Enhanced Forensic Access to iPhone/iPad/iPod Devices running Apple iOS
Perform the complete forensic acquisition of user data stored in iPhone/iPad/iPod devices. Elcomsoft iOS Forensic Toolkit allows imaging devices’ file systems, extracting device secrets (passcodes, passwords, and encryption keys) and decrypting the file system image. Access to most information is provided instantly.
Please note that some models require jailbreaking. See Compatible Devices and Platforms for details.
Physical Acquisition for Legacy, 32-bit and 64-bit Apple Devices
Physical acquisition is the only acquisition method to extract full application data, downloaded messages and location history. Physical acquisition operates on fixed-timeframe basis, which guarantees the delivery of the entire content of a 32-GB device in 40 minutes or less (depending on the amount of information stored in the device). In many cases, physical acquisition returns more data than logical acquisition, as many files are locked by the operating system and not accessible during the process of logical acquisition.
Elcomsoft iOS Forensic Toolkit supports both legacy hardware (iPhone 4 and older), jailbroken 32-bit devices (iPhone 4S through 5C) and jailbroken 64-bit devices (iPhone 5s through iPhone X).
A proprietary acquisition technique is exclusively available in Elcomsoft iOS Forensic Toolkit for 64-bit devices. Physical acquisition for 64-bit devices is fully compatible with jailbroken iPhones and iPads equipped with 64-bit SoC, returning the complete file system of the device (as opposed to bit-precise image extracted with the 32-bit process). Only devices with known or empty passcode are supported; passcode protection must be removed in iOS settings prior to acquisition.
Logical Acquisition with Keychain Extraction
iOS Forensic Toolkit supports logical acquisition, a simpler and safer acquisition method compared to physical. Logical acquisition produces a standard iTunes-style backup of information stored in the device. While logical acquisition returns less information than physical, experts are recommended to create a logical backup of the device before attempting more invasive acquisition techniques.
Logical acquisition with iOS Forensic Toolkit is the only acquisition methods allowing access to encrypted keychain items. Logical acquisition should be used in combination with physical for extracting all possible types of evidence.
Media and Shared Files Extraction
iOS Forensic Toolkit offers the ability to quickly extract media files such as Camera Roll, books, voice recordings, and iTunes media library. As opposed to creating a local backup, which could be a potentially lengthy operation, media extraction works quickly and easily on all supported devices. Extraction from locked devices is possible by using a pairing record (lockdown file).
In addition to media files, iOS Forensic Toolkit can extract stored files of multiple apps, extracting crucial evidence from 32-bit and 64-bit devices without a jailbreak. While access to app data without a jailbreak is limited, this new technique allows extracting Adobe Reader and Microsoft Office locally stored documents, MiniKeePass password database, and a lot more. The extraction requires an unlocked device or a non-expired lockdown record. If a lockdown record is used, some files may not be accessible unless the lock
screen passcode is removed.
Perform physical and logical acquisition of iPhone, iPad and iPod Touch devices. Image device file system, extract device secrets (passwords, encryption keys and protected data) and decrypt the file system image.