Elcomsoft Phone Breaker

Download iCloud Backups with Selective Access

iCloud backups are enabled by default, and are created automatically on a daily basis when users charge their devices while connected to a Wi-Fi network. Cloud backups contain a large amount of evidence including third-party app data. Unlike local (iTunes) backups, cloud backups cannot be encrypted with a password. Apple does not provide a way to download iCloud backups other than restoring to a new device. Cloud backups can only be downloaded from the user's Apple account with a third-party tool such as Elcomsoft Phone Breaker.

Downloading a large backup for the very first time can potentially take hours. Subsequent updates are incremental, and occur much faster. If speed is essential, Elcomsoft Phone Breaker offers the ability to quickly acquire select information and skip data that’s taking the longest to download (such as music and videos). Information such as messages, attachments, phone settings, call logs, address books, notes, calendars, email account settings, camera roll, and many other pieces of information can be pre-selected and downloaded in just minutes, providing investigators with near real-time access to essential information.

Note: this functionality is only available in the Forensic edition.

Recover Password-Protected Apple iTunes Backups

Elcomsoft Phone Breaker enables forensic access to password-protected backups for smartphones and portable devices based on the Apple iOS platform. The password recovery tool supports all Apple devices running all versions of iOS including the iPhone, iPad and iPod Touch devices of all generations released to date.

Retrieve Cloud Data: Apple iCloud and Microsoft Account

Cloud acquisition is a great way of retrieving information stored in mobile backups produced by Apple iOS, and a handy alternative when exploring Windows Phone, Windows 10 Mobile and desktop Windows 10 devices. Elcomsoft Phone Breaker can retrieve information from Apple iCloud and Microsoft Account provided that original user credentials for that account are known.

Online backups can be acquired by forensic specialists without having the original iOS or Windows device in hand. All that’s needed to access online backups stored in the cloud service are the original user’s credentials: the Apple ID or Microsoft Account together with the corresponding password. Accounts with two-factor authentication are fully supported.

Access iCloud without Login and Password

If the user’s Apple ID and password are not available, Elcomsoft Phone Breaker may be able to use an alternative authentication method.

First, one can use a binary authentication token to access a limited set of iCloud data. The use of authentication tokens allows bypassing two-factor authentication even if no access to the secondary authentication factor is available. Authentication tokens can be extracted from Windows and macOS computers, hard drives or forensic disk images with a built-in tool.

The second method offers unrestricted access to everything stored in the user's iCloud account including end-to-end encrypted data. Instead of using the login and password, you can authenticate to iCloud with the user’s trusted iOS device. By using a trusted device, experts benefit from unrestricted access to all kinds of information stored in the user’s iCloud account including the iPhone backups and end-to-end encrypted data. The trusted device must be unlocked and compatible with a jailbreak or the included agent app.

Extract Synced Data

iPhones automatically sync certain types of data with iCloud in real time. Elcomsoft Phone Breaker automatically downloads synced data including call logs, contacts, notes (including deleted notes and attachments), calendars as well as Web browsing activities including Safari history (including deleted records), bookmarks and open tabs. Unlike iCloud backups that may or may not be created on a daily basis, synced information is pushed to Apple servers just minutes after the corresponding activity has taken place. Once uploaded, synced data can be retained for months with no option for the end user to clear the data or disable the syncing.

Elcomsoft Phone Breaker supports the following types of synced data:

  • Messages in iCloud: complete with media and file attachments
  • Health data (iOS 11+)
  • iCloud Keychain
  • Screen Time passwords (iOS 12+)
  • Safari (browsing history, bookmarks, tabs opened on user's devices)
  • Calendars, notes, contacts and Voice Memos
  • Call logs (information about calls made and received) (iOS 12 and older)
  • Apple Maps (routes, places, searches)
  • Wi-Fi (wireless access points, MAC addresses, date and device added)
  • Wallet (everything except payment data)
  • Account info (comprehensive information about the user and devices registered on the Apple ID account)
  • iBooks (documents including PDF files that were added by the user)

In addition, Elcomsoft Phone Breaker can extract FileVault 2 recovery keys from the user’s iCloud account, and use these keys to decrypt encrypted HFS+ disk images without a password.

iCloud Files

In addition to iCloud backups, Elcomsoft Phone Breaker can download files stored in the user’s iCloud account such as documents or spreadsheets, third-party application data (such as WhatsApp's own backups, Passbook/Wallet data etc.), and more. Files from a synced Mac such as Desktop, Documents, and Trash can be extracted. Some of this data (mostly documents) is available using the iCloud feature on Windows and macOS systems, but most files are only accessible using Elcomsoft Phone Breaker. The exact set of data available may depend on the version of iOS installed, iCloud synchronization settings, the list of applications installed on the devices connected to the given account, and the options set in these applications. Note that there is no email notification sent by Apple when downloading files from iCloud.

Note: this functionality is only available in the Forensic edition.

Access Photos in iCloud Photo Library

Apple’s iCloud Photo Library is designed to help users store and synchronize media files between multiple devices. If iCloud Photo Library is enabled, media files are no longer saved to iOS iCloud backups. As a result, acquiring iCloud backups or downloading files stored in iCloud Drive does not automatically provide access to media files stored in the iCloud Photo Library.

Elcomsoft Phone Breaker can extract photos and videos stored in the user’s iCloud Photo Library. In addition to existing files, Elcomsoft Phone Breaker can extract media files that have been deleted from the Library during the past 30 days. Selective downloads are possible by specifying which user-created albums to download.

Device-based iCloud Authentication

Use a trusted iPhone or iPad to perform iCloud extraction without the need to input a password or solve the two-factor authentication challenge. This new authentication method makes every type of data extractable including cloud backups, iCloud photos, and synchronized data including the end-to-end encrypted types.

Perform Enhanced Forensic Analysis of iOS Devices

ElcomSoft offers the complete toolkit for performing forensic analysis of encrypted user data stored in certain iPhone/iPad/iPod devices. The toolkit allows eligible customers to acquire bit-to-bit images of devices’ file systems, extract phone secrets (passcodes, passwords, and encryption keys) and decrypt the file system dump. Access to most information is provided in real time. In addition to Elcomsoft Phone Breaker, the toolkit includes the ability to decrypt images of devices’ file systems, as well as a free tool that can extract the encrypted file system out of the device in raw form. More information is available on a dedicated Web page.

Features and Benefits

  • Gain access to information stored in password-protected iPhone, iPad, iPod Touch and Blackberry backups
  • Decrypt iPhone backups with known passwords
  • Extract FileVault 2 recovery keys and use them to decrypt HFS+ FileVault 2 containers without lengthy attacks
  • Read and decrypt keychain data (email account passwords, Wi-Fi passwords, and passwords you enter into websites and some other applications)
  • iOS: view saved passwords and authentication tokens including Apple ID password or token
  • iOS: access passwords/tokens to email accounts, instant messengers and social networks
  • iCloud Keychain: access, decrypt and explore iCloud Keychain records
  • Save time with cost-efficient GPU acceleration when one or several AMD or NVIDIA video cards are installed[1]
  • Perform advanced dictionary attacks with highly customizable permutations
  • Recover passwords to backups for iPhone, iPad and iPod Touch devices
  • Download Apple iCloud backups with Apple ID and password, or authentication tokens (no hidden fees: unlimited extractions with no subscriptions or additional fees)
  • Remotely extract synced data such as call logs, contacts, notes and attachments, calendars as well as Web browsing activities including Web browsing history and open tabs from iOS and Windows devices
  • Download Health, Keychain and Messages with attachments from iCloud
  • Locate and extract iCloud authentication tokens
  • Download iCloud Photo Library including photos deleted during the past 30 days
  • Download extra data from Apple iCloud accounts (files from iCloud Drive including those not accessible by the OS)

Note: password recovery features are available in the Windows version only.

GPU Acceleration and Advanced Attacks

ElcomSoft offers a highly efficient, cost-effective solution to lengthy attacks by dramatically increasing the speed of password recovery when one or more supported video cards are present. GPU acceleration reduces the time required to recover iPhone/iPad/iPod and BlackBerry backup passwords by orders of magnitude. The latest generation of ElcomSoft GPU acceleration technology supports unlimited numbers of AMD or NVIDIA boards.

Multiple diverse GPU acceleration units can be used at the same time. Multiple generations of compatible video cards can be mixed, so existing systems can be extended by adding new acceleration hardware instead of replacing it.

Advanced dictionary attacks with customizable mutations target the human factor and password reuse. The tool supports a variety of mutations, trying hundreds of variants for each dictionary word to ensure the best possible chance to recover the password.

Note: not applicable to MacOS X edition

Extract, Decrypt and View Passwords Stored in iOS Keychain

iOS offers a highly secure, encrypted storage for many types of data. Stored Web forms and browser passwords, email accounts, application passwords and authentication tokens (including Apple ID account token) are stored securely in keychains that are encrypted with hardware keys unique to each individual device.

Elcomsoft Phone Breaker can extract and decrypt the iOS keychain from local (iTunes-style) password-protected backups. The built-in Keychain Explorer tool allows browsing and exploring keychain items on the spot. Note: the keychain can only be decrypted when extracted from local password-protected backups.

Compatibility Chart

Pro (Win/Mac)
Forensic (Win/Mac)
General compatibility
Support for iOS 3 through iOS 16 (incl. iPadOS)
Support for all models of iPhone, iPod and iPad
Recover password to iTunes backup ✓/- ✓/-
GPU acceleration for password recovery 32/- 32/-
Apple iCloud
Support for 2FA accounts
Access iCloud with authentication tokens -
Download iCloud backups[2] -
Download basic synced data
Download e2e-encrypted synced data (Messages, Health etc) -
Download iCloud Photo Library
Download and explore iCloud Keychain -
Download extra data from iCloud Drive -
Get FileVault2 recovery key -
Get Screen Time password, settings and app list -
Number of iCloud accounts supported 30 300
Number of iCloud accounts per day 5 5
Other features
Decrypt iOS backups with known password
Explore iOS keychain data
Download data from Microsoft accounts
Decrypt BlackBerry backups and SD cards (OS < 10)
Decrypt BlackBerry 10 backups -

Note: password recovery features are available in the Windows version only.

Elcomsoft Phone Breaker supports Windows 10 and Windows 11. It supports password-protected backups of all iPhone, iPad and iPod Touch devices (all generations).

Please note that Elcomsoft Phone Password Breaker is NOT the tool to remove iOS Activation Lock or iPhone passcode lock, unlock iPhone from the carrier, jailbreak the iPhone or remove SIM card PIN code. It is intended for recovery of backup passwords only. For more information, read the EPB manual and Phone Password Breaker FAQ.


  1. Installing the latest display driver is recommended when using GPU acceleration on NVIDIA or AMD cards.

  2. Note: this feature is never guaranteed. While we are working around the clock to monitor the latest developments in Apple’s cloud ecosystem, even the slightest change to Apple’s proprietary authentication and communication protocols may break cloud-based mobile forensic tools, including Elcomsoft Phone Breaker. More often than not, the changes will affect your ability to download iCloud backups, while other cloud-related features may remain available. We are working hard to maintain our tools and restore cloud-related functionality as soon as possible. From time to time, the changes are so deep they require additional time to complete the research and testing, making iCloud backups inaccessible for the time being.

    At this time, all iCloud features offered by Elcomsoft Phone Breaker are fully functional.