The new release of Belkasoft Evidence Center introduces forensically sound, jailbreak-free extraction of select iOS devices via a hard-coded, unpatchable exploit. Compatible devices include the range of iPhone devices powered by Apple’s A7 through A11 SoC (iPhone 5s through iPhone X). Supported iOS versions are 12.3 to 13.6 (14 for limited model range).
NEW: iOS 14 is supported for iPhones 6s, 6s Plus and SE (1st gen)!
Belkasoft Evidence Center makes use of a hard-coded vulnerability that exists in all Apple devices based on the A7 through A11 SoC generations. The checkm8 exploit that makes use of this vulnerability cannot be patched by Apple since the vulnerability itself exists in a hardware-protected, read-only area of the device memory.
The jailbreaking community released a public jailbreak based on this vulnerability. The checkra1n jailbreak can be used by Linux and macOS users. However, installing a jailbreak on a device being analyzed is a complex, unsafe and not quite forensically sound process.
Belkasoft Evidence Center provides direct access to the file system of affected devices without the need for a jailbreak. Direct access to the file system enables forensically sound extraction for the entire range of supported iOS devices. The functionality is available on Windows 10.
Read an overview article about checkm8 here.
Keychain is the password management system developed by Apple. Without keychain you cannot decrypt various encrypted data extracted with full file system acquisition. checkm8-enabled version of Evidence Center can extract keychain not only via checkm8-based acquisition but also from any jailbroken iPhone, no matter which jailbreak was used. Basing on the information extracted, various decryption tasks made possible. For instance, Evidence Center can decrypt iOS Signal messenger out of the box.
Due to the nature of the exploit, Belkasoft
Evidence Center can extract certain types of data even if the device is
locked and the password is not known. This
boot-mode extraction is available for all devices from the supported range
regardless of their lock state. The data extracted from a locked device
is immediately loaded and can be analyzed with Belkasoft Evidence Center.
Starting build 5401 of Belkasoft version 9.9800, the product supports lifting USB restricted mode. Belkasoft Evidence Center gets past the restrictions automatically during the acquisition process.
Bypassing iPhone's USB restricted mode with Belkasoft Evidence Center
During the webinar you will learn:
Belkasoft Evidence Center is a world renowned tool used by thousands of customers for conducting computer and mobile forensic investigations. Belkasoft Evidence Center can automatically discover, extract and analyze evidence from a wide range of sources including computer hard drives and disk images in all popular formats, memory dumps, mobile devices and chip-off dumps.
Low-level access to hard disk and system structures means that even data that’s been deleted by the suspect cannot escape from investigators. Supporting Windows, Unix/Linux, Android, iOS and macOS file systems, natively mounting images created in EnCase, FTK, X-Ways, DD and SMART formats, UFED and chip-off binary dumps, and many popular virtual machines without using these or any third-party tools, Belkasoft Evidence Center can collect more evidence than any single competing tool in its class.
Apart from checkm8-based iOS acquisition, Evidence Center supports acquiring iTunes backups, jailbroken phones full file system copying, as well as agent-based jailbreak-free acquisition.