Elcomsoft iOS Forensic Toolkit

对iPhone,iPad和iPod Touch设备进行物理和逻辑采集。 镜像设备文件系统,提取设备加密数据(密码,加密密钥和受保护数据)并解密文件系统镜像。

  • 通过越狱对64位iOS设备进行物理采集
  • 逻辑采集提取备份,崩溃日志,媒体和共享文件
  • 使用配对记录解锁iOS设备(lockdown文件)
  • 提取和解密受保护的钥匙串项目
  • 实时文件系统获取
  • 自动禁用屏幕锁定,实现平稳,不间断的采集
Full version $ 1495
购买

Forensic Access to iPhone/iPad/iPod Devices running Apple iOS

Perform the complete forensic acquisition of user data stored in iPhone/iPad/iPod devices. Elcomsoft iOS Forensic Toolkit allows imaging devices’ file systems, extracting device secrets (passcodes, passwords, and encryption keys) and accessing locked devices via lockdown records.

See Compatible Devices and Platforms for details.

Physical Acquisition of iOS Devices

Physical acquisition is the only acquisition method to extract full application data, protected keychain items, downloaded messages and location history. Physical acquisition returns more information compared to logical acquisition due to direct low-level access to data.

Elcomsoft iOS Forensic Toolkit supports jailbroken 64-bit devices (iPhone 5s and newer) running most versions of iOS (subject to jailbreak availability). The use of a bootrom-based jailbreak enables partial file system & keychain acquisition for BFU, locked and disabled iPhone models ranging from the iPhone 5s through iPhone X (via checkra1n jailbreak). Full file system and complete keychain acquisition for unlocked devices from this device range.

Full File System Extraction and Keychain Decryption Without a Jailbreak

A jailbreak-free extraction method based on direct access to the file system is available for a limited range of iOS devices. Using an in-house developed extraction tool, this acquisition method installs an extraction agent onto the device being acquired. The agent communicates with the expert’s computer, delivering robust performance and extremely high extraction speed topping 2.5 GB of data per minute.

Better yet, agent-based extraction is completely safe as it neither modifies the system partition nor remounts the file system while performing automatic on-the-fly hashing of information being extracted. Agent-based extraction does not make any changes to user data, offering forensically sound extraction.

Both the file system image and all keychain records are extracted and decrypted. The agent-based extraction method delivers solid performance and results in forensically sound extraction. Removing the agent from the device after the extraction takes one push of a button.

You can either extract the complete file system or use the express extraction option, only acquiring files from the user partition. By skipping files stored in the device's system partition, the express extraction option helps reduce the time required to do the job and cut storage space by several gigabytes of static content.

Installing and signing the extraction agent requires an Apple ID registered in the Apple Developer Program. The Mac edition drops this requirement, allowing to use a regular Apple ID for signing and sideloading the extraction agent onto the iOS device.

Passcode Unlock for iPhone 5 and 5c

The Toolkit can be used to unlock encrypted iPhone 5 and 5c devices protected with an unknown screen lock passcode by attempting to recover the original 4-digit or 6-digit PIN (Mac version only). This DFU attack works at the speed of 13.6 passcodes per second, and takes only 12 minutes to unlock an iPhone 5 or 5c protected with a 4-digit PINs. 6-digit PINs will take up to 21 hours. A smart attack will be used automatically to attempt cutting this time as much as possible. In less than 4 minutes, the tool will try several thousand most commonly used passcodes such as 000000, 123456 or 121212, followed by 6-digit PINs based on the dates of birth. With 74,000 of those, the smart attack takes approximately 1.5 hours. If still unsuccessful, the full brute force of the rest of the passcodes is initiated.

Logical Acquisition

iOS Forensic Toolkit supports logical acquisition, a simpler and safer acquisition method compared to physical. Logical acquisition produces a standard iTunes-style backup of information stored in the device, pulls media and shared files and extracts system crash logs. While logical acquisition returns less information than physical, experts are recommended to create a logical backup of the device before attempting more invasive acquisition techniques.

We always recommend using logical acquisition in combination with physical for safely extracting all possible types of evidence.

Media and Shared Files

Quickly extract media files such as Camera Roll, books, voice recordings, and iTunes media library. As opposed to creating a local backup, which could be a potentially lengthy operation, media extraction works quickly on all supported devices. Extraction from locked devices is possible by using a pairing record (lockdown file).

In addition to media files, iOS Forensic Toolkit can extract stored files of multiple apps, extracting crucial evidence without a jailbreak. Extract Adobe Reader and Microsoft Office locally stored documents, MiniKeePass password database, and a lot more. The extraction requires an unlocked device or a non-expired lockdown record.

Perform physical and logical acquisition of iPhone, iPad and iPod Touch devices. Image device file system, extract device secrets (passwords, encryption keys and protected data) and decrypt the file system image.

产品主要优点

Supported Devices and Acquisition Methods

iOS Forensic Toolkit implements physical acquisition support for jailbroken devices from iPhone 5s through iPhone 11, 11 Pro and 11 Pro Max. Logical acquisition is available for devices without a jailbreak.

The following compatibility matrix applies:

  • Passcode unlock: Brute-forces 4-digit and 6-digit screen lock passcodes via DFU exploit. All iOS versions, iPhone 5 and 5c devices. Only available in the Mac edition.
  • Agent (without a jailbreak): Full file system extraction and keychain decryption for devices running iOS 9 through 13.5. The corresponding iPad models are also covered. Apple Developer registration required (Windows)/optional (macOS).
  • With jailbreak: Physical acquisition for jailbroken devices running any version of iOS for which a jailbreak is available (iPhone 5s through iPhone 11 Pro Max, most iPad models, Apple TV 4 & 4K).
  • With BootROM-based jailbreak: Partial file system & keychain acquisition for BFU, locked and disabled iPhone models ranging from the iPhone 5s through iPhone X (via checkra1n jailbreak). Full file system and complete keychain acquisition for unlocked devices from this device range. iOS 14 support: full file system and keychain extraction are available for iPhone 6s, iPhone 6s Plus, and iPhone SE (first gen), including partial BFU extraction.
  • No jailbreak: Logical acquisition, shared files and media extraction for devices running versions of iOS without a jailbreak. Device must be unlocked with passcode, Touch ID or lockdown record
Apple Watch and Apple TV Extraction

Elcomsoft iOS Forensic Toolkit is the only third-party tool on the market to extract information from Apple Watch devices. While experts may attempt creating an iTunes-style backup of the user’s iPhone paired with their Apple Watch, a local backup may not be available if the iPhone is securely locked. Extracting information directly from the Watch allows accessing information even if the iPhone is locked or unavailable. While Apple Watch does not offer standalone iTunes-style backups, experts can still access crash logs and media files including EXIF and location data. A third-party IBUS adapter is required to connect the Watch.

Apple TV devices have no support for iTunes-style backups, but may contain a local copy of the user’s entire iCloud Photo Library if the user enabled iCloud Photos in their iCloud account. Since Apple TV does not feature passcode protection, the extraction is possible even if the user’s iPhone is locked down and the iCloud password is unknown. Requires wired connection for Apple TV 4, wireless connection through Xcode for Apple TV 4K.

Logical Acquisition with Lockdown Support

Logical acquisition is available for all devices regardless or hardware generation and jailbreak status. The device must be unlocked at least once after cold boot; otherwise, the device backup service cannot be started.

Experts will need to unlock the device with passcode or Touch ID, or use a non-expired lockdown file extracted from the user’s computer.

If the device is configured to produce password-protected backups, experts must use Elcomsoft Phone Breaker to recover the password and remove encryption. Elcomsoft Phone Breaker is also required to view keychain records. If no backup password is set, the tool will automatically configure the system with a temporary password (“123”) in order to be able to decrypt keychain items (password will be reset after the acquisition).

Using a lockdown (pairing) record, information can be extracted from locked iOS devices even after power-off or reboot. The following matrix applies to devices running iOS 8 and newer:

Basic device info Advanced device info App list Media iTunes-style backup
Device locked, no lockdown record Yes No No No No
Device never unlocked after reboot, lockdown exists Yes Yes No No No
Device unlocked after reboot, lockdown exists Yes Yes Yes Yes Yes
Keychain Extraction

Elcomsoft iOS Forensic Toolkit can extract keychain items including those protected with ThisDeviceOnly attribute, opening investigators access to highly sensitive data such as login/password information to Web sites and other resources (and, in many cases, to Apple ID).

The device must remain unlocked during the entire keychain acquisition process. iOS Forensic Toolkit implements a tool to disable automatic screen lock.

Partial keychain extraction is possible for BFU, locked and disabled iPhone models ranging from the iPhone 5s through iPhone X regardless of iOS version.

产品视频

Compatible Devices and Platforms

  • iPhone 5 and 5c: passcode unlock via DFU (macOS edition only)
  • 64-bit iOS devices with jailbreak: file system extraction, keychain decryption
  • Partial file system & keychain acquisition for BFU, locked and disabled iPhone models ranging from the iPhone 5s through iPhone X
  • Apple TV 4 (cable connection) and Apple TV 4K (wireless connection through Xcode, Mac only)
  • Apple Watch (all generations); requires a third-party IBUS adapter
  • No jailbreak: agent-based extraction for supported devices; advanced logical acquisition for all other devices [1]

Logical acquisition includes:

  • Extended information about the device
  • iTunes-format backup (includes many keychain items)
  • List of installed apps
  • Media files (even if the backup is password-protected)
  • Shared files (even if the backup is password-protected)

  1. Logical acquisition works even with locked devices with unknown passcode if a valid pairing record is available. 

系统需求

Windows

  • Windows 7/8/8.1/10

Apple macOS

  • macOS 10.12
  • macOS 10.13
  • macOS 10.14
  • macOS 10.15

产品版本信息

Elcomsoft iOS Forensic Toolkit v.6.52

21 October, 2020

  • added full support (incl. keychain acquisition) for iOS 12.3 to iOS 12.4.8 running on iPhone 5s and iPhone 6
  • minor bug fixes in Agent installation

可以使用标准Microsoft Windows工具删除所有程序 – 还可以通过控制面板或在“开始”菜单中使用“ Uninstall ”快捷方式

系统需求

Windows

  • Windows 7/8/8.1/10

Apple macOS

  • macOS 10.12
  • macOS 10.13
  • macOS 10.14
  • macOS 10.15

产品版本信息

Elcomsoft iOS Forensic Toolkit v.6.52

21 October, 2020

  • added full support (incl. keychain acquisition) for iOS 12.3 to iOS 12.4.8 running on iPhone 5s and iPhone 6
  • minor bug fixes in Agent installation

可以使用标准Microsoft Windows工具删除所有程序 – 还可以通过控制面板或在“开始”菜单中使用“ Uninstall ”快捷方式

买Elcomsoft iOS Forensic Toolkit

Full version
$ 1495
购买