Knowledgebase : Mobile Forensics

Contents

Troubleshooting Elcomsoft Phone Breaker

Logging

Setting the logging level

Issues when reverting to an older version

Issues accessing the default iTunes backup folder

Issues running Elcomsoft Apple Token Extractor

Credentials database

Troubleshooting Elcomsoft Phone Viewer

Logging

Cache database

Issues accessing the default iTunes backups folder

Troubleshooting Elcomsoft Cloud eXplorer

Troubleshooting Elcomsoft eXplorer for WhatsApp

Android

 

Troubleshooting Elcomsoft Phone Breaker

If you experience unexpected behavior when using Elcomsoft Phone Breaker, we may be able to help you resolve the issue if we can determine the root cause of the problem. To help us find what causes the problem, we will ask you to provide us with the logs.

Logging

Elcomsoft Phone Breaker saves the general logs in the following locations:

  • Windows: %AppData%\Elcomsoft\Elcomsoft Phone Password Breaker\EPB_<version and revision number>.log
  • macOS: ~/Users/<username>/Library/Application Support/Elcomsoft Phone Password Breaker/EPB_<version and revision number>.log

NOTE: On macOS, the folder containing the log file is hidden. Press Shift + Command + G (or Shift + Win + G) and enter the path to the folder to open it.

More often than not, the general log will be all that we need to troubleshoot the problem. However, if the problem occurs while EPB is attacking a password, we may ask you to send an additional log file that stores events related to the password recovery process. Such events are logged in the RecoveryProcess file.

The log is stored in the following location:

  • Windows: %AppData%\Elcomsoft\Elcomsoft Phone Password Breaker\RecoveryProcess.log
  • macOS: not supported

If you are experiencing a problem using Elcomsoft Phone Breaker, please submit your log files at http://support.elcomsoft.com/

In certain configurations, the log from the previous session might be saved as EPB_<version and revision number>.bak. If this is the case, please attach both the *.log and the *.bak files when reporting an issue.
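As an added example (not Elcomsoft's code), the following Python sketch gathers the EPB files named above (the current *.log, the previous session's *.bak if present, and RecoveryProcess.log) into one archive for a support ticket. The function name, the archive layout and the SHA-256 manifest are assumptions of this example.

```python
import hashlib
import sys
import zipfile
from pathlib import Path

# File names come from this page: EPB_<version and revision number>.log,
# the optional .bak from the previous session, and RecoveryProcess.log.
PATTERNS = ("EPB_*.log", "EPB_*.bak", "RecoveryProcess.log")


def bundle_epb_logs(log_dir, out_zip):
    """Zip the EPB logs found in log_dir and return {file name: SHA-256 hex}."""
    log_dir = Path(log_dir)
    files = sorted({p for pat in PATTERNS for p in log_dir.glob(pat) if p.is_file()})
    if not files:
        raise FileNotFoundError(f"no EPB logs found in {log_dir}")
    manifest = {}
    with zipfile.ZipFile(out_zip, "w", zipfile.ZIP_DEFLATED) as zf:
        for path in files:
            # Read once so the hashed bytes and the archived bytes are identical,
            # even if the program is still appending to the log.
            data = path.read_bytes()
            manifest[path.name] = hashlib.sha256(data).hexdigest()
            zf.writestr(path.name, data)
        lines = [f"{digest}  {name}" for name, digest in manifest.items()]
        zf.writestr("SHA256SUMS.txt", "\n".join(lines) + "\n")
    return manifest


if __name__ == "__main__":
    # Usage: python bundle_epb_logs.py <folder with the EPB logs> <output.zip>
    for name, digest in bundle_epb_logs(sys.argv[1], sys.argv[2]).items():
        print(digest, name)
```

Only the named log files are matched, so anything else in the product folder, such as the Credentials database described later on this page, stays out of the archive.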

Setting the logging level

The amount of logged information is defined by the logging level, which you can specify in EPB under Settings > General. The default setting is usually enough to identify an issue. However, in some cases, our support team may ask you to temporarily increase the log level and reproduce the problem. You can increase the log level by modifying the corresponding setting in Settings > General. After reproducing the problem and submitting the log file, please return the log level to its default setting to avoid excessive growth of the log file.

 

Issues when reverting to an older version

If you have been using the latest version of Elcomsoft Phone Breaker, but then decided to switch back to an older one, the following message will be displayed: "The EPB version installed on your computer is outdated. Please get the latest version". This happens because older versions of EPB do not support the newer version of the Credentials.db file.

To continue using EPB, either install the latest version or delete the Credentials.db file from the following location:

  • Windows: %AppData%\Roaming\Elcomsoft\Elcomsoft Phone Password Breaker\Credentials

 

Issues downloading iCloud Keychain data

Sometimes when downloading iCloud Keychain data, you might face one of the following issues on the Apple side:

  • Data cannot be downloaded due to iCloud Keychain synchronization issues.
  • You are prompted to download iCloud Keychain data using a trusted device that iCloud Keychain was not synchronized with.

To fix these issues, sign out of iCloud Keychain on the iOS/macOS device being investigated, sign in again, and then reboot the device to synchronize it with iCloud Keychain.

 

Issues accessing the default iTunes backup folder

On macOS 10.14 or higher, if you try to access the default iTunes backup folder, you might see the following message: "EPB has no access to the default iTunes backups folder. Please grant the Full Disk Access permission to EPB. For details, see Troubleshooting in Help." This happens because macOS protects iTunes backups to ensure rogue apps cannot access the users’ personal data.

To grant the Full Disk Access permission to EPB, do the following:

  1. On the Apple menu, click System Preferences.
  2. Click Security & Privacy.
  3. On the Privacy tab, click the Lock icon in the lower-right corner and enter your administrator password, if prompted.
  4. In the list of permissions, select Full Disk Access.
  5. In the list of apps, select the Elcomsoft Phone Breaker check box. If it is not in the list, click the Plus icon and navigate to the Elcomsoft Phone Breaker application.
  6. The Full Disk Access permission is granted to EPB.

 

 

Issues running Elcomsoft Apple Token Extractor

When launching the atex.dmg file for the first time, the following window will appear:

 

To launch atex.dmg, do the following:

  1. Right-click the atex.dmg file and select Open.
  2. In the window that appears, click Open.

 

Credentials database

Credentials in EPB are stored in the following locations:

  • Windows: %AppData%\Roaming\Elcomsoft\Elcomsoft Phone Password Breaker\Credentials
  • macOS: ~/Users/<username>/Library/Application Support/Elcomsoft Phone Password Breaker/Credentials

 

Troubleshooting Elcomsoft Phone Viewer

If you experience unexpected behavior when using Elcomsoft Phone Viewer, we may be able to help you resolve the issue if we can determine the root cause of the problem. To help us find what causes the problem, we will ask you to provide us with the logs.

Logging

Elcomsoft Phone Viewer logs events into the EPV.log file, which is located at:

  • Windows: %AppData%\Elcomsoft\Elcomsoft Phone Viewer\EPV.log
  • macOS: ~/Users/<username>/Library/Application Support/Elcomsoft/Elcomsoft Phone Viewer/log

If you are experiencing a problem using Elcomsoft Phone Viewer, please create a ticket in our online support system (see Contacting us for details), providing us with the log file mentioned above.

The amount of logged information is defined by the logging level. The default Medium setting is usually enough to identify an issue. However, in some cases, our support team may ask you to temporarily increase the log level and reproduce the problem. You can increase the log level by modifying the corresponding setting in the Settings.ini file as instructed below. After reproducing the problem and submitting the log file, please return the log level to its default setting to avoid excessive growth of the log file.

To change the level of logging (if requested), please do the following:

  1. Open the ini file that is created when you start the program for the first time. The file is located at:
  • Windows: %AppData%\Elcomsoft\Elcomsoft Phone Viewer\Settings.ini
  • macOS: ~/Users/<username>/Library/Application Support/Elcomsoft/Elcomsoft Phone Viewer/Settings.ini
  2. Define the desired logging level in the Level parameter. The following logging levels are available:

0 - No logging is performed
1 - The information about fatal errors only is written in the log
2 - The information about program errors is written in the log as well
3 - The information about the program malfunctioning at the warning level is logged
4 - The program system messages at the information level are logged
5 - The level of logging that is necessary for debugging
6 - The Trace level of logging
7 - All information about the program work is logged. This level is the most informative, so please set logging to this level when reproducing the problem with EPV

  3. Close the file and restart EPV to apply changes.

 

Cache database

The Wi-Fi location data and locations for other media except for camera roll are saved to the cache database: <system_disk>:\ProgramData\Elcomsoft\Elcomsoft Phone Viewer\epv_cache.db

 

Issues accessing the default iTunes backups folder

On macOS 10.14 or higher, if you try to access the default iTunes backup folder, you might see the following message: "EPV has no access to the default iTunes backups folder. Please grant the Full Disk Access permission to EPV. For details, see Troubleshooting in Help." This happens because macOS protects iTunes backups to ensure rogue apps cannot access the users’ personal data.

To grant the Full Disk Access permission to EPV, do the following:

  1. On the Apple menu, click System Preferences.
  2. Click Security & Privacy.
  3. On the Privacy tab, click the Lock icon in the lower-right corner and enter your administrator password, if asked.
  4. In the list of permissions, select Full Disk Access.
  5. In the list of apps, select the Elcomsoft Phone Viewer check box. If it is not in the list, click the Plus icon and navigate to the Elcomsoft Phone Viewer application.
  6. The Full Disk Access permission is granted to EPV.

 

 

Troubleshooting Elcomsoft Cloud eXplorer

The system information about Elcomsoft Cloud eXplorer operation is logged to the ECX.log file, which is located at:

  • Windows: %AppData%\Elcomsoft\Elcomsoft Cloud eXplorer\ECX.log
  • macOS: ~/Library/Application Support/Elcomsoft/Elcomsoft Cloud eXplorer/ECX.log

If you are experiencing any problems with Elcomsoft Cloud eXplorer, please create a ticket in our online support system (see Contacting us for details), providing us with the log file mentioned above.

The amount of information that is written to the ECX.log file is defined by the level of logging. The higher the level, the more detailed information is written to the log file, but it may affect the program and overall system performance. By default, a medium level of logging is set. To change the level of logging (if requested), please do the following:

  1. Open the Settings.ini file that is created when you start the program for the first time. The file is located at:
  • Windows: %AppData%\Elcomsoft\Elcomsoft Cloud eXplorer\Settings.ini
  • macOS: ~/Library/Application Support/Elcomsoft/Elcomsoft Cloud eXplorer/Settings.ini
  2. Define the necessary level of logging in the Level parameter. The following levels of logging are available:

0 - No logging is performed
1 - The information about fatal errors only is written in the log
2 - The information about program errors is written in the log as well
3 - The information about the program malfunctioning at the warning level is logged
4 - The program system messages at the information level are logged
5 - The level of logging that is necessary for debugging
6 - The Trace level of logging
7 - All information about the program work is logged. This level is the most informative, so please set logging to this level when reproducing the problem with ECX application

  3. Close the file and restart ECX to apply the changes.

 

Troubleshooting Elcomsoft eXplorer for WhatsApp

If you experience unexpected behavior when using Elcomsoft eXplorer for WhatsApp, we may be able to help you resolve the issue if we can determine the root cause of the problem. To help us find what causes the problem, we will ask you to provide us with the logs. The logs are stored in the EXWA.log file located at:

  • %AppData%\Elcomsoft\Elcomsoft eXplorer for WhatsApp\EXWA.log

If you are experiencing a problem with Elcomsoft eXplorer for WhatsApp, please create a ticket in our online support system (see Contacting us for details), providing us with the log file mentioned above.

The amount of logged information is defined by the logging level. The default setting is usually enough to identify an issue. However, in some cases, our support team may ask you to temporarily increase the log level and reproduce the problem. You can increase the log level by modifying the corresponding setting in the Settings.ini file as instructed below. After reproducing the problem and submitting the log file, please return the log level to its default setting to avoid excessive growth of the log file.

  1. Open the ini file (located at %AppData%\Elcomsoft\Elcomsoft eXplorer for WhatsApp\Settings.ini). This file is created when you start the program for the first time.
  2. Define the desired level of logging in the Level parameter. The following levels of logging are available:

0 - No logging is performed
1 - The information about fatal errors only is written in the log
2 - The information about program errors is written in the log as well
3 - The information about the program malfunctioning at the warning level is logged
4 - The program system messages at the information level are logged
5 - The level of logging that is necessary for debugging
6 - The Trace level of logging
7 - All information about the program work is logged. This level is the most informative, so please set logging to this level when reproducing the problem with the EXWA application

  3. Close the file and restart EXWA to apply changes.
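The Settings.ini procedure given above for EPV, ECX and EXWA (raise Level, reproduce the problem, return to the previous value) can be scripted so the restore step is not forgotten. This is an added example, not Elcomsoft's code; it assumes the parameter is stored as a `Level=<number>` line, and the function names and the sample file contents are made up for illustration.

```python
import re
from contextlib import contextmanager
from pathlib import Path

# Levels 0-7 are the ones listed on this page.
VALID_LEVELS = range(0, 8)
# Assumption: Settings.ini stores the parameter as a "Level=<number>" line.
# Bytes are used so the file's encoding and CRLF line endings stay untouched.
LEVEL_LINE = re.compile(rb"^([ \t]*Level[ \t]*=[ \t]*)(\d+)([ \t\r]*)$", re.MULTILINE)


def set_log_level(ini_path, level):
    """Rewrite the first Level= line and return the level it held before."""
    if not isinstance(level, int) or level not in VALID_LEVELS:
        raise ValueError(f"level must be an integer 0-7, got {level!r}")
    path = Path(ini_path)
    data = path.read_bytes()
    match = LEVEL_LINE.search(data)
    if match is None:
        raise KeyError(f"no Level= line in {path}")
    new_line = match.group(1) + str(level).encode("ascii") + match.group(3)
    path.write_bytes(data[:match.start()] + new_line + data[match.end():])
    return int(match.group(2))


@contextmanager
def temporary_log_level(ini_path, level=7):
    """Raise the level for one reproduction run, then put the old value back."""
    previous = set_log_level(ini_path, level)
    try:
        yield previous
    finally:
        set_log_level(ini_path, previous)


if __name__ == "__main__":
    import tempfile
    # Constructed sample file; the section name and the other key are made up.
    ini = Path(tempfile.mkdtemp()) / "Settings.ini"
    ini.write_bytes(b"[Logging]\r\nLevel=4\r\nLanguage=en\r\n")
    with temporary_log_level(ini, 7) as old:
        print("was", old, "now", ini.read_bytes())
        # Restart the program and reproduce the problem at this point.
    print("restored", ini.read_bytes())
```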

 

Android

The tool logs the Java version and the WhatsApp version in the AndroidScripts.log file located at:

  • %AppData%\Elcomsoft\Elcomsoft eXplorer for WhatsApp\AndroidScripts.log

If you are experiencing any problems with Elcomsoft eXplorer for WhatsApp, please create a ticket in our online support system (see Contacting us for details), providing us with the log file mentioned above and the EXWA.log file.

NOTE: EXWA is not guaranteed to work with Android devices connected to virtual machines.

If you have rooted the Android device, please make sure to restart the device before connecting it to EXWA to ensure that the data is loaded properly.

If you are loading data from the device, but the device does not prompt you to “trust” the computer and the connection is not established, make sure the latest USB drivers for your device are installed and try again.

If you are loading data from an unrooted device and experiencing issues entering the password on your device, do the following:

  1. Download Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files 8 to your computer.
  2. Extract the jar and US_export_policy.jar files to the <java installation folder>\jre1.8.0_111\lib\security folder, replacing the original files.
  3. Try loading the data from the device and re-entering the password.