in ,

iOS Forensic Toolkit: macOS, Windows, and Linux Editions Explained


iOS Forensic Toolkit comes in three flavors, available in macOS, Windows, and Linux editions. What is the difference between these edition, in what ways is one better than the other, and which edition to choose for everyday work? Read along to find out.

macOS, Windows and Linux editions compared

iOS Forensic Toolkit is a true multi-platform tool, sharing the same user interface and almost the same features across the different platforms. While the macOS edition remains the most feature-rich, the Linux edition is not far behind, while the Windows edition is the most limited of the three. However, there is much more to it than just features. The three editions differ in system requirements (beyond the obvious platform/OS support), convenience, and compatibility. Let’s start with the feature comparison, and move on to the rest once we’re clear on the feature set.

Feature comparison

The Windows edition of iOS Forensic Toolkit supports logical and agent-based extraction methods, but lacks support for bootloader-based extractions, which are only available for macOS and Linux platforms. The ability to sign the extraction agent using a regular, non-developer Apple ID remains an exclusive feature of the Mac edition.

Feature/platform macOS Windows Linux
Extended device information
Logical extraction: backups
Logical extraction: media files and metadata
Logical extraction: diagnostic logs
Agent: low-level extraction with Apple developer account
Agent: low-level extraction with regular Apple ID
checkm8: bootloader-level extraction
Additional service features (e.g. SSH)

Please refer to the following chart to learn more about the differences between editions feature-wise.

Compatibility

The Windows edition can run on Windows 10 and Windows 11 (currently Intel only). Note that you must have iTunes (or Apple Devices app) installed on Windows computers; you must also ensure that iTunes/Apple Devices was launched at least once on that computer before you can use iOS Forensic Toolkit (you don’t have to have it running, just launch it once to ensure the system is properly initialized). You won’t need either tool on macOS or Linux computers.

The macOS edition supports macOS BigSur and newer releases. For macOS, Apple Silicon computers are preferred to the aging Intel platform, yet we still support the older Macs through the legacy build of iOS Forensic Toolkit. Note that you may need to re-connect the device on some Intel systems, while there is no such issue on Apple Silicon based computers. For Type-C only devices, a USB-C to USB-A hub will be required to connect both the device and the Toolkit’s USB dongle and, on some computers, the charging cable.

The Linux edition has been tested on multiple Linux distributions, officially supporting the current Debian, Ubuntu, Kali Linuxand Mint distros, ensuring seamless operation for forensic professionals using different Linux setups. We currently support Intel-based computers, yet a test ARMv8 build is already out for the Raspberry Pi 5 platform.

USB-C ports: you will need a USB-A port for the Toolkit’s USB dongle, and another USB-A port for checkm8 extractions. For other types of extractions (agent, extended logical) we strongly recommend using the USB-C port instead. Finally, yet another USB-C port may be needed on some MacBooks to connect the charging cord.

File systems: if you plan to use the extracted data on different computers, we strongly recommend formatting the media (such as external SSD drive) to exFATas exFAT is currently the only file system properly supported by all three OSes.

Convenience

While all three editions share the same powerful comman-line interface (CLI), there are plenty of things putting one or another edition ahead in some circumstances.

Installation is the easiest in Windows, where you can simply install iOS Forensic Toolkit and run it immediately (but do note that you’ll need iTunes or Apple Devices installed and launched at least once on that computer). The Linux edition requires additional dependencies that must be installed manually

The macOS requires removing the quarantine flag right after installing the Toolkit, which may be complex on modern Macs. On the other hand, the Mac edition supports a software firewall – a feature not available in Linux or macOS (you’ll have to use our Raspberry Pi based solution for that).

Reliability

Among the three platforms, the Mac edition wins hands down in the reliability department. This in part is due to the better drivers, and in part because of some things that can are native to the Mac but foreign to other platforms.

Conclusion

If you have a Mac, use it. If you can afford a Mac, buy it. If you cannot afford a Mac, the Linux edition is the next best thing with full checkm8 support (and we are working hard on the ARM edition that will allow running the thing on the affordable and highly portable Raspberry Pi 5 platform). In addition, we are about to document the Live edition of the Toolkit available to all registered users of iOS Forensic Toolkit. The Live version allows booting into the Linux edition of the tool from an external media. The Linux edition won’t let you use the agent without a developer account, which will be another $99/year investment. Finally, if Windows is all you have access to, do use what you have: iOS Forensic Toolkit will do great with advanced logical extractions and agent-based low-level extractions (if you have a developer account with Apple).

One more thing

As a provider of mobile forensic tools, we at Elcomsoft strongly believe in giving back to the community. Our iOS Forensic Toolkit (EIFT) is a highly complex and powerful mobile acquisition tool, consisting of almost eighty sub-projects, many of which are open source. While we have benefited from the contributions of the community, we also believe in contributing back to the open source community by publishing our changes to those projects as required by their permissive license.

As a company, we are wholly dedicated to providing a solution that complies with licensing regulations, meeting all pertinent legal requirements. In addition to fulfilling our legal obligations, we want to point out the other benefits to open sourcing some of our projects. Collaboration with the open source community can result in faster updates, improved features, and greater security. By sharing our efforts, we can help each other to build better tools, rather than reinventing the wheel. We welcome everyone to check out our GitHub account containing the relevant open-source projects:

REFERENCES:

Elcomsoft iOS Forensic Toolkit

Extract critical evidence from Apple iOS devices in real time. Gain access to phone secrets including passwords and encryption keys, and decrypt the file system image with or without the original passcode. Physical and logical acquisition options for all 64-bit devices running all versions of iOS.

Elcomsoft iOS Forensic Toolkit official web page & downloads »

What do you think?

Leave a Reply

Your email address will not be published. Required fields are marked *

GIPHY App Key not set. Please check settings

New Generative AI category added to Talos reputation services

Check Point released hotfix for actively exploited VPN zero-day