Breaking into iOS 16.5: Extracting the File System and Keychain


When it comes to iOS data acquisition, Elcomsoft iOS Forensic Toolkit is the top choice for forensic experts. Its cutting-edge features and unmatched capabilities have made it the go-to software for investigating iOS devices. In a recent update, we expanded the capabilities of the low-level extraction agent to support full file system extraction and keychain decryption on Apple’s newest devices running iOS 16.5. This achievement represents a breakthrough, as the delay between Apple’s iOS updates and our forensic software releases has been significantly reduced.


Agent-based extraction is an advanced “consent extraction” method used to obtain the complete file system and keychain data from modern iOS and iPadOS devices, namely iPhones and iPads. “Consent extraction” means that the method can only be used when the device passcode is known or not set. Although agent extraction may not be considered completely “forensically sound” in the way that acquisition based on the bootloader exploit is, it is the sole available technique for the latest Apple devices equipped with A12-A16 Bionic and M1/M2 SoCs, and it remains the only working extraction technique for A11 devices (iPhone 8/8 Plus/iPhone X) running iOS 16, for which bootloader-based methods fail. By employing agent-based extraction, investigators can retrieve the maximum amount of data, making it a valuable source of forensic evidence.
