"With each iteration, iOS tightens security", says Vladimir Katalov, ElcomSoft CEO. "While we can still do a lot to older versions of the system, iOS 10 closes every known loophole and workaround. In this update, iOS Forensic Toolkit can only do logical acquisition of devices running iOS 10.x and display information about the device. To make logical acquisition easier, the Toolkit can now search for unlock records on paired computers automatically."
The updated data extraction engine with iOS 10 support enables experts to perform logical acquisition of devices running Apple’s latest OS. Logical extraction is available for all devices and does not require a jailbreak.
The update is free for all customers who have purchased or updated Elcomsoft iOS Forensic Toolkit within one year. Customers whose support and maintenance package has expired may be eligible for a discounted update.
iOS 10 Support
According to Apple, as many as 76% of compatible devices are running Apple’s latest OS, with only 18% still on iOS 9.x. iOS 10 is more secure than ever, closing every loophole and every backdoor discovered in earlier versions of iOS. As a result, physical acquisition of iOS 10 devices is currently out of the question; logical and cloud extraction methods are the only ways to go.
With recent updates, Elcomsoft iOS Forensic Toolkit gained the ability to force iPhones and iPads to produce local backups. While this method does not require a jailbreak (which is so far unavailable for iOS 10.2), the phone must be unlocked in order to make the backup. iOS Forensic Toolkit can automatically unlock iOS devices even if there is no passcode or valid Touch ID by using a pairing record from a computer (Mac or PC) that has an established trusted relationship with that device. iOS Forensic Toolkit 2.20 adds the ability to automatically discover such pairing records.
In iOS 10, Apple made internal changes to backup mechanisms and data formats. As a result, ElcomSoft had to make changes to its mobile acquisition toolkit in order to be able to obtain system backups produced by iOS 10. Password-protected iOS 10 backups can still be recovered and decrypted using the latest version of Elcomsoft Phone Breaker.
macOS Sierra Support
Elcomsoft iOS Forensic Toolkit improves live system analysis of computers running macOS Sierra, enabling automatic extraction of lockdown records from the new OS. Once extracted, lockdown records can be transferred to a different computer, and used to make iPhones and iPads (including iOS 10.x devices) dump their contents into a local backup without providing a passcode or fingerprint.
Lockdown records, or pairing records, are files stored on the computer with which the iOS device syncs. These files are created the first time the user connects their iOS device to a PC that has iTunes installed. Lockdown records are used to re-establish a pairing relationship between the computer and iOS device, allowing the user to conveniently sync their iPhone by simply connecting it to their computer, without having to manually unlock the device every time.
Forensic specialists routinely use lockdown records to produce a full device backup of the connected phone. A lockdown file can be extracted from the original computer and used on a different Mac or PC to re-establish the pairing relationship, all without unlocking the iPhone with a passcode or Touch ID.
Elcomsoft iOS Forensic Toolkit can automatically detect whether a lockdown record is available for the currently connected iOS device. However, macOS Sierra protects access to the disk location where lockdown records are stored. This affects live system analysis. In order to access lockdown records on live systems running macOS Sierra and newer, users must manually enable access to /var/db/lockdown.
iOS Forensic Toolkit 2.20 automatically detects situations where additional permissions are required to access stored lockdown records, and prompts users to give access privileges.
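Because a lockdown record stands in for the passcode, it is worth knowing which ones a workstation holds. The following is an added example, not part of ElcomSoft's release or tooling: a defender-side inventory of pairing records that flags stale or world-readable files. The plist key names, the per-device file naming and the 30-day threshold are assumptions, and the sample records are constructed.

```python
import os, plistlib, stat, tempfile, time
from pathlib import Path
from xml.parsers.expat import ExpatError

LOCKDOWN_DIR = Path("/var/db/lockdown")  # macOS location named in the text
# Assumed key names for the secrets a pairing record carries (not from the page).
SECRET_KEYS = ("HostPrivateKey", "EscrowBag")

def audit_pairing_records(directory, max_age_days=30, now=None):
    """Report each pairing record, its age and whether other users can read it."""
    now = time.time() if now is None else now
    findings = []
    for path in sorted(Path(directory).glob("*.plist")):
        try:
            record = plistlib.loads(path.read_bytes())
        except (OSError, ValueError, ExpatError) as exc:
            findings.append({"file": path.name, "error": type(exc).__name__})
            continue
        held = [k for k in SECRET_KEYS if k in record]
        if not held:
            continue  # host-level config plist, not a device pairing
        st = path.stat()
        age_days = (now - st.st_mtime) / 86400
        findings.append({
            "file": path.name,
            "secrets": held,
            "age_days": round(age_days, 1),
            "stale": age_days > max_age_days,  # hypothetical retention policy
            "world_readable": bool(st.st_mode & stat.S_IROTH),
        })
    return findings

def demo():
    """Run the audit over constructed records in a temporary directory."""
    now = time.time()
    with tempfile.TemporaryDirectory() as tmp:
        samples = {  # name: (plist body, age in days, file mode), all constructed
            "CONSTRUCTED-UDID-A.plist": ({"HostID": "a", "EscrowBag": b"\0" * 8}, 90, 0o644),
            "CONSTRUCTED-UDID-B.plist": ({"HostID": "b", "HostPrivateKey": b"k"}, 2, 0o600),
            "SystemConfiguration.plist": ({"SystemBUID": "c"}, 2, 0o644),
        }
        for name, (body, days, mode) in samples.items():
            p = Path(tmp) / name
            p.write_bytes(plistlib.dumps(body))
            os.utime(p, (now - days * 86400,) * 2)
            p.chmod(mode)
        return audit_pairing_records(tmp, now=now)

if __name__ == "__main__":
    print(demo())
```

To audit a live system, pass LOCKDOWN_DIR to audit_pairing_records; on macOS Sierra this needs the access to /var/db/lockdown that the text describes.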
Pricing and Availability
Elcomsoft iOS Forensic Toolkit 2.20 is immediately available. North American pricing starts from $1,495. Both Windows and Mac OS X versions are supplied with every order. Existing customers can upgrade at no charge or at a discount depending on their license expiration.
Compatibility
Windows and macOS versions of Elcomsoft iOS Forensic Toolkit are available. Physical acquisition support for the various iOS devices varies depending on lock state, jailbreak state and the version of iOS installed. For some devices running some versions of iOS, logical acquisition is the only available method. The full compatibility matrix is available at https://www.elcomsoft.com/eift.html
About Elcomsoft iOS Forensic Toolkit
Elcomsoft iOS Forensic Toolkit provides forensic access to encrypted information stored in popular Apple devices running iOS versions 3 to 10.2. By performing a physical acquisition analysis of the device itself, the Toolkit offers instant access to all protected information including SMS and email messages, call history, contacts and organizer data, Web browsing history, voicemail and email accounts and settings, stored logins and passwords, geolocation history, the original plain-text Apple ID password, conversations carried over various instant messaging apps such as Skype or Viber, as well as all application-specific data saved in the device.
iOS Forensic Toolkit is the only tool on the market to offer physical acquisition for Apple devices equipped with 64-bit SoC including Apple iPhone 5S, 6/6s, iPhone 7 and their Plus versions. Physical acquisition for 64-bit devices returns significantly more information compared to logical and over-the-air approaches.