Obtaining Detailed Information about iOS Installed Apps

October 3rd, 2017 by Oleg Afonin
Category: «Did you know that...?», «Elcomsoft News», «Tips & Tricks»

Accessing the list of apps installed on an iOS device can give valuable insight into which apps the user had, which social networks they use, and which messaging tools they communicate with. While manually reviewing the apps by examining the device itself is possible by scrolling a potentially long list, we offer a better option. Elcomsoft Phone Viewer can not just display the list of apps installed on a given device, but provide information about the app’s version, date and time of acquisition (first download for free apps and date and time of purchase for paid apps), as well as the Apple ID that was used to acquire the app. While some of that data is part of iOS system backups, data on app’s acquisition time must be obtained separately by making a request to Apple servers. Elcomsoft Phone Viewer automates such requests, seamlessly displaying the most comprehensive information about the apps obtained from multiple sources.

In this how-to guide, we’ll cover the steps required to access the list of apps installed on an iOS device.

Step 1: Create a password-protected backup or download an iCloud Backup

In order to access the list of apps installed on the device, you may use either a local backup or a backup downloaded from iCloud.

Local Backups

While we always recommend creating a password-protected backup as such backups allow accessing a wider range of data compared to non-protected backups, the list of apps is available in unprotected backups as well.

We recommend using Elcomsoft iOS Forensic Toolkit for making the backup (use the “B – Backup” option in the main menu). However, Apple iTunes can be also used.

Important: if you are a mobile forensic expert, using a specialized tool such as iOS Forensic Toolkit is recommended for making a backup. While iTunes can be used, Apple’s tool may introduce unwanted artefacts by synchronizing the device to the computer. iOS Forensic Toolkit does not attempt to “sync” iOS devices; instead, it invokes a single function of making a backup.

Note: if you are using iOS Forensic Toolkit to produce a backup, the tool will automatically set a temporary backup password. The password will be “123”; you will need to use this password when opening the backup with Elcomsoft Phone Viewer.

If the device is locked with an unknown passcode, follow this guide: Acquisition of a Locked iPhone with a Lockdown Record 

iCloud Backups

If you choose to download an iCloud backup, use Elcomsoft Phone Breaker and select Download from iCloud – Backups as shown on the following screen shot:

More information about downloading iCloud backups in this article.

Step 2: Recover backup password

This step is only required if the backup is protected with an unknown password. If you know the password (or specified one during the first step), skip this step and go directly to Step 3.

If you are using a cloud backup, skip this step and go directly to Step 3.

To recover the password, do the following:

  1. Open Elcomsoft Phone Breaker
  2. Password recovery wizard | Choose source | iOS device backup
  3. The list of available backups will be displayed. At this point, you may select an existing backup from the current PC.If you are processing the backup extracted on a different computer or created with iOS Forensic Toolkit, select “Choose another” and specify path to the manifest.plist
  4. Default attack settings will be available. If you are content with default attack settings, you may begin the attack by clicking the “Start recovery” button.
  5. Once the password is discovered, it will be displayed.

Once the password is recovered, you may optionally decrypt the backup in Elcomsoft Phone Breaker. Alternatively, you may open the backup in Elcomsoft Phone Viewer, in which case it will be decrypted automatically (although you will need to supply the backup password).


Step 3: Open the backup in Elcomsoft Phone Viewer

In order to access the list of Wi-Fi networks and view the list of installed apps, you will need to use Elcomsoft Phone Viewer 3.50 or newer.

  1. In Elcomsoft Phone Viewer, open the backup.
  2. If the backup is encrypted, provide backup password in order to decrypt the backup.
  3. Once the backup is opened, select “Applications”. The list of installed apps along with all additional details will be displayed.

A working Internet connection is required to pull additional details such as the app’s first install date. If no Internet connection is present, the list displayed will lack some details. If you are analyzing a cloud backup downloaded from iCloud or iCloud Drive, very little data will be initially available. Elcomsoft Phone Viewer automatically retrieves additional properties for each app from the list. This operation is performed in a background thread, and starts immediately after you open the Applications view. While the data is downloading, you may continue analyzing the data available in other sections.


Elcomsoft Phone Breaker

Gain full access to information stored in FileVault 2 containers, iOS, Apple iCloud, Windows Phone and BlackBerry 10 devices! Download device backups from Apple iCloud, Microsoft OneDrive and BlackBerry 10 servers. Use Apple ID and password or extract binary authentication tokens from computers, hard drives and forensic disk images to download iCloud data without a password. Decrypt iOS backups with GPU-accelerated password recovery.

Elcomsoft Phone Breaker official web page & downloads »

Elcomsoft Phone Viewer

Elcomsoft Phone Viewer is a fast, lightweight forensic viewer for quickly accessing information extracted from mobile backups. Supporting a variety of platforms and data formats, the tool can display information extracted from local and cloud iOS backups and Microsoft Accounts. Password-protected iTunes backups can be automatically decrypted and analyzed without using third-party tools.

Elcomsoft Phone Viewer official web page & downloads »