Elcomsoft iOS Forensic Toolkit review
Forensics extraction is the process of getting into a computer device (in this case an iOS device) and extracting all the data from it. And Elcomsoft's iOS Forensics Toolkit is an incredibly powerful piece of kit that enables you to hack into, and extract pretty much everything on an iPhone (passcodes, keys, files, messages, audio recordings, and so on).
Why would you want to do such a thing? Well aside from hacker curiosity the main market for forensics software is law enforcement. In court cases there is often a requirement for detailed recording and analysis of mobile phone devices (text messages, emails, phone voicemail messages, call records, photos and so on).
What piqued our interest at first was data recovery: a friend of a friend’s iPhone was showing no signs of life (the battery would not charge).
An iPhone that refuses to charge could be because of a faulty battery, but it’s often the case that it’s a firmware or iOS installation problem. In this case restoring the iPhone usually fixes the issue, but wipes the iPhone: our friend was adamant that the content on the iPhone was more important than the phone itself. And there was no backup.
All the important files are securely held inside the device itself in encrypted files, often with a passcode lock on the front of the phone. In our situation (with access to passcodes) we could use less powerful software than this; but once we’d heard of the software we asked to give it a professional test.
Elcomsoft’s iOS Forensic Toolkit is a combination of software (both Mac and Windows compatible) that works alongside a USB key (which is itself a security measure to ensure that the software isn’t pirated or distributed to just anybody).
We investigated a number of different iOS forensics software options (which we’ll also look at) but this seems to us to be the most thorough and detailed on the market. It’s not the easiest to use because it's command-line based so you'll need to know your way around the Terminal. But there are advantages to this: for one thing it requires you to read the instructions carefully (no bad thing when you’re doing something as detailed as this).
Given how well it worked (more later), you’ll be pleased to hear that getting hold of forensics software like this isn’t that easy. In the words of Elcomsoft itself:
“ElcomSoft restricts the availability of the Elcomsoft iOS Forensic Toolkit to select government entities such as law enforcement and forensic organizations and intelligence agencies; also, the toolkit is subject to a special license agreement.”
That license agreement insists that you are an approved enforcement agency, and are acting “under the color of the law when operating the product” and that you are the “legal owner or in legal possession and/or control” of the device.
And you know how most software licenses have a button that says “Click Here”? This one has a part where you sign it in ink and return to Elcomsoft before you get hold of the software and USB dongle.
So basically you have to prove that you have a genuine need for this software. Which is a good thing, because Elcomsoft iOS Forensic Toolkit is a set of tools aimed at making it possible to acquire and analyze the entire contents of an iOS device that is passcode protected.
The software side of things runs through Terminal. So you’ll need a good working knowledge of the command-line to get it up and running. There is a Guided Access Mode, which walks you through the steps, and a manual mode that enables you to perform each task with specific parameters. We found the Guided Access Mode achieved the task perfectly.
The Guided Access Mode takes you through each of the necessary steps:
1. Enter DFU
2. Load Ramdisk
3. Image Disk
4. Tar Files
5. Get Keys
6. Get Passcode
8. Decrypt Disk
9. Decrypt Keychain
The first step is to put the iOS device into DFU (Device Firmware Update) mode. This is done by holding down the Sleep/Wake and Home buttons, then releasing the Sleep/Wake button and keeping the Home button held down. When in DFU mode the iPhone screen should appear blank (this is different to Recovery mode – which displays an iTunes dock connector on the device screen).
Once the device is in DFU mode you load the Toolkit Ramdisk into the iPhone memory. This is the ‘hack’ part, and ensures that the rest of the software can access and extract data from the device. It’s all automated but you do need to specify exactly what model of iOS device you are dealing with. It can be confusing between models such as iPhone 3G or 3GS, 4 or 4S, but if you’re unsure this information can be found out using a Jailbreak program such as Redsn0w (which can identify devices in DFU mode).
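Whatever tool produces the disk image and the tar of files (steps 3 and 4 above), a forensic examiner wants proof that those artifacts have not changed between acquisition and analysis. The following script is an added example written for this review; it is not part of the Elcomsoft toolkit and knows nothing about its commands. It records SHA-256 hashes of the acquisition outputs in a manifest and later re-verifies them, using whichever of `sha256sum` (Linux) or `shasum` (macOS) is installed; the image and tar it hashes in the demonstration are constructed stand-in files, not real acquisitions.

```shell
#!/bin/sh
# Added example (not Elcomsoft's code): hash acquisition artifacts and
# re-verify them so any post-acquisition modification is detectable.
set -eu

# Portable SHA-256 of one file: coreutils sha256sum on Linux, shasum on macOS.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# Write a manifest with one "<sha256>  <path>" line per artifact.
record_manifest() {
  manifest=$1; shift
  : > "$manifest"
  for f in "$@"; do
    printf '%s  %s\n' "$(sha256_of "$f")" "$f" >> "$manifest"
  done
}

# Re-hash every artifact in the manifest. Prints OK/MODIFIED per file and
# returns 0 only if every hash still matches.
verify_manifest() {
  manifest=$1
  status=0
  while read -r expected name; do
    actual=$(sha256_of "$name")
    if [ "$actual" = "$expected" ]; then
      echo "OK        $name"
    else
      echo "MODIFIED  $name"
      status=1
    fi
  done < "$manifest"
  return $status
}

# Demonstration on constructed stand-ins for the disk image and tar output.
demo() {
  work=$(mktemp -d)
  printf 'constructed disk image bytes\n' > "$work/disk.img"
  printf 'constructed tar archive bytes\n' > "$work/files.tar"
  record_manifest "$work/manifest.sha256" "$work/disk.img" "$work/files.tar"
  verify_manifest "$work/manifest.sha256"      # both lines report OK
  printf 'x' >> "$work/disk.img"               # simulate a change after acquisition
  if verify_manifest "$work/manifest.sha256"; then
    echo "unexpected: change not detected"; rm -rf "$work"; return 1
  fi
  rm -rf "$work"
  echo "change to disk.img detected as expected"
}

if [ "${1:-}" = "--demo" ]; then
  demo
fi
```

Run it as `sh verify.sh --demo` to see the second verification flag the altered image. In practice the manifest is written immediately after the Image Disk and Tar Files steps finish, stored separately from the artifacts, and re-checked before each analysis session.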