Providing near-instant forensic access to encrypted information stored in the latest iPhone and iPad devices, iOS Forensic Toolkit enables access to protected file system dumps extracted from supported Apple devices even if the original device passcode is unknown.
By performing a physical acquisition analysis of the device itself, the toolkit offers instant access to all protected information including SMS and email messages, call history, contacts and organizer data, Web browsing history, voicemail and email accounts and settings, stored logins and passwords, geolocation history and the original plain-text user passcode.
The tool can also perform logical acquisition of iOS devices, or provide forensic access to encrypted iOS file system dumps.
The toolkit can acquire a 16-Gb iPhone 4 in about 20 minutes, or a 32-Gb version in 40 minutes.
With the release of iOS 5, Apple made some minor tweaks and some major changes to data encryption. “There was no break-through in the iOS security model”, says Andrey Belenko, ElcomSoft leading developer. “The architectural changes are more of an evolution of the existing model. However, we highly welcome these changes, as they present better security to the end user. In particular, the number of keychain items that can be decrypted without the passkey is now less than it used to be. Device passcode is one of the hallmarks of Apple’s security model, and they are expanding the use of it to cover more data than ever before.”
The Toolkit currently supports the following iOS devices:
- iPhone 3G
- iPhone 3GS
- iPhone 4 (GSM and CDMA models)
- iPod Touch (3rd and 4th generations)
- iPad (1st generation only).
Information about toolkit