Accessing the list of apps installed on an iOS device can give valuable insight into which apps the user had, which social networks they use, and which messaging tools they communicate with. While manually reviewing the apps by examining the device itself is possible by scrolling a potentially long list, we offer a better option. Elcomsoft Phone Viewer can not just display the list of apps installed on a given device, but provide information about the app’s version, date and time of acquisition (first download for free apps and date and time of purchase for paid apps), as well as the Apple ID that was used to acquire the app. While some of that data is part of iOS system backups, data on app’s acquisition time must be obtained separately by making a request to Apple servers. Elcomsoft Phone Viewer automates such requests, seamlessly displaying the most comprehensive information about the apps obtained from multiple sources.
In this how-to guide, we’ll cover the steps required to access the list of apps installed on an iOS device.
Step 1: Create a password-protected backup or download an iCloud Backup
In order to access the list of apps installed on the device, you may use either a local backup or a backup downloaded from iCloud.
Local Backups
While we always recommend creating a password-protected backup as such backups allow accessing a wider range of data compared to non-protected backups, the list of apps is available in unprotected backups as well.
We recommend using Elcomsoft iOS Forensic Toolkit for making the backup (use the “B – Backup” option in the main menu). However, Apple iTunes can be also used.
Important: if you are a mobile forensic expert, using a specialized tool such as iOS Forensic Toolkit is recommended for making a backup. While iTunes can be used, Apple’s tool may introduce unwanted artefacts by synchronizing the device to the computer. iOS Forensic Toolkit does not attempt to “sync” iOS devices; instead, it invokes a single function of making a backup.
Note: if you are using iOS Forensic Toolkit to produce a backup, the tool will automatically set a temporary backup password. The password will be “123”; you will need to use this password when opening the backup with Elcomsoft Phone Viewer.
If the device is locked with an unknown passcode, follow this guide: Acquisition of a Locked iPhone with a Lockdown Record
iCloud Backups
If you choose to download an iCloud backup, use Elcomsoft Phone Breaker and select Download from iCloud – Backups as shown on the following screen shot:
More information about downloading iCloud backups in this article.
Step 2: Recover backup password
This step is only required if the backup is protected with an unknown password. If you know the password (or specified one during the first step), skip this step and go directly to Step 3.
If you are using a cloud backup, skip this step and go directly to Step 3.
To recover the password, do the following:
Once the password is recovered, you may optionally decrypt the backup in Elcomsoft Phone Breaker. Alternatively, you may open the backup in Elcomsoft Phone Viewer, in which case it will be decrypted automatically (although you will need to supply the backup password).
Step 3: Open the backup in Elcomsoft Phone Viewer
In order to access the list of Wi-Fi networks and view the list of installed apps, you will need to use Elcomsoft Phone Viewer 3.50 or newer.
A working Internet connection is required to pull additional details such as the app’s first install date. If no Internet connection is present, the list displayed will lack some details. If you are analyzing a cloud backup downloaded from iCloud or iCloud Drive, very little data will be initially available. Elcomsoft Phone Viewer automatically retrieves additional properties for each app from the list. This operation is performed in a background thread, and starts immediately after you open the Applications view. While the data is downloading, you may continue analyzing the data available in other sections.
Gain full access to information stored in FileVault 2 containers, iOS, Apple iCloud and Windows Phone devices! Download device backups from Apple iCloud and Microsoft OneDrive servers. Use Apple ID and password or extract binary authentication tokens from computers, hard drives and forensic disk images to download iCloud data without a password. Decrypt iOS backups with GPU-accelerated password recovery.
Elcomsoft Phone Viewer is a fast, lightweight forensic viewer for quickly accessing information extracted from mobile backups. Supporting a variety of platforms and data formats, the tool can display information extracted from local and cloud iOS backups and Microsoft Accounts. Password-protected iTunes backups can be automatically decrypted and analyzed without using third-party tools.