Perform physical and logical acquisition of iPhone, iPad and iPod Touch devices. Image device file system, extract device secrets (passwords, encryption keys and protected data) and decrypt the file system image.

Physical acquisition for 64-bit iOS devices with or without a jailbreak
Logical acquisition extracts backups, crash logs, media and shared files
Unlocks iOS devices with pairing records (lockdown files)
Extracts and decrypts protected keychain items
Real-time file system acquisition
Automatically disables screen lock for smooth, uninterrupted acquisition

NEW FEATURES
Passcode unlock for iPhone 5 and 5c
We have updated the Mac edition with the ability to unlock encrypted iPhone 5 and 5c devices protected with an unknown screen lock passcode. This DFU requires a macOS computer and a standard USB to Lightning cable (no Type-C cables, but you can use the adapter if your Mac has nothing but Type-C ports).

Our solution works at the speed of 13.6 passcodes per second, so it only takes 12 minutes to unlock an iPhone 5 or 5c protected with a 4-digit PINs. 6-digit PINs will take longer, up to 21 hours in total. However, we’ve implemented a smart attack to cut this time as much as possible. In less than 4 minutes, we’ll try thousands of the most commonly used passcodes, including the classic hits such as 000000, 123456 or 121212. Then we’ll try the 6-digit combinations based on the dates of birth. With 74,000 of those, that’ll take another 1.5 hours. If still unsuccessful, we’ll do the full brute force of the rest of the passcodes.

Mac edition: Jailbreak-free extraction without an Apple Developer Account
Version 6.50 drops the requirement for using a paid Apple Developer account when extracting the file system and decrypting the keychain from a compatible iPhone or iPad device. When running on a macOS computer, the tool can now sideload and sign the extraction binary by using a regular Apple ID account, allowing experts extracting the file system and decrypting the keychain from compatible iOS devices.

In addition, jailbreak-free extraction for iOS versions up to and including iOS 13.5 is now supported (full file system and keychain extraction).

Forensic Access to iPhone/iPad/iPod Devices running Apple iOS
Perform the complete forensic acquisition of user data stored in iPhone/iPad/iPod devices. Elcomsoft iOS Forensic Toolkit allows imaging devices’ file systems, extracting device secrets (passcodes, passwords, and encryption keys) and accessing locked devices via lockdown records.

See Compatible Devices and Platforms for details.

Physical Acquisition of iOS Devices
Physical acquisition is the only acquisition method to extract full application data, protected keychain items, downloaded messages and location history. Physical acquisition returns more information compared to logical acquisition due to direct low-level access to data.

Elcomsoft iOS Forensic Toolkit supports jailbroken 64-bit devices (iPhone 5s and newer) running most versions of iOS 7 through 13.x. The use of a bootrom-based jailbreak enables partial file system & keychain acquisition for BFU, locked and disabled iPhone models ranging from the iPhone 5s through iPhone X (via checkra1n jailbreak). Full file system and complete keychain acquisition for unlocked devices from this device range.

Full File System Extraction and Keychain Decryption Without a Jailbreak
A jailbreak-free extraction method based on direct access to the file system is available for a limited range of iOS devices. Using an in-house developed extraction tool, this acquisition method installs an extraction agent onto the device being acquired. The agent communicates with the expert’s computer, delivering robust performance and extremely high extraction speed topping 2.5 GB of data per minute.

Better yet, agent-based extraction is completely safe as it neither modifies the system partition nor remounts the file system while performing automatic on-the-fly hashing of information being extracted. Agent-based extraction does not make any changes to user data, offering forensically sound extraction.

Both the file system image and all keychain records are extracted and decrypted. The agent-based extraction method delivers solid performance and results in forensically sound extraction. Removing the agent from the device after the extraction takes one push of a button.

You can either extract the complete file system or use the express extraction option, only acquiring files from the user partition. By skipping files stored in the device's system partition, the express extraction option helps reduce the time required to do the job and cut storage space by several gigabytes of static content.

Installing and signing the extraction agent requires an Apple ID registered in the Apple Developer Program. The Mac edition drops this requirement, allowing to use a regular Apple ID for signing and sideloading the extraction agent onto the iOS device.

Passcode Unlock for iPhone 5 and 5c
The Toolkit can be used to unlock encrypted iPhone 5 and 5c devices protected with an unknown screen lock passcode by attempting to recover the original 4-digit or 6-digit PIN (Mac version only). This DFU attack works at the speed of 13.6 passcodes per second, and takes only 12 minutes to unlock an iPhone 5 or 5c protected with a 4-digit PINs. 6-digit PINs will take up to 21 hours. A smart attack will be used automatically to attempt cutting this time as much as possible. In less than 4 minutes, the tool will try several thousand most commonly used passcodes such as 000000, 123456 or 121212, followed by 6-digit PINs based on the dates of birth. With 74,000 of those, the smart attack takes approximately 1.5 hours. If still unsuccessful, the full brute force of the rest of the passcodes is initiated.

Logical Acquisition
iOS Forensic Toolkit supports logical acquisition, a simpler and safer acquisition method compared to physical. Logical acquisition produces a standard iTunes-style backup of information stored in the device, pulls media and shared files and extracts system crash logs. While logical acquisition returns less information than physical, experts are recommended to create a logical backup of the device before attempting more invasive acquisition techniques.

We always recommend using logical acquisition in combination with physical for safely extracting all possible types of evidence.

Media and Shared Files
Quickly extract media files such as Camera Roll, books, voice recordings, and iTunes media library. As opposed to creating a local backup, which could be a potentially lengthy operation, media extraction works quickly on all supported devices. Extraction from locked devices is possible by using a pairing record (lockdown file).

In addition to media files, iOS Forensic Toolkit can extract stored files of multiple apps, extracting crucial evidence without a jailbreak. Extract Adobe Reader and Microsoft Office locally stored documents, MiniKeePass password database, and a lot more. The extraction requires an unlocked device or a non-expired lockdown record.

Perform physical and logical acquisition of iPhone, iPad and iPod Touch devices. Image device file system, extract device secrets (passwords, encryption keys and protected data) and decrypt the file system image.

Compatible Devices and Platforms
iPhone 5 and 5c: passcode unlock via DFU (macOS edition only)
64-bit iOS devices with jailbreak: file system extraction, keychain decryption
Partial file system & keychain acquisition for BFU, locked and disabled iPhone models ranging from the iPhone 5s through iPhone X
Apple TV 4 (cable connection) and Apple TV 4K (wireless connection through Xcode, Mac only)
Apple Watch (all generations); requires a third-party IBUS adapter
No jailbreak: agent-based extraction for supported devices; advanced logical acquisition for all other devices [1]
Logical acquisition includes:

Extended information about the device
iTunes-format backup (includes many keychain items)
List of installed apps
Media files (even if the backup is password-protected)
Shared files (even if the backup is password-protected)

Only for V.I.P