Acquiring iOS device
Acquiring mobile device
Using this option, you can acquire a smart device connected to your machine.
After clicking on Apple, you will see the list of acquisition types.
This is the standard way to backup iOS device data. It requires iTunes to be installed on the machine where Belkasoft X is running.
Note: Encrypted backup contains more data. Belkasoft X automatically turns on encryption if no password is set in iTunes.
To continue acquisition, you need to unlock smartphone or determine the path to the lockdown file.
Specify the Target path (for the folder where the smartphone image will be stored) and click Start - acquisition will begin.
If the password in iTunes was not set, during the acquisition enter the iPhone Unlock password on smartphone twice: at the beginning of the acquisition and at the end.
Agent-based acquisition of iOS devices
This method copies the contents of the file system through the installation of a special agent application. The amount of extracted data will be the same as with Full logical backup of jailbroken iOS devices acquisition or Checkm8-based acquisition of iOS devices (including data from keychain).
Supported iPhone models:
- 6 / 6 Plus
- 6S / 6S Plus
- 7 / 7 Plus
- 8 / 8 Plus
- iPhone X
- XS / XS Max
- 11 / 11 PRO / 11 PRO MAX
- SE (2nd)
- 12 / 12 mini
- 12 PRO / 12 PRO MAX
The functionality is also supported on iPads with chips similar to the ones found in the iPhone models above.
Supported iOS versions: starting from iOS 10 down to iOS 14.3.
Before you start acquisition with the agent backup, check and confirm that:
- Computer has internet access if you are using an Apple Developer ID
- Smartphone has internet access if you are using an Apple ID (free)
- Antivirus is stopped or paused
You will see the window below after selecting Agent backup in the window Add data source| Please select the acquisition type:
If you are using an Apple Developer ID (an Apple ID that participates in the Apple Developer Program) enter it and the App-specific password. Or use Free Apple ID and Password.
Unlock the iPhone or iPad using its passcode and connect the device to PC using a USB cable (port 3.0 is preferred). When you see the Trust this computer message on the iPhone, click Trust.
Specify the Target path and click Start - acquisition will begin.
If an Apple ID has two-factor authentication, enter the verification code in the Two-factor authentication window:
Follow the instructions in window Acquire a mobile device:
In order for the application to work, the certificate must be confirmed in the device settings:
- In the iOS Settings scroll down and tap 'General'
- Scroll down and tap 'Profiles, Profiles & Device Management' or 'Device Management', depending on the iOS version.
- Select a profile with Apple ID.
- Tap 'Trust [Apple ID]' and confirm your choice.
- Waiting for the profile to be trusted.
After the Agent is downloaded to the smartphone, enter the smartphone password.
Jailbroken device image
This acquisition method is only available for jailbroken iOS devices; however, it allows extracting much more data than by using standard iTunes backup.
This requires iTunes to be installed on the machine running Belkasoft X.
After choosing Jailbroken device image and connecting smartphone, you will see the window below:
After clicking on the Next button, the jailbreak status of the phone will be checked. If Jailbreak has not been completed on the device, a message will appear:
If Jailbreak has been completed on the device you will see:
Then select Target folder, click Start, and the acquisition process begins. Once the process reaches completion, you will see the iPhone or iPad image, which comes out as a TAR archive housing all the acquired data (including keychain).
Checkm8-based acquisition of iOS devices
The Apple Checkm8 function provides direct access to the file system of iPhones and allows for forensically sound extraction of data from the devices.
Compatible devices include the range of iPhone devices powered by Apple’s A7 through A11 SoC.
Supported iPhone models:
- 6/6 Plus; 6S/6S Plus
- 7/7 Plus
- X/8/8 Plus
Supported iOS versions:
- iOS builds starting from iOS 12.0 till iOS 14.7.
Note: To run Belkasoft X and perform the task here, you need a Windows 10 PC with the latest iTunes version installed on it.
After selecting Apple Checkm8, connect the iPhone to your PC using a USB cable.
- The cable must be original
- Use a USB 3.0 port
- It is better if the phone is password-protected - in this case, more data will be extracted (of course, if the password is known).
- Confirm the correct settings are set on the phone: Settings - Display & Brightness - Auto-Lock should be Never.
Choose the device iOS and iPhone model.
Specify the Target path, click Start and follow the steps required to get the iPhone into Recovery and then into DFU mode.
After clicking on the Complete button, Belkasoft X will communicate with the device and run the exploit.
The events log will be displayed.
You should pay attention to them. Belkasoft X might prompt you to enter the passcode for the iPhone. If the password is known, use it to unlock the device now. Otherwise, if the passcode is unavailable, click on the OK button to dismiss the prompt. In any case, Belkasoft X will start copying data from the iPhone.
Then enter the password on the device.
At the end of it all, you will see the Operation completely successfully message.
- Sometimes checkm8 works from second or third attempt only. Between attempts, please reboot the device twice.
- If the phone was previously jailbroken with other jailbreaks (or many times with checkra1n), it is common that it does not work with checkm8.
- Phones having MDM tools installed, have issues with checkm8 and checkra1n. The proper acquisition is not guaranteed, it is recommended to unregister them from the corresponding MDM.
- Other forensic tools, which support checkm8-based acquisition on Windows, may interfere Belkasoft work. It is recommended to separate these tools.
- If the USB Restricted Mode is enabled on the device and you do not have the passcode to an iPhone, you will be able to acquire data in BFU (BFU is an acronym for Before First Unlock). Belkasoft X disables USB Restricted Mode automatically during the checkm8-based acquisition process. You do not even need to perform manual or complicated maneuvers.
BFU acquisition can still provide you a lot of data. Here, you can see the results from one of our experiments—Belkasoft’s checkm8-based acquisition from the same iPhone with and without the passcode:
- If in the process of preparation for acquisition message 'Cannot locate the iTunes service. Please install it from the Microsoft Store' appears:
Try opening iTunes or reinstalling. The list of services should contain: AppleMobileDeviceService.exe (AppleMobileDeviceProcess.exe), ApplicationFrameHost.exe.
- If you suspect that the issue is with the Belkasoft product, try manual checkra1n. If it does not work either, most possibly, you will not be able to acquire the device with software-based methods.
This type of acquisition uploads data through Apple File Conduit (AFC) protocol. Available files: Photos, Videos, and some apps.
It requires iTunes to be installed on the machine where Belkasoft X is running.
Extracting application and system crash logs on iOS.
To use this functionality, you do not need to jailbreak your device, it is sufficient to have a passcode or a lockdown file of the device.
Keychain is the password management system developed by Apple. Without the keychain, it is impossible decrypt the various encrypted data extracted with the full file system acquisition.
Checkm8-enabled version of Belkasoft X can extract keychain not only via checkm8-based acquisition but also from any jailbroken iPhone, no matter which jailbreak was used. Based on the extracted information, various decryption tasks become possible. For instance, Belkasoft X can decrypt iOS Signal and Wickr messengers out of the box.