Elcomsoft iOS Forensic Toolkit


Perform physical and logical acquisition of iPhone, iPad and iPod Touch devices. Image device file system, extract device secrets (passwords, encryption keys and protected data) and decrypt the file system image.
 

  • Physical acquisition for 32-bit and 64-bit iOS devices via jailbreak
  • Logical acquisition with iTunes-style backup includes decrypted keychain
  • Unlocks iOS devices with pairing records (lockdown files)

  • Decrypts keychain items and extracts device keys
  • Real-time file system acquisition for jailbroken devices
  • Quickly extracts media and shared files, even if backup password is set

Supports: all generations of iPhone, iPad and iPod Touch with and without jailbreak; all versions of iOS from legacy to latest releases; legacy devices (up to and including iPhone 4) acquired instantly and regardless of lock/jailbreak state; logical acquisition with no passcode using a pairing record.

Description

Enhanced Forensic Access to iPhone/iPad/iPod Devices running Apple iOS

Perform the complete forensic acquisition of user data stored in iPhone/iPad/iPod devices. Elcomsoft iOS Forensic Toolkit allows imaging devices’ file systems, extracting device secrets (passcodes, passwords, and encryption keys) and decrypting the file system image. Access to most information is provided instantly.

Please note that some models require jailbreaking. See Compatible Devices and Platforms for details.

Physical Acquisition for Legacy, 32-bit and 64-bit Apple Devices

Physical acquisition is the only acquisition method to extract full application data, downloaded messages and location history. Physical acquisition operates on fixed-timeframe basis, which guarantees the delivery of the entire content of a 32-GB device in 40 minutes or less (depending on the amount of information stored in the device). In many cases, physical acquisition returns more data than logical acquisition, as many files are locked by the operating system and not accessible during the process of logical acquisition.

Elcomsoft iOS Forensic Toolkit supports both legacy hardware (iPhone 4 and older), jailbroken 32-bit devices (iPhone 4S through 5C) and jailbroken 64-bit devices (iPhone 5s through iPhone X).

A proprietary acquisition technique is exclusively available in Elcomsoft iOS Forensic Toolkit for 64-bit devices. Physical acquisition for 64-bit devices is fully compatible with jailbroken iPhones and iPads equipped with 64-bit SoC, returning the complete file system of the device (as opposed to bit-precise image extracted with the 32-bit process). Only devices with known or empty passcode are supported; passcode protection must be removed in iOS settings prior to acquisition.

Logical Acquisition with Keychain Extraction

iOS Forensic Toolkit supports logical acquisition, a simpler and safer acquisition method compared to physical. Logical acquisition produces a standard iTunes-style backup of information stored in the device. While logical acquisition returns less information than physical, experts are recommended to create a logical backup of the device before attempting more invasive acquisition techniques.

Logical acquisition with iOS Forensic Toolkit is the only acquisition methods allowing access to encrypted keychain items. Logical acquisition should be used in combination with physical for extracting all possible types of evidence.

Media and Shared Files Extraction

iOS Forensic Toolkit offers the ability to quickly extract media files such as Camera Roll, books, voice recordings, and iTunes media library. As opposed to creating a local backup, which could be a potentially lengthy operation, media extraction works quickly and easily on all supported devices. Extraction from locked devices is possible by using a pairing record (lockdown file).

In addition to media files, iOS Forensic Toolkit can extract stored files of multiple apps, extracting crucial evidence from 32-bit and 64-bit devices without a jailbreak. While access to app data without a jailbreak is limited, this new technique allows extracting Adobe Reader and Microsoft Office locally stored documents, MiniKeePass password database, and a lot more. The extraction requires an unlocked device or a non-expired lockdown record. If a lockdown record is used, some files may not be accessible unless the lock
screen passcode is removed.

Perform physical and logical acquisition of iPhone, iPad and iPod Touch devices. Image device file system, extract device secrets (passwords, encryption keys and protected data) and decrypt the file system image.

Compatible Devices and Platforms

Compatible Devices and Platforms
  • Legacy devices (up to iPhone 4): full, unconditional physical acquisition support
  • 32-bit devices with jailbreak: full physical acquisition support
  • 64-bit devices with jailbreak: physical acquisition via file system extraction
  • No jailbreak: advanced logical acquisition only *

System Requirements

System Requirements


Windows

  • Windows Server 2016
  • Windows Server 2012
  • Windows 7 (32 bit)
  • Windows 7 (64 bit)
  • Windows 8
  • Windows 8.1
  • Windows 10


Apple

  • OS X 10.6
  • OS X 10.7
  • OS X 10.8
  • OS X 10.9
  • OS X 10.10
  • OS X 10.11
  • OS X 10.12
  • OS X 10.13


Logical acquisition includes:

  • Extended information about the device
  • iTunes-format backup
  • List of installed apps
  • Media files extraction (even if the backup is password-protected)
  • Shared files extraction (even if the backup is password-protected)

Logical acquisition works even with locked devices with unknown passcode if a valid pairing record is available.

System Requirements

iOS Forensic Toolkit for Mac OS X requires an Intel-based Mac computer running macOS from 10.6 (Snow Leopard) to 10.12 (Sierra) with iTunes 10.6 or later installed.

The Toolkit for Microsoft Windows requires the computer running Windows 7, Windows 8/8.1 or Windows 10 with iTunes 10.6 or later installed.

Other versions of Mac OS X, Windows and iTunes might also work but have not been tested.

 

Features & Benefits
iOS Forensic Toolkit implements unconditional physical acquisition support for old iDevices (up to and including iPhone 4). Physical acquisition is also available for jailbroken 32-bit devices such as the iPhone 4S, 5, and 5C, the original iPad mini and 32-bit iPads. 64-bit devices (iPhone 5s through iPhone X) are supported via a dedicated physical acquisition for 64-bit devices technique (jailbreak required). The following compatibility matrix applies:
  • All devices: Logical acquisition and media extraction are available for all devices regardless of jailbreak status or iOS version. Supports lockdown files for accessing passcode-protected devices.
  • Legacy: Unconditional physical acquisition support for legacy devices (iPhone 4 and older) regardless of iOS version and lock status
  • 32-bit: Full physical acquisition support of jailbroken 32-bit devices running all versions of iOS (iPhone 4S through 5C, iPad mini)
  • 64-bit: Physical acquisition for jailbroken 64-bit devices running any version of iOS for which a jailbreak is available (iPhone 5S through iPhone X, iPad mini 2 through 4, iPad Air, Air 2)
  • No jailbreak available: Logical acquisition, shared files and media extraction only for devices running versions of iOS without a jailbreak. Device must be unlocked with passcode, Touch ID or lockdown record
Physical acquisition of 64-bit devices does not decrypt the keychain. In order to access protected items such as stored forms, passwords and authentication tokens, physical should be always preceded by logical acquisition via iOS Forensic Toolkit.
Logical acquisition is available for all devices regardless or hardware generation and jailbreak status. The device must be unlocked at least once after cold boot; otherwise, the device backup service cannot be started. Experts will need to unlock the device with passcode or Touch ID, or use a non-expired lockdown file extracted from the user’s computer. If the device is configured to produce password-protected backups, experts must use Elcomsoft Phone Breaker to recover the password and remove encryption. Elcomsoft Phone Breaker is also required to view keychain records. If no backup password is set, the tool will automatically configure the system with a temporary password (“123”) in order to be able to decrypt keychain items (password will be reset after the acquisition).
ElcomSoft already offers the ability to access information stored in iPhone/iPad/iPod devices by decrypting data backups made with Apple iTunes. The new toolkit offers access to much more information compared to what’s available in those backups, including access to passwords and usernames, email messages, geolocation data, application-specific data and more. Huge amounts of highly sensitive information stored in users’ smartphones can be accessed. Historical geolocation data, viewed Google maps and routes, Web browsing history and call logs, pictures, email and SMS messages, user names, passwords, and nearly everything typed on the iPhone is being cached by the device and can be accessed with the new toolkit.
Elcomsoft iOS Forensic Toolkit can access iOS secrets including most keychain items, opening investigators access to highly sensitive data such as login/password information to Web sites and other resources (and in many cases, to Apple ID). During physical acquisition, keychain recovery is only available for 32-bit devices. The keychain can be extracted but cannot be decrypted when using the physical acquisition for 64-bit devices technique. However, the logical acquisition module will still extract the keychain. You’ll be able to decrypt the keychain if no backup password was set in the iOS device (iOS Forensic Toolkit will specify a temporary password, “123”) or if you are able to break the original password if one is unknown (with Elcomsoft Phone Breaker).
Knowing the original passcode is never required, but may come handy in the case of iOS 4-7 devices (for iOS 8, however, it is required). The following chart helps to understand whether you’ll need a passcode for a successful acquisition.

iOS 1.x-3.x: passcode not required. All information will be accessible. The original passcode will be instantly recovered and displayed.

iOS 4.0-7.x: certain information is protected with passcode-dependent keys, including email messages, most keychain records (stored login/password information), and certain third-party application data.

iOS 8.x-11.x: most information is protected. Without the passcode, logical acquisition is supported.

Elcomsoft iOS Forensic Toolkit can brute-force iOS 4+ simple 4-digit passcodes in 10-40 minutes. Complex passcodes can be recovered as well, but require more time, as far as recovery is being performed right on the device and cannot be done "offline" on a faster equipment.

Part No:
AP-EIFT