Cheat Sheet: Perfect Acquisition (32-bit)

October 13th, 2025 by Elcomsoft R&D
Category: «Elcomsoft News», «Mobile», «Tips & Tricks»

Perfect Acquisition is the most sophisticated method for extracting data from compatible iOS devices. This method is completely forensically sound; it doesn’t modify a single bit of the filesystem. When supported, this method should always be used over alternatives. This guide outlines the entire process, from acquiring the data dump to decrypting and mounting it for analysis. Note: this guide applies to iOS Forensic Toolkit 8.80 and newer, in which the process has been made easier to use.

System requirements

Perfect Acquisition is supported on the following devices and platforms:

  • Compatible devices: Perfect Acquisition is available for a range of 32-bit Apple devices, and supports models from the iPhone 3GS to iPhone 5c. Also supported are classic iPad 1 through 4, the original iPad Mini, Apple TV 2 and 3 as well as the original Apple Watch S0.
  • Host computer: currently, Perfect Acquisition is available in macOS and Linux editions of iOS Forensic Toolkit.
  • Mounting disk image: to mount the disk image on a Windows computer without EIFT installed, use FSTool, a free, portable, in-house developed tool. Unpack the archive to any folder, install the included version of WinFSP (by launching the corresponding .msi installer), and run fstool.exe from that folder; FSTool itself requires no installation.

Note: all supported iPhone/iPad/Apple TV models use HFS exclusively. APFS is only used on 64-bit devices starting with iOS 10.3, tvOS 10.2, watchOS 3.2. However, the Apple Watch S0 has used APFS since watchOS 3.2 despite being a 32-bit model.

Important: for all operations that output a file, a file with that name must not already exist in the output path. If one already exists, e.g. from an interrupted previous attempt or from another extraction, the toolkit will return an error.

Basic sequence

The extraction is performed by running the following commands (each command is followed by a short usage note).

./EIFT_cmd boot -w 

Starts iOS Forensic Toolkit in wait mode. The command can be launched either before or after connecting the device in DFU mode, so you can place the device in DFU mode while the tool is already waiting (if, for example, the device was originally connected in regular or Recovery mode).

./EIFT_cmd ramdisk diskdump -o data.dmg 

Creates a disk image saved as data.dmg.

./EIFT_cmd ramdisk dumpkeys -n -o keys_bfu.plist 

Extracts BFU keys (a partial key set that does not require the device passcode) into keys_bfu.plist.

./EIFT_cmd fstool -i data.dmg -B systembag.kb -k keys_bfu.plist 

Extracts the system keybag from data.dmg into systembag.kb using the BFU keys.

./EIFT_cmd ramdisk passcode -b systembag.kb -k keys_bfu.plist 

Auto-detects passcode type and runs a passcode recovery attack with default settings; support for 4- and 6-digit codes is detected automatically.

./EIFT_cmd ramdisk dumpkeys -k keys_bfu.plist -b systembag.kb -o keys.plist -p <PASSCODE> 

Extracts the full set of keys (replace <PASSCODE> with the discovered or known device passcode).

Keychain decryption and mounting the disk image

Next, decrypt the keychain and mount the data image. Use the following commands:

./EIFT_cmd tools keychain -i data.dmg -k keys.plist -o keychain.xml 

Extracts and saves the keychain to XML.

./EIFT_cmd fstool -i data.dmg -k keys.plist --mount 

Mounts the disk image.

Important: to mount the disk image on a Windows PC where iOS Forensic Toolkit is not installed, use the following command:

fstool.exe -i data.dmg -k keys.plist --mount

If mounting returns error=1455, the system has insufficient available memory; increase the swap file size.
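
The sequence above can be wrapped so that the "output file must not already exist" rule is checked before the device is touched and a failed step stops the run. This is an added example, not Elcomsoft's code: the command lines are copied from this guide, while the EIFT variable and the preflight, step, acquire_bfu and acquire_full functions are assumptions of the sketch. Mounting is left as a manual step.

```sh
#!/bin/sh
# Added example, not part of iOS Forensic Toolkit. Run from the case directory.
EIFT="${EIFT:-./EIFT_cmd}"   # assumed location of the toolkit binary
# Every file the sequence writes, in the order the guide creates them.
OUTPUTS="data.dmg keys_bfu.plist systembag.kb keys.plist keychain.xml"

# Print each output file that already exists in directory $1.
# Returns 1 if any were found, because the toolkit would return an error.
preflight() {
    rc=0
    for f in $OUTPUTS; do
        if [ -e "$1/$f" ]; then echo "$1/$f"; rc=1; fi
    done
    return $rc
}

# Run one toolkit command; report the subcommand and fail if it exits non-zero.
step() {
    "$EIFT" "$@" || { echo "failed: $1 $2" >&2; return 1; }
}

# Phase 1: disk image, BFU keys, system keybag, passcode recovery.
acquire_bfu() {
    preflight . >&2 || { echo "move the files listed above first" >&2; return 2; }
    step boot -w &&
    step ramdisk diskdump -o data.dmg &&
    step ramdisk dumpkeys -n -o keys_bfu.plist &&
    step fstool -i data.dmg -B systembag.kb -k keys_bfu.plist &&
    step ramdisk passcode -b systembag.kb -k keys_bfu.plist
}

# Phase 2: full key set and keychain, once the passcode ($1) is known.
acquire_full() {
    for f in data.dmg keys_bfu.plist systembag.kb; do
        [ -s "$f" ] || { echo "missing phase 1 output: $f" >&2; return 2; }
    done
    for f in keys.plist keychain.xml; do
        [ ! -e "$f" ] || { echo "already exists: $f" >&2; return 2; }
    done
    step ramdisk dumpkeys -k keys_bfu.plist -b systembag.kb -o keys.plist -p "$1" &&
    step tools keychain -i data.dmg -k keys.plist -o keychain.xml
}
```

Source the file, call acquire_bfu, note the recovered passcode, then call acquire_full with it; if the passcode is already known, the last step of phase 1 can be dropped.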

Additional notes

DMG images have several advantages compared to a filesystem image in .tar format: extracting to a DMG preserves more metadata and provides greater reliability over extracting the filesystem. With tar you extract filesystem contents, while here you export the entire “disk” of the device; there is a meaningful difference between the two. We plan a detailed article on this topic.

Forensic analysis tools: existing tools may need improvements to handle extractions made this way. Cellebrite Physical Analyzer and Magnet AXIOM reliably parse the mounted images; Oxygen Forensic Detective may fail due to hard-coded fixed paths or incompatibility with legacy iOS versions installed on 32-bit devices.

In the future, we plan to make a similar method available for more 64-bit devices that are compatible with the checkm8 exploit. APFS support is already implemented in the fstool utility.

