Elcomsoft iOS Forensic Toolkit

Elcomsoft has released the latest version in a collection of tools they produce that attack passwords for devices, images or services. For this article, we will be looking at iOS Forensic Toolkit. Elcomsoft tools are available at www.Elcomsoft.com/products.html, while more details about Phone Password Breaker specifically are found at www.Elcomsoft.com/eppb.html. This tool is offered in 3 versions: Home, Professional and the Law Enforcement only version.

This article is written using the law enforcement version with permission and thanks to Elcomsoft.

iOS Forensic Toolkit is a powerful command line utility that has been written to be menu-choice driven. This makes processing iOS devices step-wise and rather simple. If you are the type that would prefer to get into the application and not deal with the manual first, this is likely your kind of software. Here is a window capture of the main menu:

[Figure: EIFT Main Menu]

The software requires that the iOS device first be placed into “DFU Mode” while connected to the Mac on which this process will be conducted. The manual and “Choice 1” both assist with this. Once in DFU Mode, simply select “Choice 2” to load the custom Elcomsoft Ramdisk onto the iOS device. With the Ramdisk successfully loaded, you continue with each step. On an iPhone 3GS or newer, or an iPad 1 or 2, imaging each partition produces an encrypted image. Fortunately, by the time we get to “Choice 7”, this should be of no matter.
[Figure: Choice 3 - Imaging System or User partitions]

Here, I chose to image each partition of my iPhone 4 running v4.3.3 firmware. The larger partition, User, took a few hours to complete as it is over USB.

[Figure: Choice 4 - Extract Device Secrets]

This is a step you will actually return to for a second run. Once you know the device passcode, re-run this Choice so that you are able to fully decrypt User.dmg and the files contained within.

[Figure: Choice 5 - Recover iOS Device Passcode (Simple passcode enabled for this run)]

This menu choice completes rather quickly for simple passcodes. In my case, you can see 774 seconds, or 12.4 minutes. If a person is using the alphanumeric passcode feature, expect this step to take significantly longer.

[Figure: Choice 7 - Decrypting Image using brute forced pin code]

With the decrypted User.dmg, we can now analyze this with any of our chosen tools. Here is a look at the data using BlackLight R2:
[Figure: BlackLight R2 - Preprocessing User.dmg from iOS Forensic Toolkit]

BlackLight sorted all of the information into browser history, email, etc., just as you would expect. Processing made easy.

You can also mount this DMG read-only and use any live tools to look at the files as well. Here is a look at the DMG just made, as seen from the Finder and Terminal:
[Figure: User.dmg as seen from the Finder]

[Figure: User.dmg as seen from Terminal]
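When examining the decrypted image with live tools, a practitioner will want to prove afterwards that the image was not altered. The following shell script is an added example, not part of the article or of Elcomsoft's tooling: it records a SHA-256 of the image before analysis, attaches the DMG read-only with hdiutil on macOS, and verifies the hash afterwards. The file name User.dmg and the .sha256 sidecar naming are assumptions.

```shell
#!/bin/sh
# Added example (not Elcomsoft's code): hash an image such as User.dmg
# before analysis, mount it read-only, and confirm afterwards that the
# image bytes are unchanged. File names used here are assumptions.

# Portable SHA-256: macOS ships shasum, most Linux systems ship sha256sum.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# Write the reference hash to a sidecar file beside the image.
record_hash() {
    sha256_of "$1" > "$1.sha256"
}

# Return 0 if the image still matches its recorded hash, 1 otherwise.
verify_hash() {
    recorded=$(cat "$1.sha256")
    current=$(sha256_of "$1")
    [ "$recorded" = "$current" ]
}

# macOS only: attach the DMG read-only so analysis tools cannot write to it.
mount_readonly() {
    if command -v hdiutil >/dev/null 2>&1; then
        hdiutil attach -readonly "$1"
    else
        echo "hdiutil not available; use your platform's read-only mount" >&2
        return 1
    fi
}

# Typical session (assumed file name):
#   record_hash User.dmg
#   mount_readonly User.dmg
#   ... examine the mounted volume with live tools ...
#   hdiutil detach /Volumes/<volume name>
#   verify_hash User.dmg && echo "image unchanged"
```

Record the hash once, immediately after Choice 7 produces the decrypted image, and re-run verify_hash after every examination session; a mismatch means the working copy can no longer be relied on and the analysis should be repeated from a fresh copy.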

Thank you Elcomsoft for providing the software for this article to show the new capabilities to everyone. The only downside to what was shown here today is that this version is being made available only to law enforcement at this time. Home and commercial users have 2 other options to choose from, each with slightly fewer capabilities, but they are certainly worth your time in researching.