In iOS Forensic Toolkit 4.0, physical acquisition support is available for all 64-bit Apple devices (iPhone 5s, 6/6s/7/8/Plus, iPhone SE and iPhone X) on which a jailbreak can be installed.

Decrypting User Online Passwords and Device Secrets

In iOS, most passwords to the user's online accounts, authentication tokens, certificates, encryption keys, payment data and app-specific credentials are stored in the most protected and highly secure area, called the keychain. The keychain is securely encrypted with a hardware-specific key. In 64-bit hardware (iPhone 5s and all newer iOS devices), this key is additionally protected with Secure Enclave. Until today, no third-party forensic solution existed to extract and decrypt keychain items from 64-bit iOS devices with Secure Enclave. iOS Forensic Toolkit 4.0 adds the ability to extract and decrypt keychain items during the course of physical acquisition, successfully bypassing Secure Enclave protection on jailbroken devices.

Access to Crash Logs

Crash logs are an important part of the evidence that is not included in a local backup but may be extractable from the device. From a forensic point of view, crash logs may contain the list of installed and uninstalled apps. Crash log entries from apps that are no longer installed can lead to an assumption that the app was installed on the device at least up to the date and time specified in the crash log entry. Crash logs can be extracted from iOS devices with or without a jailbreak.
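The inference described above can be sketched as follows; this is an added example, not code from iOS Forensic Toolkit. It assumes each extracted crash report begins with a one-line JSON header carrying `bundleID` and `timestamp` fields, and that the list of currently installed apps comes from another source; the sample headers and function names are constructed for illustration.

```python
import json
from datetime import datetime

# Assumed layout of the header timestamp, e.g. "2017-11-19 21:40:05.00 +0100"
TS_FORMAT = "%Y-%m-%d %H:%M:%S.%f %z"

def parse_header(line):
    """Return (bundle_id, timestamp) from one header line, or None."""
    try:
        hdr = json.loads(line)
        return hdr["bundleID"], datetime.strptime(hdr["timestamp"], TS_FORMAT)
    except (ValueError, KeyError, TypeError):
        # Truncated report, or a system process that has no bundle ID.
        return None

def apps_no_longer_installed(header_lines, installed_ids):
    """Map each crashed-but-absent bundle ID to its latest crash time.

    The latest timestamp is the point up to which the app can be assumed
    to have been present on the device.
    """
    last_seen = {}
    for line in header_lines:
        parsed = parse_header(line)
        if parsed is None:
            continue
        bundle_id, ts = parsed
        if bundle_id in installed_ids:
            continue  # still installed, nothing to infer
        if bundle_id not in last_seen or ts > last_seen[bundle_id]:
            last_seen[bundle_id] = ts
    return last_seen

# Constructed sample data (not taken from a real device).
SAMPLE_HEADERS = [
    '{"app_name":"Notes2Go","bundleID":"com.example.notes2go",'
    '"timestamp":"2017-10-03 08:12:44.00 +0200","bug_type":"109"}',
    '{"app_name":"Notes2Go","bundleID":"com.example.notes2go",'
    '"timestamp":"2017-11-19 21:40:05.00 +0100","bug_type":"109"}',
    '{"app_name":"ChatDemo","bundleID":"com.example.chatdemo",'
    '"timestamp":"2017-11-20 09:00:00.00 +0100","bug_type":"109"}',
    '{"name":"backboardd","timestamp":"2017-11-21 10:00:00.00 +0100"}',
    '{"app_name":"Broken',
]
SAMPLE_INSTALLED = {"com.example.chatdemo"}

if __name__ == "__main__":
    found = apps_no_longer_installed(SAMPLE_HEADERS, SAMPLE_INSTALLED)
    for bundle_id, ts in sorted(found.items()):
        print(f"{bundle_id}: installed at least until {ts.isoformat()}")
```

The result is a lower bound only: the app may have remained installed after its last recorded crash.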

Elcomsoft iOS Forensic Toolkit 4.0 is immediately available in the Mac edition, while the Windows edition will be released promptly.

