Elcomsoft iOS Forensic Toolkit Frequently Asked Questions
Q: What is the Toolkit for?
A: The Toolkit allows you to perform physical acquisition of most Apple devices running iOS for further forensic analysis. Logical acquisition is also supported.

Q: What is the difference between logical and physical acquisition?
A: Logical acquisition creates a copy of the file system, preserving the whole folder/file structure. Some files, however, are 'locked' and so cannot be copied. Physical acquisition creates a bit-by-bit image of the partition, including unallocated space.

Q: What kind of information is available in the image, compared to the device backup?
A: The most important data that is not available from a device backup is the full device keychain, which contains login and password information for web sites, Wi-Fi access points and mail accounts, as well as the 'secret' data saved by many 3rd party applications. With physical acquisition, you can also get all files with additional protections, such as Mail.app e-mail databases.

Q: What does the Toolkit contain, and how does it work?
A: The Toolkit is a command-line script that boots the device from a special (custom) ramdisk (also included in the Toolkit) and performs several operations, such as acquiring images of the user and system partitions, extracting the encryption keys, decrypting the user partition (using the keys and the passcode), brute-forcing the passcode and more. Most of the operations are actually performed directly on the device; the script just simplifies the communication with it.

Q: What particular devices does the Toolkit work with?
A: Here is the list of supported devices:
Q: What about the original iPhone and older versions of iOS?
A: Sorry, we're not going to support them.

Q: What about iPad 2?
A: Unfortunately, the iPad 2 bootrom isn't vulnerable to any public exploits, so we cannot do anything with it, sorry. The only way to perform forensic analysis of an iPad 2 is to work with the iTunes backup; if the backup is password-protected and/or you want to decrypt the keychain, our Elcomsoft Phone Password Breaker will help.

Q: How do I detect the iPhone/iPad/iPod model?
A: Here are Apple Knowledge Base articles that should help:
Identifying iPhone models: http://support.apple.com/kb/HT3939

Q: Does your Toolkit leave any traces in the system?
A: No, our Toolkit is "zero-footprint". It does not change a bit on the device (it does not even modify the system partition), performing all operations in memory -- so it is not possible to detect that it has been used, nor does it create any problem for forensic procedures.

Q: Does that also mean that using your Toolkit is absolutely safe for my device, or is there a chance that I'll brick it?
A: The first. Using our Toolkit is 100% safe for all compatible devices running the firmware that was available at the Toolkit's release date. If your device's firmware is newer, however, we'd recommend contacting us prior to using the Toolkit.

Q: Why do you have a command-line interface only, i.e. no GUI?
A: There are several reasons for that. First, we wanted to get exactly the same interface on both Windows and MacOS X platforms (yes, we know that there are some developers' tools and libraries for multi-platform development, but that's another story). Second, the command-line interface is in fact very simple and convenient to use. Third, you *have* to be attentive when using a command-line tool - the chance that you press the wrong button is zero (at least because there are no buttons here :)).

Q: Is it simple to use, or does it require some technical knowledge and/or experience? Or even worse, should I attend some trainings to learn how to use it?
A: Using our software is as simple as pressing a few buttons. You only have to have "basic" computer experience.

Q: Please tell me more about DFU mode, and how to enter the device into it!
A: DFU stands for "Device Firmware Update". In this mode, the iPhone can interface with iTunes (or 3rd party software) but does not load iOS or the boot loader. The primary reason to access DFU mode is to change the firmware on the device, or to load a custom firmware (such as ours) to perform some other tasks. Here is how to enter into it:
Note: when you are in DFU mode your iPhone screen will be completely black! It may take a few attempts to get your iPhone into DFU mode; this is normal.

Q: What are the software and hardware requirements?
A: The Windows version requires Windows XP or Windows 7 (32-bit or 64-bit); the MacOS X version requires MacOS X 10.6 (Snow Leopard) or MacOS X 10.7 (Lion); the Toolkit might also work on other versions, but has not been tested there. Also, iTunes (10.2 or newer) is needed. Finally, you should have enough free space on the hard disk to hold the complete device image (at least twice the device size, because the device image is first acquired and then decrypted).

Q: Do I need to download anything extra, or is everything included?
A: The Toolkit already includes everything you need (for all supported devices), so even an Internet connection is not needed.

Q: Does it work with devices that are already jailbroken?
A: Yes, of course. For such devices, by the way, there is a reason to acquire the system partition too (it is not encrypted).

Q: Is the Toolkit compatible with images made with 3rd party tools?
A: Yes, if these images are in HFS+ format. So if you have already made an image with some other software (such as Cellebrite UFED Physical), you do not have to make it again with our Toolkit; use the Toolkit only to perform the other tasks: get the encryption keys, brute-force the passcode, decrypt the image etc.

Q: Is it possible to decrypt an image if the device itself is not available?
A: No, you also need the keys (from the device). They are NOT in the image of the user partition, and are extracted by a different method.

Q: What can I do with devices protected with a passcode?
A: For devices running iOS 3.x the passcode is a piece of cake: the passcode is not needed to decrypt the filesystem or any of the keychain items; moreover, the passcode can be recovered instantly. With iOS 4, however, the situation is a bit worse (because of encryption).
In short, you can still decrypt the filesystem image without the passcode; however, some of the files will remain encrypted (Mail.app databases and some others), and so will most of the device keychain items. However, the Toolkit allows you to recover the passcode using a brute-force attack; for simple (4-digit) ones, it takes just about half an hour. But even without the passcode there is another option: if you have physical access to the computer the device has been synced with, you can get the special "escrow" keys from there, and the passcode will not be needed, i.e. the Toolkit will be able to perform the full decryption (incl. keychain and Mail.app files).

Q: When you are brute-forcing the passcode, doesn't the device lock after 10 unsuccessful attempts?
A: No. We perform passcode checking at the lowest (not operating system) level.

Q: Can you do anything with SIM card lock?

Q: I have got a message that the keys were not extracted - what could be the reason for that, and what can I do?
A: The most common reason is that the device simply does not use data encryption. So it is either running iOS 3.x (where encryption was not implemented at all), or, in the case of an iOS 4.x device, encryption is disabled there - which is possible if the device has been upgraded from iOS 3.x.

Q: What is the acquisition (imaging) time?
A: The speed is limited only by the speed of the device (its built-in USB controller) and USB bus limitations. Of course, the flash memory size of the device also matters. For example, an iPhone 4 32GB is imaged in about an hour and a half.

Q: What can I do with the decrypted image (DMG)?
A: First, you can mount it on your MacOS X or Windows system and work with it like with any (removable) drive. Second, you can use industry-standard forensic (analysis/reporting) tools like:
Q: Does an acquired (and decrypted) image allow data carving? For example, can I get deleted mail, messages, images etc.?
A: Unfortunately, all unallocated space is also encrypted, and we cannot decrypt it (yet). So it is not possible to get deleted mail or images. However, SMS messages (and some other data) are stored in SQLite databases, and sometimes deleted data can be recovered from them using forensic tools.

Q: How does your Toolkit compare with Zdziarski's method/tool?
A: Since we are not full-time law enforcement (and do not live in the US), we don't have access to the above-mentioned software (sometimes referred to as a 'method', or tool, or 'collection of tools'), so it is hard to compare.
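As an added example (not part of the Toolkit or any Elcomsoft code), a small Python check for the HFS+ images discussed above: it reads the HFS+ volume header to confirm that an image, whether made by a third-party tool or produced by decryption, is a plaintext HFS+ volume rather than still-encrypted ciphertext, and reports its size. It assumes a raw partition image (volume header at byte offset 1024, no partition map in front) and uses constructed sample data; the field layout is the HFS+ on-disk format.

```python
import struct
from dataclasses import dataclass
from typing import Optional

# Layout from the HFS+ on-disk format. Assumed: a raw partition image (no partition
# map in front), so the volume header sits at byte offset 1024.
HFSPLUS_HEADER_OFFSET = 1024
HFSPLUS_HEADER_FMT = ">2sH12I"  # signature, version, then 12 big-endian UInt32 fields
KNOWN_SIGNATURES = {b"H+": "HFS+", b"HX": "HFSX"}

@dataclass
class VolumeInfo:
    kind: str
    version: int
    block_size: int
    total_blocks: int
    free_blocks: int
    file_count: int
    folder_count: int

    @property
    def size_bytes(self) -> int:
        return self.block_size * self.total_blocks

def parse_hfsplus_header(image: bytes) -> Optional[VolumeInfo]:
    """Return VolumeInfo if `image` is a plaintext HFS+/HFSX volume, else None.
    A still-encrypted user partition is ciphertext at every offset, so the signature
    check fails on it; a decrypted image (or the unencrypted system partition) passes."""
    end = HFSPLUS_HEADER_OFFSET + struct.calcsize(HFSPLUS_HEADER_FMT)
    if len(image) < end:
        return None
    fields = struct.unpack(HFSPLUS_HEADER_FMT, image[HFSPLUS_HEADER_OFFSET:end])
    sig, version = fields[0], fields[1]
    if sig not in KNOWN_SIGNATURES:
        return None
    # fields[2:9] are attributes, lastMountedVersion, journalInfoBlock and four dates
    file_count, folder_count, block_size, total_blocks, free_blocks = fields[9:]
    if block_size == 0 or block_size & (block_size - 1):  # must be a power of two
        return None
    return VolumeInfo(KNOWN_SIGNATURES[sig], version, block_size, total_blocks,
                      free_blocks, file_count, folder_count)

def make_sample_volume(encrypted: bool) -> bytes:
    """Constructed 2 KiB sample: a valid H+ header, or deterministic structureless
    bytes standing in for a still-encrypted partition."""
    if encrypted:
        return bytes((i * 131 + 7) % 251 for i in range(2048))
    # 7 zeroed fields, then fileCount, folderCount, blockSize, totalBlocks (32 GiB), freeBlocks
    header = struct.pack(HFSPLUS_HEADER_FMT, b"H+", 4, *([0] * 7), 1200, 340, 4096, 7864320, 1048576)
    return b"\x00" * HFSPLUS_HEADER_OFFSET + header + b"\x00" * (2048 - HFSPLUS_HEADER_OFFSET - len(header))
```

Run `parse_hfsplus_header(open(path, "rb").read(4096))` on the first few KiB of a real image; a None result on a user-partition image means it has not been decrypted yet (or is not a raw HFS+ partition image).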