Elcomsoft iOS Forensic Toolkit FAQ (part 2)
Note: this is the second part of EIFT FAQ, mostly on the new version (1.20) released on July 17th, 2013. The first (basic) part is available here.
Q. So you actually support for iPhone 5 now?
A. Yes, we support iPhone 5, 4S, and all previous generations.
Q. What about iPad 4, iPad Mini and iPod Touch 5th gen?
A. They're now also supported.
Q. Are there any limitations supporting these last-generation devices?
A. Unfortunately, there are limitations. For recent devices such as iPhone 4S and 5 or iPad 2 to 4, we can only deal with jailbroken devices. So we can perform physical acquisition if a device is already jailbroken or if you can install the jailbreak yourself.
Q. How can I install the jailbreak?
A. Considering you have a device running iOS 6, you’ll be using the “evasi0n” jailbreak. Currently, it supports iOS 6.0 to 6.1.2. Please make sure you understand the procedure and follow it carefully. Read the original jailbreak documentation before installing the code. The most important points are:
Q. What about iOS 6.1.3 and 6.1.4? Is it possible to jailbreak them, or downgrade to an earlier version of iOS?
A. Unfortunately, jailbreaking is not yet available for these versions of iOS. Downgrading iOS from these versions is not possible either.
Q. What if I have a last-gen iPhone, it has a supported version of iOS installed, but it’s locked and the passcode is unknown?
A. Physical acquisition for this device is possible if the device is already jailbroken (which means: you can try). If it is not, physical acquisition will not be possible. For non-jailbroken devices locked with an unknown passcode, you can only acquire iPhone up to version 4, the original iPad and early generations of iPod Touch.
Q. Where do I get the “evasi0n” jailbreak?
A. Please use a search engine to discover the code. It’s not exactly legal to distribute (but perfectly legal to *use*), so we’re not publishing it here.
Q. How do I work with a jailbroken iPhone 4 and older devices?
A. Legacy devices do not require a jailbreak to be physically acquired. You can continue working with them via the DFU mode.
Q. Are the any other differences between old and new versions of the Toolkit I should know about?
A. Yes, there are differences affecting the way you’ll be using the product:
Q. The "Toolkit-JB" script asks me for a password, what's that?
A. It is the password of the user 'root'. The default password (immediately after installing the jailbreak) is "alpine" (without quotes).
Q. How do I change the 'root' password?
A. If you don’t know the password, and the default password does not work, you may need to change it. Use any available tool to access files stored in the iOS device (such as iFunBox or iExplorer) to edit the following file:
The line corresponding to the root account should look like this:
Saving the modified master.passwd file back to the device will restore the default root password to "alpine".
Q. Are there any other requirements for jailbroken devices?
A. Yes, there is a requirement to have a working SSH server running on the device. To check whether it is already there, start the 'Toolkit-JB' first; this will automatically establish a tunnel between SSH port (22) on the device and port 3022 on the localhost. Now use an SSH client to connect to localhost on port 3022, e.g. using the following command:
ssh -p 3022 root@localhost
If an SSH session is established, or if you are asked for a password, or if you receive a key fingerprint mismatch error, then the SSH server is already running on the device. If the connection is not established or refused, then there is no SSH server running. You can fix it by installing the OpenSSH package using Cydia (which should be present on all jailbroken devices).
Q. From time to time, I get the following error: "Failed to add the host to the list of known hosts (/cygdrive/c/Device/Null). What does that mean?
A. You can just ignore it.
Q. How long does it take to crack a passcode?
A. It depends on many factors such as the device model, the type and length of the passcode, and sheer luck. A simple 4-digit passcode on iPhone 4 can be cracked in 20-40 minutes. The same passcode on iPhone 5 will take about 10 minutes. Long and complex passcodes may take forever. The speed of password recovery may vary from only 4 passcodes per second on iPhone 4 to about 15 p/s on iPhone 5.
Q. Why is passcode recovery so slow? Are you planning to use GPU acceleration for that?
A. On iOS devices, the password recovery process can only run on the device itself. It cannot be outsourced or broken offline. This is the way Apple secures its devices, and this is one of the reasons why Apple devices are so secure.
Q. Once I run a passcode recovery, will the iPhone be locked, disabled or wiped after too many unsuccessful attempts?
A. No. Even if the device has the "Erase all data on this iPhone after 10 failed passcode attempts" setting turned on, the setting is not applicable here. The Toolkit accesses the hardware directly, and does not care about any iOS settings. The device will never be locked.
Q. In Windows, a separate console window with "Tunnel 3022-22" is being opened, is that normal?
A. Yes. Please do not close it while the Toolkit is running.
Q. Do I ever need physical acquisition? Why is it better than logical?
A. Physical acquisition returns more data than logical acquisition. The keychain can only be completely decrypted with physical acquisition. In addition, some files on the device are locked and not being copied with logical acquisition, while physical acquisition operates at a lower level and acquires the complete image of the device.
Q. With physical acquisition, is it possible to recover the data that have been deleted from the device (such as photos)?
A. For iOS 4/5/6 – unfortunately, no. Sometimes, however, you can restore deleted messages (SMS and iMessage) and some other data stored in SQLite databases (you would need 3rd party forensic software for that, though).
Q. In brief, what is the typical usage of the Toolkit, and where should I start from?
A. The first step depends on the model of your iOS device. For iPhone 4 and older devices, you should enter the device into the DFU mode and load RAMdisk into it (see the manual for details). For iPhone 4S+, you need to jailbreak the device and install OpenSSH. Then, the typical steps are: