Elcomsoft Phone Breaker enables forensic access to password-protected backups for smartphones and portable devices based on the Apple iOS platform. The password recovery tool supports all Apple devices running all versions of iOS including the iPhone, iPad and iPod Touch devices of all generations released to date.
Cloud acquisition is a great way of retrieving information stored in mobile backups produced by Apple iOS, and a handy alternative when exploring Windows Phone, Windows 10 Mobile and desktop Windows 10 devices. Elcomsoft Phone Breaker can retrieve information from Apple iCloud and Microsoft Account provided that original user credentials for that account are known.
Online backups can be acquired by forensic specialists without having the original iOS or Windows device in hands. All that’s needed to access online backups stored in the cloud service are the original user’s credentials including Apple ID or Microsoft Account accompanied with the corresponding password. Accounts with two-factor authentication are fully supported.
If the user’s Apple ID and password are not available, Elcomsoft Phone Breaker may be able to use a binary authentication token to access a limited set of iCloud data. The use of authentication tokens allows bypassing two-factor authentication even if no access to the secondary authentication factor is available.
Authentication tokens can be extracted from Windows and macOS computers, hard drives or forensic disk images with a built-in tool. The ability to access iCloud data using authentication tokens is subject to numerous conditions such as the version of iOS and the iCloud app installed on the computer, whether or not the account is enrolled in two-factor authentication as well as other limitations may affect the extent to which one can use authentication tokens.
iPhones automatically sync certain types of data with iCloud in real time. Elcomsoft Phone Breaker automatically downloads synced data including call logs, contacts, notes (included deleted notes and attachments), calendars as well as Web browsing activities including Safari history (including deleted records), bookmarks and open tabs. Unlike iCloud backups that may or may not be created on daily basis, synced information is pushed to Apple servers just minutes after the corresponding activity has taken place. Once uploaded, synced data can be retained for months with no option for the end user to clear the data or disable the syncing.
Elcomsoft Phone Breaker supports the following types of synced data:
In addition, Elcomsoft Phone Breaker can extract FileVault 2 recovery keys from the user’s iCloud account, and use these keys to decrypt encrypted HFS+ disk images without a password.
In addition to iCloud backups, Elcomsoft Phone Breaker can download files stored in the user’s iCloud account such as documents or spreadsheets, third-party application data (such as WhatsApp own backups, Passbook/Wallet data etc.), and more. Files from a synced Mac such as Desktop, Documents, and Trash can be extracted. Some of this data (mostly documents) is available using the iCloud feature on Windows and macOS systems, but most files are only accessible using Elcomsoft Phone Breaker. The exact set of data available may depend on the version of iOS installed, iCloud synchronization settings, the list of applications installed on the devices connected to the given account, and the options set in these applications. Note that there is no email notification sent by Apple when downloading files from iCloud.
Note: this functionality is only available in Forensic edition
Apple’s iCloud Photo Library is designed to help users store and synchronize media files between multiple devices. If iCloud Photo Library is enabled, media files are no longer saved to iOS iCloud backups. As a result, acquiring iCloud backups or downloading files stored in iCloud Drive does not automatically provide access to media files stored in the iCloud Photo Library.
Elcomsoft Phone Breaker can extract photos and videos stored in the user’s iCloud Photo Library. In addition to existing files, Elcomsoft Phone Breaker can extract media files that have been deleted from the Library during the past 30 days. Selective downloads are possible by specifying which user-created albums to download.
Downloading a large backup for the very first time can potentially take hours. Subsequent updates are incremental, and occur much faster. If speed is essential, Elcomsoft Phone Breaker offers the ability to quickly acquire select information and skip data that’s taking the longest to download (such as music and videos). Information such as messages, attachments, phone settings, call logs, address books, notes, calendars, email account settings, camera roll, and many other pieces of information can be pre-selected and downloaded in just minutes, providing investigators with near real-time access to essential information.
ElcomSoft offers the complete toolkit for performing forensic analysis of encrypted user data stored in certain iPhone/iPad/iPod devices. The toolkit allows eligible customers acquiring bit-to-bit images of devices’ file systems, extracting phone secrets (passcodes, passwords, and encryption keys) and decrypting the file system dump. Access to most information is provided in real-time. In addition to Elcomsoft Phone Breaker, the toolkit includes the ability to decrypt images of devices’ file systems, as well as a free tool that can extract the encrypted file system out of the device in raw form. More information is available on a dedicated Web page.
Note: password recovery features are available in Windows version only.
ElcomSoft offers a highly efficient, cost-effective solution to lengthy attacks by dramatically increasing the speed of password recovery when one or more supported video cards are present. GPU acceleration reduces the time required to recover iPhone/iPad/iPod and BlackBerry backup passwords by orders of magnitude. The latest generation of ElcomSoft GPU acceleration technology supports unlimited numbers of AMD or NVIDIA boards.
Multiple diverse GPU acceleration units can be used at the same time, allowing mixing multiple generations of compatible video cards to extend existing systems by adding new acceleration hardware instead of replacing.
Advanced dictionary attack with customizable mutations target the human factor and password reuse. The tool supports a variety of mutations, trying hundreds of variants for each dictionary word to ensure the best possible chance to recover the password.
Note: not applicable to MacOS X edition
iOS offers a highly secure, encrypted storage for many types of data. Stored Web forms and browser passwords, email accounts, application passwords and authentication tokens (including Apple ID account token) are stored securely in keychains that are encrypted with hardware keys unique to each individual device.
Elcomsoft Phone Breaker can extract and decrypt iOS keychain from local (iTunes-style) password-protected backups. The built-in Keychain Explorer tool allows browsing and exploring keychain items on the spot. Note: the keychain can be only decrypted when extracted from local password-protected backups.
|Support for iOS 3 through iOS 14 beta (incl. iPadOS)||✓||✓|
|Support for all models of iPhone, iPod and iPad||✓||✓|
|Recover password to iTunes backup||✓/-||✓/-|
|GPU acceleration for password recovery||32/-||32/-|
|Support for 2FA accounts||✓||✓|
|Access iCloud with authentication tokens||-||✓|
|Download iCloud backups (iOS<11.2)||✓||✓|
|Download iCloud backups (11.2-13.6 and 14 beta)||-||✓|
|Download basic synced data||✓||✓|
|Download e2e-encrypted synced data (Messages, Health etc)||-||✓|
|Download iCloud Photo Library||✓||✓|
|Download and explore iCloud Keychain||-||✓|
|Download extra data from iCloud Drive||-||✓|
|Get FileVault2 recovery key||-||✓|
|Get Screen Time password, settings and app list||-||✓|
|Decrypt iOS backups with known password||✓||✓|
|Explore iOS keychain data||✓||✓|
|Download data from Microsoft accounts||✓||✓|
|Decrypt BlackBerry backups and SD cards (OS<10)||✓||✓|
|Decrypt BlackBerry 10 backups||-||✓|
Note: password recovery features are available in Windows version only.
Elcomsoft Phone Breaker supports Windows 7, Windows 8/8.1/10 x32 and x64 architectures. Supports password-protected backups to iPhone, iPhone 3G, iPhone 3GS, iPhone 4, iPhone 4S, iPhone 5, iPhone 5C, iPhone 5S, iPhone 6, iPhone 6 Plus, iPhone 6S, iPhone 6S Plus, iPhone 7, iPhone 7 Plus, iPhone 8 and 8 Plus, iPhone X/Xs/Xr, all editions of the iPhone 11, iPad (all generations including the iPad Pro), iPad Mini and iPod Touch (all generations).
Please note that Elcomsoft Phone Password Breaker is NOT the tool to remove iOS Activation Lock or iPhone passcode lock, unlock iPhone from the carrier, jailbreak the iPhone or remove SIM card PIN code. It is intended for recovery of backup passwords only. For more information, read the EPB manual and Phone Password Breaker FAQ.
Installing latest display driver is recommended when using GPU acceleration on NVIDIA or AMD cards.
Note: this feature is never guaranteed. While we are working around the clock to monitor the latest developments in Apple’s cloud ecosystem, even the slightest change to Apple’s proprietary authentication and communication protocols may break cloud-based mobile forensic tools, including Elcomsoft Phone Breaker. More often than not, the changes will affect your ability to download iCloud backups, while other cloud-related featured may remain available. We are working hard to maintain our tools and restore cloud-related functionality as soon as possible. From time to time, the changes are so deep they require additional time to complete the research and testing, making iCloud backups inaccessible for the time being.
At this time, all iCloud features offered by Elcomsoft Phone Breaker are fully functional.