Elcomsoft Phone Viewer 4.60 reveals Restrictions and Screen Time passwords, decrypts Signal history

Elcomsoft Phone Viewer can now recover and display Restrictions and Screen Time passwords when analysing iOS local backups. In addition, EPV 4.60 decrypts and displays conversation histories in Signal, one of the world’s most secure messaging apps.

Elcomsoft Phone Viewer is updated with two major features. The tool can now recover iOS 7..11 Restrictions passwords and reveal iOS 12 Screen Time passwords when analysing local iOS backups. In addition, the tool gains support for Signal, world’s most secure instant messaging app. Experts can now decrypt and analyse Signal communication histories when analysing the results of iOS file system acquisition.

Restrictions Passwords (iOS 7 through 11)

Older iOS versions hash Restriction passwords with a strong pbkdf2-hmac-sha1 algorithm. Even though plentiful of iterations are used to protect the hash, the fixed length of only 4 digits allows Elcomsoft Phone Viewer to quickly brute-force the Restriction password in background while the backup is opened. By the time EPV completely loads the backup, the Restriction password would be already recovered.

What you need: a local (iTunes) backup without a password or with a known password, or a cloud backup. Restriction passwords can be also extracted from the iOS file system image (physical acquisition).

Screen Time Password (iOS 12)

iOS 12 makes use of the keychain to store the original Screen Time password in an untethered record. EPV 4.60 extracts Screen Time password from the keychain.

What you need: a local (iTunes) backup with a known password.

Signal Messenger

Signal is one of the most secure instant messaging apps. Signal conversation history is never saved to iCloud or backed up with iTunes. There is no cloud-based synchronization either. The working database can be extracted from a file system image obtained via physical acquisition; however, the conversation history (except attachments) is securely encrypted with a custom algorithm and a random encryption key. The encryption key itself is protected with “this device only” attribute; it can be only extracted from the keychain via physical acquisition.

We’ve been able to extract the key and decrypt Signal working database. You must use Elcomsoft iOS Forensic Toolkit to perform physical extraction (file system + keychain) of the device.

Once the database is decrypted, EPV 4.60 offers experts access to the user’s Signal account info, call logs, conversations and attachments.

Release notes:

  • Added the ability to recover Restriction passwords (iOS 7 through 11)
  • Added the ability to reveal Screen Time passwords (iOS 12)
  • Added the ability to decrypts and display Signal conversation histories
  • Improved backup opening time thanks to the ability to pre-select data categories of interest (for local and cloud backups, file system images)
  • Added compatibility with macOS 10.15 Catalina

See also