Elcomsoft iOS Forensic Toolkit

Perform full file system and logical acquisition of iPhone, iPad and iPod Touch devices. Image device file system, extract device secrets (passwords, encryption keys and protected data) and decrypt the file system image.

Key Features

1. Full file system extraction and keychain decryption without a jailbreak

2. Logical acquisition extracts backups, crash logs, media and shared files

3. Passcode unlock and physical acquisition for legacy devices

4. Extracts and decrypts protected keychain items

5. Repeatable, forensically sound extraction for select iPhone and iPad models through modified bootloader
6. Automatically disables screen lock for smooth, uninterrupted acquisition

Forensic Access to iPhone/iPad/iPod Devices running Apple iOS

Perform the complete forensic acquisition of user data stored in iPhone/iPad/iPod devices. Elcomsoft iOS Forensic Toolkit allows imaging devices’ file systems, extracting device secrets (passcodes, passwords, and encryption keys) and accessing locked devices via lockdown records.

The following extraction methods are supported:

Advanced logical acquisition (backup, media files, crash logs, shared files) (all devices, all versions of iOS)
Direct agent-based extraction (all 64-bit devices, select iOS versions)
Forensically sound bootloader-based checkm8 extraction (select devices)
Jailbreak-based extraction (all devices and versions of iOS with public jailbreaks)
Passcode unlock and true physical acquisition (select 32-bit devices)

Full File System Extraction and Keychain Decryption Without a Jailbreak

A jailbreak-free extraction method based on direct access to the file system is available for a limited range of iOS devices. Using an in-house developed extraction tool, this acquisition method installs an extraction agent onto the device being acquired. The agent communicates with the expert’s computer, delivering robust performance and extremely high extraction speed topping 2.5 GB of data per minute.

Better yet, agent-based extraction is completely safe as it neither modifies the system partition nor remounts the file system while performing automatic on-the-fly hashing of information being extracted. Agent-based extraction does not make any changes to user data, offering forensically sound extraction.

Both the file system image and all keychain records are extracted and decrypted. The agent-based extraction method delivers solid performance and results in forensically sound extraction. Removing the agent from the device after the extraction takes one push of a button.

You can either extract the complete file system or use the express extraction option, only acquiring files from the user partition. By skipping files stored in the device’s system partition, the express extraction option helps reduce the time required to do the job and cut storage space by several gigabytes of static content.

Installing and signing the extraction agent requires an Apple ID registered in the Apple Developer Program. The Mac edition drops this requirement, allowing to use a regular Apple ID for signing and sideloading the extraction agent onto the iOS device.

iOS Forensic Toolkit fully supports the extraction of all jailbroken devices for which a jailbreak is available. Full file system extraction and keychain decryption are available for jailbroken devices. All public jailbreaks are supported.
Forensically sound extraction for select iPhone and iPad models

To preserve digital evidence, the chain of custody begins from the first point of data collection to ensure that digital evidence collected during the investigation remains court admissible. The new, bootloader-based extraction method delivers repeatable results across extraction sessions. When using iOS Forensic Toolkit on a supported device, the checksum of the first extracted image will match checksums of subsequent extractions provided that the device is powered off between extractions and never boots the installed version of iOS in the meantime.

The new extraction method is the cleanest yet. Our implementation of bootloader-based exploit is derived directly from the source. All the work is performed completely in the RAM, and the operating system installed on the device is left untouched and is not used during the boot process. Our unique direct extraction process offers the following benefits:

Repeatable results. Checksums of subsequent extractions will match the first one if the device is kept powered off and never boots iOS between sessions.
Supports iPhone 5s, 6/6s/Plus, SE (original), iPhone 7/8/Plus, iPhone X.
Wide iOS compatibility. iOS 8.0 through iOS 15.3 are supported.
Untouched system and data partitions.
Zero modification policy: 100% of the patching occurs in the RAM.
The installation process is fully guided and massively more reliable compared to jailbreaking.
Locked devices supported in BFU mode, while USB restricted mode can be completely bypassed.

Notes: bootloader-level extractions are available exclusively in the Mac edition, requiring a macOS computer.
Unlocking and Imaging Legacy Devices: iPhone 4, 5, and 5c

Passcode unlock and imaging support are available for legacy iPhone models.

The Toolkit can be used to unlock encrypted iPhone 4, 5 and 5c devices protected with an unknown screen lock passcode by attempting to recover the original 4-digit or 6-digit PIN. This DFU attack works at the speed of 13.6 passcodes per second on iPhone 5 and 5c devices, and takes only 12 minutes to unlock an iPhone protected with a 4-digit PINs. 6-digit PINs will take up to 21 hours. A smart attack will be used automatically to attempt cutting this time as much as possible. In less than 4 minutes, the tool will try several thousand most commonly used passcodes such as 000000, 123456 or 121212, followed by 6-digit PINs based on the dates of birth. With 74,000 of those, the smart attack takes approximately 1.5 hours. If still unsuccessful, the full brute force of the rest of the passcodes is initiated. (Note: passcode recovery runs at the speed of 6.6 passcodes per second on the iPhone 4).

Full physical acquisition is available for legacy iOS devices including the iPhone 4, 5 and 5c. For all supported models, the Toolkit can extract the bit-precise image of the user partition and decrypt the keychain. If the device is running iOS 4 through 7, the imaging can be performed even without breaking the screen lock passcode, while devices running iOS 8 through 10 require breaking the passcode first. For all supported models, the Toolkit can extract and decrypt the user partition and the keychain.

Notes: Mac edition only; iPhone 4s is not supported. For iOS 4 through 7, passcode recovery is not required for device imaging. For iOS 8 and 9, the passcode must be recovered before imaging (otherwise, limited BFU extraction available).