Physical Acquisition Is…

July 13th, 2017 by Vladimir Katalov
Category: «Elcomsoft News»

…dead? Not really, not completely, and not for every device. We’ve just updated iOS Forensic Toolkit to add physical acquisition support for some previously unsupported combinations of hardware (32-bit devices) and software (iOS 9.1 through 9.3.4). The intent is to help our law enforcement and forensic customers clear some of the backlog, finally taking care of evidence kept on dusty shelves in the back room. In order to do the extraction, you’ll need to install the “Home Depot” jailbreak from http://wall.supplies and, obviously, Elcomsoft iOS Forensic Toolkit 2.30.

As Apple is busy tightening the security of its mobile ecosystem, jailbreaking becomes increasingly difficult. Even on jailbroken iPhones and iPads equipped with Secure Enclave (present in all 64-bit models), there are severe limitations on what can and cannot be done on the device. In this regard, 32-bit iPhones and iPads were the last generation of iOS devices for which full, unrestricted access was still possible.

How many times did we tell you that Apple killed physical acquisition? If you’ve been following our blog for a while, you’ve heard it from us on at least four occasions during the past three years. And yet, every time, we eventually managed to fix things. We were the first, and are still the only ones, to do physical extraction of devices protected by Secure Enclave, and we were the first to do it for iOS 10.

This time around it’s not about the bleeding edge. On the contrary; we’re revisiting some of the most popular devices running some of the latest builds of iOS 9. Some of our customers stockpiled dozens of old iPhones that are still on iOS 9. Up until now, we were only able to help if the iPhones in question were on iOS 9.1 or earlier. In this release, we added full physical acquisition support for those 32-bit iPhones and iPads that are on iOS 9.1 through 9.3.4.

Why now, almost 10 months since the release of iOS 10? For at least a year, jailbreak developers concentrated their efforts on new generations of hardware and stopped supporting older iPhones and iPads. After iOS 9.1, physical acquisition was only available for newer, 64-bit devices such as the iPhone 5s, 6, 6s and 6s Plus. A new jailbreak codenamed “Home Depot” was recently released to the public, making it possible to adapt Elcomsoft iOS Forensic Toolkit to use it for physical extraction.

What can you expect to get from a jailbroken device? It’s pretty much everything! You will receive:

  • The complete, decrypted image of the iPhone data partition
  • Access to sandboxed app data
  • Conversation histories from some of the most secure messaging apps, including Facebook, WhatsApp, Skype, Signal and Telegram
  • Full location history
  • All system logs, temporary files and write-ahead logs (WAL)
  • Downloaded emails
  • All keychain data including items protected with the highest security class
  • Access to all cached passwords including Apple ID password, if available
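The write-ahead logs in that list deserve a word of explanation, because they are easy to overlook when a database is copied out of an image. A SQLite database in WAL mode keeps committed pages in a sidecar `-wal` file until the next checkpoint, and after a checkpoint SQLite restarts writing at the beginning of that file without truncating it, so page images from the previous generation are left behind. The script below is an added example, not Elcomsoft code: it walks a `-wal` file according to the public SQLite WAL format and separates live (committed) frames, frames of a still-open transaction, and stale frames from an earlier generation. The sample WAL is constructed in memory with made-up salts and page contents; the function names are my own.

```python
"""Inspect a SQLite write-ahead log (-wal file) recovered from a data-partition image.

Added example, not Elcomsoft code. The WAL layout follows the public SQLite
format: a 32-byte header (big-endian fields), then frames of a 24-byte header
plus one database page. A running checksum chains header and frames; after a
checkpoint SQLite restarts writing at frame 0 with fresh salts but does not
truncate the file, so frames from the previous generation are left behind.
The sample WAL in demo() is constructed; its salts and page contents are made up.
"""
import struct

WAL_MAGIC_LE = 0x377F0682              # checksums computed over little-endian units
WAL_MAGIC_BE = 0x377F0683              # checksums computed over big-endian units
WAL_HDR = struct.Struct(">IIIIIIII")   # magic, version, page size, ckpt seq, salt1, salt2, cksum1, cksum2
FRAME_HDR = struct.Struct(">IIIIII")   # page no, db size after commit (0 = not a commit), salt1, salt2, cksum1, cksum2


def wal_checksum(data, s0=0, s1=0, big_endian=False):
    """Running WAL checksum over 8-byte units (same recurrence as sqlite3's walChecksumBytes)."""
    unit = struct.Struct(">II" if big_endian else "<II")
    for off in range(0, len(data) - len(data) % 8, 8):
        x0, x1 = unit.unpack_from(data, off)
        s0 = (s0 + x0 + s1) & 0xFFFFFFFF
        s1 = (s1 + x1 + s0) & 0xFFFFFFFF
    return s0, s1


def build_wal(page_size, frames, salt, big_endian=False):
    """Serialise frames [(page_no, db_pages_after_commit, page_bytes)] into a well-formed WAL."""
    magic = WAL_MAGIC_BE if big_endian else WAL_MAGIC_LE
    head = struct.pack(">IIIIII", magic, 3007000, page_size, 0, salt[0], salt[1])
    s0, s1 = wal_checksum(head, big_endian=big_endian)
    out = bytearray(head + struct.pack(">II", s0, s1))
    for page_no, commit, page in frames:
        assert len(page) == page_size
        first8 = struct.pack(">II", page_no, commit)
        s0, s1 = wal_checksum(first8, s0, s1, big_endian)
        s0, s1 = wal_checksum(page, s0, s1, big_endian)
        out += first8 + struct.pack(">IIII", salt[0], salt[1], s0, s1) + page
    return bytes(out)


def parse_wal(blob):
    """Classify frames as live (committed), uncommitted (valid chain, no commit yet) or stale."""
    magic, _ver, page_size, _ckpt, salt1, salt2, c0, c1 = WAL_HDR.unpack_from(blob, 0)
    if magic not in (WAL_MAGIC_LE, WAL_MAGIC_BE):
        raise ValueError("not a SQLite WAL file")
    be = magic == WAL_MAGIC_BE
    s0, s1 = wal_checksum(blob[:24], big_endian=be)
    if (s0, s1) != (c0, c1):
        raise ValueError("WAL header checksum mismatch")
    frame_len = FRAME_HDR.size + page_size
    chain, stale = [], []
    last_commit = 0            # frames in `chain` up to and including the last commit frame
    chain_ok = True
    off = WAL_HDR.size
    while off + frame_len <= len(blob):
        page_no, commit, fs1, fs2, fc0, fc1 = FRAME_HDR.unpack_from(blob, off)
        page = blob[off + FRAME_HDR.size:off + frame_len]
        if chain_ok and (fs1, fs2) == (salt1, salt2):
            s0, s1 = wal_checksum(blob[off:off + 8], s0, s1, be)
            s0, s1 = wal_checksum(page, s0, s1, be)
            if (s0, s1) == (fc0, fc1):
                chain.append((page_no, commit))
                if commit:
                    last_commit = len(chain)
                off += frame_len
                continue
        # Wrong salt or broken checksum: the live chain ends here, but the frame
        # is still a full page image left over from an earlier WAL generation.
        chain_ok = False
        stale.append((page_no, commit, (fs1, fs2)))
        off += frame_len
    return {"page_size": page_size, "live": chain[:last_commit],
            "uncommitted": chain[last_commit:], "stale": stale}


def demo():
    """Constructed scenario: an older WAL generation partly overwritten after a checkpoint."""
    ps = 512

    def page(tag):
        return tag.encode().ljust(ps, b"\0")

    older = build_wal(ps, [(1, 0, page("old p1")), (2, 2, page("old p2")),
                           (3, 0, page("old p3")), (4, 4, page("old p4"))],
                      salt=(0x11111111, 0x22222222))
    newer = build_wal(ps, [(2, 4, page("new p2")),      # committed update of page 2
                           (3, 0, page("new p3"))],     # transaction still open, never committed
                      salt=(0x33333333, 0x44444444))
    on_disk = newer + older[len(newer):]   # the restart overwrote the header and two frames only
    return parse_wal(on_disk)


if __name__ == "__main__":
    for key, frames in demo().items():
        print(key, frames)
```

On a real extraction, run `parse_wal(open(path, "rb").read())` on the `-wal` file, and always copy the `-wal` and `-shm` files alongside the main database before opening it: the live frames hold committed rows that are not yet in the main file, and the stale frames may hold earlier versions of pages whose rows have since been changed or deleted.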

This is much, much more than you could ever obtain from the cloud or even a local backup.

So what’s the current state of affairs for iOS 9 and 10? Physical acquisition is available for jailbroken 64-bit devices running iOS 9.0 through 9.3.3 and 10.0 through 10.2. For 32-bit devices, we can do it for iOS 9.0 through 9.3.4.


REFERENCES:

Elcomsoft iOS Forensic Toolkit

Extract critical evidence from Apple iOS devices in real time. Gain access to phone secrets including passwords and encryption keys, and decrypt the file system image with or without the original passcode. Physical and logical acquisition options for all 64-bit devices running all versions of iOS.

Elcomsoft iOS Forensic Toolkit official web page & downloads »