Accessing the list of apps installed on an iOS device can give valuable insight into which apps the user had, which social networks they use, and which messaging tools they communicate with. While manually reviewing the apps by examining the device itself is possible by scrolling a potentially long list, we offer a better option. Elcomsoft Phone Viewer can not just display the list of apps installed on a given device, but provide information about the app’s version, date and time of acquisition (first download for free apps and date and time of purchase for paid apps), as well as the Apple ID that was used to acquire the app. While some of that data is part of iOS system backups, data on app’s acquisition time must be obtained separately by making a request to Apple servers. Elcomsoft Phone Viewer automates such requests, seamlessly displaying the most comprehensive information about the apps obtained from multiple sources.

In this how-to guide, we’ll cover the steps required to access the list of apps installed on an iOS device.

Step 1: Create a password-protected backup or download an iCloud Backup

In order to access the list of apps installed on the device, you may use either a local backup or a backup downloaded from iCloud.

Local Backups

While we always recommend creating a password-protected backup as such backups allow accessing a wider range of data compared to non-protected backups, the list of apps is available in unprotected backups as well.

We recommend using Elcomsoft iOS Forensic Toolkit for making the backup (use the “B – Backup” option in the main menu). However, Apple iTunes can be also used.

Important: if you are a mobile forensic expert, using a specialized tool such as iOS Forensic Toolkit is recommended for making a backup. While iTunes can be used, Apple’s tool may introduce unwanted artefacts by synchronizing the device to the computer. iOS Forensic Toolkit does not attempt to “sync” iOS devices; instead, it invokes a single function of making a backup.

Note: if you are using iOS Forensic Toolkit to produce a backup, the tool will automatically set a temporary backup password. The password will be “123”; you will need to use this password when opening the backup with Elcomsoft Phone Viewer.

If the device is locked with an unknown passcode, follow this guide: Acquisition of a Locked iPhone with a Lockdown Record 

iCloud Backups

If you choose to download an iCloud backup, use Elcomsoft Phone Breaker and select Download from iCloud – Backups as shown on the following screen shot:

More information about downloading iCloud backups in this article.

Step 2: Recover backup password

This step is only required if the backup is protected with an unknown password. If you know the password (or specified one during the first step), skip this step and go directly to Step 3.

If you are using a cloud backup, skip this step and go directly to Step 3.

To recover the password, do the following:

1. Open Elcomsoft Phone Breaker
2. Password recovery wizard | Choose source | iOS device backup
3. The list of available backups will be displayed. At this point, you may select an existing backup from the current PC.If you are processing the backup extracted on a different computer or created with iOS Forensic Toolkit, select “Choose another” and specify path to the manifest.plist
4. Default attack settings will be available. If you are content with default attack settings, you may begin the attack by clicking the “Start recovery” button.
5. Once the password is discovered, it will be displayed.

Once the password is recovered, you may optionally decrypt the backup in Elcomsoft Phone Breaker. Alternatively, you may open the backup in Elcomsoft Phone Viewer, in which case it will be decrypted automatically (although you will need to supply the backup password).

Step 3: Open the backup in Elcomsoft Phone Viewer

In order to access the list of Wi-Fi networks and view the list of installed apps, you will need to use Elcomsoft Phone Viewer 3.50 or newer.

1. In Elcomsoft Phone Viewer, open the backup.
2. If the backup is encrypted, provide backup password in order to decrypt the backup.
3. Once the backup is opened, select “Applications”. The list of installed apps along with all additional details will be displayed.

A working Internet connection is required to pull additional details such as the app’s first install date. If no Internet connection is present, the list displayed will lack some details. If you are analyzing a cloud backup downloaded from iCloud or iCloud Drive, very little data will be initially available. Elcomsoft Phone Viewer automatically retrieves additional properties for each app from the list. This operation is performed in a background thread, and starts immediately after you open the Applications view. While the data is downloading, you may continue analyzing the data available in other sections.