Description
Windows
| $ 79 |
|
| $ 399 |
macOS
| $ 79 |
|
| $ 399 |
New features
Analyze Keychain Records
Elcomsoft Phone Breaker is the only tool on the market to access,
extract and decrypt iCloud Keychain, Apple’s cloud-based system for
storing and syncing passwords, credit card data and other highly
sensitive information across devices. Elcomsoft Phone Viewer can now
display keychain records obtained with Elcomsoft Phone Breaker from
Apple iCloud. Not limited to iCloud Keychain, the tool can display
kleychain records obtained from password-protected local backups and
extracted with Elcomsoft iOS Forensic Toolkit from jailbroken devices or
using the acquisition agent.
Access Telegram Conversations and Secret Chats
Elcomsoft Phone Viewer can display Telegram conversation histories,
messages, media files, contact lists and metadata from TAR images
obtained with Elcomsoft iOS Forensic Toolkit with file system
extraction. In addition to general conversations and file attachments,
the tool can display Telegram secret chats.
Telegram secret chats are device specific. They are not part of the
Telegram cloud, and they cannot be extracted with cloud acquisition. As a
result, the content of secret chats can be only obtained from the
device of origin. The working database must be extracted from a file
system image obtained with agent-based or jailbreak-based extraction
using Elcomsoft iOS Forensic Toolkit.
Decrypt and Analyze Signal Conversation Histories and Telegram Secret Chats
Signal is an incredibly secure cross-platform instant messaging app.
Signal does not sync conversations with a cloud and never allows its
working database to show up even in encrypted local backups. Even once
the Signal database is extracted from the iPhone’s file system image,
accessing the data is difficult due to the custom encryption implemented
by Signal. The binary encryption key is stored in the iOS keychain with
a high protection class.
Elcomsoft Phone Viewer can decrypt Signal conversation databases
extracted from the iPhone via physical acquisition. Experts using
Elcomsoft iOS Forensic Toolkit will open the file system image in
Elcomsoft Phone Viewer and use the extracted keychain file to decrypt
the Signal database. Elcomsoft Phone Viewer will then decrypt the
database and display its content in a blink of an eye.
While Telegram is not considered the most secure instant messaging
app (this title belongs to Signal), Telegram supports secure chats.
According to Telegram developers, all messages in secret chats use
end-to-end encryption. Secret chats are device specific. They are not
part of the Telegram cloud, and they cannot be extracted with cloud
acquisition. Elcomsoft Phone Viewer can display Telegram conversations
and secret chats obtained from TAR images extracted with Elcomsoft iOS
Forensic Toolkit.
Explore the content of local and cloud backups produced by
iOS, BlackBerry 10, Windows Phone 8 and Windows 10 Mobile devices!
Elcomsoft Phone Viewer is a small, lightweight tool enabling read-only
access to contacts, messages, call logs, notes and calendar data located
in mobile backups. In addition, the tool displays essential information
about the device such as model name, serial number, date of last backup
etc. Finally, the tool implements access to deleted SMS and iMessages
stored in iOS backups.
A Perfect Viewing Companion
Yet another “me too” forensic viewer? We looked hard for a tool we
could recommend to our customers for viewing data decrypted or
downloaded with Elcomsoft Phone Breaker. No single tool on the market
meets our stringent requirements on speed, compatibility and ease of
use. That’s why we introduced a viewing tool of our own.
Elcomsoft Phone Viewer is the ideal viewing companion for Elcomsoft Phone Breaker,
enabling full support for all data formats produced by this tool.
Regularly maintained and timely updated, Elcomsoft Phone Viewer is the
first to receive support for the latest mobile backup formats extracted,
downloaded or decrypted with other ElcomSoft tools. Using our mobile
acquisition tools? Elcomsoft Phone Viewer is a perfect companion!
Note that Elcomsoft Phone Viewer can only open unencrypted backups as
well as iTunes backups with a known password. Should you have a backup
file encrypted with an unknown password, use Elcomsoft Phone Breaker to
recover the password.
Analyzes Online Activities
Elcomsoft Phone Viewer displays the user’s online activities
including Web browsing history and search queries, browser bookmarks and
opened tabs including page snapshots. Information about recent search
queries and last visited Web sites already helped solve multiple cases,
and will undoubtedly help investigating crime.
Access to Synced Data, Passwords and Messages
Information such as call logs, contacts, notes, calendars as well as
Web browsing activities including Safari history (including deleted
items), bookmarks and open tabs can be synced with Apple servers. Unlike
iCloud backups that may or may not be created on daily basis, synced
information is pushed to Apple servers just minutes after the
corresponding activity has taken place. Once uploaded, synced data can
be retained for months with no option for the end user to clear the data
or disable the syncing.
Synchronized records can be obtained for extended periods of time;
much longer than available in iOS devices and device backups. Existing
and deleted records are obtained, and filter can be applied to only
display deleted records.
Elcomsoft Phone Viewer is ElcomSoft’s stock tool for viewing synced
data extracted from Apple iCloud with Elcomsoft Phone Breaker. The
following types of synced data can be viewed:
- Messages in iCloud: complete with attached media files and documents
- Safari (browsing history, bookmarks, tabs opened on user’s devices)
- Voice Memos
- Calendars, notes and contacts
- Call logs (information about calls made and received)
- Apple Maps (routes, places, searches)
- Wi-Fi (wireless access points, MAC addresses, date and device added)
- Wallet (everything except payment data)
- Account info (comprehensive information about the user and devices registered on the Apple ID account)
Multimedia Gallery
Elcomsoft Phone Viewer can display pictures and videos captured with
the phone or saved by one of the many apps. But don’t you worry, there
won’t be a big mess of thousands of images appearing in a single
thumbnail gallery. The files will be automatically split into a number
of categories, making it easy to discover which pictures were captured
with the phone’s camera, or received as messages or attachments. A
separate category filters out system and application images such as
buttons, logos and splash screens. Album view is available to allow you
better navigate through thousands of images.
Aggregated Locations
Multiple sources of location data may be available in a given backup
or image. Location data may be found in calendar events, iMessage
attachments, map caches and system logs. Geolocation is one of the most
important EXIF tags available. Elcomsoft Phone Viewer will automatically
extract location data from multiple sources, and map the locations with
OpenStreetMap. The ability to map GPS coordinates extracted from
multiple sources can become extremely handy during investigations.
Analyze Apple Health Data
Health data can serve as essential evidence during investigations. At
very least, the data includes step count, running and walking distances
with exact timestamps the user was walking or running. Significantly
more evidence is available if the user wears a HealthKit compliant
device such as the Apple Watch or a third-party fitness tracker. A
multitude of third-party apps may contribute to Health data
significantly.
Elcomsoft Phone Viewer can display Health data stored in
password-protected iTunes backups and file system images obtained from
iOS devices in TAR/ZIP format with Elcomsoft iOS Forensic Toolkit or
GrayKey during physical extraction.
TAR Images: The iOS File System
Since the introduction of the iPhone 5s, Apple’s first 64-bit iPhone,
physical acquisition has never been the same. For all iPhone and iPad
devices equipped with Apple’s 64-bit processors, physical acquisition is
exclusively available via file system imaging. The imaging is performed
on the device itself in order to bypass full-disk encryption.
Regardless of the tool performing physical acquisition, the result of
these efforts is always a TAR archive containing an image of the
device’s file system. Elcomsoft iOS Forensic Toolkit produces TAR files
as the result of the “F” (File System) command.
Up until now, most tools available for analyzing information inside
these TAR images were integral parts of fully-featured forensic
toolkits. The expert’s choice would be limited to either time-consuming
and labour-intensive manual analysis requiring a high level of
expertise, or a highly sophisticated and complex forensic suite, with
nothing in between. Elcomsoft Phone Viewer offers the lightweight and
convenient third option, enabling fast and easy analysis of evidence
found in the results of physical acquisition.
All Features and Benefits
The Applications view allows viewing
information about the apps installed on the iOS device being analyzed.
The expert can access the list of all apps installed on the device along
with their acquisition date (date of purchase for paid apps or date of
first install for the free apps). Additional information includes the
app version, category, and Apple ID that was used to make the purchase.
Since some of that information is not available in the backup, Elcomsoft
Phone Viewer automatically requests additional data via an online
connection through iTunes.
By making use of the Applications view, experts can gain insight into
which apps the user had, which social networks they use, and which
messaging tools they communicate with.
The Wi-Fi view enables access to the list
of Wi-Fi networks saved in password-protected iOS backups. SSID, MAC
address and password for each network is displayed. Additional network
parameters include network BSSID and encryption standard. In addition,
Elcomsoft Phone Viewer automatically extracts the date and time of first
joining and last using the network.
Experts can sort the list by last connection time, thus tracking the
user by seeing which networks they joined during a given time period.
Since version 2.30, Elcomsoft Phone Viewer
can display iCloud Photo Library images extracted by Elcomsoft Phone
Breaker. Automatic grouping by albums and advanced filtering are
supported.
Elcomsoft Phone Viewer allows viewing iOS
notifications extracted from iCloud backups as well as local backups
produced with iTunes. The tool can display notifications going several
years back, unless they are read or dismissed by the user.
Notifications are an essential part of the system, and may contain
large amounts of volatile, highly sensitive information. Nearly all
applications that are of forensic significance make use of
notifications. Email clients, instant messengers, taxi and travel apps,
social networks and many other applications can push notifications.
Unless dismissed, these notifications are included into both local and
cloud system backups.
Access EXIF information stored in the
images with ease. Elcomsoft Phone Viewer displays when, where and in
which lighting conditions the image was captured. Detailed camera info
allows determining whether an image was captured on this device or
received from another one. Looking for images captured around the time
of an incident? Just specify a data range, and Elcomsoft Phone Viewer
will automatically display images captured during that period based on
the images’ EXIF tags.
Elcomsoft Phone Viewer is the perfect tool
for exploring information contained in online backups downloaded from
the cloud, while Elcomsoft Phone Breaker is the perfect tool for
downloading mobile backups from iCloud (iOS devices), and Windows Live!
(devices running Windows Phone 8/8.1 and Windows 10 Mobile).
Use Elcomsoft Phone Breaker to quickly download selective information
from Apple iCloud, and review information you acquired in Elcomsoft
Phone Viewer. The two tools enable investigators obtain essential
information about the suspect such as their calls, messages, address
books and location history in a matter of minutes.
Elcomsoft Phone Viewer is a perfect tool
when time is the ultimate priority. By using Elcomsoft Phone Viewer
together with other ElcomSoft tools such as Elcomsoft Phone Breaker,
investigators can save time by reviewing essential bits of information
in just a few moments. By quick downloading selective information from
Apple iCloud with Elcomsoft Phone Breaker and viewing acquired
information in Elcomsoft Phone Viewer, investigators can obtain
essential information about the suspect such as their calls, messages,
address books and location history in a matter of minutes. The ability
to view Calls and Messages databases with many thousand entries as well
as convenient full-text and category-based searching and filtering make
navigating through acquired information a snap.
Export evidence in just a few clicks! You
can export digital evidence obtained from iOS devices including local
and cloud backups, iCloud synchronized data and file system images
received as a result of physical acquisition. In addition, location data
is exported into the industry-standard KML format. Elcomsoft Phone
Viewer exports data in Microsoft Excel format, enabling experts to
continue the investigation in their forensic product of choice. The
ability to export data collected from the many supported sources allows
easy interoperability with most commonly used forensic and analytic
toolkits.
Search through thousands of records in a
snap! Elcomsoft Phone Viewer offers real-time filtering and full-text
searching, allowing examiners locate records of interest in a matter of
seconds. Search through Contacts, Calls, Notes and Messages, look up
contact by names, numbers and other available fields, and locate
messages with full-text search.
With real-time filtering, you can opt to only display favorite
contacts or only display contacts from one or more accounts (Exchange,
iCloud, Google, Facebook, or any combination). For messages, you can
specify date range, type of message (SMS, MMS, iMessage) and whether to
display incoming, outgoing or all messages.
In iOS 12 and 13, the Screen Time password
is used to secure Content & Privacy Restrictions. With Screen Time
password enabled and restrictions configured, experts cannot access many
features of the iPhone. Elcomsoft Phone Viewer can display iOS Screen
Time passwords if they are present. In iOS 12, Screen Time passwords can
be obtained from password-protected iTunes backups; the backup password
must be known. Cloud extraction is the only way to obtain Screen Time
passwords for devices running iOS 13.
Elcomsoft Phone Viewer is a fast, compact
tool that requires no learning curve. Using Elcomsoft Phone Viewer is
just as easy as viewing an Excel spreadsheet. Designed to simplify the
entry into mobile forensics, Elcomsoft Phone Viewer offers more than
enough features for many IT security departments, offices and one-off
investigations.
| Trial | Standard | Forensic | |
|---|---|---|---|
| Data sources | |||
| iTunes backups | ✓ | ✓ | ✓ |
| Encrypted iTunes backups with known password | ✓ | ✓ | ✓ |
| iCloud backups downloaded with Elcomsoft Phone Breaker | ✓ | ✓ | ✓ |
| iCloud synchronized data downloaded with Elcomsoft Phone Breaker | ✓ | ✓ | ✓ |
| iOS device image created by Elcomsoft iOS Forensic Toolkit or GrayKey device | – | – | ✓ |
| BlackBerry backups | ✓ | ✓ | ✓ |
| Microsoft Cloud data | ✓ | ✓ | ✓ |
| View | |||
| Calls, Contacts, Calendars, Tasks | Last 10 records only | ✓ | ✓ |
| Apple Health | Only 10 recent records are displayed in each category | ✓ | ✓ |
| iCloud photos | Copying file properties is not allowed | ✓ | ✓ |
| Media files | Copying file properties is not allowed | ✓ | ✓ |
| SMS & iMessages | Last 10 records only | ✓ | ✓ |
| Notes | Last 10 records only | ✓ | ✓ |
| Notifications | Last 10 records only | ✓ | ✓ |
| Voice Memos | Last 10 records only | ✓ | ✓ |
| Web and History data | Last 10 records only | ✓ | ✓ |
| Wi-Fi connections | Last 10 records only | ✓ | ✓ |
| Skype data | Last 10 records only | ✓ | ✓ |
| Keychain records | Only 2 first characters of passwords are displayed | ✓ | ✓ |
| Apple Pay transactions | – | – | ✓ |
| Signal messages | – | – | ✓ |
| Telegram messages | – | – | ✓ |
| Export | |||
| Export data to Microsoft Excel | – | Contacts and Notes categories can be exported only | ✓ |
Supported Data Types
Elcomsoft Phone Viewer enables access to the following information:
System Data
- Device model name
- Device serial number
- Date/time of backup
- Other essential information (for iOS devices: IMEI, device IDs, phone number, iOS version)
User Data
- File system images (TAR files)
- Contacts (aggregated, i.e. including ones synced with Facebook, Gmail etc.)
- Messages (including deleted SMS and iMessages in iOS backups)
- Apple Health data
- Voice Memos
- Screen Time data including the list of installed apps on all devices sharing Screen Time through iCloud
- Messages and attached files (media, documents etc.) downloaded from iCloud
- Wi-Fi networks along with passwords, first and last connection time
- List of installed apps
- Locations
- Notifications
- Notes (for Windows Phone, in Microsoft OneNote format)
- Call Logs (incl. FaceTime)[1]
- Calendar (for all accounts, from local to Microsoft Exchange and iCloud)[1]
- Search queries, browsing history, bookmarks and open tabs with page snapshots [1]
- Images and videos with album support
- Photos from iCloud Photo Library
- Synced data from iCloud such as call logs, Safari tabs and browsing history, calendars, notes etc.
- Screen Time and Restrictions passwords
- Signal and Telegram conversation history including secret chats
For iOS device backups, Elcomsoft Phone Viewer can work with ones in
the original iTunes format, and supports backups with converted/restored
file names. Partial backups (select categories downloaded from iCloud)
are also supported.
Supported Devices
Elcomsoft Phone Viewer supports information saved to local or cloud backups by all of the following devices:
Apple iOS 6 to iOS iOS 13, iPadOS (iTunes and iCloud backups):
- iPhone (all models from iPhone 3GS up to the current generation)
- iPad (all models including from the original iPad to the latest
generation models, including all generations of iPad Air and iPad Pro)
- iPod Touch (starting from the 4th generation)
BlackBerry 10
- BlackBerry 10 backups created with BlackBerry Link and decrypted
with Elcomsoft Phone Breaker (password for BlackBerry ID is required)
Windows Phone 8/8.1 and Windows 10 Mobile
- Windows Live backups downloaded with Elcomsoft Phone Breaker
-
Not available for Windows Phone.
System requirements
Windows
- Windows 7
- Windows 8
- Windows 8.1
- Windows 10
- Windows Server 2008/2019
Apple macOS
- macOS 10.12 Sierra
- macOS 10.13 High Sierra
- macOS 10.14 Mojave
- macOS 10.15 Catalina
Trial limitations
Trial version shows only last 10 records in every category.
Release notes
Elcomsoft Phone Viewer v.5.10.36812
11 June, 2020
- added support for new (merged) synced iCloud data downloaded by Phone Breaker
- added keychain viewer (Forensic edition only)
- show contact names in calls and names near phone numbers in Signal chats
- fixed date/time processing for messages and calls in Signal chats
- fixed crash on data export from main Windows
- clearing program test folder with temporary data
- fixed crash on Windows 7 on backup processing
- fixed program hang on “Counting files for decryption”
- minor fixes and improvements in UI
Uninstallation
procedure: in order to uninstall the product, follow the standard
procedure via Control Panel – Programs and features or use the
corresponding Unistall link from the product’s folder in the Windows
Start menu.
