Elcomsoft iOS Forensic Toolkit
Enhanced Forensic Access to iPhone/iPad/iPod Devices running Apple
Perform the complete forensic acquisition of user data stored in iPhone/iPad/iPod devices. Elcomsoft iOS Forensic Toolkit allows imaging devices’ file systems, extracting device secrets (passcodes, passwords, and encryption keys) and decrypting the file system image. Access to most information is provided instantly.
Please note that some models require jailbreaking. See Compatible Devices and Platforms for details.
Features and Benefits
An all-in-one, complete acquisition solution
Physical acquisition (32-bit devices): acquire complete, bit-precise device images
Physical acquisition (64-bit devices): extract more information compared to logical or cloud acquisition
Logical acquisition: extract iTunes-style backups including the keychain
Extract information from locked devices (limitations apply)
Decrypt keychain items, extract device keys (32-bit devices only)
Quick file system acquisition: 20-40 minutes for 32 GB models
Zero-footprint operation leaves no traces and no alterations to devices’ contents (32-bit legacy devices only)
Fully accountable: every step of investigation is logged and recorded
Supports iOS up to 9.3.3
Passcode is not required
Simple 4-digit passcodes recovered in 10-40 minutes
Mac and Windows versions available
Automatic and manual modes available
Physical Acquisition for 32-bit and 64-bit Apple Devices
Physical acquisition is the method of choice for accessing information stored in iOS devices. Given a choice, forensic customers performing physical acquisition will obtain more information from the device than with any other method, such as logical acquisition or backup analysis. While it is difficult to predict how long it would take to break a password protecting an offline backup, physical acquisition operates on a fixed-timeframe basis, which guarantees the delivery of the entire content of a 32-GB device in 40 minutes or less (depending on the amount of information stored in the device). Physical acquisition creates a bit-precise image of the device in real time, so much more information is available than with backup analysis. It also returns more data than logical acquisition, as many files are locked by the operating system and not accessible during the process of logical acquisition.
Providing near-instant forensic access to encrypted information stored in the latest iPhone and iPad devices, Elcomsoft iOS Forensic Toolkit enables access to protected file system dumps extracted from supported Apple devices even if the original device passcode is unknown. At this time, physical acquisition support is only available for legacy hardware (iPhone 4 and older) and jailbroken 32-bit devices (iPhone 4S through 5C).
A proprietary acquisition technique is exclusively available in Elcomsoft iOS Forensic Toolkit for 64-bit devices. Physical acquisition for 64-bit devices is fully compatible with jailbroken iPhones and iPads equipped with 64-bit SoC, returning the complete file system of the device (as opposed to bit-precise image extracted with the 32-bit process). Note that the keychain is extracted but cannot be decrypted with the new 64-bit process. Only devices with known or empty passcode are supported; passcode protection must be removed in iOS settings prior to acquisition.
Support for 32-bit and 64-bit iOS Devices
iOS Forensic Toolkit implements unconditional physical acquisition support for old iDevices (up to and including iPhone 4). Physical acquisition is also available for jailbroken 32-bit devices such as the iPhone 4S, 5, and 5C, the original iPad mini and 32-bit iPads. 64-bit devices are supported via a dedicated physical acquisition for 64-bit devices technique (jailbreak required).
The following compatibility matrix applies:
All devices: Logical acquisition is available for all devices regardless of jailbreak status or iOS version. Supports lockdown files for accessing passcode-protected devices.
Legacy: Unconditional physical acquisition support for legacy devices (iPhone 4 and older) regardless of iOS version and lock status
32-bit: Full physical acquisition support of jailbroken 32-bit devices running all versions of iOS up to iOS 9 (iPhone 4S through 5C, iPad mini)
64-bit: Physical acquisition for jailbroken 64-bit devices running any version of iOS for which a jailbreak is available (iPhone 5S, 6, 6S and their Plus versions, iPad mini 2 through 4, iPad Air, Air 2)
Locked: Limited acquisition support for jailbroken 32-bit and 64-bit iOS devices that are locked with an unknown passcode and cannot be unlocked
Logical Acquisition with Lockdown Support and Keychain Extraction
iOS Forensic Toolkit supports logical acquisition, a simpler and safer acquisition method compared to physical. Logical acquisition produces a standard iTunes-style backup of information stored in the device. While logical acquisition returns less information than physical, experts are advised to create a logical backup of the device before attempting more invasive acquisition techniques.
Logical acquisition is available for all devices running iOS 4 or newer regardless of hardware generation and jailbreak status. The device must be unlocked at least once after cold boot; otherwise, the device backup service cannot be started.
Experts will need to unlock the device with passcode or Touch ID, or use a non-expired lockdown file extracted from the user’s computer.
If the device is configured to produce password-protected backups, experts must use Elcomsoft Phone Breaker to recover the password and remove encryption. Apple iTunes is not required to produce a backup. If no backup password is set, the tool will automatically configure the system with a temporary password (“123”) in order to be able to decrypt keychain items (password will be reset after the acquisition).
Access More Information than Available in iPhone Backups
ElcomSoft already offers the ability to access information stored in iPhone/iPad/iPod devices by decrypting data backups made with Apple iTunes. The new toolkit offers access to much more information compared to what’s available in those backups, including access to passwords and usernames, email messages, geolocation data, application-specific data and more.
Huge amounts of highly sensitive information stored in users’ smartphones can be accessed. Historical geolocation data, viewed Google maps and routes, Web browsing history and call logs, pictures, email and SMS messages, user names, passwords, and nearly everything typed on the iPhone is being cached by the device and can be accessed with the new toolkit.
Real-Time Access to Encrypted Information
Unlike previously employed methods relying on lengthy dictionary attacks or brute force password recovery, the new toolkit can extract most encryption keys out of the physical device. With encryption keys handily available, access to most information is provided in real-time. A typical acquisition of an iPhone device takes from 20 to 40 minutes (depending on model and memory size); more time is required to process 64-Gb versions of Apple iPad. The list of exceptions is short, and includes user’s passcode, which can be brute-forced or recovered with a dictionary attack.
Keychain Recovery
Elcomsoft iOS Forensic Toolkit can access iOS secrets including most keychain items, giving investigators access to highly sensitive data such as login/password information to Web sites and other resources (and in many cases, to Apple ID).
During physical acquisition, keychain recovery is only available for 32-bit devices. The keychain can be extracted but cannot be decrypted when using the physical acquisition for 64-bit devices technique.
However, the logical acquisition module will still extract the keychain. You’ll be able to decrypt the keychain if no backup password was set in the iOS device (iOS Forensic Toolkit will specify a temporary password, “123”) or, if a password was set and is unknown, if you are able to break the original password (with Elcomsoft Phone Breaker).
Passcode Recovery
Knowing the original passcode is never required, but may come in handy in the case of iOS 4-7 devices (for iOS 8, however, it is required). The following chart helps to understand whether you’ll need a passcode for a successful acquisition.
iOS 1.x-3.x: passcode not required. All information will be accessible. The original passcode will be instantly recovered and displayed.
iOS 4.0-7.x: certain information is protected with passcode-dependent keys, including the following:
Email messages;
Most keychain records (stored login/password information);
Certain third-party application data, if the application requested strong encryption.
iOS 8.x and 9.x: most information is protected. Without the passcode, we can get only a very limited amount of data; see Apple’s Take on Government Surveillance: On Its Customers’ Side for details.
Elcomsoft iOS Forensic Toolkit can brute-force iOS 4+ simple 4-digit passcodes in 10-40 minutes. Complex passcodes can be recovered as well, but require more time, because recovery is performed on the device itself and cannot be done "offline" on faster equipment.
System Requirements
iOS Forensic Toolkit for Mac OS X requires an Intel-based Mac computer running Mac OS X from 10.6 (Snow Leopard) to 10.11 (El Capitan) with iTunes 10.6 or later installed.
iOS Forensic Toolkit has a known compatibility issue with OS X 10.10.5 and 10.11 and old iOS devices (iPhone 4 and older) requiring the use of the DFU mode. Acquisition of newer devices is working correctly in El Capitan.
The Toolkit for Microsoft Windows requires a computer running Windows XP, Windows 7, Windows 8/8.1 or Windows 10 with iTunes 10.6 or later installed.
Other versions of Mac OS X, Windows and iTunes might also work but have not been tested.
Compatible Devices and Platforms
The Toolkit fully supports the following iOS devices, running all iOS versions up to iOS 7; no jailbreaking required, passcode can be bypassed or quickly recovered:
iPhone (original)
iPhone 3G
iPhone 3GS
iPhone 4 (GSM and CDMA models)
iPad (1st generation)
iPod Touch (1st - 4th generations)
Physical acquisition is available for the following models (requires jailbreak with OpenSSH installed):
iPhone 4S
iPhone 5
iPhone 5C
iPod Touch (5th gen)
iPad 2
iPad with Retina display (3rd and 4th generations)
iPad Mini
The following (64-bit) models are supported via physical acquisition for 64-bit devices, regardless of iOS version (up to 9.0.2):
iPhone 5S
iPhone 6
iPhone 6 Plus
iPhone 6S
iPhone 6S Plus
iPad Air
iPad Air 2
iPad Mini 2/3/4
iPad Pro
Supported operating systems:
iOS 1-5
iOS 6.0-6.1.2 (with evasi0n jailbreak)
iOS 6.1.3-6.1.6 (with p0sixspwn jailbreak)
iOS 7.0 (with evasi0n jailbreak)
iOS 7.1 (with Pangu 1.2+ jailbreak)
iOS 8.0-8.1.2 (with TaiG, PanGu or PP jailbreak)
iOS 8.1.3-8.4 (with TaiG 2.0 jailbreak)
iOS 9.0-9.1 (with PanGu jailbreak)
iOS 9.2-9.3.3 (with PanGu jailbreak)
© Copyright 2000-2023 COGITO SOFTWARE CO.,LTD. All rights reserved