Elcomsoft iOS Forensic Toolkit
$1,800.00
Elcomsoft iOS Forensic Toolkit performs physical and logical acquisition of iPhone, iPad, and iPod Touch devices. Image device file system, extract device secrets (passwords, encryption keys, and protected data), and decrypt the file system image.
Description
Elcomsoft iOS Forensic Toolkit
Perform full file system and logical acquisition of iPhone, iPad and iPod Touch devices. Image device file system, extract device secrets (passwords, encryption keys and protected data) and decrypt the file system image.
- Full file system extraction and keychain decryption
- Logical acquisition extracts backups, crash logs, Apple Unified Logs, media and shared files
- Passcode unlock and physical acquisition for legacy devices
- Extracts and decrypts protected keychain items
- Repeatable, forensically sound extraction for select iPhone and iPad models through modified bootloader
- Automatically disables screen lock for smooth, uninterrupted acquisition
Supports: all generations of iPhone, iPad, iPad Pro and iPod Touch running iOS 3 through 18, all generations of Apple Watch, Apple TV 4 (HD), all generations of Apple TV 4K; full file system acquisition for select models and versions via extraction agent and bootloader methods.
New features
Faster Extended Logical Acquisition
Elcomsoft iOS Forensic Toolkit significantly speeds up media and sysdiagnose extraction when performing advanced logical acquisition.
Apple Unified Logs Extracted via Logical Acquisition
This release adds support for extracting Apple Unified Logs, an essential source of forensic data that captures detailed system-level activity, including processes, events, and app behavior. Unlike sysdiagnose logs, which typically cover only the last 24 hours with limited historical depth, Unified Logs provide significantly broader visibility into past device activity. Their retention spans several days, depending on event type and device configuration, offering investigators a much richer dataset for timeline reconstruction and behavioral analysis.
Forensic Access to iPhone/iPad/iPod Devices running Apple iOS
Perform the complete forensic acquisition of user data stored in iPhone/iPad/iPod devices. Elcomsoft iOS Forensic Toolkit allows imaging devicesâ file systems, extracting device secrets (passcodes, passwords, and encryption keys) and accessing locked devices via lockdown records.
The following extraction methods are supported:
- Advanced logical acquisition (backup, media files, crash logs, Apple Unified Logs, shared files) (all devices, all versions of iOS)
- Direct agent-based extraction (all 64-bit devices, select iOS versions)
- Forensically sound bootloader-based extraction (select devices)
- Passcode unlock and true physical acquisition (select 32-bit devices)
See Compatible Devices and Platforms for details.
Multi-Platform Availability
iOS Forensic Toolkit is available for macOS, Windows, and Linux. Here’s how they compare feature-wise:
| Elcomsoft iOS Forensic Toolkit Features | macOS | Windows | Linux* |
|---|---|---|---|
| Get extended device information | â | â | â |
| Logical acquisition (iTunes-style backup) | â | â | â |
| Extracting media files & metadata | â | â | â |
| Extracting sysdiagnose logs and Apple Unified Logs | â | â | â |
| Agent-based extraction with developer accounts | â | â | â |
| Agent-based extraction with regular accounts | â | â | â |
| Bootloader-based extraction and passcode unlock | â | â | â |
| Additional service features | â | â | â |
The Linux edition officially supports Debian, Ubuntu, Kali Linux, and Mint.
Full File System Extraction and Keychain Decryption
A low-level extraction method based on direct access to the file system is available for a wide range of iOS devices and OS versions. Using an in-house developed extraction tool, this acquisition method installs an extraction agent onto the device being acquired. The agent communicates with the expertâs computer, delivering robust performance and extremely high extraction speed topping 2.5 GB of data per minute.
Using the extraction agents is inherently safe for the device itself as it neither modifies the system partition nor remounts the file system. The low-level extraction technique employed by the extraction agent yields as much data as that obtained through bootloader-based extraction methods. Both the file system image and all keychain records can be extracted and decrypted depending on the OS version.
One can either extract the complete file system or use the express extraction option, only acquiring files from the user partition. By skipping files stored in the device’s system partition, the express extraction option helps reduce the time required to do the job and cut storage space by several gigabytes of static content.
Sideloading the extraction agent requires the use of an Apple ID. Both regular and developer Apple IDs can be used.
Forensically sound extraction with bootloader exploit
To preserve digital evidence, the chain of custody begins from the first point of data collection to ensure that digital evidence collected during the investigation remains court admissible. The new, bootloader-based extraction method delivers repeatable results across extraction sessions. When using Elcomsoft iOS Forensic Toolkit on a supported device, the checksum of the first extracted image will match checksums of subsequent extractions provided that the device is powered off between extractions and never boots the installed version of iOS in the meantime.
The new extraction method is the cleanest yet. Our implementation of bootloader-based exploit is built from the ground up. All the work is performed completely in the RAM, and the operating system installed on the device is not booted during the extraction process. Our unique direct extraction process offers the following benefits:
- Repeatable results. Checksums of subsequent extractions will match the first one if the device is kept powered off and never boots iOS between sessions.
- Supports iPhone X, iPhone 8/7/Plus, 6s/6/Plus, SE (original), iPhone 5s
- Supports a wide range of Apple models in total including 25 iPhones, 40 iPads, 3 iPods, 4 Apple TV and 4 Apple Watch models
- Wide iOS compatibility. iOS 3 through iOS 16 are supported (no support for iOS 16 on A11 Bionic iPhones).
- Unaltered system and data partitions.
- Zero data modification policy: 100% of the patching occurs in the RAM.
- The installation process is fully guided and extremely robust.
- Locked devices supported in BFU mode, while USB restricted mode can be completely bypassed.
Compatibility: bootloader-level extractions are available in the Mac and Linux editions.
Unlocking and Imaging Legacy Devices: iPhone 3GS, 4, 4s, 5, and 5c
Passcode unlock and imaging support are available for legacy iPhone models.
Elcomsoft iOS Forensic Toolkit can be used to unlock encrypted iPhone 3GS, 4, 4s (1), 5 and 5c devices protected with an unknown screen lock passcode by attempting to recover the original 4-digit or 6-digit PIN. This attack takes only 12 minutes to unlock an iPhone 5 protected with a 4-digit PIN, while 6-digit PINs will take up to 21 hours.
Full physical acquisition is available for the same range of devices. For all supported models, the Toolkit can extract the bit-precise image of the user partition and decrypt the keychain. If the device is running iOS 4 through 7, the imaging can be performed even without breaking the screen lock passcode, while devices running iOS 8 through 10 require breaking the passcode first. For all supported models, the Toolkit can extract and decrypt the user partition and the keychain.
Finally, 32-bit devices can be unlocked and extracted even if they are in a state of lock after 10 unsuccessful passcode attempts.
You must be logged in to post a review.
Reviews
There are no reviews yet.