Apple iMessage is an important communication channel and an essential part of forensic acquisition efforts. iMessage chats are reasonably secure. Your ability to extract iMessages as well as the available sources of extraction will depend on several factors. Let’s discuss the factors that may affect your ability to extract, and what you can do to overcome them.

If the iPhone is locked with a passcode, it is considered reasonably secure. The exception are some older devices, which are relatively vulnerable. But what if the passcode is known or is not set? Will it be easy to gain access to all of the data stored in the device? And why do we have the countless forensic tools –is analysis and reporting the sole reason for their existence? Not really. If you’ve been wondering what this acquisition thing is all about, this article is for you.

When investigating iOS devices, you may have seen references to the SoC generation. Security researchers and developers of various iOS jailbreaks and exploits often list a few iPhone models followed by a note that mentions “compatible iPad models”. This is especially common when discussing iOS forensics, particularly referring to the checkra1n jailbreak. What do those references mean, and how are the iPhone and iPad models related? Can we count the iPod Touch and Apple TV, too? Let’s have a look.

The number of iOS 14 users is on the raise, and we will see it running on most Apple devices pretty soon. Apple had already stopped signing the last version of iOS 13 on all but legacy hardware. Soon, we will only see it running on the iPhone 5s and iPhone 6 which didn’t get the update, and on a small fraction of newer devices. If you are working in the forensic field, what do you need to do to make yourself ready for iOS 14? Our software may help.

iOS 14 is officially out. It’s a big release from the privacy protection standpoint, but little had changed for the forensic expert. In this article, we’ll review what has changed in iOS 14 in the ways relevant for the forensic crowd.

The keychain is one of the hallmarks of the Apple ecosystem. Containing a plethora of sensitive information, the keychain is one of the best guarded parts of the walled garden. At the same time, the keychain is relatively underexplored by the forensic community. The common knowledge has it that the keychain contains the users’ logins and passwords, and possibly some payment card information. The common knowledge is missing the point: the keychain contains literally thousands of records belonging to various apps and the system that are required to access lots of other sensitive information. Let’s talk about the keychain, its content and its protection, and the methods used to extract, decrypt and analyze the various bits and pieces.

The long-awaited update for Elcomsoft Phone Breaker has arrived. The update brought back the ability to download iCloud backups, which was sorely broken since recent server-side changes introduced by Apple. We are also excited to become the first forensic company to offer support for iCloud backups saved by iOS 14 beta devices, all while supporting the full spectrum of two-factor authentication methods. We are proud to provide the most comprehensive forensic support of Apple iCloud with unmatched performance, accelerating forensic investigations and providing access to critical evidence stored in the cloud.

There is no lack of tools claiming the ability to recover lost or deleted information from the iPhone. These tools’ claims range from “Recover data lost due to water damaged, broken, deletion, device loss, etc.” to the much more reserved “Selectively recovers iPhone data from internal memory, iCloud, and iTunes”. Do any of those tools actually work, and do they live up to the user’s expectations? The answer is complex, hence this article. Let us place the claims through our usual scrutiny.

Location data is one of the most sensitive pieces of personal information. In today’s world, aggregated location data is as sensitive and as valuable as the user’s passwords. Once this data is transmitted to the OS manufacturer’s cloud service or any of the third-party vendors, the user has the right to know exactly what information is collected; who, when, and how has access to it. In today’s article, we will talk about one of the iOS lesser known features called “Significant locations”.

Apple iCloud contains massive amounts of data, which may become highly valuable evidence. The oldest and most frequently mentioned are iCloud backups, which ElcomSoft were the first to extract back in 2012. A lot has changed since then. Today, iCloud backups account for a very minor part of the evidence available in iCloud. Learn what types of data are stored in iCloud, how Apple protects the data with end-to-end encryption, and how to access that valuable evidence with the updated Elcomsoft Phone Breaker.