Forensic Access to iPhone/iPad/iPod Devices running Apple iOS
Perform the complete forensic acquisition of user data stored in iPhone/iPad/iPod devices. Elcomsoft iOS Forensic Toolkit allows imaging devices’ file systems, extracting device secrets (passcodes, passwords, and encryption keys) and accessing locked devices via lockdown records.
See Compatible Devices and Platforms for details.
Physical Acquisition of iOS Devices
Physical acquisition is the only acquisition method to extract full application data, protected keychain items, downloaded messages and location history. Physical acquisition returns more information compared to logical acquisition due to direct low-level access to data.
Elcomsoft iOS Forensic Toolkit supports jailbroken 64-bit devices (iPhone 5s through iPhone X) running most versions of iOS 7 through 11.
iOS Forensic Toolkit supports logical acquisition, a simpler and safer acquisition method compared to physical. Logical acquisition produces a standard iTunes-style backup of information stored in the device, pulls media and shared files and extracts system crash logs. While logical acquisition returns less information than physical, experts are recommended to create a logical backup of the device before attempting more invasive acquisition techniques.
We always recommend using logical acquisition in combination with physical for safely extracting all possible types of evidence.
Media and Shared Files
Quickly extract media files such as Camera Roll, books, voice recordings, and iTunes media library. As opposed to creating a local backup, which could be a potentially lengthy operation, media extraction works quickly on all supported devices. Extraction from locked devices is possible by using a pairing record (lockdown file).
In addition to media files, iOS Forensic Toolkit can extract stored files of multiple apps, extracting crucial evidence without a jailbreak. Extract Adobe Reader and Microsoft Office locally stored documents, MiniKeePass password database, and a lot more. The extraction requires an unlocked device or a non-expired lockdown record.
Perform physical and logical acquisition of iPhone, iPad and iPod Touch devices. Image device file system, extract device secrets (passwords, encryption keys and protected data) and decrypt the file system image.