The New Elcomsoft iOS Forensic Toolkit

July 17th, 2013 by Vladimir Katalov
Category: «Elcomsoft News», «Security», «Tips & Tricks»

Soon after releasing the updated version of iOS Forensic Toolkit we started receiving questions about the new product. Did we really break iPhone 5? Does it truly work? Are there limitations, and what can you do about them? We decided to assemble all these questions into a small FAQ. If you’d rather read the full, more technical version of this FAQ, visit the following page instead: Elcomsoft iOS Forensic Toolkit FAQ. Those with a non-technical background, please read along.

Q. So did you actually break into iPhone 5?

A. Yes, we can do physical acquisition on iPhone 5, 4S, as well as all previous generations of iPhones.

Q. What about iPad 4, iPad Mini and iPod Touch 5th gen?

A. We support them, too.

Q. It took so long for anyone to start supporting these new devices. Is there a trick?

A. Yes, there is a trick here. All the newest devices such as iPhone 4S and 5, iPad 2, 3 and 4, as well as the last-gen iPod Touch are only supported if they are jailbroken, or if you can jailbreak them.

Q. What about the older ones?

A. For legacy devices it’s business as usual: you can keep acquiring them via the DFU mode. In fact, the new release of iOS Forensic Toolkit makes their acquisition easier by eliminating some previously required manual steps. For example, you will no longer have to manually specify the device model, and you won’t have to manually upload some pieces of code (and mess with permission settings) onto the device. The new Toolkit will do all that for you automatically.

Q. To break into an iPhone 5, how do I install the jailbreak?

A. The “evasi0n” hack is in fashion today for breaking iOS 6 up to iOS 6.1.2. Jailbreak developers are still figuring out how to break newer versions of iOS. If you decide to follow this path, we beg you to read the manual and carefully follow all the steps.

Q. What about iOS 6.1.3 and 6.1.4? Is it possible to jailbreak them, or downgrade to an earlier version of iOS?

A. No and no. No hack is available (at least publicly) for these versions of iOS, and Apple won’t let you go back to an earlier version from either 6.1.3 or 6.1.4.

Q. What about iOS 7 then?

A. We’re going to support it subject to jailbreak availability.

Q. What if I have a last-gen iPhone that’s locked, and I don’t know the passcode?

A. You can take a chance and try the Toolkit. It’ll work if the phone is already jailbroken. It’ll fail if it isn’t, and you won’t be able to do a thing about it. Tough luck if that’s the case.

Q. Where do I get the “evasi0n” jailbreak?

A. “evasi0n” is a hack, and we are not in the hacking business. Which means: use Google.

Q. How long does it take to crack a passcode?

A. About 20-40 minutes for a simple 4-digit passcode on iPhone 4. About 10 minutes for the same type of passcode on iPhone 5. Speeds vary depending on phone model; for example, we can try about 4 passcodes per second on iPhone 4, and about 15 p/s on iPhone 5. As a result, if there’s a long alphanumerical password, you may never be able to break it.

Q. So when do you guys plan on boosting this passcode recovery thing with a GPU?

A. The short answer is never. Passcodes can only be tried on the actual device; it’s not technically possible to outsource the recovery. This is part of Apple’s security model, and this one is a particularly strong part.
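The two answers above imply a simple sizing rule for passcode policy, sketched here as an added example (not Elcomsoft code): because guessing is bound to the device, the rates quoted in the FAQ set how long a passcode of a given alphabet and length survives an exhaustive search. The alphabet sizes and the ten-year target are assumptions chosen for illustration.

```python
# On-device guess rates quoted in the FAQ (passcodes per second).
RATES = {"iPhone 4": 4, "iPhone 5": 15}

# Assumed alphabets for illustration; not from the original page.
ALPHABETS = {"digits": 10, "lowercase+digits": 36, "mixed-case+digits": 62}


def keyspace(alphabet_size, length, include_shorter=False):
    """Count passcodes of exactly `length` symbols, or of every
    length from 1 to `length` when include_shorter is set."""
    if include_shorter:
        return sum(alphabet_size ** n for n in range(1, length + 1))
    return alphabet_size ** length


def worst_case_seconds(alphabet_size, length, rate, include_shorter=False):
    """Time to try every candidate at `rate` guesses per second."""
    return keyspace(alphabet_size, length, include_shorter) / rate


def min_length_to_resist(alphabet_size, rate, target_seconds):
    """Shortest fixed length whose average search time (half the
    keyspace) is at least `target_seconds`."""
    length = 1
    while keyspace(alphabet_size, length) / (2 * rate) < target_seconds:
        length += 1
    return length


def human(seconds):
    """Render a duration in the largest unit that fits."""
    units = (("years", 365 * 86400), ("days", 86400),
             ("hours", 3600), ("minutes", 60))
    for unit, size in units:
        if seconds >= size:
            return f"{seconds / size:.1f} {unit}"
    return f"{seconds:.0f} seconds"


if __name__ == "__main__":
    ten_years = 10 * 365 * 86400  # assumed policy target
    for device, rate in RATES.items():
        print(device, "4-digit worst case:",
              human(worst_case_seconds(10, 4, rate)))
        for name, size in ALPHABETS.items():
            n = min_length_to_resist(size, rate, ten_years)
            avg = keyspace(size, n) / (2 * rate)
            print(f"  {name}: length {n} averages {human(avg)}")
```

The 4-digit worst cases reproduce the FAQ's figures: roughly 42 minutes at 4 guesses per second and roughly 11 minutes at 15.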

Q. Once I run a passcode recovery, will the iPhone be locked, disabled or wiped after multiple attempts?

A. No. Even if the device has the “Erase all data on this iPhone after 10 failed passcode attempts” setting turned on, the setting is not applicable here. The Toolkit accesses the hardware directly, bypassing all the iOS settings. The device will not be locked or wiped.

Q. Do I ever need physical acquisition? Why is it better than logical?

A. Physical acquisition returns more data than logical acquisition. The keychain can only be completely decrypted with physical acquisition. In addition, some files on the device are locked and are not copied during logical acquisition, while physical acquisition operates at a lower level and acquires the complete image of the device.

