Knowledgebase : Elcomsoft products > Elcomsoft iOS Forensic Toolkit

Note: this version of the FAQ is slightly outdated and describes an older version of EIFT (1.15). An update has been published as a separate document, available here. But please start reading from this version, as it provides basic information on the product.

Q. What is this product all about?

A. Physical acquisition. The tool performs a real-time, complete forensic acquisition of user data stored in iPhone/iPad/iPod devices running any version of iOS. It captures bit-for-bit images of the devices' file systems, extracts device secrets (passcodes, passwords, and encryption keys) and decrypts the file system image. It can also recover device passcodes (some limitations apply). A major feature of iOS Forensic Toolkit is its super-fast operation: data is acquired and decrypted in real time; the entire content of a 16 GB device can be captured in under 20 minutes with no "ifs" and "buts".

Q. Do you limit usage of this product to law enforcement agencies only?

A. We used to, but not anymore. 

Q. What are the product's system requirements?

A. iOS Forensic Toolkit for Mac OS X requires an Intel-based Mac computer running Mac OS X 10.6 (Snow Leopard), 10.7 (Lion) or 10.8 (Mountain Lion) with iTunes v. 10.2 or later installed. The Toolkit for Microsoft Windows requires a computer running Windows XP, Vista or Windows 7 with iTunes 10.2 or later installed. 

Q. Is the Mac version better than the Windows one?

A. Yes. First, Macs have more reliable USB ports. Second, when you connect an iOS-based device in DFU mode to a Windows system, the system must install the drivers, which may take a long time and is not always safe for the system. 

Q. What iOS devices are supported?

A. Here is the full list:

  • iPhone 3G
  • iPhone 3GS
  • iPhone 4 (GSM and CDMA models)
  • iPhone 4S*
  • iPod Touch (up to 4th gen incl.)
  • iPad (1st generation only)
  • iPad 2 *
  • The new iPad *

*Note: support for iPhone 4S, iPad 2 and the new iPad is limited to jailbroken devices (that are not locked) running iOS 5.x.

Update (07/17/2013): newer devices such as iPhone 5 are supported now, as well as iPhone 4S and iPad 2+ running iOS 6. Please refer to the second part of FAQ. 

Q. What iOS versions are supported?

A. For non-jailbroken devices (up to and including iPhone 4), all systems from iOS 1.0 to the latest iOS 6.x are supported. For iPhone 4S, iPad 2 and the new iPad only jailbroken iOS 5.x is supported.

Update (07/17/2013): all devices running iOS 6 are supported now; please refer to the second part of FAQ. 

Q. How do I identify my device model?

A. The following articles on Apple's web site should help:

Q. What about iPhone 5, 4th gen iPad, iPad Mini, and latest iPod?

A. Sorry, they are not supported. We are working on adding support for jailbroken devices in the same way as it was done for iPhone 4S etc.

Update (07/17/2013): we did it. Please refer to the second part of FAQ. 

Q. Do you provide a jailbreak (for the devices such as iPhone 4S)?

A. No, we don't jailbreak devices. You are expected to take care of that yourself.

Q. What if the device is locked (i.e. after 10 unsuccessful attempts to enter the passcode)?

A. No problem! You can still use the Toolkit with it. 

Q. What's the difference between EIFT and EPPB (Elcomsoft Phone Password Breaker)?

A. Speaking of iOS (EPPB supports iOS and BlackBerry devices), EIFT performs physical acquisition and requires you to have access to the device itself. On the other hand, Elcomsoft Phone Password Breaker works only with iTunes and iCloud backups.

Q. What is the benefit of physical acquisition?

A. It works faster than backup analysis, and you can acquire much more information. Some of the files stored on iOS devices are not accessible in user mode, and so cannot be read using logical (backup) acquisition. Sometimes, certain data can be extracted but cannot be decrypted. In contrast, physical acquisition allows you to get everything, i.e. create an exact bit-by-bit image of the device in real time. 

Q. When should I use the logical acquisition?

A. Generally, logical acquisition works faster with small amounts of information. Use logical acquisition if you are in a rush. Logical acquisition works at the "file level". Also, logical acquisition comes in handy if you don't have access to third-party forensic tools that work with disk images.

Q. I get a lot of error messages during logical acquisition - many files cannot be copied. What should I do?

A. This is by design. In this mode (at user/file level), certain files remain inaccessible. The only way around this problem is using physical acquisition. 

Q. How to analyze and browse information extracted by EIFT?

A. You can mount images created by EIFT into your system. If you're using a Mac, you can simply double-click an image. In Windows, you will need some third-party software that supports the HFS+ file system. After the image is mounted, you can browse through the files using Finder (Mac OS X), Explorer (Windows), or whatever else. However, we would recommend that you use a specialized third-party tool such as Oxygen Forensic Suite.

Q. Is it possible to perform data carving through unallocated space, or restore deleted files?

A. We’re planning to add this feature to EIFT (currently, there is no other software that can do that for iOS4+ file system). Only deleted messages (SMS/iMessage) can be restored under certain circumstances. 

Q. Do you have a similar product for Android?

A. No. At this time, we have no plans to develop such a product. 

Q. What about BlackBerry?

A. If a BlackBerry device is locked with an unknown password, it is not possible to perform a physical acquisition at all. If the password is known or not set, the acquisition is possible, at least in theory, but would require a special loader specific to each particular device. However, it is sometimes possible to recover BlackBerry device passcodes using Elcomsoft Phone Password Breaker (and, by the way, it can also recover passwords to the BlackBerry Wallet and Password Keeper applications).

Q. How long does the acquisition of iOS device take?

A. It depends on the type of the device and its memory size. As a ballpark figure, physical acquisition may take from 15 minutes to about an hour.

Q. How easy is it to break the passcode?

A. In iOS versions up to 3.x, passcodes can be recovered instantly. With iOS 4 and later, there are three types of passcodes. Simple passcodes are 4 digits only and have a guaranteed recovery time of 30 minutes or less. Passcodes of the second type also contain only digits, but are not limited to 4 digits. Breaking these passcodes takes much longer, considering that the recovery speed is about 5 passcodes per second. In the worst case, a passcode may contain any printable characters and may have any length. This situation is very rare, simply because the user would have to enter the passcode every time they unlock the device. The good news is that the type of passcode is stored in the system, and EIFT can detect it, so you can easily figure out what kind of attack should be used.

Q. Is it possible to run an offline passcode attack, e.g. on faster hardware?

A. Unfortunately, no. Apple devices are intentionally designed so that passcode verification can be only performed on the device. 

Q. Can I do anything if the passcode has not been recovered?

A. Yes. You can still image system and user partitions, and decrypt the user partition. The only information that won’t be decrypted is mail and some of the keychain data. 

Q. Does EIFT leave any traces on the device?

A. For old devices (up to iPhone 4 and first-gen iPad), the product has true "zero-footprint" operation, whatever you do. For jailbroken devices (iPhone 4S etc), the jailbreak itself is the main modification, as well as OpenSSH (if it has not been installed already), plus a couple of our utilities intended for recovery of the passcode and extracting the encryption keys from the system. 

Q. Is it possible to extract anything from the device that has been reset?

A. Nothing useful. Once the device is reset, the encryption keys are securely wiped. While you can still extract raw data, decrypting the data will not be possible, so anything obtained from the device will be completely useless for an investigation. 

Q. What is the difference between Guided and Manual modes?

A. The Guided mode is designed to automate the acquisition process as much as possible. In this mode, you get a text-based menu listing the operations you can perform. Via this menu, you can load the ramdisk, break the passcode, extract and decrypt the keychain, and make an image of the device partition(s). Manual mode offers more flexibility by allowing command-line operations. The main functional difference comes in cracking the passcode: the Guided mode only allows cracking simple passcodes (4-digit passcodes). The Manual mode also allows cracking complex passcodes that are longer than 4 characters or contain alphanumeric characters, using brute-force and dictionary attacks.

Q. What problems are common when using EIFT and how to deal with them?

A. The trickiest part is putting the device into DFU mode. We have not seen anyone manage to do that on the first try. Please follow the instructions carefully. YouTube has lots of video guides on how to perform the procedure. Once you get it, everything else should run smoothly. Other problems that may occur include stalled passcode recovery or incomplete device imaging. Things you should try are:

  • Try using a different USB port;
  • Try using a different USB cable;
  • Use a Mac version of the Toolkit on a Mac instead of Windows PC.

Q. Do you have plans to make a GUI version?

A. This is one thing we are still considering. 

Q. How can I try a product before purchasing?

A. You can order a trial kit. The trial kit is fully functional, but only works for 15 days after the first run. The trial kit is not free, but its price just barely covers the cost of the mandatory USB dongle and express delivery to your door. 

Q. If I decide to purchase the full one-year license for EIFT, will I get another dongle?

A. You can continue using the dongle you got for the trial. We will provide you with the utility that upgrades your license and the dongle. The same applies to renewal of an existing full license.

Q. Are there other types of license for EIFT covering other periods besides the two-week trial and the one-year full license?

A. At this time, those two are the only licenses offered.


Q. I've got a problem when my computer goes to sleep during Toolkit operation. Is there anything I can do?

A. Yes, the Toolkit loses the connection to the iOS device when the system wakes up. As a workaround, you can use the built-in caffeinate utility (available in Mac OS X 10.8 and later), which prevents the system from sleeping. To do that, just replace the command in the Toolkit.command and Toolkit-JB.command scripts:

/bin/bash "$BINDIR/Toolkit.sh" 2>&1 | tee -a "$LOGFILE"

with the following one:

caffeinate -i /bin/bash "$BINDIR/Toolkit.sh" 2>&1 | tee -a "$LOGFILE"

Note: this is the second part of EIFT FAQ, mostly on the new version (1.20) released on July 17th, 2013. The first (basic) part is available here.

Q. So you actually support iPhone 5 now?

A. Yes, we support iPhone 5, 4S, and all previous generations.

Q. What about iPad 4, iPad Mini and iPod Touch 5th gen?

A. They're now also supported.

Q. Are there any limitations supporting these last-generation devices?

A. Unfortunately, there are limitations. For recent devices such as iPhone 4S and 5 or iPad 2 to 4, we can only deal with jailbroken devices. So we can perform physical acquisition if a device is already jailbroken or if you can install the jailbreak yourself.

Q. How can I install the jailbreak?

A. Considering you have a device running iOS 6, you’ll be using the “evasi0n” jailbreak. Currently, it supports iOS 6.0 to 6.1.2. Please make sure you understand the procedure and follow it carefully. Read the original jailbreak documentation before installing the code. The most important points are:

  1. Create a local iTunes backup without password. Backup password is a device-specific setting (it’s not just for the backup). If it is set, you may get problems jailbreaking the device.
  2. Remove passcode from the device.

Q. What about iOS 6.1.3 and 6.1.4? Is it possible to jailbreak them, or downgrade to an earlier version of iOS?

A. Unfortunately, jailbreaking is not yet available for these versions of iOS. Downgrading iOS from these versions is not possible either.

Q. What if I have a last-gen iPhone, it has a supported version of iOS installed, but it’s locked and the passcode is unknown?

A. Physical acquisition for this device is possible if the device is already jailbroken (which means: you can try). If it is not, physical acquisition will not be possible. For non-jailbroken devices locked with an unknown passcode, you can only acquire iPhone models up to iPhone 4, the original iPad and early generations of iPod Touch.

Q. Where do I get the “evasi0n” jailbreak?

A. Please use a search engine to discover the code. It’s not exactly legal to distribute (but perfectly legal to *use*), so we’re not publishing it here.

Q. How do I work with a jailbroken iPhone 4 and older devices?

A. Legacy devices do not require a jailbreak to be physically acquired. You can continue working with them via the DFU mode.

Q. Are there any other differences between old and new versions of the Toolkit I should know about?

A. Yes, there are differences affecting the way you’ll be using the product:

  1. We still have two versions of the script - "Toolkit.cmd" (Toolkit.command in the Mac version) and "Toolkit-JB.cmd" (Toolkit-JB.command). The second version has a new name now; it was called "Toolkit-A5" before, simply because it was intended for A5 devices only (iPhone 4S, the new iPad, and iPad with Retina display). Now it is more universal and works with A5+ devices, which also includes iPhone 5, iPad 4, iPad Mini and iPod Touch 5th gen.
  2. Toolkit menu is reorganized.
  3. You no longer have to specify device type for legacy devices (up to iPhone 4) when using the toolkit script for older devices.
  4. Toolkit script for newer devices (iPhone 5 etc.) is also updated. You will no longer have to upload the utilities ('passcode' and 'dumpkeys') manually, setting the required execute permissions etc. This process is now done automatically once you select the appropriate menu item. However, you still have to specify the iOS version (5 or 6) because there are significant differences between them.

Q. The "Toolkit-JB" script asks me for a password, what's that?

A. It is the password of the user 'root'. The default password (immediately after installing the jailbreak) is "alpine" (without quotes).

Q. How do I change the 'root' password?

A. If you don’t know the password, and the default password does not work, you may need to change it. Use any available tool to access files stored in the iOS device (such as iFunBox or iExplorer) to edit the following file:

/private/etc/master.passwd

The line corresponding to the root account should look like this:

root:/smx7MYTQIi2M:0:0::0:0:System Administrator:/var/root:/bin/sh

Saving the modified master.passwd file back to the device will restore the default root password to "alpine".

Of course, if you know the existing password, there is no need to change it.
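As an added example (not code from Elcomsoft or this FAQ), the following Python helper parses the master.passwd layout shown above, reports whether the root entry still carries that default "alpine" hash, and rewrites the root entry to the default line exactly as the FAQ describes. The function names and the sample file content are constructed here; the hash string is the one quoted above.

```python
"""Audit helper for the BSD master.passwd layout used on jailbroken iOS.

Parses the ten-field format, reports whether 'root' still carries the
default hash the FAQ quotes (password "alpine"), and can rewrite the root
entry back to that default line. Sample file content is constructed.
"""

# Default root line exactly as the FAQ quotes it for a fresh jailbreak.
DEFAULT_ROOT_LINE = (
    "root:/smx7MYTQIi2M:0:0::0:0:System Administrator:/var/root:/bin/sh"
)
DEFAULT_ROOT_HASH = DEFAULT_ROOT_LINE.split(":")[1]

# master.passwd field order on BSD-derived systems, iOS included.
FIELDS = ("name", "passwd", "uid", "gid", "class", "change", "expire",
          "gecos", "home", "shell")


def parse_master_passwd(text):
    """Return one dict per account line; comments and blank lines are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) != len(FIELDS):
            continue  # malformed entry: skip it rather than abort the audit
        entries.append(dict(zip(FIELDS, parts)))
    return entries


def root_has_default_password(text):
    """True if the root entry still uses the FAQ's default hash.

    A fixed-string comparison is enough: the default is a known DES-crypt
    string, so no password is derived or tested here.
    """
    for entry in parse_master_passwd(text):
        if entry["name"] == "root":
            return entry["passwd"] == DEFAULT_ROOT_HASH
    return False  # no root entry at all


def restore_default_root(text):
    """Replace the root entry with the FAQ's default line; other lines are kept."""
    out = []
    for raw in text.splitlines():
        out.append(DEFAULT_ROOT_LINE if raw.split(":")[0] == "root" else raw)
    return "\n".join(out) + "\n"


# Constructed sample (not from a real device): root's hash was changed.
SAMPLE = (
    "# constructed master.passwd excerpt\n"
    "root:$1$constructedhash$:0:0::0:0:System Administrator:/var/root:/bin/sh\n"
    "mobile:*:501:501::0:0:Mobile User:/var/mobile:/bin/sh\n"
)
```

On a live device the same check is also a useful audit: a jailbroken device that still answers to the default root password over SSH is exposed to anyone on the same network.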

Q. Are there any other requirements for jailbroken devices?

A. Yes, a working SSH server must be running on the device. To check whether it is already there, start the 'Toolkit-JB' script first; this will automatically establish a tunnel between the SSH port (22) on the device and port 3022 on the localhost. Now use an SSH client to connect to localhost on port 3022, e.g. using the following command:

ssh -p 3022 root@localhost

If an SSH session is established, or if you are asked for a password, or if you receive a key fingerprint mismatch error, then the SSH server is already running on the device. If the connection is not established or refused, then there is no SSH server running. You can fix it by installing the OpenSSH package using Cydia (which should be present on all jailbroken devices).
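An added example, not code from the FAQ or the Toolkit: this Python helper applies the rule just described to the exit status and stderr text of the ssh command, using constructed sample outputs modelled on typical OpenSSH wording. probe_tunnel() runs the real check non-interactively and assumes an OpenSSH client on PATH; the function and constant names are assumptions of this example.

```python
"""Classify the outcome of the FAQ's SSH reachability check on localhost:3022.

Rule from the FAQ: an established session, a password prompt, or a host-key
mismatch all mean an SSH server answers behind the tunnel; a refused
connection means none is running. Anything else is treated as inconclusive.
The sample outputs below are constructed from typical OpenSSH wording.
"""
import re
import subprocess

SSH_PRESENT = "ssh server present"
SSH_ABSENT = "no ssh server"
UNKNOWN = "inconclusive"

# OpenSSH client messages proving that something answered on the port.
_PRESENT_PATTERNS = (
    r"REMOTE HOST IDENTIFICATION HAS CHANGED",  # key fingerprint mismatch
    r"Host key verification failed",            # unknown key, BatchMode refused it
    r"Permission denied",                       # server asked for credentials
    r"password:",                               # interactive prompt text
)
# Messages meaning nothing is listening on the tunnelled port.
_ABSENT_PATTERNS = (
    r"Connection refused",
)


def classify_ssh_result(exit_status, stderr_text):
    """Map ssh's exit status and stderr to one of the three verdicts."""
    if exit_status == 0:
        return SSH_PRESENT  # session established and the remote command ran
    for pattern in _PRESENT_PATTERNS:
        if re.search(pattern, stderr_text, re.IGNORECASE):
            return SSH_PRESENT
    for pattern in _ABSENT_PATTERNS:
        if re.search(pattern, stderr_text, re.IGNORECASE):
            return SSH_ABSENT
    return UNKNOWN  # timeout, tunnel not up, or unexpected wording


def probe_tunnel(port=3022, timeout=5):
    """Run the FAQ's check non-interactively; needs an ssh client on PATH."""
    cmd = ["ssh", "-p", str(port), "-o", "BatchMode=yes",
           "-o", f"ConnectTimeout={timeout}", "root@localhost", "true"]
    proc = subprocess.run(cmd, capture_output=True, text=True)
    return classify_ssh_result(proc.returncode, proc.stderr)


# Constructed (exit status, stderr) pairs, one per outcome the FAQ describes.
SAMPLE_OUTPUTS = {
    "refused": (255, "ssh: connect to host localhost port 3022: Connection refused\n"),
    "mismatch": (255, "@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @\n"),
    "denied": (255, "root@localhost: Permission denied (publickey,password).\n"),
    "timeout": (255, "ssh: connect to host localhost port 3022: Operation timed out\n"),
}
```

An inconclusive verdict usually means the Toolkit-JB tunnel itself is not up, so check that console first before concluding anything about the device.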

Q. From time to time, I get the following error: "Failed to add the host to the list of known hosts (/cygdrive/c/Device/Null)." What does that mean?

A. You can just ignore it.

Q. How long does it take to crack a passcode?

A. It depends on many factors such as the device model, the type and length of the passcode, and sheer luck. A simple 4-digit passcode on iPhone 4 can be cracked in 20-40 minutes. The same passcode on iPhone 5 will take about 10 minutes. Long and complex passcodes may take forever. The speed of passcode recovery may vary from only 4 passcodes per second on iPhone 4 to about 15 passcodes per second on iPhone 5.

Q. Why is passcode recovery so slow? Are you planning to use GPU acceleration for that?

A. On iOS devices, the password recovery process can only run on the device itself. It cannot be outsourced or broken offline. This is the way Apple secures its devices, and this is one of the reasons why Apple devices are so secure.

Q. Once I run a passcode recovery, will the iPhone be locked, disabled or wiped after too many unsuccessful attempts?

A. No. Even if the device has the "Erase all data on this iPhone after 10 failed passcode attempts" setting turned on, the setting is not applicable here. The Toolkit accesses the hardware directly, and does not care about any iOS settings. The device will never be locked.

Q. In Windows, a separate console window with "Tunnel 3022-22" is being opened, is that normal?

A. Yes. Please do not close it while the Toolkit is running.

Q. Do I ever need physical acquisition? Why is it better than logical?

A. Physical acquisition returns more data than logical acquisition. The keychain can only be completely decrypted with physical acquisition. In addition, some files on the device are locked and are not copied by logical acquisition, while physical acquisition operates at a lower level and acquires the complete image of the device.

Q. With physical acquisition, is it possible to recover the data that have been deleted from the device (such as photos)?

A. For iOS 4/5/6 – unfortunately, no. Sometimes, however, you can restore deleted messages (SMS and iMessage) and some other data stored in SQLite databases (you would need 3rd party forensic software for that, though).

Q. In brief, what is the typical usage of the Toolkit, and where should I start from?

A. The first step depends on the model of your iOS device. For iPhone 4 and older devices, you should enter the device into the DFU mode and load RAMdisk into it (see the manual for details). For iPhone 4S+, you need to jailbreak the device and install OpenSSH. Then, the typical steps are:

  1. Break the passcode (if it is set and not known) via menu item [3]. Without the passcode some information cannot be decrypted; however, this step is still optional.
  2. Obtain device keys and keychain data (menu item [4]). This is mandatory. Without the keys, neither keychain nor device image can be decrypted.
  3. Decrypt the keychain (menu item [5]). This is not needed if you only need to acquire and decrypt the image of the device file system. However, there is a lot of critical data in the keychain such as backup password, passwords to all Wi-Fi access points the device ever connected to, mail (SMTP, POP3 and IMAP) passwords, sometimes the password to Apple ID, passwords entered into Web forms, etc.
  4. Create an image of the disk (menu item [6]) and decrypt it ([7]), or create a tarball (logical acquisition).
  5. Reboot the device (you can do that either by selecting menu item [9] in the Toolkit, or by holding down the [Home] and [Sleep] buttons on the device for some time).
  6. Wait while the process finishes, which can take up to 40 minutes for a 32-GB device.