- Physical acquisition for 64-bit iOS devices via jailbreak
- Logical acquisition extracts backups, crash logs, media and shared files
- Unlocks iOS devices with pairing records (lockdown files)
- Extracts and decrypts protected keychain items
- Real-time file system acquisition
- Automatically disables screen lock for smooth, uninterrupted acquisition
Supports: Supports: all generations of iPhone, iPad, iPad Pro and iPod Touch with and without jailbreak; Apple Watch and Apple TV 4 and 4K; all versions of iOS from iOS 7 to iOS 12
Supported Devices and Acquisition Methods
iOS Forensic Toolkit implements physical acquisition support for jailbroken devices from iPhone 5s through iPhone X/Xs/Xr. Logical acquisition is available for devices without a jailbreak.
The following compatibility matrix applies:
- With jailbreak: Physical acquisition for jailbroken devices running any version of iOS for which a jailbreak is available (iPhone 5s through iPhone X, iPad mini 2 through 4, iPad Air, Air 2, Pro, Apple TV 4, 4K)
- No jailbreak: Logical acquisition, shared files and media extraction only for devices running versions of iOS without a jailbreak. Device must be unlocked with passcode, Touch ID or lockdown record
Apple Watch and Apple TV Extraction
Elcomsoft iOS Forensic Toolkit is the only third-party tool on the market to extract information from Apple Watch devices. While experts may attempt creating an iTunes-style backup of the user’s iPhone paired with their Apple Watch, a local backup may not be available if the iPhone is securely locked. Extracting information directly from the Watch allows accessing information even if the iPhone is locked or unavailable. While Apple Watch does not offer standalone iTunes-style backups, experts can still access crash logs and media files including EXIF and location data. A third-party IBUS adapter is required to connect the Watch.
Apple TV devices have no support for iTune-style backups, but may contain a local copy of the user’s entire iCloud Photo Library if the user enabled iCloud Photos in their iCloud account. Since Apple TV does not feature passcode protection, the extraction is possible even if the user’s iPhone is locked down and the iCloud password is unknown. Requires wired connection for Apple TV 4, wireless connection through Xcode for Apple TV 4K.
Logical Acquisition with Lockdown Support
Logical acquisition is available for all devices regardless or hardware generation and jailbreak status. The device must be unlocked at least once after cold boot; otherwise, the device backup service cannot be started.
Experts will need to unlock the device with passcode or Touch ID, or use a non-expired lockdown file extracted from the user’s computer.
If the device is configured to produce password-protected backups, experts must use Elcomsoft Phone Breaker to recover the password and remove encryption. Elcomsoft Phone Breaker is also required to view keychain records. If no backup password is set, the tool will automatically configure the system with a temporary password (“123”) in order to be able to decrypt keychain items (password will be reset after the acquisition).
Using a lockdown (pairing) record, information can be extracted from locked iOS devices even after power-off or reboot. The following matrix applies to devices running iOS 8 through iOS 12.x:
|Basic device info||Advanced device info||App list||Media||iTunes-style backup|
|Device locked, no lockdown record||Yes||No||No||No||No|
|Device never unlocked after reboot, lockdown exists||Yes||Yes||No||No||No|
|Device unlocked after reboot, lockdown exists||Yes||Yes||Yes||Yes||Yes|
iOS Forensic Toolkit
Perform the complete forensic acquisition of user data stored in iPhone/iPad/iPod devices. Elcomsoft iOS Forensic Toolkit allows imaging devices’ file systems, extracting device secrets (passcodes, passwords, and encryption keys) and accessing locked devices via lockdown records.
Please contact us below for more information.