Elcomsoft iOS Forensic Toolkit FAQ, part 1
Posted by Andrey Malyshev, Last modified by Andrey Malyshev on 14 August 2017 02:19 PM
Note: this version of FAQ is slightly outdated and describes an older version of EIFT (1.15). An update has been published as a separate document, avaialble here. But please start reading from this version as it provides basic information on the product.
Q. What is this product all about?
A. Physical acquisition. The tool performs a real-time, complete forensic acquisition of user data stored in iPhone/iPad/iPod devices running any version of iOS. It captures bit-to-bit images of devices’ file systems, extracting device secrets (passcodes, passwords, and encryption keys) and decrypting the file system image. It can also recover device passcodes (some limitations apply). A major feature of iOS Forensic Toolkit is its super-fast operation: data is acquired and decrypted in real time; the entire content of a 16 GB device can be captured in under 20 minutes with no “ifs” and “buts”.
Q. Do you limit usage of this product to law enforcement agencies only?
A. We used to, but not anymore.
Q. What are the product's system requirements?
A. iOS Forensic Toolkit for Mac OS X requires an Intel-based Mac computer running Mac OS X 10.6 (Snow Leopard), 10.7 (Lion) or 10.8 (Mountain Lion) with iTunes v. 10.2 or later installed. The Toolkit for Microsoft Windows requires a computer running Windows XP, Vista or Windows 7 with iTunes 10.2 or later installed.
Q. Is the Mac version better than the Windows one?
A. Yes. First, Macs have more reliable USB ports. Second, when you connect an iOS-based device in DFU mode to a Windows system, the system must install the drivers, which may take a long time and is not always safe for the system.
Q. What iOS devices are supported?
A. Here is the full list:
*Note: support for iPhone 4S, iPad 2 and the new iPad is limited to jailbroken devices (that are not locked) running iOS 5.x.
Update (07/17/2013): newer devices such as iPhone 5 are supported now, as well as iPhone 4S and iPad 2+ running iOS 6. Please refer to the second part of FAQ.
Q. What iOS versions are supported?
A. For non-jailbroken devices (up to and including iPhone 4), all systems from iOS 1.0 to the latest iOS 6.x are supported. For iPhone 4S, iPad 2 and the new iPad only jailbroken iOS 5.x is supported.
Update (07/17/2013): all devices running iOS 6 are supported now; please refer to the second part of FAQ.
Q. How do I identify my device model?
A. The following articles on Apple web site should help:
Q. What about iPhone 5, 4th gen iPad, iPad Mini, and latest iPod?
A. Sorry, they are not supported. We are working on adding support for jailbroken devices in the same way as It was made for iPhone 4S etc.
Update (07/17/2013): we did it. Please refer to the second part of FAQ.
Q. Do you provide a jailbreak (for the devices such as iPhone 4S)?
A. No, we don’t jailbreak devices. You are supposed take care of that yourself.
Q. What if the device is locked (i.e. after 10 unsuccessful attempts to enter the passcode)?
A. No problem! You can still use the Toolkit with it.
Q. What's the difference between EIFT and EPPB (Elcomsoft Phone Password Breaker)?
A. Speaking of iOS (EPPB supports iOS and BlackBerry devices), EIFT performs physical acquisition and requires you to have access to the device itself. On the other hand, Elcomsoft Phone Password Breakerworks only with iTunes and iCloud backups.
Q. What is the benefit of physical acquisition?
A. It works faster than backup analysis, and you can acquire much more information. Some of the files stored on iOS devices are not accessible in user mode, and so cannot be read using logical (backup) acquisition. Sometimes, certain data can be extracted but cannot be decrypted. In contrast, physical acquisition allows you to get everything, i.e. create an exact bit-by-bit image of the device in real time.
Q. When should I use the logical acquisition?
A. Generally, logical acquisition works faster with small amounts of information. Use logical acquisition if you are in a rush. Logical acquisition works at the "file level". Also, logical acquisition comes handy if you don't have access to third-party forensic tools that work with disk images.
Q. I get a lot of error messages during logical acquisition - many files cannot be copied. What should I do?
A. This is by design. In this mode (at user/file level), certain files remain inaccessible. The only way around this problem is using physical acquisition.
Q. How to analyze and browse information extracted by EIFT?
A. You can mount images created by EIFT into your system. If you’re using a Mac, you can simply double-click an image. In Windows, you will need some third-party software that supports HFS+ file system. After the image is mounted, you can browse through the files using Finder (Mac OS X), Explorer (Windows), or whatever else. However, we would recommend you to use a special third-party tool such as Oxygen Forensic Suite.
Q. Is it possible to perform data carving through unallocated space, or restore deleted files?
A. We’re planning to add this feature to EIFT (currently, there is no other software that can do that for iOS4+ file system). Only deleted messages (SMS/iMessage) can be restored under certain circumstances.
Q. Do you have a similar product for Android?
A. No. At this time, we have no plans to develop such a product.
Q. What about BlackBerry?
A. If a BlackBerry device is locked with an unknown password, it is not possible to perform a physical acquisition at all. If a password is known or not set, the acquisition is possible, at least in theory, but would require a special loader specific to each particular device. However, it is sometimes possible to recover BlackBerry device passcodes using Elcomsoft Phone Password Breaker (and btw, it can also recover passwords to BlackBerry Wallet and Password Keeper applications).
Q. How long does the acquisition of iOS device take?
A. It depending on the type of the device and its memory size. In a ballpark, physical acquisition may take from 15 minutes to about an hour.
Q. How easy is it to break the passcode?
A. In iOS version up to 3.x, passcodes can be recovered instantly. With iOS 4 and later, there are three types of passcodes. Simple passcodes are 4 digits only. Simple passcodes have a guaranteed recovery time of 30 minutes or less. Passcodes of the second type also only contain digits, but are not limited to 4 digits. Breaking these passcodes is much more lengthy, considering that the recovery speed is about 5 passcodes per second. In the worst case, a passcode may contain all printable characters, and may have any length. This situation is very rare simply because the user would have to enter the passcode every time when unlocking the device. The good news is that the type of a passcode is stored in the system, and EIFT can detect it, so you can easily figure out what kind of an attack should be used.
Q. Is it possible to run an offline passcode attack, e.g. on faster hardware?
A. Unfortunately, no. Apple devices are intentionally designed so that passcode verification can be only performed on the device.
Q. Can I do anything if the passcode has not been recovered?
A. Yes. You can still image system and user partitions, and decrypt the user partition. The only information that won’t be decrypted is mail and some of the keychain data.
Q. Does EIFT leave any traces on the device?
A. For old devices (up to iPhone 4 and first-gen iPad), the product has true "zero-footprint" operation, whatever you do. For jailbroken devices (iPhone 4S etc), the jailbreak itself is the main modification, as well as OpenSSH (if it has not been installed already), plus a couple of our utilities intended for recovery of the passcode and extracting the encryption keys from the system.
Q. Is it possible to extract anything from the device that has been reset?
A. Nothing useful. Once the device is reset, the encryption keys are securely wiped. While you can still extract raw data, decrypting the data will not be possible, so anything obtained from the device will be completely useless for an investigation.
Q. What is the difference between Guided and Manual modes?
A. The Guided mode is designed to automate the acquisition process as much as possible. In this mode, you get a text-based menu listing the operations you can perform. Via this menu, you can load ramdisk, break the passcode, extract and decrypt the keychain, and make an image of device partition(s). Manual mode offers more flexibility via allowing command-line operations. The main functional difference comes in cracking the passcode: the Guided mode only allows cracking simple passcodes (4-digit passcodes). The Manual mode also allows cracking complex passcodes that are longer than 4 characters or contain alphanumerical characters using brute-force and dictionary attacks.
Q. What problems are common when using EIFT and how to deal with them?
A. The trickiest part is entering the device into DFU mode. We have not seen anyone being able to do that from the first try. Please follow the instructions carefully. YouTube has lots of video guides on how to perform the procedure. Once you got it, everything else should run smoothly. Some problems that may occur can be halted passcode recovery or incomplete device imaging. Things you should try are:
Q. Do you have plans to make a GUI version?
A. This is one thing we are still considering.
Q. How can I try a product before purchasing?
A. You can order a trial kit. The trial kit is fully functional, but only works for 15 days after the first run. The trial kit is not free, but its price just barely covers the cost of the mandatory USB dongle and express delivery to your door.
Q. If I decide to purchase the full one-year license for EIFT, will I get another dongle?
A. You can continue using the dongle you get for the trial. We will provide you will the utility that upgrades your license and the dongle. Same for renewal of the existing full license.
Q. Are there other types of license for EIFT covering other periods beside the two-week trial and the one-year full license?
A. At this time, those two are the only licensed offered.
Q. I've got a problem when my problem goes to sleep during Toolkit operation. Is there anything I can do?
A. Yes, the Toolkit loose the connection to iOS device when the system awakes. As a workaround, you can use the built-in utility caffeinate (availabvle in MacOS X 10.8 and later) that prevents the system from sleeping. To do that, just replace the command in Toolkit.command & Toolkit-JB.command scripts: