The new release of Belkasoft X introduces forensically sound, jailbreak-free extraction of select iOS devices via a hard-coded, unpatchable exploit. Compatible devices include the range of iPhone devices powered by Apple’s A7 through A11 SoC (iPhone 5s through iPhone X). Supported iOS versions are 12.0 to 15.5.
Belkasoft X makes use of a hard-coded vulnerability that exists in all Apple devices based on the A7 through A11 SoC generations. The checkm8 exploit that makes use of this vulnerability cannot be patched by Apple since the vulnerability itself exists in a hardware-protected, read-only area of the device memory.
The jailbreaking community released a public jailbreak based on this vulnerability. The checkra1n jailbreak can be used by Linux and macOS users. However, installing a jailbreak on a device being analyzed is a complex, unsafe and not quite forensically sound process.
Belkasoft X provides direct access to the file system of affected devices without the need for a jailbreak. Direct access to the file system enables forensically sound extraction for the entire range of supported iOS devices. The functionality is available on Windows 10.
The following iPhone and iPad device models are supported:
The supported range of iOS versions is 12.0 to 15.5.
Keychain is the password management system developed by Apple. Without the keychain, you cannot decrypt various encrypted data extracted with full file system acquisition. The checkm8-enabled version of Belkasoft X can extract the keychain not only via checkm8-based acquisition but also from any jailbroken iPhone, no matter which jailbreak was used. Based on the information extracted, various decryption tasks become possible. For instance, Belkasoft X can decrypt the iOS Signal messenger out of the box.
Due to the nature of the exploit, Belkasoft X can extract certain types of data even if the device is locked and the password is not known. This boot-mode extraction is available for all devices from the supported range regardless of their lock state. The data extracted from a locked device is immediately loaded and can be analyzed with Belkasoft X.
Starting with build 5401 of Belkasoft version 9.9800, the product supports lifting USB restricted mode. Belkasoft X gets past the restrictions automatically during the acquisition process.
Belkasoft X is a world-renowned tool used by thousands of customers for conducting computer and mobile forensic investigations. Belkasoft X can automatically discover, extract and analyze evidence from a wide range of sources including computer hard drives and disk images in all popular formats, memory dumps, mobile devices and chip-off dumps.
Low-level access to hard disk and system structures means that even data that’s been deleted by the suspect cannot escape from investigators. Supporting Windows, Unix/Linux, Android, iOS and macOS file systems, natively mounting images created in EnCase, FTK, X-Ways, DD and SMART formats, UFED and chip-off binary dumps, and many popular virtual machines without using these or any third-party tools, Belkasoft X can collect more evidence than any single competing tool in its class.
Apart from checkm8-based iOS acquisition, Belkasoft X supports acquiring iTunes backups, full file system copying from jailbroken phones, and agent-based jailbreak-free acquisition.