Hello Reader,
If you haven’t already heard, Elcomsoft has updated their iOS Forensic Toolkit recently; you can check it out here: https://www.elcomsoft.com/eift.html. We got a license and tested it out, and what we found is that:
A. It does not ship with any rootless jailbreaks
B. It does not automate the process of installing rootless jailbreaks
C. It does not do a physical image of the device

What it does do, though, is provide you a list of tested jailbreaks (rooted and rootless) that you can install on an iOS device. Once the jailbreak is installed, you can then use the Elcomsoft iOS Forensic Toolkit to decrypt the keychain and, most importantly, get a full file system dump. We’ve tested this on an iPhone running iOS 12, and I can confirm that all the hidden and system directories we had been missing were included.

This includes not only FSEvents data but also the KnowledgeC databases that Sarah Edwards has been blogging about. We attached the same rootless jailbroken phone to Cellebrite, and it did not detect the presence of the jailbreak and so did not allow for a full file system dump.
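A check worth running after any such extraction is whether the archive really contains the hidden and system directories mentioned above. The following is an added example, not code from this post or from Elcomsoft: it audits a tar archive for FSEvents, KnowledgeC and keychain artifacts. The iOS paths in EXPECTED_ARTIFACTS are assumed standard locations, and the sample archive is constructed in memory for illustration.

```python
import io
import tarfile

# Hidden/system artifacts a full file-system dump should carry. Paths are
# assumed standard iOS locations relative to /, not taken from the post.
EXPECTED_ARTIFACTS = {
    "fsevents": "private/var/.fseventsd/",  # trailing slash marks a directory
    "knowledgeC": "private/var/mobile/Library/CoreDuet/Knowledge/knowledgeC.db",
    "keychain": "private/var/Keychains/keychain-2.db",
}

def audit_dump(tar_source):
    """Return {label: present?} for EXPECTED_ARTIFACTS plus 'hidden_entries',
    the count of dot-prefixed entries. tar_source is a path or raw tar bytes."""
    if isinstance(tar_source, bytes):
        tf = tarfile.open(fileobj=io.BytesIO(tar_source), mode="r:*")
    else:
        tf = tarfile.open(tar_source, mode="r:*")
    with tf:
        # Strip './' and leading '/' so dumps taken from / or ./ compare alike.
        names = [m.name.removeprefix("./").lstrip("/") for m in tf.getmembers()]
    report = {}
    for label, path in EXPECTED_ARTIFACTS.items():
        if path.endswith("/"):  # directory: the entry itself or any child
            report[label] = any(n == path[:-1] or n.startswith(path) for n in names)
        else:
            report[label] = path in names
    report["hidden_entries"] = sum(
        1 for n in names if any(part.startswith(".") for part in n.split("/")))
    return report

def make_sample_dump(full=True):
    """Construct a tiny in-memory tar standing in for a device extraction."""
    entries = ["private/var/mobile/Library/SMS/sms.db"]  # a 'logical' artifact
    if full:  # artifacts only a full file-system dump includes
        entries += [
            "private/var/.fseventsd/0000000000000001",
            "private/var/mobile/Library/CoreDuet/Knowledge/knowledgeC.db",
            "private/var/Keychains/keychain-2.db",
        ]
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for name in entries:
            data = b"constructed sample content"
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tf.addfile(info, io.BytesIO(data))
    return buf.getvalue()
```

Running `audit_dump` against a real extraction path gives the same report; a logical-only dump will show the FSEvents and KnowledgeC entries as missing.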

While I’m sure this will be fixed in the never-ending mobile forensics arms race in the near future, it’s a point towards Elcomsoft this round.

Though I do have to wonder if we could just dump a tar of the phone’s contents after applying the jailbreak ourselves, without using Elcomsoft at all. This will be tomorrow’s testing, along with a write-up this week of our process for doing so.