CORPORATE AND FORENSIC SOLUTIONS
Elcomsoft iOS Forensic Toolkit
Enhanced Forensic Access to iPhone/iPad/iPod Devices running Apple iOS
Perform the complete forensic acquisition of user data stored in iPhone/iPad/iPod devices running any version of iOS. Elcomsoft iOS Forensic Toolkit allows eligible customers acquiring bit-to-bit images of devices’ file systems, extracting device secrets (passcodes, passwords, and encryption keys) and decrypting the file system image. Access to most information is provided instantly.
Features and Benefits
- An all-in-one, complete solution
- Acquire complete, bit-precise device images
- Decrypt keychain items, extract, device keys
- Quick file system acquisition: 20-40 minutes for 32 GB models
- Zero-footprint operation leaves no traces and no alterations to devices’ contents
- Fully accountable: every step of investigation is logged and recorded
- Supports all versions of iOS from 3 to 5
- Passcode not required (*)
- Instant passcode recovery for all iOS versions up to iOS 3
- Simple 4-digit iOS 4 and iOS 5 passcodes recovered in 20-40 minutes
- Physical and logical acquisition supported
- Mac and Windows versions available
- Automatic and manual modes available
- Availability restricted to select government entities
Access More Information than Available in iPhone Backups
ElcomSoft already offers the ability to access information stored in iPhone/iPad/iPod devices by decrypting data backups made with Apple iTunes. The new toolkit offers access to much more information compared to what’s available in those backups, including access to passwords and usernames, email messages, SMS and mail files.
Huge amounts of highly sensitive information stored in users’ smartphones can be accessed. Historical geolocation data, viewed Google maps and routes, Web browsing history and call logs, pictures, email and SMS messages, usernames, passwords, and nearly everything typed on the iPhone is being cached by the device and can be accessed with the new toolkit.
Zero Footprint Operation
Elcomsoft iOS Forensic Toolkit provides true zero-footprint operation, leaving no traces and making no changes to the contents of the device.
Real-Time Access to Encrypted Information
Unlike previously employed methods relying on lengthy dictionary attacks or brute force password recovery, the new toolkit can extract most encryption keys out of the physical device. With encryption keys handily available, access to most information is provided in real-time. A typical acquisition of an iPhone device takes from 20 to 40 minutes (depending on model and memory size); more time is required to process 64-Gb versions of Apple iPad. The list of exceptions is short, and includes user’s passcode, which can be brute-forced or recovered with a dictionary attack.
Keychain Recovery
Elcomsoft iOS Forensic Toolkit can access iOS secrets including most keychain items, opening investigators access to highly sensitive data such as login/password information to Web sites and other resources.
Passcode Not Required (But May Come Handy)
Knowing the original passcode is never required, but may come handy in the case of iOS 4/5/6 devices only. The following chart helps to understand whether you’ll need a passcode for a successful acquisition.
iOS 1.x-3.x: passcode not required. All information will be accessible. The original passcode will be instantly recovered and displayed.
iOS 4.x-5.0: certain information is protected with passcode-dependent keys, including the following:
- Email messages;
- Keychains (stored login/password information);
- Certain third-party application data, if the application requested strong encryption.
iOS 4 and iOS 5 Passcode Recovery
Elcomsoft iOS Forensic Toolkit can brute-force iOS 4 and iOS 5 passcodes in 20-40 minutes for a 4-digit passcode. Complex passcodes can be recovered, but require more time.
Escrow File Support
Alternatively, an escrow file can be used to decrypt protected pieces of information even without knowing the original passcode. (An escrow file can be obtained from a computer with which the device under investigation has been connected/synced).
System Requirements
iOS Forensic Toolkit for Mac OS X requires an Intel-based Mac computer running Mac OS X 10.6 (Snow Leopard), 10.7 (Lion) or 10.8 (Mountain Lion) with iTunes 10.2 or later installed.
The Toolkit for Microsoft Windows requires the computer running Windows XP or Windows 7 with iTunes 10.2 or later installed.
Other versions of Mac OS X, Windows and iTunes might also work but have not been tested.
Compatible Devices and Platforms
The Toolkit currently supports the following iOS devices:
- iPhone 3G
- iPhone 3GS
- iPhone 4 (GSM and CDMA models)
- iPhone 4s ****
- iPod Touch (all generations)
- iPad (1st generation only)
- iPad 2 ****
- The new iPad ****
Supported operating systems:
- iOS 3.x (up to 3.1.3)
- iOS 4.x – up to iOS 4.3.5 (up to iOS 4.2.10 for iPhone 4 CDMA)
- iOS 5.x
|
iPhone 3G iPod Touch 1, iPod Touch 2 |
iPhone 3Gs, iPod Touch 3th gen, iPad 1 |
iPhone 4, iPod Touch 4th gen iPad 2 (****) The new iPad (****) iPhone 4s (****) |
|||
| iOS <= 3.x | iOS 4.x | iOS 3.x | iOS 4.x/5.x | iOS 4.x/5.x | |
| Physical imaging |
 |
|
|
|
|
| Logical imaging |
|
|
|
|
|
| Passcode recovery | instant |
|
instant |
|
|
| Keychain decryption |
|
|
|
|
|
| Disk decryption(*) | N/A** | N/A** | N/A** |
*** |
|
(*) Devices originally shipped with iOS 3.x, including those running iOS 4.x/5.x that were upgraded from iOS 3.x without performing “erase install”, do not have Data Protection enabled, and user partitions are not encrypted. Therefore, the decryption is not required.
(**) Devices running iOS versions before 3.x do not have Data Protection enabled and user partition is not encrypted.
(***) If device shipped with iOS 3.x and was updated to iOS 4.x without doing erase install (i.e. using ‘Update’ option in iTunes as opposed to ‘Restore’), the Data Protection will not be enabled for that device and user partition will not be encrypted.
(****) iPhone 4S, iPad 2 and the new iPad support is limited to jailbroken devices only with iOS 5.x. evasi0n jailbreak is NOT supported iPhone 5 and iPod Touch 5th gen are not supported at all.
EIFT trial notes
EIFT trial version has all features and functionalities of the complete version, but is timely limited to 15 days. You can prolong your trial license for a price reduced by the price of the trial version.