction support for iOS 15.2 through 15.3.1

Elcomsoft iOS Forensic Toolkit 7.60 brings low-level extraction support for multiple generations of Apple devices, adding full file system extraction for iOS 15.2 through 15.3.1 devices based on Apple A11-A15 and M1 chips.

iOS Forensic Toolkit 8.0 beta 13 gets all the new features as Elcomsoft iOS Forensic Toolkit 7.40, and adds checkm8 acquisition support for the latest version of iOS 15.6.1.

Compatible Devices and Platforms

Compatible Devices and Platforms

  • iPhone 4, 5 and 5c: passcode unlock via DFU (macOS edition only)
  • iPhone 4, 4s, 5 and 5c: physical acquisition with bit-precise imaging and keychain decryption (macOS edition only) (iPhone 4s support requires a Raspberry Pi Pico board)
  • iPhone 5s, 6, 6 Plus, 6s, 6s Plus, SE (original), 7, 7 Plus, 8, 8 Plus, X: forensically sound checkm8 extraction (macOS edition only)
  • iPad 5, 6, and 7, iPad Mini 2, 3, and 4, iPad Air 1 and 2, iPad Pro 1 and 2, iPod Touch 6 and 7, and Apple TV 4 and 4K: forensically sound checkm8 extraction (macOS edition only)
  • 64-bit iOS devices with jailbreak: file system extraction, keychain decryption
  • Partial file system & keychain acquisition for BFU, locked and disabled iPhone models ranging from the iPhone 5s through iPhone X
  • Apple TV 4 (cable connection) and Apple TV 4K (wireless connection through Xcode, Mac only)
  • Apple Watch (all generations); requires a third-party IBUS adapter
  • No jailbreak: agent-based extraction for supported devices; advanced logical acquisition for all other devices [1]

Logical acquisition includes:

  • Extended information about the device
  • iTunes-format backup (includes many keychain items)
  • List of installed apps
  • Media files (even if the backup is password-protected)
  • Shared files (even if the backup is password-protected)

  1. Logical acquisition works even with locked devices with unknown passcode if a valid pairing record is available. 

System Requirements


  • Windows 7/8/8.1/10

Apple macOS

  • macOS 10.13 High Sierra
  • macOS 10.14 Mojave
  • macOS 10.15 Catalina
  • macOS 11 Big Sur
  • macOS 12 Monterey

The iOS Forensic Toolkit for Windows requires the latest version of iTunes installed. macOS version is not guaranteed to work on a virtual machine or Hackintosh. Please also note that some specific features of the product (physical acquisition for legacy 32-bit devices, agent installation using non-developer accounts, checkm8 acquisition) are available in macOS version only.


There are no reviews yet.

Be the first to review “Elcomsoft iOS Forensic Toolkit”

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Recently Viewed Solutions





PL/SQL Developer






ImmuniWeb® Discovery




ImmuniWeb® On-Demand