ElcomSoft iOS Forensic Toolkit 4.0


Active Member
Oct 3, 2017

ElcomSoft iOS Forensic Toolkit 4.0
Languages: English | File Size: 112.84 MB
Perform physical and logical acquisition of iPhone, iPad and iPod Touch devices. Image device file system, extract device secrets (passwords, encryption keys and protected data) and decrypt the file system image.

- Physical acquisition for 32-bit and 64-bit iOS devices via jailbreak
- Logical acquisition with iTunes-style backup includes decrypted keychain
- Unlocks iOS devices with pairing records (lockdown files)
- Decrypts keychain items and extracts device keys
- Real-time file system acquisition for jailbroken devices
- Quickly extracts media and shared files, even if backup password is set

Enhanced Forensic Access to iPhone/iPad/iPod Devices running Apple iOS
Perform the complete forensic acquisition of user data stored in iPhone/iPad/iPod devices. Elcomsoft iOS Forensic Toolkit allows imaging devices' file systems, extracting device secrets (passcodes, passwords, and encryption keys) and decrypting the file system image. Access to most information is provided instantly. Please note that some models require jailbreaking. See Compatible Devices and Platforms for details.

Physical Acquisition for Legacy, 32-bit and 64-bit Apple Devices
Physical acquisition is the only acquisition method to extract full application data, downloaded messages and location history. Physical acquisition operates on fixed-timeframe basis, which guarantees the delivery of the entire content of a 32-GB device in 40 minutes or less (depending on the amount of information stored in the device). In many cases, physical acquisition returns more data than logical acquisition, as many files are locked by the operating system and not accessible during the process of logical acquisition.

Elcomsoft iOS Forensic Toolkit supports both legacy hardware (iPhone 4 and older), jailbroken 32-bit devices (iPhone 4S through 5C) and jailbroken 64-bit devices (iPhone 5s through iPhone X).

A proprietary acquisition technique is exclusively available in Elcomsoft iOS Forensic Toolkit for 64-bit devices. Physical acquisition for 64-bit devices is fully compatible with jailbroken iPhones and iPads equipped with 64-bit SoC, returning the complete file system of the device (as opposed to bit-precise image extracted with the 32-bit process). Only devices with known or empty passcode are supported; passcode protection must be removed in iOS settings prior to acquisition.

Logical Acquisition with Keychain Extraction
iOS Forensic Toolkit supports logical acquisition, a simpler and safer acquisition method compared to physical. Logical acquisition produces a standard iTunes-style backup of information stored in the device. While logical acquisition returns less information than physical, experts are recommended to create a logical backup of the device before attempting more invasive acquisition techniques.

Logical acquisition with iOS Forensic Toolkit is the only acquisition methods allowing access to encrypted keychain items. Logical acquisition should be used in combination with physical for extracting all possible types of evidence.

Media and Shared Files Extraction
iOS Forensic Toolkit offers the ability to quickly extract media files such as Camera Roll, books, voice recordings, and iTunes media library. As opposed to creating a local backup, which could be a potentially lengthy operation, media extraction works quickly and easily on all supported devices. Extraction from locked devices is possible by using a pairing record (lockdown file).

In addition to media files, iOS Forensic Toolkit can extract stored files of multiple apps, extracting crucial evidence from 32-bit and 64-bit devices without a jailbreak. While access to app data without a jailbreak is limited, this new technique allows extracting Adobe Reader and Microsoft Office locally stored documents, MiniKeePass password database, and a lot more. The extraction requires an unlocked device or a non-expired lockdown record. If a lockdown record is used, some files may not be accessible unless the lock screen passcode is removed.

Perform physical and logical acquisition of iPhone, iPad and iPod Touch devices. Image device file system, extract device secrets (passwords, encryption keys and protected data) and decrypt the file system image.

All Features and Benefits
- Physical Acquisition for 32-bit and 64-bit iOS Devices
- Logical Acquisition with Lockdown Support and Keychain Extraction
- Access More Information than Available in iPhone Backups
- Keychain Recovery
- Passcode Recovery Release Notes:iOS Forensic Toolkit 4.0 features a major overhaul, adding physical extraction of iOS keychain and offering straightforward acquisition workflow for iOS devices ranging from the iPhone 5s through iPhone X. The update drops support of legacy devices, cleans up redundant code and offers a much cleaner look and a straightforward usage experience.

iOS Forensic Toolkit receives a major overhaul, adding the ability to extract and decrypt keychain items during physical extraction of jailbroken 64-bit iOS devices. In addition, the new release offers an option to disable automatic screen lock on the connected device and pulls crash logs. The tool prevents automatic screen lock of the iOS device during the acquisition to make sure that all files are extracted, even those with the strongest security attributes.

iOS Forensic Toolkit 4.0 is now providing all possible options for extracting and decrypting data from both jailbroken and non-jailbroken 64-bit devices, including the last generations of Apple hardware and software. Without a jailbreak, experts can perform logical extraction through iOS system backups as well as app data and media file extraction. If a jailbreak can be installed, experts can image the file system of 64-bit iPhones and iPads, extract crash logs and decrypt the keychain.

Keychain Extraction
iOS keychain is an Apple's solution for securely storing passwords, keys, certificates, payment data and app-specific credentials. The keychain is securely encrypted with a hardware-specific key. On 64-bit hardware (iPhone 5s and all newer iOS devices), this key is additionally protected with Secure Enclave.

iOS Forensic Toolkit 4.0 adds the ability to extract and decrypt keychain items during the course of physical acquisition, successfully bypassing Secure Enclave protection on jailbroken devices. Notably, the entire content of the keychain is decrypted including records secured with ThisDeviceOnly attribute. Such records are unavailable via logical acquisition. The tool prevents automatic screen lock of the iOS device during the acquisition to make sure that even those records with the strongest security attributes are successfully extracted and decrypted.

Access to Crash Logs
Crash logs are an important part of the evidence that are not included into a local backup but may be extractable from the device with logical acquisition methods. From a forensic point of view, crash logs may deliver the list of installed and uninstalled apps. Once the expert discovers a crash log entry created by an app that is no longer present in the system, one can safely assume that the app was installed on the device at least up to the date and time specified in the crash log entry. In addition, one can build a timeline of device usage based on all the timestamps discovered have in crash logs.

iOS Forensic Toolkit 4.0 adds the ability to extract crash logs from iOS devices with or without a jailbreak. Access to crash logs requires a paired device or access to a valid lockdown file.

New User Interface
iOS Forensic Toolkit 4.0 comes with completely new user interface featuring streamlined workflow targeting the recent crop of Apple devices (iPhone 5s, 6/6s/7/8/Plus, iPhone SE and iPhone X). While still console-based, the new user interface provides concise step-by-step workflow for consecutively performing activities connected with logical and physical acquisition. The new Toolkit drops support for legacy hardware, instead concentrating on devices that are currently in circulation. Experts who require support for older Apple devices must contact ElcomSoft to obtain a legacy build.System Requirements:
- Windows Server 2016
- Windows Server 2012
- Windows 7 (32 bit)
- Windows 7 (64 bit)
- Windows 8
- Windows 8.1
- Windows 10Homepage

Recommend Download Link Hight Speed | Please Say Thanks Keep Topic Live