Belkasoft X Delivers Forensically Sound iOS Extraction via Unpatchable Exploit

The new release of Belkasoft X introduces forensically sound, jailbreak-free extraction of select iOS devices via a hard-coded, unpatchable exploit. Compatible devices include the range of iPhone devices powered by Apple’s A7 through A11 SoC (iPhone 5s through iPhone X). Supported iOS versions are 12.0 to 15.5.

Full File System iOS Acquisition

Belkasoft X makes use of a hard-coded vulnerability that exists in all Apple devices based on the A7 through A11 SoC generations. The checkm8 exploit that makes use of this vulnerability cannot be patched by Apple since the vulnerability itself exists in a hardware-protected, read-only area of the device memory.

The jailbreaking community released a public jailbreak based on this vulnerability. The checkra1n jailbreak can be used by Linux and macOS users. However, installing a jailbreak on a device being analyzed is a complex, unsafe and not quite forensically sound process.

What is the difference between checkm8 support in Belkasoft and checkra1n?

Belkasoft X provides direct access to the file system of affected devices without the need for a jailbreak. Direct access to the file system enables forensically sound extraction for the entire range of supported iOS devices. The functionality is available on Windows 10.

Read an overview article about checkm8 here.

Supported Devices and iOS Versions

The following iPhone and iPad device models are supported:

Supported range of iOS versions is 12.0 to 15.5.

Keychain Extraction

Keychain is the password management system developed by Apple. Without keychain you cannot decrypt various encrypted data extracted with full file system acquisition. checkm8-enabled version of Belkasoft X can extract keychain not only via checkm8-based acquisition but also from any jailbroken iPhone, no matter which jailbreak was used. Basing on the information extracted, various decryption tasks made possible. For instance, Belkasoft X can decrypt iOS Signal messenger out of the box.

Extraction of Locked iPhones

Due to the nature of the exploit, Belkasoft X can extract certain types of data even if the device is locked and the password is not known. This boot-mode extraction is available for all devices from the supported range regardless of their lock state. The data extracted from a locked device is immediately loaded and can be analyzed with Belkasoft X.

Starting build 5401 of Belkasoft version 9.9800, the product supports lifting USB restricted mode. Belkasoft X gets past the restrictions automatically during the acquisition process.

See Also

Checkm8 Acquisition Troubleshooting

belkasoft_checkm8

Webinar

Bypassing iPhone's USB restricted mode with Belkasoft X

During the webinar you will learn:

  • What is iOS USB restricted mode?
  • How Belkasoft X can help you to deal with it during an investigation?
  • What other features are available in Belkasoft X to help you to investigate iDevices and iOS?
belkasoft_bec

About Belkasoft X

Belkasoft X is a world renowned tool used by thousands of customers for conducting computer and mobile forensic investigations. Belkasoft X can automatically discover, extract and analyze evidence from a wide range of sources including computer hard drives and disk images in all popular formats, memory dumps, mobile devices and chip-off dumps.

Low-level access to hard disk and system structures means that even data that’s been deleted by the suspect cannot escape from investigators. Supporting Windows, Unix/Linux, Android, iOS and macOS file systems, natively mounting images created in EnCase, FTK, X-Ways, DD and SMART formats, UFED and chip-off binary dumps, and many popular virtual machines without using these or any third-party tools, Belkasoft X can collect more evidence than any single competing tool in its class.

Apart from checkm8-based iOS acquisition, Belkasoft X supports acquiring iTunes backups, jailbroken phones full file system copying, as well as agent-based jailbreak-free acquisition.

Pricing and Availability

Belkasoft X is available immediately. Prospective customers are welcome to request a quote and contact us in case of any questions.