Recover Password-Protected Apple iTunes Backups
Elcomsoft Phone Breaker enables forensic access to password-protected backups for smartphones and portable devices based on the Apple iOS platform. The password recovery tool supports all Apple devices running all versions of iOS including the iPhone, iPad and iPod Touch devices of all generations released to date.
Retrieve Cloud Data: Apple iCloud and Microsoft Account
Cloud acquisition is a great way of retrieving information stored in mobile backups produced by Apple iOS, and a handy alternative when exploring Windows Phone, Windows 10 Mobile and desktop Windows 10 devices. Elcomsoft Phone Breaker can retrieve information from Apple iCloud and Microsoft Account provided that original user credentials for that account are known.
Online backups can be acquired by forensic specialists without having the original iOS or Windows device in hand. All that’s needed to access online backups stored in the cloud service are the original user’s credentials, including the Apple ID or Microsoft Account accompanied by the corresponding password.
Two-Step Verification and Two-Factor Authentication
Elcomsoft Phone Breaker supports accounts with Apple's two-step verification as well as the new two-factor authentication. Access to the second authentication factor such as a trusted device or recovery key is required. You will only need to use it once as Elcomsoft Phone Breaker can save authentication credentials for future sessions.
Access iCloud without Login and Password
If the user’s Apple ID and password are not available, Elcomsoft Phone Breaker can use a binary authentication token created by Apple iCloud Control Panel in order to log in to iCloud and retrieve information. The use of authentication tokens allows bypassing two-factor authentication even if no access to the secondary authentication factor is available.
The Forensic edition of Elcomsoft Phone Breaker comes with the ability to acquire and use authentication tokens from Windows and Mac OS X computers, hard drives or forensic disk images. Authentication tokens for all users of that computer can be extracted, including domain users (providing that their system logon passwords are known). The tools are available in both Windows and Mac editions.
The ability to access iCloud data using authentication tokens may vary greatly according to numerous conditions. The version of iOS and the iCloud app installed on the computer, whether or not the account is enrolled in two-factor authentication as well as other limitations may affect the extent to which one can use authentication tokens.
iCloud is an integral part of Mac OS systems, and installs separately on Windows PCs. Most users will stay logged in to their iCloud Control Panel for syncing contacts, passwords (iCloud Keychain), notes, photo stream and other types of data without re-typing their password. All this means that the probability of obtaining authentication tokens from PCs with iCloud Control Panel installed is high.
Note: this functionality is only available in Forensic edition
Decrypt FileVault 2 Volumes
FileVault 2 is a whole-disk encryption scheme used in Apple’s Mac OS X. FileVault 2 protects the entire startup partition with secure 256-bit XTS-AES encryption.
If the user forgets their account password, or if the encrypted volume is moved to a different computer, a FileVault 2 volume can be unlocked with a special Recovery Key. If the user logs in with their Apple ID credentials, the Recovery Key can be saved into the user’s iCloud account. Should the user forget their password, the system can automatically use the Recovery Key to unlock the encrypted volume. It is important to note that Apple does not allow the end user to view or extract FileVault 2 recovery keys from iCloud.
Elcomsoft Phone Breaker can extract FileVault 2 recovery keys from the user’s iCloud account, and use these keys to decrypt encrypted disk images. Valid authentication credentials (Apple ID/password or iCloud authentication token) as well as volume identification information extracted from the FileVault-encrypted disk image are required.
Note: this functionality is only available in Forensic edition. APFS volumes are not supported at this time.
Extract Synced Data
iPhones automatically sync certain types of data with iCloud in real time. Elcomsoft Phone Breaker automatically downloads synced data including call logs, contacts, notes (including deleted notes and attachments), calendars as well as Web browsing activities including Safari history (including deleted records), bookmarks and open tabs. Unlike iCloud backups that may or may not be created on a daily basis, synced information is pushed to Apple servers just minutes after the corresponding activity has taken place. Once uploaded, synced data can be retained for months with no option for the end user to clear the data or disable the syncing.
Elcomsoft Phone Breaker supports the following types of synced data:
- Messages in iCloud: complete with media and file attachments
- Health data
- iCloud Keychain
- Screen Time passwords
- Safari (browsing history, bookmarks, tabs opened on user's devices)
- Calendars, notes, contacts and Voice Memos
- Call logs (information about calls made and received)
- Apple Maps (routes, places, searches)
- Wi-Fi (wireless access points, MAC addresses, date and device added)
- Wallet (everything except payment data)
- Account info (comprehensive information about the user and devices registered on the Apple ID account)
- iBooks (documents including PDF files that were added by the user)
iCloud Files
In addition to iCloud backups, Elcomsoft Phone Breaker can download files stored in the user’s iCloud account such as documents or spreadsheets, third-party application data (such as WhatsApp own backups, Passbook/Wallet data etc.), and more. Files from a synced Mac such as Desktop, Documents, and Trash can be extracted. Some of this data (mostly documents) is available using the iCloud feature on Windows and macOS systems, but most files are only accessible using Elcomsoft Phone Breaker. The exact set of data available may depend on the version of iOS installed, iCloud synchronization settings, the list of applications installed on the devices connected to the given account, and the options set in these applications. Note that there is no email notification sent by Apple when downloading files from iCloud.
Note: this functionality is only available in Forensic edition
Access Photos in iCloud Photo Library
Apple’s iCloud Photo Library is designed to help users store and synchronize media files between multiple devices. If iCloud Photo Library is enabled, media files are no longer saved to iOS iCloud backups. As a result, acquiring iCloud backups or downloading files stored in iCloud Drive does not automatically provide access to media files stored in the iCloud Photo Library.
Elcomsoft Phone Breaker can extract photos and videos stored in the user’s iCloud Photo Library. In addition to existing files, Elcomsoft Phone Breaker can extract media files that have been deleted from the Library during the past 30 days. Selective downloads are possible by specifying which user-created albums to download.
Recover Passwords to Apple iTunes Backups
The tool recovers the original plain-text passwords protecting encrypted backups for Apple iOS devices. The backups contain address books, call logs, SMS archives, calendars and other organizer data, camera snapshots, voice mail and email account settings, applications, Web browsing history and much more.
Note: this feature is available in the Windows version only.
Selective Access to iCloud Backups
Downloading a large backup for the very first time can potentially take hours. Subsequent updates are incremental, and occur much faster. If speed is essential, Elcomsoft Phone Breaker offers the ability to quickly acquire select information and skip data that’s taking the longest to download (such as music and videos). Information such as messages, attachments, phone settings, call logs, address books, notes, calendars, email account settings, camera roll, and many other pieces of information can be pre-selected and downloaded in just minutes, providing investigators with near real-time access to essential information.
Perform Enhanced Forensic Analysis of iOS Devices
ElcomSoft offers the complete toolkit for performing forensic analysis of encrypted user data stored in certain iPhone/iPad/iPod devices. The toolkit allows eligible customers to acquire bit-to-bit images of devices’ file systems, extract phone secrets (passcodes, passwords, and encryption keys) and decrypt the file system dump. Access to most information is provided in real-time. In addition to Elcomsoft Phone Breaker, the toolkit includes the ability to decrypt images of devices’ file systems, as well as a free tool that can extract the encrypted file system out of the device in raw form. More information is available on a dedicated Web page.
Features and Benefits
- Gain access to information stored in password-protected iPhone, iPad, iPod Touch and BlackBerry backups
- Decrypt iPhone and BlackBerry backups with known passwords
- Decrypt BlackBerry 10 backups with known BlackBerry ID and password
- Extract FileVault 2 recovery keys and use them to decrypt FileVault 2 containers without lengthy attacks
- Read and decrypt keychain data (email account passwords, Wi-Fi passwords, and passwords you enter into websites and some other applications)
- iOS: view saved passwords and authentication tokens including Apple ID password or token
- iOS: access passwords/tokens to email accounts, instant messengers and social networks
- iCloud Keychain: access, decrypt and explore iCloud Keychain records
- Save time with cost-efficient GPU acceleration when one or several AMD or NVIDIA video cards are installed[1]
- Perform advanced dictionary attacks with highly customizable permutations
- Perform offline attacks without Apple iTunes installed
- Recover passwords to backups for original and ‘jailbroken’ iPhone (all models up to iPhone 8/8 Plus and iPhone X/Xr/Xs), iPad (all generations incl. iPad Pro), and iPod Touch (all generations) devices
- Download Apple iCloud backups with Apple ID and password, or authentication tokens (no hidden fees: unlimited extractions with no subscriptions or additional fees)
- Remotely extract synced data such as call logs, contacts, notes and attachments, calendars as well as Web browsing activities including Web browsing history and open tabs from iOS and Windows devices
- Download Books, Keychain and Messages with attachments from iCloud
- Locate and extract iCloud authentication tokens
- Download iCloud Photo Library including photos deleted during the past 30 days
- Download extra data from Apple iCloud accounts (files from iCloud Drive including those not accessible by the OS)
Note: password recovery features are available in Windows version only.
GPU Acceleration
ElcomSoft offers a highly efficient, cost-effective solution to lengthy attacks by dramatically increasing the speed of password recovery when one or more supported video cards are present. The company’s patented GPU acceleration reduces the time required to recover iPhone/iPad/iPod and BlackBerry backup passwords by orders of magnitude. The latest generation of ElcomSoft GPU acceleration technology supports unlimited numbers of AMD or NVIDIA boards.
To make GPU acceleration cost-effective, ElcomSoft implemented support for multiple diverse GPU acceleration units running at the same time. Effectively, this budget-friendly solution allows mixing multiple generations of compatible video cards, extending existing systems by adding new acceleration hardware instead of replacing the old.
Note: not applicable to MacOS X edition
Advanced Attacks
Elcomsoft Phone Breaker supports an advanced dictionary attack with customizable permutations. According to multiple security research studies, the majority of users choose meaningful, dictionary-based passwords that are easier for them to remember. Elcomsoft Phone Breaker is able to recover such passwords and their variations quickly and efficiently no matter which language they are in. Elcomsoft Phone Breaker supports a variety of permutations of dictionary words, trying hundreds of variants for each dictionary word to ensure the best possible chance to recover the password.
Note: not applicable to MacOS X version
Extract, Decrypt and View Passwords Stored in iOS Keychain
iOS offers a highly secure, encrypted storage for many types of data. Stored Web forms and browser passwords, email accounts, application passwords and authentication tokens (including Apple ID account token) are stored securely in keychains that are encrypted with hardware keys unique to each individual device.
Elcomsoft Phone Breaker can extract and decrypt iOS keychain from local (iTunes-style) password-protected backups. The built-in Keychain Explorer tool allows browsing and exploring keychain items on the spot.
Note: for local non-encrypted backups and backups downloaded from iCloud, decrypting the keychain is only possible for jailbroken 32-bit devices, and only if you have physical access to the device and can obtain the encryption key (0x835, securityd) using Elcomsoft iOS Forensic Toolkit.
Compatibility Chart
| | Home (Win) | Pro (Win/Mac) | Forensic (Win/Mac) |
|---|---|---|---|
| General compatibility | | | |
| Support for iOS 3 through iOS 13 and iPadOS Beta | ✓ | ✓ | ✓ |
| Support for all iPhone models | ✓ | ✓ | ✓ |
| Support for iPod Touch and iPad | ✓ | ✓ | ✓ |
| Support for all BlackBerry phones | ✓ | ✓ | ✓ |
| Recover password to iTunes backup | ✓ | ✓/- | ✓/- |
| Number of CPUs supported | 2 | 32/- | 32/- |
| Number of GPUs supported[1] | 1 | 8/- | 8/- |
| Apple iCloud | | | |
| Support for 2SV and 2FA accounts | - | ✓ | ✓ |
| Download iCloud backups | - | ✓ | ✓ |
| iCloud backups: iOS 11.2+, two-factor authentication | - | - | ✓ |
| Download synced data | - | ✓ | ✓ |
| Download iCloud Photo Library | - | ✓ | ✓ |
| Download and explore iCloud Keychain | - | - | ✓ |
| Download extra data from iCloud Drive | - | - | ✓ |
| Obtain Messages, attachments and Health data | - | - | ✓ |
| Access iCloud with authentication tokens | - | - | ✓ |
| Get FileVault recovery key | - | - | ✓ |
| BlackBerry, Windows Phone & Windows Mobile | | | |
| Recover BlackBerry (<10) backup passwords | ✓ | ✓/- | ✓/- |
| Decrypt BlackBerry (<10) backups | - | ✓ | ✓ |
| Decrypt BlackBerry (<10) SD card | - | ✓ | ✓ |
| Recover BlackBerry Password Keeper passwords | - | ✓/- | ✓/- |
| Recover BlackBerry Wallet passwords | - | ✓/- | ✓/- |
| Recover BlackBerry Device Password[2] | - | ✓/- | ✓/- |
| Decrypt BlackBerry 10 backups | - | - | ✓ |
| Download data from Microsoft accounts | - | ✓ | ✓ |
| Other features | | | |
| Decrypt iOS backups with known password | - | ✓ | ✓ |
| Explore iOS keychain data | - | ✓ | ✓ |
Note: password recovery features are available in Windows version only.
Elcomsoft Phone Breaker supports Windows 7, Windows 8/8.1/10 and Windows Server 2008/2016 with x32 and x64 architectures. Password-protected backups for iPhone, iPhone 3G, iPhone 3GS, iPhone 4, iPhone 4S, iPhone 5, iPhone 5C, iPhone 5S, iPhone 6, iPhone 6 Plus, iPhone 6S, iPhone 6S Plus, iPhone 7, iPhone 7 Plus, iPhone 8 and 8 Plus, iPhone X/Xs/Xr, iPad (all generations including iPad Pro), iPad Mini and iPod Touch (all generations) devices are supported.
Please note that Elcomsoft Phone Password Breaker is NOT the tool to remove iOS Activation Lock or iPhone passcode lock, unlock iPhone from the carrier, jailbreak the iPhone or remove SIM card PIN code. It is intended for recovery of backup passwords only. For more information, read the EPB manual and Phone Password Breaker FAQ.
[1] Installing the latest display driver is recommended when using GPU acceleration on NVIDIA or AMD cards.
[2] If an option to encrypt the media card (with password) is enabled (BlackBerry 6/7 only)