iOS Forensic Toolkit now with Keychain decryption
ElcomSoft released a major update to its iOS Forensic Toolkit, implementing an all-in-one toolkit for iOS acquisition on both Windows and Mac platforms.
Elcomsoft iOS Forensic Toolkit provides near-instant forensic access to encrypted information stored in iPhone devices, and offers researchers the ability to access protected file system dumps extracted from iPhone devices even if the data was encrypted with a security chip by iOS 4.
The newest release adds Windows support, supports logical acquisition in addition to physical acquisition, and can instantly retrieve the original passcode in devices running iOS 3.x.
Brute-force passcode recovery is available for devices running iOS 4.x. In addition, the software now supports full recovery of keychain information, decrypting login and password information for Web sites and protected resources, and records a comprehensive log of all operations. The latest iOS 4.3.4, featuring additional anti-tampering measures, is now fully supported.
The physical acquisition method uses the dumped contents of the physical device to perform a comprehensive analysis of user and system data stored in the device. Before Elcomsoft iOS Forensic Toolkit, decrypting the encrypted dump was simply not possible, with or without the passcode. Decryption is now possible without brute-forcing the original passcode (a lengthy process that was slowing down forensic investigations based on the analysis of iPhone backup files).
Typically, the complete acquisition of a 32 Gb iPhone 4 running iOS 4.x takes less than 1.5 hours. Physical acquisition analysis provides access to a lot more information about the usage of an iOS device than a backup file can store, and offers investigators a number of additional benefits not available with the analysis of backup files.