# iOS Data Acquisition Guide

**Methods:** 9 | **Generated:** 2026-03-07

---

## Physical Acquisition

### checkm8 Physical Extraction (A5–A11)

Exploit the checkm8 bootrom vulnerability (present in Apple A5 through A11 chipsets) to obtain a full filesystem extraction bypassing the iOS passcode. Works on iPhone 5s through iPhone X.

**Tools:** Cellebrite UFED, GrayKey, Belkasoft X, checkra1n

**Prerequisites:**
- Device with A5-A11 chipset
- Forensic tool supporting checkm8 exploitation
- USB connection to the device
- Device must be in DFU mode

**Steps:**
1. Determine the device model and confirm A5-A11 chipset (iPhone 5s through iPhone X).
2. Put the device into DFU (Device Firmware Update) mode.
3. Use the forensic tool to send the checkm8 exploit payload.
4. The exploit loads a custom bootloader that bypasses the passcode.
5. Perform a full filesystem extraction.
6. Extract keychain data if passcode is known or bruteforced.
7. Hash and verify the extraction.

**Pros:** Full filesystem access including app data and system files | Bypasses passcode lock (filesystem access, not keychain) | Hardware-based exploit -- cannot be patched by Apple software updates | Works regardless of iOS version on supported hardware
**Cons:** Limited to A5-A11 chipsets (iPhone 5s through iPhone X, and corresponding iPads) | Does not work on A12+ (iPhone XR/XS and later) | BFU (Before First Unlock) state limits available data if device was powered off | Keychain extraction requires the passcode for full access
**Notes:** checkm8 is the most significant iOS forensic breakthrough in recent years. For A12+ devices (2018 and later), physical extraction is not currently possible without vendor exploits. Always document the BFU/AFU state of the device.

### GrayKey iOS Extraction

GrayKey (Magnet Forensics/Grayshift) is a hardware device that performs passcode brute-force and full filesystem extractions from iOS devices, including newer A12+ models.

**Tools:** GrayKey

**Prerequisites:**
- GrayKey hardware unit with active subscription
- Law enforcement or authorized government agency status
- Physical access to the device

**Steps:**
1. Connect the iOS device to the GrayKey unit via Lightning/USB-C.
2. Select the extraction type and configure passcode brute-force settings if needed.
3. GrayKey performs the passcode recovery and/or extraction.
4. Wait for the extraction to complete (time varies based on passcode complexity).
5. Download the extraction from the GrayKey web interface.
6. Analyze with GrayKey analysis tools, AXIOM, or Cellebrite PA.

**Pros:** Supports passcode brute-force on modern iOS devices | Full filesystem extraction capability on more devices than checkm8 alone | Regularly updated for new iOS versions and devices | Can extract data from BFU state on some configurations
**Cons:** Extremely expensive -- hardware purchase plus subscription | Only available to law enforcement and select government agencies | Extraction time depends on passcode complexity (days to weeks for six-digit or longer codes) | Apple continues to patch exploits used by GrayKey
**Notes:** GrayKey capabilities change frequently as Apple patches vulnerabilities and Grayshift discovers new ones. Always check current supported device/iOS version matrix before attempting extraction.

## Logical Acquisition

### iTunes/Finder Backup Acquisition

Create an iTunes (Windows) or Finder (macOS) backup of the iOS device. An encrypted backup contains significantly more data including Health data, Wi-Fi passwords, and keychain entries.

**Tools:** iTunes, Finder (macOS), iBackupBot, iExplorer

**Prerequisites:**
- Device passcode to unlock and trust the computer
- iTunes or macOS Catalina+ with Finder
- USB Lightning or USB-C cable

**Steps:**
1. Connect the iOS device to the forensic workstation via USB.
2. Trust the computer on the device if prompted (requires device passcode).
3. Open iTunes (Windows) or Finder (macOS Catalina+).
4. Select the device and choose "Back up to this computer".
5. CRITICAL: Enable "Encrypt local backup" -- encrypted backups contain more data.
6. Set a known encryption password.
7. Wait for the backup to complete.
8. Locate the backup folder and hash all files.
9. Parse the backup with forensic tools (Cellebrite, AXIOM, Autopsy, or open-source parsers).

**Pros:** Non-invasive and legally defensible | Encrypted backups contain far more data than unencrypted | Works on all iOS versions and device models | Backup files are well-documented and widely supported by forensic tools
**Cons:** Requires the device to be unlocked and trusted | Does not include all app data (apps can opt out of backup) | No deleted data recovery -- only current state | Backup encryption password must be set/known by the examiner
**Notes:** ALWAYS create an encrypted backup. Unencrypted backups are missing critical data categories including Health, Wi-Fi, and keychain. If a backup password was previously set by the user and is unknown, it must be brute-forced or reset (which requires the device passcode).
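As an added example (not part of this guide, and not code from any of the tools listed), a small Python parser for the iOS 10+ backup layout that step 9 hands to forensic tools: it reads the `IsEncrypted` flag from `Manifest.plist`, resolves each `Manifest.db` row to its on-disk blob (the `fileID` is the SHA-1 of `domain-relativePath`, stored under a folder named by its first two hex characters) and records a SHA-256 for the evidence log. The sample backup it builds is constructed inline; it refuses encrypted backups because their `Manifest.db` cannot be opened without the backup password, which is exactly why the password must be known to the examiner.

```python
import hashlib, plistlib, sqlite3, tempfile
from pathlib import Path
def backup_is_encrypted(backup: Path) -> bool:
    # IsEncrypted in Manifest.plist; when true, Manifest.db itself is encrypted
    # and cannot be opened without the backup password.
    meta = plistlib.loads((backup / "Manifest.plist").read_bytes())
    return bool(meta.get("IsEncrypted", False))
def file_id(domain: str, relative_path: str) -> str:
    # fileID = SHA-1("<domain>-<relativePath>"); the blob lives at <backup>/<fid[:2]>/<fid>
    return hashlib.sha1(f"{domain}-{relative_path}".encode()).hexdigest()

def build_manifest(backup: Path) -> list[dict]:
    """One record per regular file in Manifest.db, with the SHA-256 of its blob."""
    if backup_is_encrypted(backup):
        raise ValueError("encrypted backup: Manifest.db needs the backup password")
    con = sqlite3.connect(backup / "Manifest.db")
    rows = []
    for fid, domain, rel, flags in con.execute(
            "SELECT fileID, domain, relativePath, flags FROM Files"):
        if flags != 1:  # 1 = regular file, 2 = directory, 4 = symlink
            continue
        path = backup / fid[:2] / fid
        rows.append({"domain": domain, "path": rel,
                     "id_matches": fid == file_id(domain, rel),  # flags a tampered row
                     "present": path.is_file(),
                     "sha256": hashlib.sha256(path.read_bytes()).hexdigest()
                               if path.is_file() else None})
    con.close()
    return rows

def make_sample_backup(root: Path, encrypted: bool) -> Path:
    """Constructed mini-backup, not from a real device: one directory row, one file."""
    backup = root / "CONSTRUCTED-UDID"
    backup.mkdir()
    (backup / "Manifest.plist").write_bytes(plistlib.dumps({"IsEncrypted": encrypted}))
    con = sqlite3.connect(backup / "Manifest.db")
    con.execute("CREATE TABLE Files (fileID TEXT PRIMARY KEY, domain TEXT, "
                "relativePath TEXT, flags INTEGER, file BLOB)")
    for rel, flags, data in [("Library/SMS", 2, None), ("Library/SMS/sms.db", 1, b"abc")]:
        fid = file_id("HomeDomain", rel)
        con.execute("INSERT INTO Files VALUES (?,?,?,?,NULL)", (fid, "HomeDomain", rel, flags))
        if data is not None:
            (backup / fid[:2]).mkdir(exist_ok=True)
            (backup / fid[:2] / fid).write_bytes(data)
    con.commit(); con.close()
    return backup

def demo(encrypted: bool = False) -> list[dict]:
    with tempfile.TemporaryDirectory() as tmp:
        return build_manifest(make_sample_backup(Path(tmp), encrypted))
```

Point `build_manifest` at a real unencrypted backup folder (the one containing `Manifest.db`) to produce the per-file hash list; rows with `id_matches` false or `present` false are the ones to investigate before relying on the extraction.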

### AFC (Apple File Conduit) Extraction

Use the AFC and AFC2 protocols over USB to access the iOS filesystem. Standard AFC provides access to media files; jailbroken devices with AFC2 allow full filesystem access.

**Tools:** libimobiledevice, iFunBox, iMazing

**Prerequisites:**
- Device unlocked and paired/trusted
- libimobiledevice or compatible tool installed
- Jailbreak for AFC2 full filesystem access

**Steps:**
1. Connect the device and establish trust.
2. Use the libimobiledevice tools: `idevicepair pair && idevicebackup2 backup /evidence/`
3. For media files: use ifuse to mount the device media directory.
4. For AFC2 (jailbroken): mount the full filesystem.
5. Copy relevant files and directories.
6. Hash collected files.

**Pros:** Open-source tools available (libimobiledevice) | Access to media partition without full backup | AFC2 on jailbroken devices provides near-physical access
**Cons:** Standard AFC is very limited in scope | AFC2 requires a jailbroken device | Device must be unlocked and trusted
**Notes:** libimobiledevice is the most capable open-source iOS interaction library. It supports pairing, backup, and file access without iTunes. Actively maintained and regularly updated.

### checkm8 Filesystem Extraction

Use the checkm8 exploit to obtain a full filesystem extraction (without BFU bypass) from A5-A11 devices that are in an AFU (After First Unlock) state.

**Tools:** Cellebrite UFED, Belkasoft X, Elcomsoft iOS Forensic Toolkit

**Prerequisites:**
- A5-A11 device in AFU state
- Forensic tool with checkm8 support

**Steps:**
1. Confirm the device is in AFU state (has been unlocked at least once since boot).
2. Put the device into DFU mode.
3. Apply the checkm8 exploit via the forensic tool.
4. Extract the full filesystem including app data.
5. If the passcode is known, also extract keychain data.
6. Hash and verify the extraction.

**Pros:** Full filesystem access without needing the passcode | Comprehensive app data extraction | Works on all iOS versions for A5-A11 hardware
**Cons:** A5-A11 only (up to iPhone X) | AFU state required for data partition access | Keychain extraction still requires the passcode
**Notes:** The distinction between BFU and AFU is critical: in BFU state, the data partition encryption keys have not been derived, so only limited data is available. Always check and document the device state.

### Cellebrite UFED iOS Extraction

Cellebrite UFED supports multiple iOS extraction methods including advanced logical (equivalent to encrypted backup), filesystem (via checkm8 or agent), and full filesystem extraction.

**Tools:** Cellebrite UFED, Cellebrite Physical Analyzer

**Prerequisites:**
- Cellebrite UFED license and hardware
- Device passcode for advanced logical extraction
- Updated support packages

**Steps:**
1. Connect the iOS device to UFED.
2. Select the device model and iOS version.
3. Choose extraction method based on device capability matrix.
4. For advanced logical extraction: UFED creates an encrypted-backup-equivalent extraction.
5. For checkm8-supported devices: select filesystem or physical extraction.
6. Follow the UFED guided workflow.
7. Analyze with Physical Analyzer.

**Pros:** Broadest iOS device and version support | Multiple extraction methods in one tool | Automated workflows reduce examiner error | Regular updates for new iOS versions
**Cons:** Very expensive commercial license | Physical extraction limited to A5-A11 chipsets | A12+ devices limited to advanced logical or agent-based methods
**Notes:** Cellebrite remains the go-to tool for iOS forensics. For A12+ devices, the advanced logical extraction (encrypted backup equivalent) provides the most data available without exploitation.

### Elcomsoft iOS Forensic Toolkit (EIFT)

Elcomsoft iOS Forensic Toolkit provides checkm8-based extraction, advanced logical acquisition, and agent-based filesystem extraction for iOS devices.

**Tools:** Elcomsoft iOS Forensic Toolkit

**Prerequisites:**
- EIFT license
- Apple Developer account for agent-based extraction
- Device passcode for advanced logical and agent-based methods

**Steps:**
1. Connect the iOS device to the forensic workstation.
2. Launch EIFT and select the extraction method.
3. For checkm8 devices (A5-A11): select filesystem or physical extraction.
4. For A12+ devices: use agent-based extraction (requires developer account and device passcode).
5. For any device: use advanced logical (encrypted backup) extraction.
6. Wait for extraction and verify integrity.
7. Analyze with Elcomsoft Phone Viewer or export to other tools.

**Pros:** Supports checkm8, agent-based, and logical extraction methods | More affordable than Cellebrite or GrayKey | Command-line interface allows scripted extractions | Keychain extraction with passcode
**Cons:** Agent-based extraction requires Apple Developer account | Smaller support matrix than Cellebrite | Agent installation modifies the device
**Notes:** EIFT offers the best price-to-capability ratio for iOS forensics. The agent-based extraction method provides filesystem access on A12+ devices where checkm8 is not available.

## Cloud Acquisition

### iCloud Backup Acquisition

Acquire iCloud device backups which contain messages, photos, app data, and device settings. Available through Apple ID credentials, legal process, or forensic tools.

**Tools:** Elcomsoft Phone Breaker, Cellebrite Cloud, Legal Process

**Prerequisites:**
- Apple ID credentials and 2FA access for tool-based, OR
- Valid legal process for law enforcement, OR
- User consent

**Steps:**
1. Determine if iCloud Backup is enabled on the target device.
2. For tool-based acquisition: use Elcomsoft Phone Breaker with Apple ID credentials and 2FA token.
3. For law enforcement: submit legal process to Apple for iCloud backup data.
4. Download the iCloud backup archives.
5. Parse the backup using Cellebrite, AXIOM, or Elcomsoft Phone Viewer.
6. Analyze extracted data.

**Pros:** No physical access to the device required | Contains comprehensive device data including messages and media | Multiple backup snapshots may be available | Can be obtained through legal process without any credentials
**Cons:** iCloud Backup must be enabled by the user | Advanced Data Protection encrypts backups end-to-end (Apple cannot assist) | Two-factor authentication complicates tool-based access | Backup may not be recent if auto-backup is disabled
**Notes:** Check Advanced Data Protection status early. If ADP is enabled, iCloud backups are end-to-end encrypted and Apple cannot provide them even with legal process. Preservation requests to Apple should be sent immediately.

## Triage Acquisition

### Sysdiagnose Collection

Trigger and collect a sysdiagnose log bundle from iOS, which contains extensive diagnostic data including process lists, network connections, crash logs, and system statistics.

**Tools:** iOS Settings, Finder/iTunes, sysdiagnose parser

**Prerequisites:**
- Physical access to the unlocked device
- Ability to sync with a computer or share the file

**Steps:**
1. On the iOS device: simultaneously press both volume buttons + side button briefly (do not trigger power off/SOS).
2. Wait 2-3 minutes for the sysdiagnose to generate.
3. Go to Settings > Privacy & Security > Analytics & Improvements > Analytics Data.
4. Find the sysdiagnose file (`sysdiagnose_YYYY.MM.DD_...`).
5. Alternatively: connect the device to a Mac and sync -- the sysdiagnose bundle is saved under `~/Library/Logs/CrashReporter/MobileDevice/`
6. Extract and analyze the .tar.gz archive.

**Pros:** No jailbreak or special tools required | Contains rich diagnostic data (Wi-Fi, Bluetooth, processes, network) | Can be collected by non-technical personnel | Useful for investigating stalkerware and spyware
**Cons:** Does not contain user data (messages, photos, etc.) | Requires device interaction (button press) | Large archive that requires specialist parsing | Some data requires expertise to interpret
**Notes:** Sysdiagnose is invaluable for detecting spyware, analyzing network connections, and understanding device state. MVT (Mobile Verification Toolkit) can parse sysdiagnose bundles for spyware indicators. It is often the first artifact collected in mobile investigations.

---
*Generated by DFIR Assist*