Enhanced Forensic Access to iPhone/iPad/iPod Devices running Apple iOS
Perform the complete forensic acquisition of user data stored in iPhone/iPad/iPod devices. Elcomsoft iOS Forensic Toolkit allows eligible customers to acquire bit-to-bit images of devices’ file systems, extract device secrets (passcodes, passwords, and encryption keys) and decrypt the file system image. Access to most information is provided instantly.
Please note that not all of the devices and iOS versions are supported, and some models require jailbreaking. See Compatible Devices and Platforms for details.
Features and Benefits
- An all-in-one, complete solution
- Acquire complete, bit-precise device images
- Decrypt keychain items, extract device keys
- Quick file system acquisition: 20-40 minutes for 32 GB models
- Zero-footprint operation leaves no traces and no alterations to devices’ contents
- Fully accountable: every step of investigation is logged and recorded
- Supports iOS up to 8.4
- Passcode is not required
- Simple 4-digit passcodes recovered in 10-40 minutes
- Mac and Windows versions available
- Automatic and manual modes available
Access More Information than Available in iPhone Backups
ElcomSoft already offers the ability to access information stored in iPhone/iPad/iPod devices by decrypting data backups made with Apple iTunes. The new toolkit offers access to much more information compared to what’s available in those backups, including access to passwords and usernames, email messages, application-specific data and more.
Huge amounts of highly sensitive information stored in users’ smartphones can be accessed. Historical geolocation data, viewed Google maps and routes, Web browsing history and call logs, pictures, email and SMS messages, usernames, passwords, and nearly everything typed on the iPhone is cached by the device and can be accessed with the new toolkit.
Real-Time Access to Encrypted Information
Unlike previously employed methods relying on lengthy dictionary attacks or brute force password recovery, the new toolkit can extract most encryption keys out of the physical device. With encryption keys handily available, access to most information is provided in real-time. A typical acquisition of an iPhone device takes from 20 to 40 minutes (depending on model and memory size); more time is required to process 64 GB versions of Apple iPad. The list of exceptions is short, and includes the user’s passcode, which can be brute-forced or recovered with a dictionary attack.
Elcomsoft iOS Forensic Toolkit can access iOS secrets including most keychain items, giving investigators access to highly sensitive data such as login/password information to Web sites and other resources.
Knowing the original passcode is never required, but may come in handy in the case of iOS 4-7 devices (for iOS 8, however, it is required). The following chart helps you understand whether you’ll need a passcode for a successful acquisition.
iOS 1.x-3.x: passcode not required. All information will be accessible. The original passcode will be instantly recovered and displayed.
iOS 4.0-7.x: certain information is protected with passcode-dependent keys, including the following:
- Email messages;
- Most keychain records (stored login/password information);
- Certain third-party application data, if the application requested strong encryption.
iOS 8.x: most information is protected. Without the passcode, we can get only a very limited amount of data (basically just the contact list and voice mail); see Apple’s Take on Government Surveillance: On Its Customers’ Side for details.
Elcomsoft iOS Forensic Toolkit can brute-force iOS 4+ simple 4-digit passcodes in 10-40 minutes. Complex passcodes can be recovered as well, but require more time, because recovery is performed on the device itself and cannot be done "offline" on faster equipment.
Escrow File Support
For iOS 4, an escrow file can be used to decrypt protected pieces of information even without knowing the original passcode. An escrow file can be obtained from a computer with which the device under investigation has been connected/synced. For iOS 5 and later versions, a similar technology is used for device syncing (with pairing records), but these records can be used only to perform an iTunes backup of the device (without unlocking it), not for physical acquisition or passcode cracking.
iOS Forensic Toolkit for Mac OS X requires an Intel-based Mac computer running Mac OS X 10.6 (Snow Leopard), 10.7 (Lion), 10.8 (Mountain Lion), 10.9 (Mavericks) or 10.10 (Yosemite) with iTunes 10.6 or later installed.
The Toolkit for Microsoft Windows requires a computer running Windows XP, Windows 7 or Windows 8/8.1 with iTunes 10.6 or later installed.
Other versions of Mac OS X, Windows and iTunes might also work but have not been tested.
Compatible Devices and Platforms
The Toolkit completely supports the following iOS devices, running all iOS versions up to iOS 7; no jailbreaking required, and passcode does not actually matter:
- iPhone (original)
- iPhone 3G
- iPhone 3GS
- iPhone 4 (GSM and CDMA models)
- iPad (1st generation)
- iPod Touch (1st - 4th generations)
Support for the following models is limited to jailbroken devices only (the device must either already be jailbroken with OpenSSH installed, or you must be able to install the jailbreak yourself, which means the passcode is not set or is known, and the iOS version is compatible with the jailbreak):
- iPhone 4s
- iPhone 5
- iPhone 5C
- iPod Touch (5th gen)
- iPad 2
- iPad with Retina display (3rd and 4th generations)
- iPad Mini
The following (64-bit) models are not supported at all, regardless of iOS version and jailbreak status:
- iPhone 5S
- iPhone 6
- iPhone 6 Plus
- iPad Air
- iPad Mini with Retina display
Supported operating systems:
- iOS 1-5
- iOS 6.0-6.1.2 (with evasi0n jailbreak)
- iOS 6.1.3-6.1.6 (with p0sixspwn jailbreak)
- iOS 7.0 (with evasi0n jailbreak)
- iOS 7.1 (with Pangu 1.2+ jailbreak)
- iOS 8.0-8.1.2 (with TaiG or PP jailbreak)
- iOS 8.1.3-8.4 (with TaiG 2.0 jailbreak)