The new release of Belkasoft Evidence Center introduces forensically sound, jailbreak-free extraction of select iOS devices via a hard-coded, unpatchable exploit. Compatible devices include the range of iPhone and iPad devices powered by Apple’s A7 through A11 SoC (iPhone 5s through iPhone X and the corresponding iPad devices).
NEW: iOS 13.4 is supported what makes Belkasoft the only digital forensic tool in the world having this feature!
Belkasoft Evidence Center makes use of a hard-coded vulnerability that exists in all Apple devices based on the A7 through A11 SoC generations. The checkm8 exploit that makes use of this vulnerability cannot be patched by Apple since the vulnerability itself exists in a hardware-protected, read-only area of the device memory.
The jailbreaking community released a public jailbreak based on this vulnerability. The checkra1n jailbreak can be used by Linux and macOS users. However, installing a jailbreak on a device being analyzed is a complex, unsafe and not quite forensically sound process.
Belkasoft Evidence Center provides direct access to the file system of affected devices without the need for a jailbreak. Direct access to the file system enables forensically sound extraction for the entire range of supported iOS devices. The functionality is available on Windows 10.
Keychain is the password management system developed by Apple. Without keychain you cannot decrypt various encrypted data extracted with full file system acquisition. checkm8-enabled version of Evidence Center can extract keychain not only via checkm8-based acquisition but also from any jailbroken iPhone, no matter which jailbreak was used. Basing on the information extracted, various decryption tasks made possible. For instance, Evidence Center can decrypt iOS Signal messenger out of the box.
Due to the nature of the exploit, Belkasoft Evidence Center can extract certain types of data even if the device is locked and the password is not known. This boot-mode extraction is available for all devices from the supported range regardless of their lock state. The data extracted from a locked device is immediately loaded and can be analyzed with Belkasoft Evidence Center.
iPhone's DFU practical guide:
what it is, how to enable, forensic consequences
When: April 3
A third webinar about a new checkm8-based acquisition feature in Belkasoft Evidence Center, where we’re covering the process of entering the DFU mode on various iPhone models.
Locked iPhone acquisition with
Belkasoft Evidence Center
When: April 7
Find out what data could be extracted from a locked iOS device using the new checkm8-based acquisition feature in our upcoming webinar.
Belkasoft Evidence Center is a world renowned tool used by thousands of customers for conducting computer and mobile forensic investigations. Belkasoft Evidence Center can automatically discover, extract and analyze evidence from a wide range of sources including computer hard drives and disk images in all popular formats, memory dumps, mobile devices and chip-off dumps.
Low-level access to hard disk and system structures means that even data that’s been deleted by the suspect cannot escape from investigators. Supporting Windows, Unix/Linux, Android, iOS and macOS file systems, natively mounting images created in EnCase, FTK, X-Ways, DD and SMART formats, UFED and chip-off binary dumps, and many popular virtual machines without using these or any third-party tools, Belkasoft Evidence Center can collect more evidence than any single competing tool in its class.
Apart from checkm8-based iOS acquisition, Evidence Center supports acquiring iTunes backups, jailbroken phones full file system copying, as well as agent-based jailbreak-free acquisition.