We have just released an update to iOS Forensic Toolkit. This is not just a small update. EIFT 4.0 is a milestone, marking the departure from supporting a large number of obsolete devices to focusing on current iOS devices (the iPhone 5s and newer) with and without a jailbreak. Featuring straightforward acquisition workflow, iOS Forensic Toolkit can extract more information from supported devices than ever before.

iOS 11.4 has finally brought a feature Apple promised almost a year ago: the iMessage sync via iCloud. This feature made its appearance in iOS 11 beta, but was stripped from the final release. It re-appeared and disappeared several times during the iOS 11 development cycle, and has finally made it into iOS 11.4. Let’s have a look at how iMessages are protected and how to download them from iCloud.

This publication is somewhat unusual. ElcomSoft does not need an introduction as a forensic vendor. We routinely publish information on how to break into the phone, gain access to information and extract as much evidence as theoretically possible using hacks (jailbreaks) or little known but legitimate workarounds. We teach and train forensic experts on how to extract and decrypt information, how to download information from iCloud with or without the password, how to bypass two-factor authentication and how their iPhone falls your complete victim if you know its passcode.

Finally, TAR support is there! Using Elcomsoft iOS Forensic Toolkit to pull TAR images out of jailbroken iOS devices? You’ll no longer be left on your own with the resulting TAR file! Elcomsoft Phone Viewer 3.70 can now open the TAR images obtained with Elcomsoft iOS Forensic Toolkit or GrayKey and help you analyse evidence in that file. In addition, we added an aggregated view for location data extracted from multiple sources – such as the system logs or geotags found in media files.

As we wrote back in May, Apple is toying with the idea of restricting USB access to iOS devices that have not been unlocked for a certain period of time. At the time of publication, our article received a lot of controversial reports. When this mode did not make it into the final build of iOS 11.4, we enjoyed a flow of sarcastic comments from journalists and the makers of passcode cracking toolkits. Well, there we have it: Apple is back on track with iOS 11.4.1 beta including the new, improved and user-configurable USB Restricted Mode.

Starting with version 2.40, Elcomsoft Extractor for WhatsApp supports physical and cloud acquisition of WhatsApp Business. The physical extraction method requires root access, while cloud acquisition requires authenticating into the user’s Google Drive account with proper authentication credential. In addition, a verification code received from WhatsApp as an SMS must be provided to decrypt the backup downloaded from Google Drive. In this guide, we’ll describe all the steps required to perform physical and cloud acquisition of WhatsApp Business. (more…)

Numerous vendors advertise many types of solutions for extracting evidence from Android devices. The companies claim to support tens of thousands of models, creating the impression that most (if not all) Android devices can be successfully acquired using one method or another.

Cloud acquisition is arguably the future of mobile forensics. Even today, cloud services by Apple and Google often contain more information than any single device – mostly due to the fact that cloud data is collected from multiple sources.

UPDATE June 2, 2018: USB Restricted Mode did not make it into iOS 11.4. However, in iOS 11.4.1 Beta USB Restricted Mode Has Arrived

After testing waters for more than a year, Google has finally pulled the plug and began blocking access to Google Play services on uncertified devices. Why Google took this step, who is affected, and what it means for the end users? Let’s try to find out.