The New Elcomsoft iOS Forensic Toolkit

July 17th, 2013 by Vladimir Katalov

Soon after releasing the updated version of iOS Forensic Toolkit we started receiving questions about the new product.
Perform physical and logical acquisition of iPhone, iPad and iPod Touch devices. Image the device file system, extract device secrets (passwords, encryption keys and protected data) and decrypt the file system image. iOS Forensic Toolkit 2.40 is updated with enhanced support for lockdown records, enabling forensic experts to extract more information from locked down iPhones and iPads in “cold boot” situations. The new release can access advanced device information through the use of lockdown records even if the device is completely locked down and has never been unlocked since powered on or rebooted.
iOS Forensic Toolkit 2.40 extends the use of lockdown (pairing) records for the purpose of extracting additional device info from iPhone and iPad devices that are locked with an unknown passcode. In particular, the new build extracts more information from iOS devices that are locked and have never been unlocked after being powered off or rebooted (the “cold boot” situation). The ability to use lockdown records for extracting information from locked devices in the “cold boot” state can be extremely important for investigations.
- Device model and name
- iOS version and build number
- Device ID
- MAC addresses of the phone’s Wi-Fi and Bluetooth adapters
- ICCID/IMEI/IMSI and phone number
- Whether or not an iTunes backup password is enabled
- Date and time of last iTunes and iCloud backups
- List of synced accounts including email address for Google accounts
- Various bits such as total and available disk space, time zone and language settings

If the iOS device has been unlocked at least once, iOS Forensic Toolkit 2.40 can additionally extract comprehensive information about the apps installed on the device. This includes app names and versions, access permissions, as well as the names of their data folders.
While this information is also available via full local backups, a local backup may come out encrypted with an unknown password, in which case the data cannot be read unless the password is known.

Recover Password-Protected BlackBerry and Apple Backups

Elcomsoft Phone Breaker enables forensic access to password-protected backups for smartphones and portable devices based on RIM BlackBerry and Apple iOS platforms. The password recovery tool supports all BlackBerry smartphones as well as Apple devices running iOS including iPhone, iPad and iPod Touch devices of all generations released to date, including the iPhone 8/Plus, iPhone X and iOS 11.

Retrieve Cloud Data: Apple iCloud and Microsoft Account

Cloud acquisition is a great way of retrieving information stored in mobile backups produced by Apple iOS, and a handy alternative when exploring Windows Phone, Windows 10 Mobile and desktop Windows 10 devices.
Elcomsoft Phone Breaker can retrieve information from Apple iCloud and Microsoft Account provided that the original user credentials for that account are known. Online backups can be acquired by forensic specialists without having the original iOS or Windows device in hand. All that’s needed to access online backups stored in the cloud service are the original user’s credentials: the Apple ID or Microsoft Account together with the corresponding password.

Two-Step Verification and Two-Factor Authentication

Elcomsoft Phone Breaker supports accounts with two-step verification as well as the new two-factor authentication.
Access to the second authentication factor such as a trusted device or recovery key is required. You will only need to use it once as Elcomsoft Phone Breaker can save authentication credentials for future sessions.

Access iCloud without Login and Password

If the user’s Apple ID and password are not available, Elcomsoft Phone Breaker can use a binary authentication token created by Apple iCloud Control Panel in order to log in to iCloud and retrieve information. The use of authentication tokens allows bypassing two-factor authentication even if no access to the secondary authentication factor is available. The Forensic edition of Elcomsoft Phone Breaker comes with the ability to acquire and use authentication tokens from Windows and Mac OS X computers, hard drives or forensic disk images.
Authentication tokens for all users of that computer can be extracted, including domain users (provided that their system logon passwords are known). The extraction tools are available in both the Windows and Mac versions of the product. Authentication tokens are obtained from the suspect’s computer on which the iCloud app is installed. In order for the token to be created, the user must have been logged in to iCloud Control Panel on that PC at the time of acquisition. Authentication tokens can be extracted from live systems (a running Mac OS or Windows PC) or retrieved from users’ hard drives or forensic disk images. iCloud is an integral part of Mac OS systems, and installs separately on Windows PCs.
Most users will stay logged in to their iCloud Control Panel for syncing contacts, passwords (iCloud Keychain), notes, photo stream and other types of data without re-typing their password. All this means that the probability of obtaining authentication tokens from PCs with iCloud Control Panel installed is high.

Note: this functionality is only available in Forensic edition.

Decrypt FileVault 2 Volumes

FileVault 2 is a whole-disk encryption scheme used in Apple’s Mac OS X.
FileVault 2 protects the entire startup partition with secure 256-bit XTS-AES encryption. If the user forgets their account password, or if the encrypted volume is moved to a different computer, a FileVault 2 volume can be unlocked with a special Recovery Key. If the user logs in with their Apple ID credentials, the Recovery Key can be saved into the user’s iCloud account. Should the user forget their password, the system can automatically use the Recovery Key to unlock the encrypted volume. It is important to note that Apple does not allow the end user to view or extract FileVault 2 recovery keys from iCloud. Elcomsoft Phone Breaker can extract FileVault 2 recovery keys from the user’s iCloud account, and use these keys to decrypt encrypted disk images. Valid authentication credentials (Apple ID/password or iCloud authentication token) as well as volume identification information extracted from the FileVault-encrypted disk image are required.

Note: this functionality is only available in Forensic edition. APFS volumes are not supported at this time.

Extract Synced Data

iPhones automatically sync certain types of data with iCloud in real time. Elcomsoft Phone Breaker automatically downloads synced data including call logs, contacts, notes (including deleted notes and attachments), calendars as well as Web browsing activities including Safari history (including deleted records), bookmarks and open tabs.
Unlike iCloud backups that may or may not be created on a daily basis, synced information is pushed to Apple servers just minutes after the corresponding activity has taken place. Once uploaded, synced data can be retained for months with no option for the end user to clear the data or disable the syncing.