Password Recovery, System Security & Forensic Software

CORPORATE AND FORENSIC SOLUTIONS

Elcomsoft Phone Breaker

Recover Password-Protected Apple iTunes Backups

Elcomsoft Phone Breaker enables forensic access to password-protected backups for smartphones and portable devices based on the Apple iOS platform. The password recovery tool supports all Apple devices running all versions of iOS including the iPhone, iPad and iPod Touch devices of all generations released to date.

Retrieve Cloud Data: Apple iCloud and Microsoft Account

Cloud acquisition is a great way of retrieving information stored in mobile backups produced by Apple iOS, and a handy alternative when exploring Windows Phone, Windows 10 Mobile and desktop Windows 10 devices. Elcomsoft Phone Breaker can retrieve information from Apple iCloud and Microsoft Account provided that original user credentials for that account are known.

Online backups can be acquired by forensic specialists without having the original iOS or Windows device in hands. All that’s needed to access online backups stored in the cloud service are the original user’s credentials including Apple ID or Microsoft Account accompanied with the corresponding password. Accounts with two-factor authentication are fully supported.

Access iCloud without Login and Password

If the user’s Apple ID and password are not available, Elcomsoft Phone Breaker may be able to use a binary authentication token to access a limited set of iCloud data. The use of authentication tokens allows bypassing two-factor authentication even if no access to the secondary authentication factor is available.

Authentication tokens can be extracted from Windows and macOS computers, hard drives or forensic disk images with a built-in tool. The ability to access iCloud data using authentication tokens is subject to numerous conditions such as the version of iOS and the iCloud app installed on the computer, whether or not the account is enrolled in two-factor authentication as well as other limitations may affect the extent to which one can use authentication tokens.

Extract Synced Data

iPhones automatically sync certain types of data with iCloud in real time. Elcomsoft Phone Breaker automatically downloads synced data including call logs, contacts, notes (included deleted notes and attachments), calendars as well as Web browsing activities including Safari history (including deleted records), bookmarks and open tabs. Unlike iCloud backups that may or may not be created on daily basis, synced information is pushed to Apple servers just minutes after the corresponding activity has taken place. Once uploaded, synced data can be retained for months with no option for the end user to clear the data or disable the syncing.

Elcomsoft Phone Breaker supports the following types of synced data:

  • Messages in iCloud: complete with media and file attachments
  • Health data (iOS 11+)
  • iCloud Keychain
  • Screen Time passwords (iOS 12+)
  • Safari (browsing history, bookmarks, tabs opened on user's devices)
  • Calendars, notes, contacts and Voice Memos
  • Call logs (information about calls made and received) (iOS 12 and older)
  • Apple Maps (routes, places, searches)
  • Wi-Fi (wireless access points, MAC addresses, date and device added)
  • Wallet (everything except payment data)
  • Account info (comprehensive information about the user and devices registered on the Apple ID account)
  • iBooks (documents including PDF files that were added by the user)

In addition, Elcomsoft Phone Breaker can extract FileVault 2 recovery keys from the user’s iCloud account, and use these keys to decrypt encrypted HFS+ disk images without a password.

iCloud Files

In addition to iCloud backups, Elcomsoft Phone Breaker can download files stored in the user’s iCloud account such as documents or spreadsheets, third-party application data (such as WhatsApp own backups, Passbook/Wallet data etc.), and more. Files from a synced Mac such as Desktop, Documents, and Trash can be extracted. Some of this data (mostly documents) is available using the iCloud feature on Windows and macOS systems, but most files are only accessible using Elcomsoft Phone Breaker. The exact set of data available may depend on the version of iOS installed, iCloud synchronization settings, the list of applications installed on the devices connected to the given account, and the options set in these applications. Note that there is no email notification sent by Apple when downloading files from iCloud.

Note: this functionality is only available in Forensic edition

Access Photos in iCloud Photo Library

Apple’s iCloud Photo Library is designed to help users store and synchronize media files between multiple devices. If iCloud Photo Library is enabled, media files are no longer saved to iOS iCloud backups. As a result, acquiring iCloud backups or downloading files stored in iCloud Drive does not automatically provide access to media files stored in the iCloud Photo Library.

Elcomsoft Phone Breaker can extract photos and videos stored in the user’s iCloud Photo Library. In addition to existing files, Elcomsoft Phone Breaker can extract media files that have been deleted from the Library during the past 30 days. Selective downloads are possible by specifying which user-created albums to download.

Selective Access to iCloud Backups

Downloading a large backup for the very first time can potentially take hours. Subsequent updates are incremental, and occur much faster. If speed is essential, Elcomsoft Phone Breaker offers the ability to quickly acquire select information and skip data that’s taking the longest to download (such as music and videos). Information such as messages, attachments, phone settings, call logs, address books, notes, calendars, email account settings, camera roll, and many other pieces of information can be pre-selected and downloaded in just minutes, providing investigators with near real-time access to essential information.

Perform Enhanced Forensic Analysis of iOS Devices

ElcomSoft offers the complete toolkit for performing forensic analysis of encrypted user data stored in certain iPhone/iPad/iPod devices. The toolkit allows eligible customers acquiring bit-to-bit images of devices’ file systems, extracting phone secrets (passcodes, passwords, and encryption keys) and decrypting the file system dump. Access to most information is provided in real-time. In addition to Elcomsoft Phone Breaker, the toolkit includes the ability to decrypt images of devices’ file systems, as well as a free tool that can extract the encrypted file system out of the device in raw form. More information is available on a dedicated Web page.

Features and Benefits

  • Gain access to information stored in password-protected iPhone, iPad, iPod Touch and Blackberry backups
  • Decrypt iPhone backups with known passwords
  • Extract FileVault 2 recovery keys and use them to decrypt FileVault 2 containers without lengthy attacks
  • Read and decrypt keychain data (email account passwords, Wi-Fi passwords, and passwords you enter into websites and some other applications)
  • iOS: view saved passwords and authentication tokens including Apple ID password or token
  • iOS: access passwords/tokens to email accounts, instant messengers and social networks
  • iCloud Keychain: access, decrypt and explore iCloud Keychain records
  • Save time with cost-efficient GPU acceleration when one or several AMD or NVIDIA video cards are installed[1]
  • Perform advanced dictionary attacks with highly customizable permutations
  • Perform offline attacks without Apple iTunes installed
  • Recover passwords to backups for iPhone, iPad and iPod Touch devices
  • Download Apple iCloud backups with Apple ID and password, or authentication tokens (no hidden fees: unlimited extractions with no subscriptions or additional fees)
  • Remotely extract synced data such as call logs, contacts, notes and attachments, calendars as well as Web browsing activities including Web browsing history and open tabs from iOS and Windows devices
  • Download Health, Keychain and Messages with attachments from iCloud
  • Locate and extract iCloud authentication tokens
  • Download iCloud Photo Library including photos during the past 30 days
  • Download extra data from Apple iCloud accounts (files from iCloud Drive including those not accessible by the OS)
  • FileVault 2: extract escrow decryption keys from the user’s Apple account, and make use of those keys to decrypt macOS FileVault 2 volumes even if user account password is not known

Note: password recovery features are available in Windows version only.

GPU Acceleration and Advanced Attacks

ElcomSoft offers a highly efficient, cost-effective solution to lengthy attacks by dramatically increasing the speed of password recovery when one or more supported video cards are present. GPU acceleration reduces the time required to recover iPhone/iPad/iPod and BlackBerry backup passwords by orders of magnitude. The latest generation of ElcomSoft GPU acceleration technology supports unlimited numbers of AMD or NVIDIA boards.

Multiple diverse GPU acceleration units can be used at the same time, allowing mixing multiple generations of compatible video cards to extend existing systems by adding new acceleration hardware instead of replacing.

Advanced dictionary attack with customizable mutations target the human factor and password reuse. The tool supports a variety of mutations, trying hundreds of variants for each dictionary word to ensure the best possible chance to recover the password.

Note: not applicable to MacOS X edition

Extract, Decrypt and View Passwords Stored in iOS Keychain

iOS offers a highly secure, encrypted storage for many types of data. Stored Web forms and browser passwords, email accounts, application passwords and authentication tokens (including Apple ID account token) are stored securely in keychains that are encrypted with hardware keys unique to each individual device.

Elcomsoft Phone Breaker can extract and decrypt iOS keychain from local (iTunes-style) password-protected backups. The built-in Keychain Explorer tool allows browsing and exploring keychain items on the spot. Note: the keychain can be only decrypted when extracted from local password-protected backups.

Compatibility Chart

Pro
(Win/Mac)
Forensic
(Win/Mac)
General compatibility
Support for iOS 3 through iOS 13.x (incl. iPadOS)
Support for all models of iPhone, iPod and iPad
Recover password to iTunes backup ✓/- ✓/-
GPU acceleration for password recovery 32/- 32/-
Apple iCloud
Support for 2FA accounts
Access iCloud with authentication tokens -
Download iCloud backups (iOS<11.2)
Download iCloud backups (11.2-13.4) -
Download basic synced data
Download e2e-encrypted synced data (Messages, Health etc) -
Download iCloud Photo Library
Download and explore iCloud Keychain -
Download extra data from iCloud Drive -
Get FileVault2 recovery key -
Get Screen Time password, settings and app list -
Other features
Decrypt iOS backups with known password
Explore iOS keychain data
Download data from Microsoft accounts
Decrypt BlackBerry backups and SD cards (OS<10)
Decrypt BlackBerry 10 backups -

Note: password recovery features are available in Windows version only.

Elcomsoft Phone Breaker supports Windows 7, Windows 8/8.1/10 and Windows Server 2008/2016 with x32 and x64 architectures. Supports password-protected backups to iPhone, iPhone 3G, iPhone 3GS, iPhone 4, iPhone 4S, iPhone 5, iPhone 5C, iPhone 5S, iPhone 6, iPhone 6 Plus, iPhone 6S, iPhone 6S Plus, iPhone 7, iPhone 7 Plus, iPhone 8 and 8 Plus, iPhone X/Xs/Xr, all editions of the iPhone 11, iPad (all generations including the iPad Pro), iPad Mini and iPod Touch (all generations).

Please note that Elcomsoft Phone Password Breaker is NOT the tool to remove iOS Activation Lock or iPhone passcode lock, unlock iPhone from the carrier, jailbreak the iPhone or remove SIM card PIN code. It is intended for recovery of backup passwords only. For more information, read the EPB manual and Phone Password Breaker FAQ.


  1. Installing latest display driver is recommended when using GPU acceleration on NVIDIA or AMD cards.