Explore the content of local and cloud backups produced by all versions of iOS and review synchronized data available in Apple iCloud and Microsoft Accounts! Elcomsoft Phone Viewer is a small, lightweight tool enabling read-only access to contacts, messages, call logs, notes and calendar data located in mobile backups. In addition, the tool displays essential information about the device such as model name, serial number, date of last backup etc. Finally, the tool implements access to deleted SMS and iMessages stored in iOS backups.
Yet another “me too” forensic viewer? We looked hard for a tool we could recommend to our customers for viewing data decrypted or downloaded with Elcomsoft Phone Breaker. No single tool on the market meets our stringent requirements on speed, compatibility and ease of use. That’s why we introduced a viewing tool of our own.
Elcomsoft Phone Viewer is the ideal viewing companion for Elcomsoft Phone Breaker, enabling full support for all data formats produced by this tool. Regularly maintained and timely updated, Elcomsoft Phone Viewer is the first to receive support for the latest mobile backup formats extracted, downloaded or decrypted with other ElcomSoft tools. Using our mobile acquisition tools? Elcomsoft Phone Viewer is a perfect companion!
Note that Elcomsoft Phone Viewer can only open unencrypted backups as well as iTunes backups with a known password. Should you have a backup file encrypted with an unknown password, use Elcomsoft Phone Breaker to recover the password.
Elcomsoft Phone Viewer displays the user's online activities including Web browsing history and search queries, browser bookmarks and opened tabs including page snapshots. Information about recent search queries and last visited Web sites has already helped solve multiple cases, and will undoubtedly help investigate crime.
Information such as call logs, contacts, notes, calendars as well as Web browsing activities including Safari history (including deleted items), bookmarks and open tabs can be synced with Apple servers. Unlike iCloud backups that may or may not be created on a daily basis, synced information is pushed to Apple servers just minutes after the corresponding activity has taken place. Once uploaded, synced data can be retained for months with no option for the end user to clear the data or disable the syncing.
Synchronized records can be obtained for extended periods of time, much longer than available in iOS devices and device backups. Existing and deleted records are obtained, and a filter can be applied to only display deleted records.
Elcomsoft Phone Viewer is ElcomSoft's stock tool for viewing synced data extracted from Apple iCloud with Elcomsoft Phone Breaker. The following types of synced data can be viewed:
Elcomsoft Phone Viewer can display pictures and videos captured with the phone or saved by one of the many apps. But don’t you worry, there won’t be a big mess of thousands of images appearing in a single thumbnail gallery. The files will be automatically split into a number of categories, making it easy to discover which pictures were captured with the phone’s camera, or received as messages or attachments. A separate category filters out system and application images such as buttons, logos and splash screens. Album view is available to help you better navigate through thousands of images.
Multiple sources of location data may be available in a given backup or image. Location data may be found in calendar events, iMessage attachments, map caches and system logs. Geolocation is one of the most important EXIF tags available. Elcomsoft Phone Viewer will automatically extract location data from multiple sources, and map the locations with OpenStreetMap. The ability to map GPS coordinates extracted from multiple sources can become extremely handy during investigations.
Health data can serve as essential evidence during investigations. At the very least, the data includes step count, running and walking distances with exact timestamps of when the user was walking or running. Significantly more evidence is available if the user wears a HealthKit compliant device such as the Apple Watch or a third-party fitness tracker. A multitude of third-party apps may contribute to Health data significantly.
Elcomsoft Phone Viewer can display Health data stored in password-protected iTunes backups and file system images obtained from iOS devices in TAR/ZIP format with Elcomsoft iOS Forensic Toolkit or GrayKey during physical extraction.
Since the introduction of the iPhone 5s, Apple’s first 64-bit iPhone, physical acquisition has never been the same. For all iPhone and iPad devices equipped with Apple’s 64-bit processors, physical acquisition is exclusively available via file system imaging. The imaging is performed on the device itself in order to bypass full-disk encryption. Regardless of the tool performing physical acquisition, the result of these efforts is always a TAR archive containing an image of the device’s file system. Elcomsoft iOS Forensic Toolkit produces TAR files as the result of the “F” (File System) command.
Up until now, most tools available for analyzing information inside these TAR images were integral parts of fully-featured forensic toolkits. The expert's choice would be limited to either time-consuming and labour-intensive manual analysis requiring a high level of expertise, or a highly sophisticated and complex forensic suite, with nothing in between. Elcomsoft Phone Viewer offers a lightweight and convenient third option, enabling fast and easy analysis of evidence found in the results of physical acquisition.
The Applications view allows viewing information about the apps installed on the iOS device being analyzed. The expert can access the list of all apps installed on the device along with their acquisition date (date of purchase for paid apps or date of first install for the free apps). Additional information includes the app version, category, and Apple ID that was used to make the purchase. Since some of that information is not available in the backup, Elcomsoft Phone Viewer automatically requests additional data via an online connection through iTunes.
By making use of the Applications view, experts can gain insight into which apps the user had, which social networks they use, and which messaging tools they communicate with.
The Wi-Fi view enables access to the list of Wi-Fi networks saved in password-protected iOS backups. The SSID, MAC address and password for each network are displayed. Additional network parameters include network BSSID and encryption standard. In addition, Elcomsoft Phone Viewer automatically extracts the date and time of first joining and last using the network.
Experts can sort the list by last connection time, thus tracking the user by seeing which networks they joined during a given time period.
Since version 2.30, Elcomsoft Phone Viewer can display iCloud Photo Library images extracted by Elcomsoft Phone Breaker. Automatic grouping by albums and advanced filtering are supported.
Elcomsoft Phone Viewer allows viewing iOS notifications extracted from iCloud backups as well as local backups produced with iTunes. The tool can display notifications going several years back, unless they are read or dismissed by the user.
Notifications are an essential part of the system, and may contain large amounts of volatile, highly sensitive information. Nearly all applications that are of forensic significance make use of notifications. Email clients, instant messengers, taxi and travel apps, social networks and many other applications can push notifications. Unless dismissed, these notifications are included into both local and cloud system backups.
Access EXIF information stored in the images with ease. Elcomsoft Phone Viewer displays when, where and in which lighting conditions the image was captured. Detailed camera info allows determining whether an image was captured on this device or received from another one. Looking for images captured around the time of an incident? Just specify a date range, and Elcomsoft Phone Viewer will automatically display images captured during that period based on the images’ EXIF tags.
Elcomsoft Phone Viewer is the perfect tool for exploring information contained in online backups downloaded from the cloud, while Elcomsoft Phone Breaker is the perfect tool for downloading mobile backups from iCloud (iOS devices), and Windows Live! (devices running Windows Phone 8/8.1 and Windows 10 Mobile).
Use Elcomsoft Phone Breaker to quickly download selective information from Apple iCloud, and review information you acquired in Elcomsoft Phone Viewer. The two tools enable investigators to obtain essential information about the suspect such as their calls, messages, address books and location history in a matter of minutes.
Elcomsoft Phone Viewer is a perfect tool when time is the ultimate priority. By using Elcomsoft Phone Viewer together with other ElcomSoft tools such as Elcomsoft Phone Breaker, investigators can save time by reviewing essential bits of information in just a few moments. By quickly downloading selective information from Apple iCloud with Elcomsoft Phone Breaker and viewing acquired information in Elcomsoft Phone Viewer, investigators can obtain essential information about the suspect such as their calls, messages, address books and location history in a matter of minutes. The ability to view Calls and Messages databases with many thousand entries as well as convenient full-text and category-based searching and filtering make navigating through acquired information a snap.
Export evidence in just a few clicks! You can export digital evidence obtained from iOS devices including local and cloud backups, iCloud synchronized data and file system images received as a result of physical acquisition. In addition, location data is exported into the industry-standard KML format. Elcomsoft Phone Viewer exports data in Microsoft Excel format, enabling experts to continue the investigation in their forensic product of choice. The ability to export data collected from the many supported sources allows easy interoperability with most commonly used forensic and analytic toolkits.
Search through thousands of records in a snap! Elcomsoft Phone Viewer offers real-time filtering and full-text searching, allowing examiners to locate records of interest in a matter of seconds. Search through Contacts, Calls, Notes and Messages, look up contacts by names, numbers and other available fields, and locate messages with full-text search.
With real-time filtering, you can opt to only display favorite contacts or only display contacts from one or more accounts (Exchange, iCloud, Google, Facebook, or any combination). For messages, you can specify date range, type of message (SMS, MMS, iMessage) and whether to display incoming, outgoing or all messages.
In iOS 12 and 13, the Screen Time password is used to secure Content & Privacy Restrictions. With the Screen Time password enabled and restrictions configured, experts cannot access many features of the iPhone. Elcomsoft Phone Viewer can display iOS Screen Time passwords if they are present. In iOS 12, Screen Time passwords can be obtained from password-protected iTunes backups; the backup password must be known. Cloud extraction is the only way to obtain Screen Time passwords for devices running iOS 13.
Elcomsoft Phone Viewer is a fast, compact tool that requires no learning curve. Using Elcomsoft Phone Viewer is just as easy as viewing an Excel spreadsheet. Designed to simplify the entry into mobile forensics, Elcomsoft Phone Viewer offers more than enough features for many IT security departments, offices and one-off investigations.
Elcomsoft Phone Breaker is the only tool on the market to access, extract and decrypt iCloud Keychain, Apple's cloud-based system for storing and syncing passwords, credit card data and other highly sensitive information across devices. Elcomsoft Phone Viewer can display keychain records obtained with Elcomsoft Phone Breaker from Apple iCloud. Not limited to iCloud Keychain, the tool can display keychain records obtained from password-protected local backups and extracted with Elcomsoft iOS Forensic Toolkit from jailbroken devices or using the acquisition agent.
Elcomsoft Phone Viewer can decrypt Signal conversation databases extracted from the iPhone via physical acquisition. Experts using Elcomsoft iOS Forensic Toolkit will open the file system image in Elcomsoft Phone Viewer and use the extracted keychain file to decrypt the Signal database. Elcomsoft Phone Viewer will then decrypt the database and display its content in the blink of an eye.
Telegram supports secure chats. According to Telegram developers, all messages in secret chats use end-to-end encryption. Secret chats are device specific. They are not part of the Telegram cloud, and they cannot be extracted with cloud acquisition. Elcomsoft Phone Viewer can display Telegram conversations and secret chats obtained from TAR images extracted with Elcomsoft iOS Forensic Toolkit.
| Encrypted iTunes backups with known password | ✓ | ✓ | ✓ |
| iCloud backups downloaded with Elcomsoft Phone Breaker | ✓ | ✓ | ✓ |
| iCloud synchronized data downloaded with Elcomsoft Phone Breaker | ✓ | ✓ | ✓ |
| iOS device image created by Elcomsoft iOS Forensic Toolkit or GrayKey device | - | - | ✓ |
| Microsoft Cloud data | ✓ | ✓ | ✓ |
| Calls, Contacts, Calendars, Tasks | Last 10 records only | ✓ | ✓ |
| Apple Health | Only 10 recent records are displayed in each category | ✓ | ✓ |
| iCloud photos | Copying file properties is not allowed | ✓ | ✓ |
| Media files | Copying file properties is not allowed | ✓ | ✓ |
| SMS & iMessages | Last 10 records only | ✓ | ✓ |
| Notes | Last 10 records only | ✓ | ✓ |
| Notifications | Last 10 records only | ✓ | ✓ |
| Voice Memos | Last 10 records only | ✓ | ✓ |
| Web and History data | Last 10 records only | ✓ | ✓ |
| Wi-Fi connections | Last 10 records only | ✓ | ✓ |
| Skype data | Last 10 records only | ✓ | ✓ |
| Keychain records | Only 2 first characters of passwords are displayed | ✓ | ✓ |
| Apple Pay transactions | - | - | ✓ |
| Export data to Microsoft Excel | - | Contacts and Notes categories can be exported only | ✓ |
Elcomsoft Phone Viewer enables access to the following information:
For iOS device backups, Elcomsoft Phone Viewer can work with ones in the original iTunes format, and supports backups with converted/restored file names. Partial backups (select categories downloaded from iCloud) are also supported.
Elcomsoft Phone Viewer supports information saved to local or cloud backups by all of the following devices:
Apple iOS 6 to iOS 13, iPadOS (iTunes and iCloud backups):
Elcomsoft Phone Viewer for Windows runs on 32-bit and 64-bit editions of Windows 7, 8, 8.1, 10, as well as Windows 2008, 2012 and 2016 Server; the Mac version requires OS X from 10.12 to OS X 10.15 (Catalina). Elcomsoft Phone Viewer operates without Apple iTunes or BlackBerry Desktop Software being installed.
Not available for Windows Phone.