Description
| $ 1495 |
New features
Extracting all devices with iOS 13 through 13.5 with unc0ver
The latest release enables the extraction (full file system and
keychain) of Apple devices running all versions of iOS 13 up to and
including the latest iOS 13.5. The extraction is available for all
devices compatible with the unc0ver jailbreak. The up to date
compatibility matrix is applicable to all Apple devices capable of
running the corresponding version of iOS:
- iOS 13.0 – 13.5: full file system + keychain via unc0ver or checkra1n jailbreaks
- iOS 13.0 – 13.3: full file system + keychain via forensically sound extraction agent (no jailbreak required)
- iOS 13.3.1 – 13.4.1: full file system only (no keychain) via forensically sound extraction agent (no jailbreak required)
Forensic Access to iPhone/iPad/iPod Devices running Apple iOS
Perform the complete forensic acquisition of user data stored in
iPhone/iPad/iPod devices. Elcomsoft iOS Forensic Toolkit allows imaging
devices’ file systems, extracting device secrets (passcodes, passwords,
and encryption keys) and accessing locked devices via lockdown records.
See Compatible Devices and Platforms for details.
Physical Acquisition of iOS Devices
Physical acquisition is the only acquisition method
to extract full application data, protected keychain items, downloaded
messages and location history. Physical acquisition returns more
information compared to logical acquisition due to direct low-level
access to data.
Elcomsoft iOS Forensic Toolkit supports jailbroken 64-bit devices
(iPhone 5s and newer) running most versions of iOS 7 through 13.x. The
use of a bootrom-based jailbreak enables partial file system &
keychain acquisition for BFU, locked and disabled iPhone models ranging
from the iPhone 5s through iPhone X (via checkra1n jailbreak). Full file
system and complete keychain acquisition for unlocked devices from this
device range.
Full File System Extraction and Keychain Decryption Without a Jailbreak
A jailbreak-free extraction method based on direct access to the file
system is available for a limited range of iOS devices. Using an
in-house developed extraction tool, this acquisition method installs an
extraction agent onto the device being acquired. The agent communicates
with the expert’s computer, delivering robust performance and extremely
high extraction speed topping 2.5 GB of data per minute.
Better yet, agent-based extraction is completely safe as it neither
modifies the system partition nor remounts the file system while
performing automatic on-the-fly hashing of information being extracted.
Agent-based extraction does not make any changes to user data, offering
forensically sound extraction.
Both the file system image and all keychain records are extracted and
decrypted. The agent-based extraction method delivers solid performance
and results in forensically sound extraction. Removing the agent from
the device after the extraction takes one push of a button.
Logical Acquisition
iOS Forensic Toolkit supports logical acquisition, a simpler and
safer acquisition method compared to physical. Logical acquisition
produces a standard iTunes-style backup of information stored in the
device, pulls media and shared files and extracts system crash logs.
While logical acquisition returns less information than physical,
experts are recommended to create a logical backup of the device before
attempting more invasive acquisition techniques.
We always recommend using logical acquisition in combination with physical for safely extracting all possible types of evidence.
Media and Shared Files
Quickly extract media files such as Camera Roll, books, voice
recordings, and iTunes media library. As opposed to creating a local
backup, which could be a potentially lengthy operation, media extraction
works quickly on all supported devices. Extraction from locked devices
is possible by using a pairing record (lockdown file).
In addition to media files, iOS Forensic Toolkit can extract stored
files of multiple apps, extracting crucial evidence without a jailbreak.
Extract Adobe Reader and Microsoft Office locally stored documents,
MiniKeePass password database, and a lot more. The extraction requires
an unlocked device or a non-expired lockdown record.
Perform physical and logical acquisition of iPhone, iPad and iPod
Touch devices. Image device file system, extract device secrets
(passwords, encryption keys and protected data) and decrypt the file
system image.
All Features and Benefits
iOS Forensic Toolkit implements physical
acquisition support for jailbroken devices from iPhone 5s through iPhone
11, 11 Pro and 11 Pro Max. Logical acquisition is available for devices
without a jailbreak.
The following compatibility matrix applies:
- Agent (without a jailbreak): Full file system
extraction and keychain decryption for devices running iOS 10 through
13.3; full file system only (no keychain): iOS 13.3.1-13.4.1. The
corresponding iPad models are also covered.
- With jailbreak: Physical acquisition for jailbroken
devices running any version of iOS for which a jailbreak is available
(iPhone 5s through iPhone 11 Pro Max, most iPad models, Apple TV 4 &
4K).
- With bootrom-based jailbreak: Partial file system
& keychain acquisition for BFU, locked and disabled iPhone models
ranging from the iPhone 5s through iPhone X (via checkra1n jailbreak).
Full file system and complete keychain acquisition for unlocked devices
from this device range.
- No jailbreak: Logical acquisition, shared files and
media extraction for devices running versions of iOS without a
jailbreak. Device must be unlocked with passcode, Touch ID or lockdown
record
Elcomsoft iOS Forensic Toolkit is the only
third-party tool on the market to extract information from Apple Watch
devices. While experts may attempt creating an iTunes-style backup of
the user’s iPhone paired with their Apple Watch, a local backup may not
be available if the iPhone is securely locked. Extracting information
directly from the Watch allows accessing information even if the iPhone
is locked or unavailable. While Apple Watch does not offer standalone
iTunes-style backups, experts can still access crash logs and media
files including EXIF and location data. A third-party IBUS adapter is
required to connect the Watch.
Apple TV devices have no support for iTune-style backups, but may
contain a local copy of the user’s entire iCloud Photo Library if the
user enabled iCloud Photos in their iCloud account. Since Apple TV does
not feature passcode protection, the extraction is possible even if the
user’s iPhone is locked down and the iCloud password is unknown.
Requires wired connection for Apple TV 4, wireless connection through
Xcode for Apple TV 4K.
Logical acquisition is available for all
devices regardless or hardware generation and jailbreak status. The
device must be unlocked at least once after cold boot; otherwise, the
device backup service cannot be started.
Experts will need to unlock the device with passcode or Touch ID, or
use a non-expired lockdown file extracted from the user’s computer.
If the device is configured to produce password-protected backups, experts must use Elcomsoft Phone Breaker
to recover the password and remove encryption. Elcomsoft Phone Breaker
is also required to view keychain records. If no backup password is set,
the tool will automatically configure the system with a temporary
password (“123”) in order to be able to decrypt keychain items (password
will be reset after the acquisition).
Using a lockdown (pairing) record, information can be extracted from
locked iOS devices even after power-off or reboot. The following matrix
applies to devices running iOS 8 and newer:
| Basic device info | Advanced device info | App list | Media | iTunes-style backup | |
|---|---|---|---|---|---|
| Device locked, no lockdown record | Yes | No | No | No | No |
| Device never unlocked after reboot, lockdown exists | Yes | Yes | No | No | No |
| Device unlocked after reboot, lockdown exists | Yes | Yes | Yes | Yes | Yes |
Elcomsoft iOS Forensic Toolkit can extract
keychain items including those protected with ThisDeviceOnly attribute,
opening investigators access to highly sensitive data such as
login/password information to Web sites and other resources (and, in
many cases, to Apple ID).
The device must remain unlocked during the entire keychain
acquisition process. iOS Forensic Toolkit implements a tool to disable
automatic screen lock.
Partial keychain extraction is possible for BFU, locked and disabled
iPhone models ranging from the iPhone 5s through iPhone X regardless of
iOS version.
Compatible Devices and Platforms
- 64-bit iOS devices with jailbreak: physical acquisition (file system extraction, keychain decryption)
- Partial file system & keychain acquisition for BFU, locked and
disabled iPhone models ranging from the iPhone 5s through iPhone X
- Apple TV 4 (cable connection) and Apple TV 4K (wireless connection through Xcode, Mac only)
- Apple Watch (all generations); requires a third-party IBUS adapter
- No jailbreak: agent-based extraction for supported devices; advanced logical acquisition for all other devices [1]
Logical acquisition includes:
- Extended information about the device
- iTunes-format backup (includes many keychain items)
- List of installed apps
- Media files (even if the backup is password-protected)
- Shared files (even if the backup is password-protected)
-
Logical acquisition works even with locked devices with unknown passcode if a valid pairing record is available.
System requirements
Windows
- Windows 7/8/8.1/10
Apple macOS
- macOS 10.12
- macOS 10.13
- macOS 10.14
- macOS 10.15
The iOS Forensic Toolkit for macOS
requires an Intel-based Mac computer running macOS from 10.6 (Snow
Leopard) to 10.15 (Catalina) with iTunes 10.6 or later installed.
The iOS Forensic Toolkit for Microsoft Windows requires the computer
running 64 bit version of Windows 7, Windows 8/8.1 or Windows 10. Latest version of iTunes is required.
Other versions of Mac OS X, Windows and iTunes might also work but have not been tested.
Release notes
Elcomsoft iOS Forensic Toolkit v.6.20
16 June, 2020
- added support for keychain acquisition for Apple TV 4 & 4K running tvOS 13.4 to 13.4.5
- added full file system and keychain acquisition for iOS 10 (no jailbreak, agent-based)
- added support for iPhone 5s and iPhone 6 running some particulat iOS 12 versions (no jailbreak, agent-based); file system only
Uninstallation
procedure: in order to uninstall the product, follow the standard
procedure via Control Panel – Programs and features or use the
corresponding Unistall link from the product’s folder in the Windows
Start menu.
