iOS Forensic Toolkit 10.10 adds pairing-free sideloading of the extraction agent

iOS Forensic Toolkit 10.10 introduces alternative methods for sideloading the low-level extraction agent that require no pairing, delivering the agent to the device over a wired or wireless network bridge.

In this release, we added a new way to sideload the low-level extraction agent onto an iOS device without establishing a pairing relationship. Instead of relying on a trusted pairing record, the toolkit uses a network bridge, wired or wireless, to deliver the extraction agent to the device and open a communication channel back to the investigator’s computer.

This targets a specific scenario: the device is in hand and its passcode is known, but Stolen Device Protection blocks new trusted relationships with unknown computers unless biometric authentication is provided, and biometrics are not available for legal or operational reasons. The pairing-free path sidesteps that requirement entirely.

The new sideloading process requires a paid Apple Developer account, the device itself, and its screen lock passcode. The extraction agent’s own compatibility matrix still applies, so check the iOS Forensic Toolkit product page for the latest details on supported devices and OS versions.

The new method is supported in all three editions: Windows, Linux, and macOS. We recommend using a Mac as the most straightforward solution.

With iOS Forensic Toolkit 10.10, investigators can finally extract data from devices with known passcodes even when those devices are locked down with Stolen Device Protection or have a damaged USB port.

iOS Forensic Toolkit is a command-line tool able to perform full file system and extended logical acquisition of iPhone, iPad and IoT Apple devices. The tool covers the entire range of Apple hardware and OS versions, implementing bootloader-based, agent-based, and logical acquisition paths.

iOS Forensic Toolkit 10.10 release notes

  • extraction agent: added alternative sideloading methods with no pairing required (all platforms)
  • extraction agent: iOS 16.7.16 now officially supported (all platforms)
  • general: fixed encrypted image mounting (all platforms)
  • general: fixed antivirus false positive detection issues (Windows)
