Apple ecosystem includes a comprehensive backup ecosystem that includes both local and cloud backups, and data synchronization with end-to-end encryption for some categories. Today we’ll discuss the iCloud backups, particularly targeting issues that are not covered in the official documentation.

Apple describes backups of both types in Backup methods for iPhone, iPad and iPod touch; some information specific to iCloud backups is published in How to back up your iPhone, iPad, and iPod touch with iCloud. Let’s start with basic information, and then proceed with some technical data and tips & tricks.

User experience

iCloud backups are enabled by default, along with the many synchronization options. Please note:

• Almost the same risks are imposed by iCloud synchronization, which is silently enabled by default.
• Everyone should have a recovery plan for lost or broken devices. Remember, your data can be either unique or valuable: if you don’t have a backup, you don’t value that data at all.

Another issue is that Apple only provides 5 GB of iCloud storage for free, and that’s definitely not enough to keep a full device backup. Once you are over your free cloud quota, further backups cannot be created. Since iOS 15, however, Apple offers an iCloud+ plan with lots of benefits, including 50 GB of cloud storage at a very fair price.

iCloud backups, when enabled, are created automatically when all of the following conditions are met:

• The device is connected to a power source, and
• The device is connected to Wi-Fi network, and
• The screen is locked.

The backups are created once a day, usually around 2 AM. Creating the initial (full) backup takes some time, while subsequent (differential) backups are created much faster as they are incremental, and only the changes are being uploaded.

In the past, Apple used to keep three backup snapshots regardless of the user’s iCloud plan. There was no setting to adjust the number of snapshots. These days, only two most recent snapshots are stored.

A fresh iCloud backup can be created manually by tapping the Back Up Now command in the Settings app. In this mode, the phone does not need to be connected to a power source, yet a Wi-Fi connection is still required. iOS 16 adds the ability to create backups using your mobile plan.

There are a few other things worth mentioning. Apple only provides some very basic backup management. By logging in to an iCloud account (or accessing backups from any logged-in device), you can only see the list of backups including device name and last backup date and size. You can also delete individual backups by device. No other options are available. You can restore a new device from almost any backup (the iOS version on the device being restored should be the same or newer than the OS version of the original device). Note that you can only restore from a cloud (or local) backup during the initial device setup (for new devices or devices after a factory reset).

What’s inside

There is almost no documentation on iCloud backups content. In What does iCloud back up? Apple says:

Here’s what iCloud Backup includes

• App data
• Apple Watch backups1
• Device settings
• Home screen and app organization
• iMessage, text (SMS), and MMS messages2
• Photos and videos on your iPhone, iPad, and iPod touch2
• Purchase history from Apple services, like your music, movies, TV shows, apps, and books3
• Ringtones
• Visual Voicemail password (requires the SIM card that was in use during backup)

The other one mentions something slightly different:

 iCloud backups include nearly all data and settings stored on your device. iCloud backups don’t include: 

• Data that’s already stored in iCloud, like Contacts, Calendars, Notes, iCloud Photos, iMessages, Voice Memos, text (SMS) and multimedia (MMS) messages, and Health data
• Data stored in other cloud services, like Gmail and Exchange mail
• Apple Mail data
• Apple Pay information and settings
• Face ID or Touch ID settings
• iCloud Music Library and App Store content

I would say that iCloud backups contain about the same set of data as local (iTunes-style) backups without a password, yet there is a notable difference:

Your iPhone, iPad, and iPod touch backups only include information and settings stored on your device. They do not include information already stored in iCloud such as Contacts, Calendars, Bookmarks, Notes, Reminders, Voice Memos, Messages in iCloud, iCloud Photos, and shared photos. Some information is not included in an iCloud backup but can be added to iCloud and shared across multiple devices like Mail, Health data, call history, and files you store in iCloud Drive.

So, local backups do contain all of the above, but iCloud backups miss at least media files, messages and voice memos if the user enables iCloud sync; see Set up and use iCloud Photos and Use Messages in iCloud. Software such as Elcomsoft Phone Breaker allows downloading this data directly from iCloud. Just note that messages and voice memos use “end-to-end encryption” (see iCloud security overview); in order to decrypt them, you need the passcode of one of the trusted devices in addition to the user’s iCloud credentials.

Also, iCloud backups do not include call logs, Safari browsing history and Health data; this data is synced directly through iCloud (call logs appear to sync directly across devices; they may be the only category that cannot be extracted from the cloud, even if you have all credentials including the second authentication factor and the passcode, and even the trusted device itself).

Finally, the keychain. The keychain is included in iCloud backups; it can be downloaded along with the rest of the data; however, you’ll be unable to decrypt it as it is encrypted with a device-specific key that cannot be extracted even from the device itself. However, the keychain can be also being synchronized through iCloud; see Set up iCloud Keychain for more details. iCloud keychain also uses end-to-end encryption, yet Elcomsoft Phone Breaker can download and decrypt it.

The technical side

iCloud has a very complex structure; I’d say it is not just a cloud service but an ecosystem. All the files are stored in third-party datacenters all over the world. Some servers are hosted by Google, Amazon, Microsoft, and others; Apple’s own infrastructure is also there, but the company does not have a lot of physical servers. The data is split into chunks of variable size, and every chunk is encrypted using its own key. The keys are exclusively stored on Apple-owned servers.

As this topic is slightly outside of scope of this article, please watch our presentations to get more details on iCloud internals (protocols, encryption etc.):

• Cracking and analyzing iCloud protocols
• Advanced Smartphone Forensics
• Breaking into the iCloud Keychain
• iCloud syncing and 2FA
• iCloud Security: What if someone gets your password?

Acquisition

While Apple dos not provide the ability to download a cloud backup, you’ll have to resort to third-party tools such as Elcomsoft Phone Breaker for obtaining a copy of the data without restoring a new Apple device (and attempting to extract the data from the device afterwards). We were the first who implemented this feature almost 9 years ago (the news came out in August 2013).

At that time, iCloud security was much lower than it is now. For example, there was no two-factor authentication for backups; also, we have discovered a way to access backups without an Apple ID and password by using an authentication token that can be easily extracted from a Windows or macOS desktop logged into the same iCloud account.

Since then, Apple learned their lessons, and current iCloud backups are more difficult to download and to decrypt.

The (not so) fun side

Quite a few Apple users never enable iCloud backups because of privacy and security concerns. These are valid concerns. There were several cases related to iCloud hacks; here are just a few:

• 2014 celebrity nude photo leak
• Hackers sell information from Medvedev’s gadgets
• La Puente man steals 620,000 iCloud photos in plot to find images of nude woman

And that’s not only about stealing someone’s credentials and downloading iCloud data using third-party software. Apple, under certain circumstances, hands the data to law enforcement officials; see Examining a Leaked Criminal Warrant for Apple iCloud Data in a High Profile Case (part one, part two) for example.

Conclusion

Let me speculate about the future. I believe Apple will eventually get rid of local (iTunes-style) backups entirely, leaving iCloud backups as the only option. This may or may not coincide with the removal of the Lightning port from iPhones. Whether you are using iCloud backups or not, educate yourself about the security risks:

• Acquiring and Utilizing Apple ID Passwords, Mitigating the Risks and Protecting Personal Information
• Apple vs. Google: If you get hacked, which account could be bigger trouble?

 

 

We often write about full file system acquisition, yet we rarely explain what it is, when you can do it, and which methods you can use. We decided to clarify low-level extraction of Apple mobile devices (iPhones and iPads, and some other IoT devices such as Apple TVs and Apple Watches).

What

Data acquisition is the first and most important step in mobile forensics. Multiple extraction methods exist, but you rarely have a choice: often, only one or two will be available for a given device in a given condition.

These methods extract different types and amounts of data. Full files system extraction is exactly what is says on the tin: you get every bit of data from the device except unallocated data, right from the root folder and including all applications data, temporary files, logs, system files (which is important if you suspect a malware infection), detailed location history etc.

How does it compare to other methods? The difference is huge; the simplest (and almost always available method) is logical extraction. Logical acquisition is the most compatible and the easiest to use (yet not as simple as it sounds) returning the least amount of data; it is not fit for file system extraction, but still returns a copy of the keychain if you do it right.

While logical extraction is 100% compatible regardless of the device model and version of iOS (or iPadOS, watchOS, tvOS), it returns a limited set of data. Most common categories such as contacts, calls, notes, media files are there, but that’s really far from what you can actually get with full file system extraction. A lot of data is simply missing with logical extraction.

Also, the keychain. Remember the “do it right” part? With logical extraction, you can sometimes decrypt the keychain, but not every record. Some records including encryption keys and authentication tokens are only available with full file system extraction.

Also, do not forget that logical extraction of Apple TV and Apple Watch is very limited: there are no backup services there, and all you can get is media files and some logs. With full file system extraction, you get everything.

When

The answer is probably obvious, but we still want to say it: do full file system extraction whenever you can (there are several models and iOS versions compatibility issues).

If you only need such things as call log or notes, you can get about without a copy of the file system. You will only waste your time if you try, without getting any extra value. If, however, you require as much evidence as possible extracted in the cleanest possible way, get the whole file system if you can.

Unfortunately, many modern devices running up to date versions of iOS are incompatible with low-level extraction methods. In that case, you will be limited to logical acquisition – but there is a lot of ticks & tricks about it.

How

You need low-level extraction to access the file system. Low-level extraction comes in many flavors. The hardware-bound checkm8 extraction is the cleanest of the pack, while software-based extraction agent works on any hardware if it runs a compatible version of iOS. Agent-based acquisition is second best to checkm8, delivering robust file system extraction for all Apple devices running a compatible version of iOS. Agent-based extraction comes as close to being forensically sound as possible, only installing a lightweight app and not altering any user data

What makes a certain iOS version ‘compatible’ with the agent? The extraction agent obtains the required level of privileges by exploiting one of the known vulnerabilities in iOS kernel. To do this, the app packs a number of kernel-level exploits and uses one or another to escape its sandbox and access the file system. Such exploits require time and effort to find and to implement, while Apple actively patches known vulnerabilities in iOS updates. This is why the latest versions of iOS are generally immune to exploits developed for earlier builds (although we know of several exceptions).

How do these methods compare? Checkm8 extraction is based on a hardcoded bootloader exploit available on Apple’s legacy models. The acquisition agent gains the required level of privileges by exploiting vulnerabilities in iOS (thus being software-bound). Both return almost the same set of data, but have their own pros and cons. Here they are:

checkm8

+ works with all iOS versions
+ does not care about MDM
+ forensically sound
– does not work with modern devices
– you may need to remove the passcode (and so lose some data)

agent

+ works with all devices up to iPhone 13 Pro Max and even M1-based 5^th gen iPad Pro
+ do not need to remove the passcode
– mot exactly forensically sound, make some changes to the system
– limited compatibility with iOS versions
– MDM may prevent the method from working
– requires Apple Developer account to use

Conclusion

Make a copy of the file system and extract the keychain if you can, and you will not be disappointed. Do not expect a “one click” solution there, though; low-level extraction is always tricky no matter which method you use. But it is worth it.

Today’s data protection methods utilize many thousands (sometimes millions) hash iterations to strengthen password protection, slowing down the attacks to a crawl. Consumer-grade video cards are commonly used for GPU acceleration. How do these video cards compare, and what about the price-performance ratio? We tested five reasonably priced NVIDIA boards ranging from the lowly GTX 1650 to RTX 3060 Ti.

Why using a video card instead of a high-end multi-core CPU? A single NVIDIA RTX 3090 board can break passwords up to 600 times faster compared to 12^th-generation Intel Core i9-12900K, while costing twice as much as Intel’s high-end CPU. Not everyone can afford a 3090, and not everyone needs it. Mid-range video cards can deliver respectable performance at a fraction of the flagship’s price.

Until today, the GPU market was extremely overheated. High-performance video cards were almost entirely consumed by crypto miners, skyrocketing the prices of all but the lowest-performing models. We attempted addressing the issue with heterogeneous GPU acceleration, a technology allowing the use of multiple video cards of different makes and models in the same computer. The technology (built into Elcomsoft Distributed Password Recovery) allows utilizing existing hardware in mix-and-match scenarios and postponing the upgrade.

Next, we looked around to find what was still available. We found a number of reasonably priced low-end video cards that could not be economically used for crypto-mining. We even toyed with the idea of using integrated GPUs built into many modern processors with some interesting results.

Today, GPU prices are in free fall. The highly anticipated NVIDIA Ada Lovelace and GeForce RTX 40-Series cards are around the corner, which lowers the demand on existing stock. Intel is about to enter the game with Xe-based Intel Arc Alchemist discrete GPUs, while AMD is refreshing its GPU range while teasing .

This time we tested the following five boards:

1. NVIDIA GTX 1650
2. NVIDIA RTX 3050
3. NVIDIA RTX 3060
4. NVIDIA RTX 2070
5. NVIDIA RTX 3060 Ti

All the boards except the RTX 2070 were tested on the same system based on Intel’s Alder Lake i9-12900K CPU, while the RTX 2070 was tested in a workstation based on the Intel Core i5-8500 CPU. Note that GPU-accelerated attacks put little load onto the CPU (approximately 3 to 6 per cent utilization per CPU core), which makes such tests CPU-agnostic.

Benchmarks

The benchmarks demonstrate an almost linear growth of performance depending on the video card – with one exception.

This is the exception: the RTX 2070 benchmarked higher than expected in the SHA-256 test. Since the other tests were consistent, and since we had to use a different workstation to benchmark this card, we’d recommend taking this result with a grain of salt.

Price/performance ratio

Our price/performance charts are based on today’s mid-market prices in Germany. We based the “performance” part on the WinZip/AES-256 benchmark using the latest and highly optimized version of Elcomsoft Distributed Password Recovery. While not perfect, this method allowed us to do a more-or-less fair price/performance comparison.

Normalized price/performance assumes the p/p of a CPU-only attack as a “1”

Model	Passwords/sec	Price, EUR	Price/performance
GTX 1650	1440000	186	1,00
RTX 3050	1860000	297	0,81
RTX 3060	2650000	377	0,91
RTX 2070	3200000	478	0,86
RTX 3060 Ti	3440000	549	0,81

The numbers from the benchmarks and this table allow us making a simple conclusion: with NVIDIA, you get what you pay for. NVIDIA RTX 3060 Ti is naturally the fastest and GTX 1650 the slowest model with linear scalability. There are no significant deviations in price/performance that would make a certain model stand out, except that we don’t recommend buying past generation video cards today unless you can source them below market prices. The GTX 1650 only ‘wins’ in the price/performance listing because of the very low costs being such an old model. If you can source a certain model above or below these listed prices, your price/performance ratio will be different.

 

Speaking of mobile devices, especially Apple’s, “logical acquisition” is probably the most misused term. Are you sure you know what it is and how to properly use it, especially if you are working in mobile forensics? Let us shed some light on it.

Introduction

You have probably seen charts depicting and comparing the various acquisition methods for mobile devices, sometimes starting with “chip-off” (or even “micro-read”) and going all the way to manual extraction.

Logical acquisition is the simplest, most reliable, and compatible method that supports 99% of Apple mobile devices. If you follow our blog, you should know that this method it does not return the maximum amount of data compared to other methods. But due to its compatibility and simplicity it remains the most popular extraction method. There are a few tricks to learn that will help you make use of it in the most effective way.

What does it mean?

Speaking of Apple mobile devices (iPhone, iPad) and some gadgets (Apple Watch, Apple TV), “logical” is almost always a synonym to “backup”, but there are caveats.

First, neither Apple TV nor Apple Watch devices make full backups; only iPhones and iPads do.

Second, logical acquisition is not just about backups, but also includes media files available via AFC (Apple File Conduit) protocol, as well as diagnostics logs and shared files. Let’s elaborate.

Media files

Media files such as photos, videos and music are stored in a slightly different way that most other files. Even if a backup is password-protected, these files can be easily extracted. It’s not just the files, but also the metadata stored in special system databases; the metadata includes information on how these files were edited, what albums they belong to, objects and people recognized using built-in engines, thumbnails, EXIF data (including geolocations and timestamps), and more. Sometimes you can even get some information on deleted files, but this is outside the scope of this article.

Diagnostics logs

Do not underestimate device logs! They can be easily extracted using proper software (such as Elcomsoft iOS Forensic Toolkit), and they contain lots of timeline data.

Shared files

Some applications (such as Microsoft Office, some password managers etc.) allow sharing their data across the system; it is not sandboxed but accessible from the outside. Like with media files, you can get access to this data even if the backup is password-protected (again, using proper software).

Connecting and pairing the device

You may encounter the first obstacle right from the get go. Connecting the device to the computer may not immediately establish connection over the USB (Lightning) cable due to USB restrictions. We have an article on USB restricted mode that may help you work around this limitation. Note that simply unlocking the device with a passcode or biometrics turns off the restriction and re-enables USB connectivity.

Accessing any data on the device beyond basic information requires pairing the device to the computer, which requires entering the correct passcode on the device itself. There is currently no practical way around it as lockdown files are extremely short-lived.

Password-protected backups

Old backups (both local and cloud) may be everything you have access to. The backups have a value of their own, often containing evidence that was later deleted in the device itself.

A backup may have a password set, and this is a problem. As we explained, the backup password is a property of the device, and once it is set, you cannot just create another backup without a password. It does not matter which computer you connect the device to; all backups will be created with the same password, and there is no way to change it unless you know it – with a caveat.

Starting with iOS 10.2, you can run a brute-force attack on iTunes backups, albeit very slowly (just several passwords per second on a CPU, and a couple hundred p/s on a modern video card); even relatively short password cannot be cracked in a reasonable time.

Starting with iOS 11, Apple introduced a way to remove the backup password by resetting device settings (you’ll need to enter the device passcode to do that). Sounds simple? It is, but this operation has some negative consequences, as the device passcode is also being reset:

• Some user’s data is deleted (e.g. Apple Wallet transaction history)
• Microsoft Exchange mail (downloaded to the device)
• The data of some applications that require the passcode to be set
• Some keychain items are deleted
• iCloud tokens are deleted
• Login data for some applications and online services (including some messengers for example) is lost

The last item probably needs some explanation. If you have the device logged in to iCloud and that device has a passcode set (and you know that passcode), in most cases you can change the iCloud password without knowing the old one. That gives you full access to all iCloud data: the files stored on iCloud drive, iCloud backups, iCloud synced data (including “end-to-end encrypted” one. But once you reset device settings (and so the device passcode), this opportunity is lost.

Somewhat counterintuitively, if the backup password is not set, you should set it yourself. Password-protected backups contain a lot more data compared to unencrypted ones. This includes the device keychain, Health data, call logs, Safari browsing history, and more.

There is one more thing: sometimes you may be unable to reset device settings. At least two things may block the reset:

• MDM (Mobile Device Management) profile
• Screen Time password

Screen Time password is always for digits only, yet it is hard to crack. After several unsuccessful attempts, iOS enforces a one-hour delay before you can enter another passcode. Worst case scenario, it takes 10,000 hours, and this process cannot be accelerated.

The keychain

iOS keychain keeps user passwords and system authentication data such as keys and tokens. The keychain is included in both encrypted and unencrypted backups. However, if the backup is produced without a password, the keychain in that backup will be encrypted with a device-specific hardware key that is not accessible with logical acquisition. If you set a known backup password, you’ll be able to extract many keychain items.

Note that you cannot access some keys and tokens via logical acquisition regardless of the password. Also note that low-level extraction methods allow extracting the entire keychain as well as the original backup password.

iCloud backups

iCloud backups contain almost the same set of data as local (‘iTunes’) backups. Apple does not provide any way to download them; one can only restore new device. However, we have a tool for that: Elcomsoft Phone Breaker. Downloading an iCloud backup requires the user’s Apple ID and password plus access to the second authentication factor (trusted device or SIM card). See above how to reset the password.

Apart from the backups, there is usually a lot of synced data stored in the iCloud (including so-called “end-to-end encrypted” data), as well as files and documents. Wil proper credentials (device passcode or macOS system password), you can have access to all those.

This, however, is not usually called “logical acquisition” but fits into the “cloud acquisition” category.

Conclusion

We wrote about it many times but wanted to say it again: carefully learn how acquisition methods work, and do not blindly trust any forensic tool regardless of who it comes from. There are no simple ways in mobile forensics, and even the best software won’t do the job for you with a push of a button.

The ninth beta of iOS Forensic Toolkit 8.0 for Mac introduces forensically sound, checkm8-based extraction of sixteen iPad, iPod Touch and Apple TV models. The low-level extraction solution is now available for all iPad and all iPod Touch models susceptible to the checkm8 exploit.

checkm8 is applicable to all devices with bootloader vulnerability, yet there are technical differences when it comes to implementing the exploit on the various devices. In this update we are targeting non-iPhone devices, spending efforts to support the many iPads equipped with the corresponding SoCs. While other vendors have been offering their own implementations of checkm8 extraction for quite a while, we found their solutions to lack in device/iOS version coverage and miss the “forensically sound” mark.

Typically, service life of an iPad is several times as long as an iPhone of the same generation. This is reflected in the number of supported battery charge cycles. While Apple claims that a typical iPhone battery is designed to retain up to 80% of its original capacity at 500 complete charge cycles, an iPad battery is designed to retain similar capacity at 1000 complete charge cycles. In other words, despite their age, many of these tablets are still actively used – and can now be extracted.

In addition to extended service life, iPads are real workhorses compared to the iPhone. They are actively used in companies and as BYOD. Unlike iPhones, which are designated as media consumption devices, iPads (especially the Pro lineup) are made for creative tasks, which results in a lot of highly valuable potential evidence.

Compatibility

The newly added iPad models include the full-size iPad 5, 6, and 7, the iPad Mini 2, 3, and 4, the iPad Air 1 and 2, and the iPad Pro 1 and 2 (9.7” and 12.9” models respectively). In addition, iPod Touch 6 and 7 are also supported. This is in addition to previously supported iPad and iPod Touch models. Currently, our checkm8 extraction solution supports all iPad and all iPod Touch models having the bootloader vulnerability with no exceptions.

All versions of iOS up to and including iOS 15.5 are supported. Here is the full list of supported iPad models:

Technical notes

For most devices the exploit can be applied directly. However, there are several requirements when it comes to some other devices.

The Apple TV 4K does not have a USB port anymore. Connecting it to the computer requires additional hardware and some soldering skills.

For iPad 6/7 and iPad Pro 2 devices running iOS 14 or 15, the passcode must be removed prior to the extraction. Follow this guide to disable the passcode: How to Remove The iPhone Passcode You Cannot Remove

Will I need the Pico board?

In the seventh beta, we introduced a hardware/software solution to help place the iPhone 4s into PwnedDFU. The solution requires a Raspberry Pi Pico board with custom firmware. You won’t need the Pico board to work with most iPad and iPod Touch models except those based on the same USB controller as the iPhone 4s.

Please refer to the following table for devices requiring the Raspberry Pi Pico board to utilize our checkm8 extraction solution:

Conclusion

It is difficult to underestimate the importance of checkm8 for mobile forensic specialists. Our solution is the only one on the market supporting forensically sound checkm8 extraction for all Apple devices with the bootloader vulnerability, including all compatible iPhone, iPad, and iPod Touch models, as well as the Apple TV and Apple Watch devices.

 

iOS Forensic Toolkit 7.40 brings gapless low-level extraction support for several iOS versions up to and including iOS 15.1 (15.1.1 on some devices), adding compatibility with previously unsupported versions of iOS 14.

What’s it all about

Low-level extraction is commonly used by forensic specialists to obtain digital evidence not otherwise accessible via the lighter and simpler logical acquisition process. Elcomsoft pioneered agent-based low-level extraction, utilizing a lightweight app for accessing the file system and establishing a communication channel between the expert’s computer and the device being extracted. Once sideloaded onto the device, the extraction agent applies an exploit to obtain superuser privileges and gain low-level access to the file system.

Prior to this update, iOS Forensic Toolkit could perform low-level extraction of most iPhone models running iOS 9 through iOS 14.8, iOS 15-15.1, and iOS 15.1.1 on select platforms. For the A14 platform specifically, the extraction agent supported iOS 14.0-14.3, and 15.0-15.1, making the entire range of iOS 14 builds missing. This made for a rather fragmented support matrix. In this release, we closed the two remaining gaps, once again offering truly gapless file system extraction for all supported platforms. With this update, we made it possible to perform full file system extraction of iOS 9.0 through 15.1 for all iPhone and iPad models that can run these versions of iOS, and iOS 15.1.1 on some models.

Benefits of agent-based extraction

There are several extraction methods of varying complexity and compatibility. Logical acquisition is the most compatible and the easiest to use yet returning the least amount of data. Low-level extraction delivers tangible extras such as location data, comprehensive device usage stats, as well as all sandboxed app data including communication histories in the most secure messaging apps.

Low-level extraction come in multiple flavors, checkm8 being the cleanest and jailbreaks being the most obtrusive of the pack. Agent-based acquisition is second best to checkm8, delivering robust file system extraction for all Apple devices running a compatible version of iOS. Agent-based extraction comes as close to being forensically sound as possible, only installing a lightweight app and not altering any user data.

What makes a certain iOS version ‘compatible’ with the agent? The extraction agent obtains the required level of privileges by exploiting one of the known vulnerabilities in iOS kernel. To do this, the app packs a number of kernel-level exploits and uses one or another to escape its sandbox and access the file system. Such exploits require time and effort to find and to implement, while Apple actively patches known vulnerabilities in iOS updates. This is why the latest versions of iOS are generally immune to exploits developed for earlier builds (although we know of several exceptions).

iOS 14.8.1

In earlier versions of iOS Forensic Toolkit, we supported iOS versions up to and including iOS 14.8. We also supported iOS 15.0-15.1 on all compatible devices, and iOS 15.1.1 on some platforms. iOS 14.8.1 was notably missing from the list due to the lack of a proper exploit.

For other iOS versions including iOS 15, the extraction agent relied on kernel exploits that are publicly available. The situation is different with iOS 14.8.1, which does not have a public exploit. For this iOS build we incorporated a new, unpublished exploit, making our extraction agent the first tool of its kind to support this version of iOS.

iOS 14.4-14.8.1 (Apple A14)

Prior to this release, we supported iOS 15.0-15.1 on all platforms, and iOS 15.1.1 on some devices. Notably, on Apple A14 Bionic devices the entire range of iOS 14.4-14.8.1 was not supported. iOS Forensic Toolkit 7.40 brings iOS 14.4-14.8.1 support to A14 devices, now offering gapless coverage all compatible devices and all versions of iOS ranging from iOS 9.0 through 15.1.1.

Using the extraction agent

You’ll need a supported iPhone or iPad device running a compatible version of iOS. Please refer to the following picture for the matrix of supported device models and iOS versions:

Using an Apple ID registered in Apple’s Developer Program is strongly recommended for installing the agent as it alleviates the need to open Internet access on the device. A workaround is available to Mac users. Comprehensive instructions on How to Sideload the Extraction Agen are available in our blog.

Steps to extract the file system and decrypt the keychain

To extract the file system and decrypt the keychain from an iOS device without a jailbreak, follow these steps.

1. Connect the iPhone to your computer. Pair the device (establish trusted relationship) by confirming the prompt on the iPhone and entering the screen lock passcode.
2. Launch iOS Forensic Toolkit 7.40 or newer.
3. On the computer, sideload the extraction agent by using the corresponding command in iOS Forensic Toolkit.
4. On the iPhone, launch the extraction agent by tapping its icon.
   Windows: developer account required. Use app-specific password.
   macOS: developer account not required but strongly recommended.
5. If supported, extract the keychain. Extract file system image (full file system or data partition). We recommend extracting the data partition only; the full image may be usable e.g. to check the system partition for persistent malware.
6. On the iPhone, uninstall the extraction agent in a regular way.
7. You may now disconnect the iPhone and start analyzing the data.

Live system analysis is the easiest and often the only way to access encrypted data stored on BitLocker-protected disks. In this article we’ll discuss the available options for extracting BitLocker keys from authenticated sessions during live system analysis.

Imaging physical disks installed in the computer is a mandatory first step in forensic analysis. However, BitLocker drive encryption, if enabled, effectively blocks access to encrypted data. If the computer is equipped with a TPM2.0 module or its emulation (Intel PTT or AMD fTPM), a password attack would be meaningless: the protector is stored in the TPM module, and one cannot extract it from there.

Windows developers designed an alternative way of gaining access to encrypted data in case of emergencies. Should the user alter their computer hardware or the TPM module malfunctions, Windows will prompt for an all-digits recovery key.

 

The recovery key is unique per encrypted disk. It may be stored in the user’s Microsoft Account online, or it may be saved elsewhere. Experts can use such keys to mount or decrypt BitLocker disks and disk images. What shall you do if the recovery key is not available but you have access to the user’s unlocked computer?

How to extract BitLocker keys during live system analysis

There are several options for extracting BitLocker keys when analyzing a live system. Administrative privileges are required using either of them.

Option 1: extract BitLocker keys using Windows built-in GUI or command-line tools.

Option 2: use Elcomsoft Forensic Disk Decryptor to image the computer’s RAM and search the resulting image for disk encryption keys.

Note that administrative privileges are absolutely required with either method. Non-administrative accounts do not have access to either the keys or the RAM.

The easiest method employs the BitLocker Drive Encryption applet in Windows Control Panel. If the system disk is encrypted, three options will be available:

 

1. Suspend protection: this is the easiest way to temporarily suspend BitLocker protection. If you use this command, the BitLocker key will be saved in the volume header unprotected. This in turn allows Windows to automatically mount the disk without the need to enter any additional keys. However, Windows may automatically re-encrypt the volume key once the suspended disk is mounted. For this reason, we still recommend extracting the recovery key as opposed to suspending protection.
2. Back up your recovery key: saves the backup key (numerical password) into a file. Note: Windows may refuse saving the backup key to the root of the storage media (you’ll need to use a subfolder) or onto another BitLocker-encrypted disk.

You can also extract BitLocker keys via the command line or Power Shell.

To save a copy of the BitLocker recovery key run cmd.exe with administrative privileges  (“Run as administrator”), then type the following command:

manage-bde -protectors -get C:

You will get the following output:

C:\WINDOWS\system32>manage-bde -protectors -get C:
BitLocker Drive Encryption: Configuration Tool version 10.0.19041
Copyright (C) 2013 Microsoft Corporation. All rights reserved.

Volume C: [NVME]

All Key Protectors

TPM:
ID: {XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX}
PCR Validation Profile:
0, 2, 4, 11

Numerical Password:
ID: {YYYY-YYYY-YYYY-YYYY-YYYYYYYYYYYY}
Password:
123456-123456-123456-123456

The Password field under “Numerical Password:” contains the BitLocker recovery key for the given key ID.

You can also use Power Shell to save the recovery keys to all currently mounted BitLocker volumes. To do that, create a text file and give it the .ps1 extension (e.g. “backup-bitlocker.ps1”), paste the code from the listing below, save the file, and run in in powershell launched as administrator.

# Export the BitLocker recovery keys for all drives and display them at the Command Prompt.
$BitlockerVolumers = Get-BitLockerVolume
$BitlockerVolumers |
ForEach-Object {
$MountPoint = $_.MountPoint
$RecoveryKey = [string]($_.KeyProtector).RecoveryPassword
if ($RecoveryKey.Length -gt 5) {
Write-Output ("The drive $MountPoint has a BitLocker recovery key $RecoveryKey")
}
}

Using Elcomsoft Forensic Disk Decryptor

Alternatively, you can use Elcomsoft Forensic Disk Decryptor to image the computer’s RAM and scan it for disk encryption keys. To capture the RAM image, run the command line tool included with Elcomsoft Forensic Disk Decryptor on the computer being investigated. You will need administrative privileges for the tool to work. The RAM image must be saved to external media with sufficient free space; the media must be formatted in NTFS or exFAT. Note that FAT32 does not support files larger than 4GB, which is smaller than the typical amount of RAM in modern computers.

Once you have obtained the RAM image, open it with Elcomsoft Forensic Disk Decryptor and scan it for encryption keys. Despite the fact that this method is more complicated and takes longer, it may also discover encryption keys for third-party disk encryption tools such as TrueCrypt or VeraCrypt.

Mounting or decrypting the disk

Once the encryption keys have been discovered, you can decrypt or mount the disk. You can either decrypt the entire drive or mount it as a volume. We use ImDisk virtual disk driver installed with Elcomsoft Forensic Disk Decryptor to mount the disks.

 

You can opt to decrypt the entire disk image for offline analysis:

The decryption may take a while:

Alternatively, you can mount the disk as a drive letter. This process is instant.

Once the disk is mounted, you can access it via its assigned drive letter.

Conclusion

Extracting BitLocker keys with Windows tools is easy if the authenticated user has administrative privileges. You can use the extracted BitLocker keys to mount the disk or decrypt the disk image using Windows and third-party programs.

Elcomsoft Forensic Disk Decryptor is more complicated. The encryption keys it discovers can only be used in Elcomsoft Forensic Disk Decryptor. However, the tool can be used to locate keys for third-party disk encryption tools such as TrueCrypt or VeraCrypt, which is something you cannot do with Windows built-in tools.

In Alder Lake, Intel introduced hybrid architecture. Large, hyperthreading-enabled Performance cores are complemented with smaller, single-thread Efficiency cores. The host OS is responsible for assigning threads to one core or another. We discovered that Windows 10 scheduler is not doing a perfect job when it comes to password recovery, which requires a careful approach to thread scheduling.

Alder Lake: the hybrid architecture

Alder Lake is Intel’s codename for the 12th generation of Intel Core processors. The architecture introduced a new hybrid design combining high-performance P-cores and power-efficient E-cores in a single CPU. The P-cores come with hyperthreading support, and can simultaneously execute two threads, while the smaller E-cores lack hyperthreading. This makes for some unusual combinations. For example, an Intel Core i9-12900K CPU with 8 P-cores and 8 E-cores can run 24 threads in parallel. The low-end Core i3-12300 comes with 4 P-cores and no E-cores, making it an 8-thread CPU. The mid-range 12th generation Core i5 CPUs are released in multiple SKUs, some with 6P+4E-cores and 16 threads, and some with 6 P-cores and 12 threads only.

The new hybrid CPU topology has important performance implications. The host operating system is responsible for assigning a given task to a certain core. The decision must be made by the OS thread scheduler in real-time depending on the task priority, its foreground or background status, the current load of each of the cores, and many other parameters. For CPUs equipped with both P and E cores, Intel introduced a new technology called Intel Thread Director. This technology is designed to assist the OS thread scheduler with more efficient load distribution between heterogeneous CPU cores. Intel Thread Director requires support in the operating system.

Both Intel and Microsoft announced support for Intel Thread Director (ITD) in Windows 11. While Windows 10 did not receive ITD support, its version of the thread scheduler can still differentiate between P-cores and E-cores. For certain loads, this can be either too little or way too much.

Breaking passwords on hybrid processors

In today’s world of high-performance video cards being used for almost everything including password recovery jobs, using computers’ central processors for breaking passwords seems old-fashioned. Well, it is not. While GPU-assisted recovery delivers 50 to 500 times the performance compared to a CPU alone, GPU-accelerated recovery is not always an option. Some algorithms are designed specifically to deter hardware-assisted attacks. For example, Scrypt, the algorithm used in password-based key derivation functions, was specifically designed to make hardware-assisted attacks unfeasible by requiring large amounts of memory.

A GPU is faster than a CPU because of its ability to perform massively parallel computations. Tens or hundreds of threads can be executed on a video card at the same time. The performance of each of these threads may be lower than single-threaded performance of a central processor, but the sheer number of threads executed on a video card makes the attack much faster than any CPU.

The idea behind Scrypt and similar PBKDF algorithms is requiring a certain amount of memory for calculating each hash value. This is not a problem if you run 8, 16 or even 64 threads on a computer with large enough RAM. However, running 2560 threads on a video card with 8 GB of RAM is a no-go. Scrypt and other algorithms are used in multiple products to increase resistance against massively parallel hardware-assisted attacks. For this reason, getting the fastest CPU may be the only option to break certain types of passwords (such as these) in reasonable time.

How does Windows 10 handles multi-threaded load on hybrid CPUs? Shortly after the official release of 12th-generation CPUs, we tested Elcomsoft Distributed Password Recovery on the new Core i9-12900K and saw some very low numbers. Here’s what we saw:

Before optimization, a new 16-core, 24-thread CPU consuming 241W at full load was noticeably slower than an AMD APU with 65W TDP. It was clear that only the E-cores of the Intel Core i9-12900K were loaded, while the P-cores were idling. The reason for this was lower than normal priority of the threads. In Windows, each process or thread belongs to a certain priority class. By default, the priority class of a process is a normal priority class. Elcomsoft Distributed Password Recovery was designed to run in background, spawning the password recovery jobs and assigning them the below normal priority class. This allowed Distributed Password Recovery to run on computers with homogeneous CPU cores without affecting the use of other foreground apps.

On heterogeneous CPUs, Windows thread scheduler treats our password recovery threads as background tasks and assigns them to E-cores. This happens regardless of the number of threads or the number of available E-cores, and this was the reason for poor performance.

We optimized Elcomsoft Distributed Password Recovery to fully support the new hybrid architecture, and improved some algorithms (e.g. compressed archive encryption) to unlock the full performance potential of Alder Lake. The results are presented below:

Setting up Elcomsoft Distributed Password Recovery for Alder Lake

All you need to do to set up your password recovery rig for the latest Alder Lake CPUs is updating Elcomsoft Distributed Password Recovery to version 4.4 or newer. Make sure to roll out the update to all the agents as well; it is the agent that controls the CPU cores.

By default, Elcomsoft Distributed Password Recovery agents are configured to utilize all CPU threads. Since this update bumps process and thread priority to ‘normal’ (as opposed to ‘below normal’ in previous builds), running a CPU-only attack can make the computers lag. This happens because all CPU cores will be loaded to 100% utilization. If you need the computer(s) for other tasks, we recommend lowering the maximum number of CPU threads that Elcomsoft Distributed Password Recovery can utilize. This is especially true if you run an agent alongside with the server (on the same computer). If this is the case, adjust the number of CPU threads to (CPU_maximum – 2).

Conclusion

Alder Lake CPUs are today’s golden standard among consumer hardware in sheer performance. Elcomsoft Distributed Password Recovery 4.4 now fully supports the new heterogeneous architecture while bringing other important performance optimizations allowing to achieve the highest performance in CPU-only attacks.

The seventh beta of iOS Forensic Toolkit 8.0 for Mac introduces passcode unlock and forensically sound checkm8 extraction of iPhone 4s, iPad 2 and 3. The new solution employs a Raspberry Pi Pico board to apply the exploit. Learn how to configure and use the Pico microcontroller for extracting an iPhone 4s!

Introduction

We are introducing a hardware add-on to help experts use checkm8-based extraction on supported iPhone and iPad devices. The Raspberry Pi Pico board can be used to streamline the process of placing the iPhone or iPad into DFU and performing the initial steps of the exploit. By offloading this job onto the hardware board we are making the process easier for the expert while adding support for Apple hardware for which software-only support is unfeasible or plain impossible.

For most devices susceptible to the checkm8 exploit experts can do with or without the Pico board. However, there is one notable exception, which includes the entire range of Apple devices based on the A5 SoC: the iPhone 4s, iPod Touch 5, iPad 2 and 3, the original iPad mini and Apple TV 3. Due to device specifics, the exploit requires a fine-grained control that we get by using a microcontroller. To achieve this task, checkm8 developers had only released the exploit for Arduino boards, while we opted for the Raspberry Pi Pico instead.

If you need to unlock and/or extract an iPhone 4s, you will require a custom firmware image for the Pico board. The firmware image is included with iOS Forensic Toolkit free of charge. We are planning to add support for newer generations of Apple devices in near future.

Compatibility

This guide is applicable to the iPhone 4s, iPod Touch 5, iPad 2 and iPad 3, iPad Mini, Apple TV 3 devices running any version of iOS.

Before you begin

Checkm8 is a complex exploit with several pre-requisites, while the iPhone 4s uses a different USB controller requiring a very special approach for entering pwned DFU. Make sure you have everything handy before you begin.

1. A Mac computer. You will need a Mac to install the exploit and perform the extraction. We support both Intel and M1-based Macs with a universal build of iOS Forensic Toolkit. At this time, Windows is not supported.
2. iOS Forensic Toolkit 8.0 beta for Mac. You will require the Mac edition of the tool. Both Windows and Mac editions are included with every purchase of iOS Forensic Toolkit. iPhone 4s support has appeared in the seventh beta of the tool.
3. A compatible iPhone 4s, iPod Touch 5, iPad 2 or iPad 3, iPad Mini, Apple TV 3 device. At this time, devices based on the A5 (S5L8940), A5 Rev A (S5L8942) and A5X (S5L8945) are supported. The device must be functional enough to be placed into DFU mode.
4. If the screen lock passcode is unknown, you will have an option to recover it.
5. A Raspberry Pi Pico board built to specification (see below).

Building the Pico board

You will need a Raspberry Pi Pico to apply the checkm8 exploit to the iPhone 4s. Since the Pico board has a single USB port, which will be used to connect to the iPhone, you will also need a power source. We recommend the following configuration:

1. A Raspberry Pi Pico board with soldered pin headers:
2. A battery “UPS” solution for the board such as the Pico-UPS-A-EN (Amazon link, manufacturer) as well as a compatible battery.We used the following battery backup based on a single 14500N element because we had it handy; battery not shown and must be purchased separately:
3. An micro-USB OTG cable:
4. A regular USB to micro-USB cable to flash the Pico board.

The finished board will look as follows:

A word on battery backup

The listed battery backup solution for the Pico board based on a single 14500 element will only provide 3.7V, which is enough to apply the exploit but NOT enough to place the iPhone into DFU. For placing the device into DFU you’ll have to do it manually (and then connect the iPhone to the Pico board).

Installing iOS Forensic Toolkit 8.0

Please refer to checkm8 Extraction of iPhone 8, 8 Plus and iPhone X for detailed installation instructions. The only difference will be the folder name; EIFT8B7 instead of EIFT8B4. Please note that there are two different images for macOS Big Sur and newer (normal), as well as High Sierra through Catalina (legacy).

1. There are separate installation packages for current and legacy versions of macOS.
   • macOS Monterey and Big Sur: Intel and M1 are supported
   • For legacy macOS versions including macOS High Sierra, Mojave, Catalina: Intel only
2. Download the .dmg image and mount it with a double-click (you will need a password for that; the password was provided in your order confirmation email).
3. Copy the EIFT8B8 or EIFT8B7L to a known location on your computer (e.g. desktop).
4. Launch Terminal and remove the quarantine flag (make sure to specify the full path to the installation folder).
5. In Terminal, cd into the EIFT installation folder and launch ./EIFT_cmd with required command-line parameters.

Flashing the Pico board

Before connecting the iPhone to the Pico board, you will need to flash it with a custom firmware image. The firmware image is provided with iOS Forensic Toolkit.

To flash the Raspberry Pi Pico board, follow these steps.

1. Make sure that the latest build of iOS Forensic Toolkit 8.0 for Mac is installed. You will need the beta 7 or newer.
2. Press and hold the button on the Pico board.
3. Connect the board to the Mac with a regular micro-USB cable.
4. The board will appear as an external storage.
5. Drag and drop the “picom8.uf2” file from the EIFT root folder onto the storage.
6. The Pico board will be flashed and rebooted.
7. After the board finishes rebooting, it is ready for work.

Command line parameters

Once again, refer to checkm8 Extraction of iPhone 8, 8 Plus and iPhone X to understand the basic command line  parameters of iOS Forensic Toolkit. We’ll use those commands in the subsequent step-by-step guide.

iPhone 4s checkm8 extraction

First, you will need to place the iPhone into DFU. You will need to connect the device to a computer first to put into DFU mode, then disconnect from computer and connect to the Pico board.

• The device will not go into DFU mode if less than 5V are applied.
• The device will not go into DFU mode if it’s not connected to anything at all.

To place the device into DFU, follow these steps:

1. Plug the iPhone into the computer.
2. Turn it off.
3. Press and hold the Power button for 3 seconds.
4. Press and hold the Home button without releasing the Power button for 10 seconds.
5. Release the Power Button but keep holding the Home button.
6. Keep holding the Home button until you are alerted by iTunes saying that it has detected a device in Recovery Mode.

The phone screen should remain blank. If the iTunes logo is present, you are in Recovery and not DFU. If this is the case, repeat the steps to get into DFU.

Once the iPhone is in DFU, connect it to the Raspberry Pi Pico board to apply the exploit. The exploit is applied automatically by the board. A repeated short blink and long pause of the LED will indicate success once the device is exploited. For error codes and for more information on LED status please refer to the user manual provided with EIFT.

Once the exploit has been applied, disconnect the iPhone from the Pico board and connect it to the computer. You will then use iOS Forensic Toolkit normally by following the unlock and extraction process for 32-bit devices (iPhone 4 and 5/5c).

Notes on applying the exploit

Sometimes it takes two to three tries for the exploit to work. The Pico board may indicate an error; if that happens, place the iPhone into DFU again and connect it to the Pico for another try.

Once device is exploited, boot the ramdisk by executing the following command in iOS Forensic Toolkit:

./EIFT_cmd boot

The command launches the exploit. The code detects the OS version installed on the iPhone and provides a download link. If there are multiple potential matches, several download links will be displayed; we recommend taking the last link from the list. Download the file from the link, and drop the .ipsw file onto the console window.

Our extraction solution does not use the operating system installed on the iPhone to boot the device. Instead, a separate, patched version of the original Apple firmware is booted in the device RAM.

Like with other checkm8-compatible devices, you will see “Booting” then “Exploited” on the device screen. For 32-bit devices, use the following commands:

Mount the filesystem:

./EIFT_cmd ramdisk mount

This may require running fsck if there was an unclean shutdown and the dirty bit is set:

EIFT_cmd ramdisk fsck_hfs –data

Unlock

If the iPhone is locked and the passcode is not known, run the following command to brute-force the passcode:

./EIFT_cmd ramdisk passcode

Dump keys:

./EIFT_cmd ramdisk dumpkeys -p <passcode> -o keys.plist

Dump data by imaging the user partition:

./EIFT_cmd ramdisk diskdump -o data.dmg

Decrypt data using the previously extracted keys:

./EIFT_cmd tools decrypthfs -i data.dmg -o data_dec.dmg -k keys.plist

Decrypt keychain:

./EIFT_cmd tools keychain -i data.dmg -o keychain.xml -k keys.plist

For faster decryption you can optionally add the -j parameter to decrypt with more threads. For example “-j 10” for spawning ten decryption threads.

Conclusion

The iPhone 4s and iPad 2 and 3 are undoubtedly legacy. Despite that, these devices are still relatively common. They may still contain valuable evidence ranging from personal pictures to messages and other data, not to mention the passwords. The hardware-based approach made it possible to create a truly reliable and complete solution for unlocking and extracting the device and decrypting the user’s passwords. As opposed to software-only solutions, the Pico-based one is very reliable, as there are no dependencies on the host system or version, USB controller and voltage, cables, and so on (everyone who worked with checkm8 knows what I am talking about).

A pre-requisite to successful forensic analysis is accurate information about the device being investigated. Knowing the exact model number of the device helps identify the SoC used and the range of available iOS versions, which in turn pre-determines the available acquisition methods. Identifying the iPhone model may not be as obvious as it may seem. In this article, we’ll go through several methods for finding the iPhone model.

The most reliable method

Apple recommends the following way to identify the iPhone model number:

“Go to Settings > General > About. To the right of Model, you’ll see the part number. To see the model number, tap the part number.” (Find the model number of your iPhone, iPad, or iPod touch)

This, indeed, is the most reliable way to find the device model number. The model number printed on the case may not be a fully accurate representation of the actual model number due to potential unauthorized repairs, wear and tear, and cosmetic damage. In some situations, one must pull the SIM tray to see the model ID, which may lead to undesirable consequences.

Identify the iPhone by looking at it

It may or may not be possible to unambiguously determine the iPhone model by its appearance as some models may look very similar while others may have distinctive features. Apple published a series of articles to help identify such models:

• Identify your iPhone model
• Identify your iPhone model
• Identify your iPod model
• Identify your Apple TV model
• Identify your Apple Watch

This method is the least reliable. You may want to look for a model ID on the case.

Finding the printed model number

You can try identifying the model number by checking the markings on the device as described in the following Apple article:

• Find the model number of your iPhone, iPad, or iPod touch

Older devices (iPhone 7 and earlier, iPad,  iPod touch) have their model number printed on the back of the device. iPhone 8 and newer models have the model number printed under the SIM slot. To find the model number, you will need to remove the SIM tray and look in the SIM tray slot:

Important: removing the SIM card from a powered-on device may cause undesired consequences. On newer versions of iOS, removing the SIM card may block USB port and biometric sensors (Touch ID and Face ID); you will need a passcode to unlock the phone.

The model number reads “Axxxx” where “xxxx” represent four digits. This number identifies the iPhone generation and model (such as “iPhone 8 Plus”). You can also determine the SoC and the range of iOS versions available for that model. This, in turn, identifies the available acquisition methods (for example, whether or not a checkm8 extraction is available). The four-digit code does not contain information about the intended market of the device, its color or storage size. For all of that, you’ll need to check the device settings.

In addition to device model number, the removable SIM tray may contain information about the device IMEI. Treat this information with due diligence as the SIM tray is easily replaceable.

The iPhone settings

Some iPhone and iPad models look alike, while information printed on the case may be missing, illegible or plain misleading if an unauthorized repair was carried on. The only truly reliable way of checking the model number requires unlocking the iPhone and opening Settings > General > About. To the right of Model Number, you’ll see the part number.

The Model Number will contain the part number. The part number can be used to find out the intended device region, storage capacity, and color. For example, try googling the following part number to find as much information about the device as you can: MGDC3ZD/A.

To find the four-digit model number, tap the part number. You can also tap Software Version to see information about iOS build number.

Using DFU and recovery modes

You can also discover the model number by placing the device to recovery or DFU mode as shown in Everything about iOS DFU and Recovery Modes. This method can be recommended when you cannot determine the model number by examining the phone’s external features, and the iPhone is powered off. You won’t need the passcode for DFU and Recovery.

The recovery mode is the easiest one to use. To place the iPhone to recovery, follow the steps described in If you can’t update or restore your iPhone or iPod touch (under Put your device in recovery mode and set it up again). A limited set of information will be available. While the iPhone is in recovery, you may obtain the following information about the device:

Device Model: iPhone8,1
Model: n71map
ECID: XXXXXXXXXXXXXXXX
Serial Number: XXXXXXXXXXX
IMEI: XXXXXXXXXXXXXXX
MODE: Recovery

Recovery mode may return the following information:

• Device model: two representations of the device model, e.g. iPhone7,2 (n61ap), iPhone10,6 (d221ap) etc. You can use The iPhone Wiki and List of Apple’s mobile device codes types – GitHub to determine the model number based on the returned device code.
• ECID (UCID): XXXXXXXXXXXXXXXX. The ECID (Exclusive Chip Identification) or Unique Chip ID is an identifier unique to every unit, or more accurately, to every SoC.
• Serial number: XXXXXXXXXXX (or N/A)
• IMEI: XXXXXXXXXXXXXXX (or N/A). Note that we have not seen IMEI information on any of our test devices, with or without a SIM card.
• Mode: Recovery

To obtain this information, you can use a recent build of iOS Forensic Toolkit. In addition to model number, iOS Forensic Toolkit can display iBoot version, which it then uses to ‘guesstimate’ the installed version of iOS (or a range of iOS versions if there is no specific iOS build linked to that iBoot version):

The DFU mode is significantly more difficult to enter, and is significantly less documented compared to Recovery. In DFU mode, you will see significantly less information compared to Recovery. The only reason to use DFU mode is checkm8 extraction, where applicable.

Why SoC generation matters

The SoC generation affects the range of iOS versions available for a given device, and determines which extraction methods are applicable. We have collected information about SoC generations and extraction methods available for different devices in the following table:

Note: the iPhone SE 3 was released in 2022 with iOS 15.4 on board. While we do support the A15 SoC, we don’t currently have support for iOS 15.4, which means that low-level extraction is not yet available for the iPhone SE 3 (2022).

 

While we continue working on the major update to iOS Forensic Toolkit with forensically sound checkm8 extraction, we keep updating the current release branch. iOS Forensic Toolkit 7.30 brings low-level file system extraction support for iOS 15.1, expanding the ability to perform full file system extraction on iOS devices ranging from the iPhone 8 through iPhone 13 Pro Max.

Agent-based file system extraction

There are several extraction methods of varying quality and applicability starting with logical acquisition. Low-level is vastly superior to logical extraction, offering a significantly larger set of data and generally cleaner extraction process. Low-level extractions can be implemented in a few different ways. For older devices, the checkm8 extraction delivers the best results; our solution is unrivaled in providing truly forensically sound results. At this time, the checkm8 extraction process is still in beta (although you are welcome to test iOS Forensic Toolkit 8.0, which was just updated to beta 6).

Notably, checkm8 only works with older iPhones; it is simply not applicable to newer devices. To deliver low-level extraction for the rest of Apple hardware, we developed an in-house extraction agent that comes as close to being forensically sound as possible. This method is highly dependent on kernel exploits, which are extremely difficult to implement. This is why low-level extraction almost never comes to the current, up-to-date and fully patched versions of iOS. For newer models starting with iPhone Xr/Xs, using the extraction agent is the only way to access the file system.

What is the extraction agent?

When extracting an iOS device, we still need low-level access to the device. For this, we developed our own solution based on the extraction agent, which is an app sideloaded to the iPhone. The extraction agent establishes a communication channel between the device and the computer, escalates privileges, and gains access to the file and the encryption keys required to decrypt the content of the keychain.

iOS Forensic Toolkit 7.30 adds support for iOS 15.1.1. This, however, does not result in gapless coverage. For example, we don’t currently have support for iPhone 12 devices running iOS versions 14.4 through 14.8, while iOS 14.8.1 is not supported at all. In addition, for A12-A15 devices we are only able to decrypt keychain items if the device is running iOS versions up to and including 14.4.2. We are working hard to overcome these limitations. Finally, we are working on iOS 15.2, which has an exploit available but is more complex to support.

Does all of that sound confusing? We’ve made a glanceable infographics to make the current compatibility matrix easier to grasp:

Using the extraction agent

You’ll need a supported iPhone or iPad device running a compatible version of iOS. Please refer to the above picture for the matrix of supported device models and iOS versions.

Using an Apple ID registered in Apple’s Developer Program is strongly recommended for installing the agent as it alleviates the need to open Internet access on the device. You can read more about installing the agent in iOS Low-Level Acquisition: How to Sideload the Extraction Agent.

Steps to extract the file system and decrypt the keychain

To extract the file system and decrypt the keychain from an iOS device without a jailbreak, follow these steps.

1. Connect the iPhone to your computer. Pair the device (establish trusted relationship) by confirming the prompt on the iPhone and entering the screen lock passcode.
2. Launch iOS Forensic Toolkit 7.30 or newer.
3. On the computer, sideload the extraction agent by using the corresponding command in iOS Forensic Toolkit. Please refer to iOS Low-Level Acquisition: How to Sideload the Extraction Agent for instructions.
4. On the iPhone, launch the extraction agent by tapping its icon.
5. If supported, extract the keychain. The keychain can be extracted from supported devices and iOS versions (please check the compatibility matrix above).
6. Extract file system image (full file system or data partition). We recommend extracting the data partition only; the full image may be usable e.g. to check the system partition for persistent malware.
7. On the iPhone, uninstall the extraction agent in a regular way.
8. You may now disconnect the iPhone and start analyzing the data.

Troubleshooting

If you encounter the “Cannot start installation proxy service on the device” error, disconnect and restart the iPhone. Reconnect it to the computer and re-establish pairing if necessary, then try again.

Regular or disposable Apple IDs can now be used to extract data from compatible iOS devices if you have a Mac. The use of a non-developer Apple ID carries certain risks and restrictions. In particular, one must “verify” the extraction agent on the target iPhone, which requires an active Internet connection. Learn how to verify the extraction agent signed with a regular or disposable Apple ID without the risk of receiving an accidental remote lock or remote erase command.

What’s this all about

Elcomsoft iOS Forensic Toolkit utilizes an advanced low-level extraction technique for imaging the file system and, for many iOS devices, decrypting the keychain. Utilizing the unique extraction agent, this technique is second best to checkm8 extraction. Unlike checkm8, the extraction agent supports iPhone and iPad devices equipped with Apple A12 and newer SoC (this includes the iPhone Xr/Xs and newer, as well as the corresponding iPad models). While agent-based acquisition provides numerous benefits over logical extraction, the extraction agent must be sideloaded onto the device, which poses certain difficulties if you are not using an Apple ID enrolled in the Apple’s developer program. In particular, sideloading the extraction agent with a regular Apple ID only works on Mac computers, and the process requires the expert to “trust” the signing certificate by connecting to an Apple server.

Allowing the device being investigated to make an Internet connection is risky due to potential sync issues and the probability of receiving a remote lock or remote wipe command via Find My. Sideloading the extraction agent with an Apple ID enrolled in Apple’s developer program completely avoids the issue. If a developer account is not available, mitigating this risk is possible by restricting on-device connectivity to a single subdomain of apple.com that is required to verify the signing certificate. We’ll talk about the two methods in detail.

Why you need to become an Apple developer

It’s common knowledge that Apple restricts its mobile ecosystem to apps distributed through the company’s App Store. For obvious reasons, Elcomsoft low-level extraction agent is not available in the App Store, and will never be. A workaround must be used to sideload the extraction agent onto an Apple device being investigated.

Developers use an alternative method of sideloading apps without having to submit them to App Store. This method requires becoming a registered developer by enrolling an Apple ID into Apple’s developer program. You can enroll by using the following link: Enrollment – Support – Apple Developer

Alternatively, you can install the Apple Developer app and enroll through the app: Enrolling and Managing your Account in the Apple Developer App – Support – Apple Developer

You can apply as an individual developer or as a company. In the past, individual and accounts registered as an organization were functionally identical for the purpose of sideloading apps. Recently, Apple limited personal developers in such a way that they can only sideload apps from macOS computers. Accounts registered as an organization accounts do not have this limitation, and can be used to sideload apps from either macOS or Windows computers.

The limit of 100 devices a year

Both types of accounts only allow sideloading to 100 devices of each type a year (for example, 100 iPhones plus 100 iPads plus 100 Apple TV’s and so on). Removing a previously enrolled device does not reset the counter; the limit resets automatically on yearly basis. As a result of this limitation, you will be only able to sideload the extraction agent on up to 100 devices a year for each Apple ID enrolled in the developer program. This and other restrictions, as well as the cost of participation, waiting time, and relatively low acceptance rate make experts consider the use of regular (non-developer) Apple ID’s for sideloading the extraction agent.

Sideloading with a non-developer Apple ID

If a developer account with Apple is not an option, there is a limited possibility to sideload the extraction agent using a regular (non-developer) Apple ID. For this, you would use your personal account or disposable (single-use) Apple ID; not the suspect’s Apple ID. This method has two limitations:

1. It is only available if you have a macOS computer (Windows is not supported).
2. You will have to validate the signing certificate on the iPhone/iPad, which requires connecting the device to the Internet.

Authentication

There are also differences in how you authenticate depending on the type of account (regular/non-developer, individual developer, or organization) and the host OS of the computer you are sideloading the extraction agent from. In some cases, you will have to create and use an app-specific password, while in other cases your regular account password followed by two-factor authentication must be used. The following table explains the differences.

	Windows	macOS
Non-dev account – normal password+2fa	–	+
Non-dev account – app-specific password	–	–
Developer (individual) – normal password+2fa	–	+
Developer (individual) – app-specific password	*	*
Developer (organization) – normal password+2fa	–	+
Developer (organization) – app-specific password	+	+

* feature disabled by Apple; error message “Failed to retrieve development certificate for the entered Team ID. Please check your Team ID and try again”

In a word, if you are sideloading the agent from a Mac, authenticate with your login, password and second authentication factor. If you are using Windows, you will be only able to use a developer account registered as an organization, in which case you can also authenticate with your login and password or use an app-specific password.

Mitigating the risks

As mentioned above, if you use a non-developer Apple ID to sideload the extraction agent, you will have to validate the signing certificate on the iPhone/iPad. This in turn requires bringing the device online, exposing the device to the Internet with all the risks involved. To reduce the risks of exposing the iPhone device being remotely tampered with, one needs to restrict it’s online connectivity. Ideally, the iPhone should be only able to connect to a single certificate validation server – with all other communications being terminated.

Using wireless router

The easiest way is creating a dedicated Wi-Fi network on your wireless router, whitelisting a single server:

Apple Certificate Validation Server: ppq.apple.com (17.173.66.213), port 443.

You can then connect the iPhone to that Wi-Fi network without further ado.

Creating a wired bridge

If you are not familiar with your wireless router settings, or if your wireless router does not allow firewall rules, you may use a Mac computer to create a wired bridge to the iPhone.

Pre-requisites: you will need a Mac computer running macOS 10.14 Mojave or newer. The iPhone being investigated must remain in Airplane mode with all radios switched off until you install the firewall rules.

The firewall script: https://www.elcomsoft.com/download/firewall.zip

You can use your Mac to share the Internet connection with the iPhone while preventing the iPhone from connecting to unwanted services. To do that, you will need to create a simple firewall rule that allows the iPhone accessing the Apple Certificate Validation Server exclusively.

Step 1. Disconnect the Mac from the Internet (disable al wired and wireless connections). Connect the iPhone being investigated to the Mac. Open [Settings] | [Shared] and make sure that Internet Sharing in “To computers using:” contains the “iPhone USB” item.

Step 2.  Make sure that the iPhone is connected to the Mac, and activate firewall (for this specific interface only, i.e. iPhone USB), allowing access to ppq.apple.com only. That can be easily done by running our script as a root user, e.g.:

sudo ./install_firewall.sh

The script detects all potential bridged connections on the computer, and applies the blocking rules just for them. The computer itself will remain connected to the Internet, while the iPhone connected to the USB bridge will be able to connect to a single server for validating the certificate.

Important: all the changes are made in the computer’s RAM. This means that simply rebooting the computer removes the temporary firewall rules. You can also restore the original configuration without rebooting by running the uninstall_firewall script.

Step 3. Restore Internet connectivity on the Mac.

Step 4. Sideload the extraction agent to the iPhone and enable Internet Sharing to iPhone USB.

Step 5. Approve/verify the certificate (issued to the Apple ID you used for sideloading the agent).

Step 6. Do the extraction with EIFT.

Step 7. You can uninstall the firewall rules now by running the second script, again as a root user:

sudo ./uninstall_firewall.sh

If you reboot the computer, the original firewall rules will be restored even if you don’t run the second script.

You can also keep the current setup for further extractions (if you ever need to install the agent onto other iPhones). From now on, any iPhone connected to this Mac (after the firewall setup) will only have access to the particular Apple server required for certificate approval; it will not sync (neither the system nor any applications) or have access to any remote lock/wipe commands.

That’s it, you can now acquire the data from the device, including the full file system and keychain.

A new version of iOS Forensic Toolkit is on the way with broader compatibility and greater support for the many iPhone models. Stay tuned!

Encrypting a Windows system drive with BitLocker provides effective protection against unauthorized access, especially when paired with TPM. A hardware upgrade, firmware update or even a change in the computer’s UEFI BIOS may effectively lock you out, making your data inaccessible and the Windows system unbootable. How to prevent being locked out and how to restore access to the data if you are prompted to unlock the drive? Read along to find out.

Why am I locked out?

If you are seeing the following screen, you have been locked out of your system because of BitLocker encryption.

The lock-out often occurs if the computer is equipped with TPM, and one of the following things had occurred:

1. You removed the disk from the original computer and are attempting to read it on a different device.
2. You updated the computer’s UEFI BIOS or installed a firmware update to a certain component such as a video card, fingerprint reader, etc.
3. You modified security-related settings in the computer’s UEFI BIOS.
4. Root of trust was altered (e.g. by malware).

What can I do if I am locked out?

If you are locked out of your Windows system and are prompted for a BitLocker recovery key, this can mean that the recovery key might be the only option to unlock the disk. If this is the case, read the prompt carefully. In modern versions of Windows 10 (and all versions of Windows 11), such prompts usually have a hint as to when the backup copy of the BitLocker key was produced and where it was stored.

In some cases, there may be other ways to unlock the disk such as a PIN code or password. You can check if this is the case by booting your computer with Elcomsoft System Recovery and examining the BitLocker-protected drive. We have comprehensive instructions here: Unlocking BitLocker: Can You Break That Password? | ElcomSoft blog

If no password is available, you will see the following screen:

I do not recall enabling encryption

In certain cases, your computer’s boot drive might be encrypted with BitLocker Device Encryption without you even knowing. According to Microsoft, modern Windows devices are increasingly protected with BitLocker Device Encryption out of the box. In Overview of BitLocker Device Encryption in Windows – Windows security, Microsoft explains how BitLocker Device Encryption works.

Beginning in Windows 8.1, Windows automatically enables BitLocker Device Encryption on devices that support Modern Standby. With Windows 11 and Windows 10, Microsoft offers BitLocker Device Encryption support on a much broader range of devices, including those that are Modern Standby, and devices that run Windows 10 Home edition or Windows 11.

Unlike a standard BitLocker implementation, BitLocker Device Encryption is enabled automatically so that the device is always protected. The following list outlines how this happens:

• When a clean installation of Windows 11 or Windows 10 is completed and the out-of-box experience is finished, the computer is prepared for first use. As part of this preparation, BitLocker Device Encryption is initialized on the operating system drive and fixed data drives on the computer with a clear key (this is the equivalent of standard BitLocker suspended state). In this state, the drive is shown with a warning icon in Windows Explorer. The yellow warning icon is removed after the TPM protector is created and the recovery key is backed up, as explained in the following bullet points.
• If the device is not domain joined, a Microsoft account that has been granted administrative privileges on the device is required. When the administrator uses a Microsoft account to sign in, the clear key is removed, a recovery key is uploaded to the online Microsoft account, and a TPM protector is created. Should a device require the recovery key, the user will be guided to use an alternate device and navigate to a recovery key access URL to retrieve the recovery key by using his or her Microsoft account credentials.
• If the user uses a domain account to sign in, the clear key is not removed until the user joins the device to a domain and the recovery key is successfully backed up to Active Directory Domain Services (AD DS). […] With this configuration, the recovery password is created automatically when the computer joins the domain, and then the recovery key is backed up to AD DS, the TPM protector is created, and the clear key is removed.
• Similar to signing in with a domain account, the clear key is removed when the user logs on to an Azure AD account on the device. As described in the bullet point above, the recovery password is created automatically when the user authenticates to Azure AD. Then, the recovery key is backed up to Azure AD, the TPM protector is created, and the clear key is removed.

In plain English, the important consequences are:

1. If your device supports BitLocker Device Encryption (most laptops and some modern desktops do), the system disk will be automatically encrypted. A clear encryption key will be saved in the disk header. At this point, the data on the disk is encrypted, but the volume encryption key is not.
2. The clear key is only removed when the BitLocker recovery key is backed up. This is very important: Windows will never remove the clear key without a backup.
3. For personal users, a cloud copy of the BitLocker recovery key will be made into the Microsoft account of the first Microsoft account user who signs-in to the computer with administrative privileges.
4. For corporate users, Active Directory and Azure AD can be used to back up the BitLocker recovery key.

All this means that if you are locked-out of your BitLocker-encrypted system, there always is a backup copy of the recovery key. Finding that recovery key is often the only way to regain access to the encrypted system.

You (still) have access to BitLocker-encrypted data: preventing the lockout

If you have a working Windows system, and your system drive is protected with BitLocker or BitLocker Device Encryption, you can easily prevent the lock-out by saving your BitLocker recovery key. That Recovery Key can then be used to unlock the encrypted disk regardless of the type of protector used.

Ensuring that you have a BitLocker recovery key available and accessible is crucial to safeguard your BitLocker-encrypted disk. A unique recovery key is produced for every encrypted volume, so make sure to familiarize yourself with the recovery process.

There are generally two ways to save the recovery key, one is using the Windows GUI, and another using the command-line interface.

Saving the BitLocker recovery key through Windows UI

To produce the recovery key, launch the “BitLocker Drive Encryption” applet in the Windows Control Panel. You can do this by either going through the Control Panel, or by typing “bitlocker” in the Windows search and launching “Manage BitLocker”.

If your system disk is encrypted, you will have several options: Suspend protection, Backup your recovery key, or Turn off BitLocker. To save a BitLocker recovery key, click “Backup your recovery key”.

You will have the opportunity to save the recovery key into your Microsoft account (if you used one for Windows sign-in), save it to a file (preferably onto a USB flash drive, but a folder on an unencrypted disk will do as well), or print it out on a piece of paper.

Note: since Windows 10, version 1903 (or any version of Windows 11) the system will save information about when and where the BitLocker recovery key was backed up. You won’t be able to see that information anywhere but toe BitLocker recovery screen.

Saving the BitLocker recovery key via command-line

Alternatively, you can produce the recovery key by using the command line. Launch the command line with administrative privileges with “Run as administrator”, then type the following command:

manage-bde -protectors -get C:

You will receive the following output:

C:\WINDOWS\system32>manage-bde -protectors -get C:
BitLocker Drive Encryption: Configuration Tool version 10.0.19041
Copyright (C) 2013 Microsoft Corporation. All rights reserved.

Volume C: [NVME]

All Key Protectors

TPM:
ID: {XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX}
PCR Validation Profile:
0, 2, 4, 11

Numerical Password:
ID: {YYYY-YYYY-YYYY-YYYY-YYYYYYYYYYYY}
Password:
123456-123456-123456-123456

Here, the “Numerical Password” field will contain the required recovery key. You can save it into a file or print it out. Make sure to record the corresponding key ID.

Saving the BitLocker recovery key via PowerShell

Windows has a powerful replacement of the classic command line. We created a PowerShell script that extracts all BitLocker recovery keys for all encrypted disks.

Save the script below as a .ps1 file (for example, “backup-bitlocker.ps1”) by creating a text file and pasting the following content:

# Export the BitLocker recovery keys for all drives and display them at the Command Prompt.
$BitlockerVolumers = Get-BitLockerVolume
$BitlockerVolumers |
ForEach-Object {
$MountPoint = $_.MountPoint
$RecoveryKey = [string]($_.KeyProtector).RecoveryPassword
if ($RecoveryKey.Length -gt 5) {
Write-Output ("The drive $MountPoint has a BitLocker recovery key $RecoveryKey")
}
}

Launch the script on the computer with BitLocker drives mounted from a Windows account with administrative privileges. Run PowerShell with “Run as administrator”, then type the name of your script file (e.g. “backup-bitlocker.ps1”). You will see all BitLocker recovery keys as the output.

Preventing BitLocker lock-out when upgrading computer hardware or updating UEFI BIOS

When updating the computer’s UEFI BIOS, removing or installing hardware (such as a video card), or modifying UEFI security settings, your BitLocker-encrypted drive may no longer mount when you attempt to boot Windows. This happens because your computer’s chain of trust is broken (we have a comprehensive article on how it works), and the computer’s TPM module does not release the encryption key.

If you followed the steps from the previous chapter, you already have the BitLocker recovery key, and mounting the encrypted BitLocker drive will be as simple as keying in that recovery key into BitLocker recovery screen. You can identify the required key by its Recovery key ID.

However, this situation can be easily avoided altogether if you simply suspend BitLocker protection temporarily before updating BIOS or altering computer hardware. To suspend BitLocker protection, open the BitLocker applet in the Windows Control Panel and click “Suspend protection”.

Once you do that, the decrypted volume key is stored in the disk header, allowing the system to pick it up the next time it boots. After suspending BitLocker protection, shut down the computer and perform the planned upgrade or update. When you turn it on, Windows will boot normally, establish a new chain of trust and provision the TPM accordingly. After that, Windows will automatically re-enable BitLocker protection.

You are locked out

If you own the computer that has its system drive encrypted with BitLocker Device Encryption and manage to break the system’s boot chain of trust, you will be unable to boot. If this happens, you will see a screen that looks like the one below:

On that screen, Windows is asking you to unlock the drive by providing a valid BitLocker recovery key that corresponds to the displayed Recovery key ID. If you’ve come to that point, there might be no other way to unlock the system but enter the valid recovery key. Your Windows account password or any other password cannot be used to unlock the system drive because the actual binary encryption key is or was stored in the computer’s TPM module. If the TPM module does not want to provide that encryption key, or if the TPM module was reset or re-initialized, you no longer have access to that key. The BitLocker recovery key contains the encoded encryption key that can be used to decrypt and unlock the protected drive.

Important: if the computer was equipped with TPM, there may be no other way to unlock the disk except the BitLocker recovery key.

Where do I get the recovery key?

In Windows 10 and Windows 11 one cannot enable BitLocker encryption without saving a copy of the recovery key. In the case of automatic BitLocker Device Encryption, the recovery key is automatically saved into the cloud account of the first user who signs in as a system administrator with their Microsoft Account (as opposed to a local Windows account).

Important: BitLocker Device Encryption will not be enabled until the first eligible sign-in. It will not be enabled until the BitLocker recovery key is saved into that user’s Microsoft Account.

So where do you get the BitLocker recovery key? If you are using a recent version of Windows 10 or any version of Windows 11, you will get a hint as to the location of the recovery key. According to Microsoft, “BitLocker metadata has been enhanced in Windows 10, version 1903 or Windows 11 to include information about when and where the BitLocker recovery key was backed up. This information is not exposed through the UI or any public API. It is used solely by the BitLocker recovery screen in the form of hints to help a user locate a volume’s recovery key. Hints are displayed on the recovery screen and refer to the location where the key has been saved. Hints are displayed on both the modern (blue) and legacy (black) recovery screen. This applies to both the boot manager recovery screen and the WinRE unlock screen.” BitLocker recovery guide (Windows 10) – Windows security | Microsoft Docs

According to Microsoft, this is where you can find the recovery key:

In your Microsoft account: Sign in to your Microsoft account on another device to find your recovery key. If other users have accounts on the device you can ask them to sign in to their Microsoft account to see if they have the key.

On a printout you saved: Your recovery key may be on a printout that was saved when BitLocker was activated. Look where you keep important papers related to your computer.

On a USB flash drive: Plug the USB flash drive into your locked PC and follow the instructions. If you saved the key as a text file on the flash drive, use a different computer to read the text file.

In an Azure Active Directory account: If your device was ever signed in to an organization using a work or school email account, your recovery key may be stored in that organization’s Azure AD account associated with your device. You may be able to access it directly or you may need to contact a system administrator to access your recovery key.

Held by your system administrator: If your device is connected to a domain (usually a work or school device), ask a system administrator for your recovery key.

(Source: Find my BitLocker recovery key (microsoft.com))

Conclusion

Read more about BitLocker protection and BitLocker recovery in our blog:

Unlocking BitLocker Volumes by Booting from a USB Drive

Unlocking BitLocker: Can You Break That Password?

Understanding BitLocker TPM Protection

Introduction to BitLocker: Protecting Your System Disk

Accessing the content of password-protected and encrypted documents saved as DOC/XLS files (as opposed to the newer DOCX/XLSX files) is often possible without time-consuming attacks regardless of the length of the password. Advanced Office Password Recovery enables experts quickly breaking the encryption of password-protected DOC and XLS files, which are Microsoft Word and Excel documents saved by modern versions of the app in the “compatibility” format. Organizations are still using the “compatible” Office 97/2000 formats for their document workflow.

Advanced Office Password Recovery can quickly remove protection and decrypt documents saved in the following formats:

• Microsoft Office 97 and 2000: these versions of Microsoft Office use 40-bit encryption exclusively
• Microsoft Office XP and 2003: 40-bit encryption is used by default; adds optional CSP support
• Newer versions of Microsoft Office: documents saved as “Word 97-2003 .doc” or “Excel 97-2003 .xls” still using 40-bit encryption

Why does it work that way, what is the difference in encryption between the “compatible” and modern formats, and how exactly can you remove protection from DOC and XLS files? Read along to find out.

Microsoft Office: legacy encryption in “compatible” formats

For compatibility reasons, Microsoft Office apps are still using legacy encryption when a document is saved as a .DOC instead of a .DOCX. You can read more about it in our previous article Microsoft Office 40-bit Encryption and Thunder Tables in Advanced Office Password Recovery.

Microsoft Office 97 was once released with deliberately weak encryption due to US export restrictions. That encryption scheme was carried over to Microsoft Office 2000 unchanged, even though by the time the export restrictions ceased to exist. The native US versions of Microsoft Office could be configured to use stronger encryption, yet the setting was rarely enabled because of valid compatibility concerns – the same concerns that are driving many organizations today to keep using the “compatible” DOC/XLS formats for their document workflow.

Technically speaking, the “compatible” formats are using the RC4 cipher for encryption and MD5 for hashing. A weak 40-bit encryption key and a single iteration of MD5 hashing are used to protect information. Even twenty years ago, 40-bit encryption was considered weak enough to be cracked in reasonable time. Today, several hours of brute forcing is all that is needed to break 40-bit encryption on an average consumer-grade CPU; much less if you use a video card.

The newer DOCX/XLSX files are with a much stronger AES encryption. 256-bit encryption keys require attacking the original plain-text passwords in order to decrypt the content, while the large number of iterations (hash rounds) makes such attacks deliberately slow. In other words, while the older formats have known vulnerabilities allowing for near-instant recovery of encrypted content, the newer DOCX/XLSX files must be attacked with Elcomsoft Distributed Password Recovery to recover the original password. The original password is then used to decrypt the content of the DOCX/XLSX file.

In other words, Advanced Office Password Recovery today can decrypt a password-protected Word .doc documents or an Excel .xls spreadsheet saved as “compatible” within a guaranteed, limited timeframe. The exact time needed for the attack will depend on your CPU power and will NOT depend on the length and complexity of the user’s password.

Please not: the hashes are salted. This means that the different documents protected with the same password are encrypted with different encryption keys. Because of this, you must run individual attacks on these documents – even if they share the same password.

However, brute forcing is not even needed to break 40-bit encryption if you use Thunder Tables, a feature available in the Forensic edition of Advanced Office Password Recovery.

Thunder Tables

In the past, enumerating the entire set of 40-bit encryption keys would take several days on an average computer. To cut this time, we fully refactored all possible 40-bit keys to build Elcomsoft Thunder Tables , an extension of the Rainbow Tables attack. Using Thunder Tables, you can break all compatible Word documents and about 97% of compatible Excel spreadsheets in just seconds instead of hours. The Thunder Tables are available in the Forensic edition of Advanced Office Password Recovery. You can read more about the Thunder Tables in Thunder Tables Explained | ElcomSoft blog.

In the past, users would have to obtain Thunder Tables separately by either copying them from the supplied DVD or flash drive or manually downloading them from our Web site. This is no longer the case: Thunder Tables will be downloaded automatically when you need them. Advanced Office Password Recovery automatically detects the document format and the type of protection and suggests downloading Thunder Tables if the document uses 40-bit encryption. Thunder Tables are exclusive to the Forensic edition; Home edition users still have an option to brute-force all available 40-bit keys, which is plenty fast on modern CPUs.

Thunder Tables take a lot of space on your computer; they occupy several gigabytes of disk space. By default, the tables will be stored in %APPDATA%\Elcomsoft Password Recovery\Thunder Tables. If your system drive does not have the amount of free space required, or if you don’t want to store something as large as Thunder Tables on your boot drive, consider specifying a different path. You can do that by editing the following Registry key:

Computer\HKEY_CURRENT_USER\SOFTWARE\Elcomsoft\Advanced Office Password Recovery\TTPath

Please note that Thunder tables should be stored on an SSD drive or USB flash drive due to the large amount of random access operations.

It is important to note that the actual password is not needed to decrypt documents as the tool attacks the binary encryption key instead. If, for any reason, you absolutely must recover the password, you can run a GPU-assisted attack that offers speeds in the order of tens of millions password combinations per second.

Breaking 40-bit encryption step by step

To break a document protected with 40-bit encryption, do the following.

1. Launch Advanced Office Password Recovery.
2. Open the document you are about to recover. The tool will automatically detect the type of protection. In the case of 40-bit encryption, the following message will be displayed:
3. If you already have Thunder tables on your computer, the key search will begin immediately. Otherwise, the tool will suggest downloading Thunder tables. Depending on your connection speed, this may take some time; the size of Thunder tables is in the range of several gigabytes.
4. Please note that Thunder tables require several gigabytes of free disk space. If your system disk does not have the required amount of free space, edit the following registry key and restart Advanced Office Password Recovery:
   Computer\HKEY_CURRENT_USER\SOFTWARE\Elcomsoft\Advanced Office Password Recovery\TTPath
5. Once Thunder tables are downloaded to your computer, the key search will be performed automatically.
6. With Thunder tables, the recovery of a Word document is 100% guaranteed, and only takes several seconds (up to several minutes). For Excel spreadsheets, success rate is 97%. If the key is not found, continue to the next step, and repeat the key search without using the Thunder tables.
7. If you skip the download (or if Thunder tables cannot locate the key for a given .xls file), the key search will commence without Thunder tables. The search may take from several minutes to several hours.
8. Once the key is found, the document will be decrypted using the discovered encryption key. The password will not be discovered and is not required to decrypt the document.

We are continuing the consolidation of our product line, now adding WordPerfect and Lotus office apps into Advanced Office Password Recovery. The tool can help experts unlock a host of digital document formats including Microsoft Office, OpenDocument, Hangul/Hancell, and many others without lengthy attacks.

What’s it all about?

For a long time, we used to offer many individual tools for breaking specific types of passwords and unlocking specific types of documents. We had a tool for decrypting legacy Microsoft Office documents and a tool for breaking 40-bit encryption, a tool for unlocking WordPerfect files and a tool for Lotus SmartSuite documents. That was a lot of tools and a lot of confusion.

Some time ago, we started work on consolidating our product range. The first step was merging Advanced Office Password Breaker and Advanced Office Password Recovery, integrating the former tool’s features into the latter. Today, we are making another important step: adding WordPerfect and Lotus support into Advanced Office Password Recovery.

What is it for?

Advanced Office Password Recovery is a tool for instantly removing password protection from office documents in a large number of formats. The tool can quickly unlock Microsoft Office documents (and quickly decrypt files saved as “compatible” with 40-bit encryption), recover passwords, unlock and decrypt files in files saved by MyOffice, Apple iWork, and Hangul/Hancell Office, and recover passwords for files in the OpenDocument standard. The tool exploits all known backdoors and tricks in the Office family for instant recovery and delivers the fastest attacks where the original password must be recovered. Low-level optimization combined with GPU acceleration and numerous smart attacks make Elcomsoft Advanced Office Password Recovery the fastest office recovery tool on the market.

The new functionality allows instantly unlocking password-protected files produced in IBM/Lotus SmartSuite, Supports Lotus Organizer, Lotus WordPro, Lotus 1-2-3, Lotus Approach and Freelance Graphics, as well as in Corel WordPerfect Office, WordPerfect, Paradox, and Corel WordPerfect Lightning.

WordPerfect: still no proper encryption in proprietary formats

WordPerfect is an office suite that was popular in the legal workflow. The current version of Corel-owned WordPerfect suite is WordPerfect Office 2021. WordPerfect documents were used by lawyers and courts for legal workflow. Today, WordPerfect offers several unique features targeted specifically at these audiences. For example, the Redaction feature can be used to “black out sensitive or confidential information and ensure that text cannot be retrieved or revealed”. The feature can also “search a document for words and phrases to hide, and automatically apply redaction. Redacted files can be saved to .pdf or .wpd formats, keeping your information safe and secure from onlookers.” (source).

Interestingly, the original (proprietary) file formats produced by WordPerfect apps still use a wishy-washy “password protection” approach. According to the official Knowledge Base article, users can use “original” and “advanced” protection. The “advanced” protection allows using case-sensitive passwords “for greater security”. Unsurprisingly, such passwords can be removed instantly or very quickly (in a matter of minutes) regardless of whether the “original” or “greater security” option was selected.

There are some nuances when breaking WordPerfect passwords depending on which version of the suite was used to produce the file, as well as the type of encryption (original or enhanced). In some cases, Advanced Office Password Recovery will decrypt the document without recovering the original password, while in some other cases the password must be recovered to decrypt the document. In either case, the process is nearly instant. For QuattroPro files, Advanced Office Password Recovery can find the original password but not decrypt the document (you’ll have to use the original QuattroPro app for that).

Lotus SmartSuite

Once a popular office suite, Lotus SmartSuite was discontinued some time in 2009.

All Lotus passwords can be removed instantly. Elcomsoft Advanced Office Password Recovery supports all tools, components and formats including Lotus Organizer, Lotus WordPro, Lotus 1-2-3, Lotus Approach and Freelance Graphics.

What about Lotus Notes? Do not let the similar name fool you: HCL Notes (formerly Lotus Notes) is a different product that belongs to a different family. HCL/Lotus Notes is and actively maintained product with proper encryption. Advanced Office Password Recovery cannot instantly remove strong protection; to decrypt HCL/Lotus Notes files, you’ll need to attack the original password with Elcomsoft Distributed Password Recovery.

More information

Read how the encryption in Microsoft Office apps evolved over the years:

• Microsoft Office 40-bit Encryption and Thunder Tables in Advanced Office Password Recovery
• Microsoft Office encryption evolution: from Office 97 to Office 2019

Conclusion

The Advanced Office Password Recovery update streamlines the recovery of office documents saved by popular contemporary and legacy apps. Instant unlock or guaranteed timeframe decryption is offered for legacy formats, while GPU-assisted password recovery is available for modern documents with strong encryption.

 

Windows 11 introduces increased account protection, passwordless sign-in and hardware-based security. What has been changed compared to Windows 10, how these changes affect forensic extraction and analysis, and to what extent can one overcome the TPM-based protection? Read along to find out!

Windows 11 “passwordless” accounts

Traditionally, Windows users used to sign-in to their computers with a password. A local (or managed, which is another story) Windows account was the only way to authenticate in Windows 7 and earlier versions.

Starting with Windows 8, Microsoft introduced a new way to sign-in by using the online credentials to the user’s Microsoft Account. Microsoft continued pushing these online accounts in subsequent Windows updates, up to the point that certain Windows editions can no longer be installed with a local account. The Microsoft Account credentials can be used to sign-in to Windows to any computer that runs Windows 8, 10, or Windows 11.

The first Microsoft Account sign-in requires an active Internet connection as the account credentials are sent to Microsoft for authentication. The hashed Microsoft Account password is then cached on the local computer to facilitate offline sign-ins. This in turn enables the attacker to brute-force the hashed password and gain access to the entire content of the user’s Microsoft Account complete with pictures and documents they store in their OneDrive account, Skype conversations, browsing history, all passwords kept by the Edge browser and a lot more (Breaking into Microsoft Account: It’s No Google, But Getting Close). Just think about it for a moment: a high-speed offline attack on the computer’s NTLM database can break a password to an online account containing sensitive personal information.

Granted, the use of two-factor authentication may help prevent the worst, but brute-forcing the password also enables access to everything in the user’s Windows account, including the Edge stored passwords. Microsoft attempted to address the issue by introducing PIN and Windows Hello authentication, but the common lack of hardware to back these authentication methods made them comparatively ineffective (more on that below).

The situation was hardly acceptable, and Microsoft started work on an alternative sign-in method that would still make use of a Microsoft Account but mitigate the security risk associated with cached credentials. In September 2021 Microsoft announced the passwordless future of authentication. Windows 11 brings passwordless sign-on to every user, adding a new type of accounts that does not require, does not store, and does not use a password to sign in.

Microsoft considers passwordless sign-in a more secure authentication option compared to passwords. Enabling passwordless authentication automatically disables the possibility of an unauthorized party accessing a local computer by knowing (or brute-forcing) the user’s existing local or cloud-based Microsoft Account password.

“Passwordless solutions such as Windows Hello, the Microsoft Authenticator app, SMS or Email codes, and physical security keys provide a more secure and convenient sign-in method.

While passwords can be guessed, stolen, or phished, only you can provide fingerprint authentication, or provide the right response on your mobile at the right time.”

(Source: How to go passwordless with your Microsoft Account)

For general (non-domain) users there are currently three types of accounts available in Windows 11.

1. [default] Passwordless Microsoft Account. A password cannot be used to sign in; users authenticate via PIN (TPM), Windows Hello or Microsoft Authenticator app (online).
2. Microsoft Account (password-enabled). Users can authenticate via PIN (TPM), Windows Hello or their Microsoft Account password.
3. Local Windows account (password-enabled). Users can authenticate via password, PIN (TPM) or Windows Hello.

Which accounts use passwordless sign-in in Windows 11?

Windows 11 allows both password-based and passwordless sign-in. The passwordless mode is the new default when configuring a new Windows 11 system or adding a new account into existing Windows 11 installation. User accounts that were migrated during the upgrade from Windows 10 retain their existing authentication properties.

While Windows 11 users can manually choose password-based or passwordless sign-in, the default settings are:

• New Windows 11 installations: Microsoft Account, passwordless sign-in.
• Windows 10 migration: password-based sign-in carried over; reuses existing authentication method.
• New accounts created in Windows 11 after Windows 10 migration: Microsoft Account, passwordless sign-in.

Please note that users can switch between password-based and passwordless sign-in at any time by flipping a setting:

Additionally, users can modify a Registry entry to achieve the same effect:

Windows 10 can use TPM, too

Interestingly, Windows 10 can and does use TPM-based sign-in protection. If the computer has a TPM module or TPM emulation provisioned and enabled in the computer’s UEFI BIOS, Windows 10 utilizes the hardware protection for PIN-based authentication. This, however, does not tell the whole story.

Windows 10 can utilize the features of TPM2.0 if the module is installed or emulated in the system. In Why a PIN is better than an online password (Windows) – Windows security, Microsoft claims that PIN-based account protection is “better” than password-based authentication because…

PIN is tied to the device

One important difference between an online password and a Hello PIN is that the PIN is tied to the specific device on which it was set up. That PIN is useless to anyone without that specific hardware.

PIN is backed by hardware

The Hello PIN is backed by a Trusted Platform Module (TPM) chip, which is a secure crypto-processor that is designed to carry out cryptographic operations. The chip includes multiple physical security mechanisms to make it tamper resistant, and malicious software is unable to tamper with the security functions of the TPM. Many modern devices have TPM. Windows 10, on the other hand, has a defect of not linking local passwords to TPM. This is the reason why PINs are considered more secure than local passwords.

The information in this section is not entirely correct and misleading. See, Windows 10 can and does run on computers without a TPM module installed. Moreover, it runs just fine and without a single warning on computers that do have the firmware-based TPM emulation feature, but have that feature disabled in their UEFI BIOS. As an example, this 9^th generation Gigabyte Z390 board does support Intel Platform Trust Technology, but the default setting for it is “off”. I had to actively look for it under the ”Miscellaneous” tab, and manually enable the “Intel Platform Trust Technology (PTT)” setting. On a scale of 1 to 10, how likely is an average user to do that on a perfectly working Windows 10 system?

With TPM missing or disabled, Windows can still use PIN-based sign-in, and Microsoft still claims this is more secure than password-based authentication.

Without a TPM or with TPM not explicitly enabled in the computer’s UEFI BIOS and provisioned in Windows, the account PIN code is not “tied to the device” as Microsoft claims in the overly broad statement in Why a PIN is better than an online password (Windows) – Windows security | Microsoft Docs. Additionally, if the computer’s TPM, Intel Platform Trust Technology or AMD fTPM (firmware trusted platform module) is not enabled in the computer’s UEFI BIOS (and there are legitimate reasons to keep that module disabled), the PIN code will be cached in the local credentials database and can be brute-forced in pretty much the same way as the user’s password.

Without a TPM, PIN-based Windows authentication is insecure

We made several tests to verify security of PIN-based authentication by moving a Windows installation between computers and attempting to sign-in with a PIN.

Test 1: A Windows 10 installation with PIN-enabled account moved from one TPM-less system to another TPM-less system (i7-4700S) via physical disk swap. Booting the computer and entering PIN on the new system resulted in successful sign-on.

Test 2: A Windows 10 installation with PIN-enabled account moved from one TPM-less system to another TPM-less system (i7-4700S) via disk clone. No single piece of hardware (not even the boot drive) was left from the original system. Booting the computer and entering PIN on the new system resulted in successful sign-on.

Test 3: A Windows 10 installation with PIN-enabled account moved from the TPM-less system to a system with TPM enabled (i7-9700K) via disk clone. No single piece of hardware (not even the boot drive) was left from the original system. Booting the computer and entering PIN on the new system resulted in successful sign-on.

Test 4: A Windows 10 installation with PIN-enabled account moved from the TPM-enabled system to another system with TPM enabled (i9-12900K) via disk clone. PIN authentication on the new system failed; password-based sign-in was required; PIN code had to be removed and reentered to re-enable PIN sign-in.

These tests allowed us to conclude that the PIN code is not tied to hardware if the source system lacks TPM. If the source system does have TPM enabled and provisioned, the PIN code is then, indeed, tied to hardware.

Do I have a TPM?

Most portable computers (Windows laptops, tablets and 2-in-1 devices) utilizing an 8^th generation Intel processor or newer or an AMD Zen and newer are equipped with firmware-based trusted platform, which is enabled by default by most manufacturers. This means that most portable computers can use the TPM for additional protection.

For desktop computers, the firmware-based trusted platform is also available since 8^th-generation Intel and AMD Zen. However, the default setting for most AMD boards and Intel chipsets before the 12^th generation Alder Lake is disabled. To use TPM, users must manually enable fTPM (AMD) or Intel Platform Trust Technology (PTT) in their computers’ UEFI BIOS.

Most desktop computers with Intel 8th through 11th generation CPUs are equipped with TPM emulation; many have Platform Trust Technology (PTT) disabled by default. Most recent AMD boards also have the fTPM technology but have it disabled by default.

Note: OEMs started enabling firmware-based TPM in BIOS updates in lieu of Windows 11. Example:

Can Windows 10 use passwordless sign-in?

Windows 10 users can indeed make use of passwordless authentication. However, this would become a cloud-based, account-wide setting, removing the user’s ability to use a password when signing-in to their Microsoft Account online.

To use passwordless authentications, users are suggested to edit Advanced Security settings in their Microsoft Account online (How to go passwordless with your Microsoft Account):

How TPM affects Windows authentication

According to Microsoft documentation (How Windows uses the TPM – Windows security | Microsoft Docs), Windows may utilize the security coprocessor for a variety of tasks ranging from key protection to device encryption. According to our tests, real-life use of TPM in Windows is not as widespread as the documentation claims. For example, Microsoft Edge passwords are protected with a key managed via DPAPI (Data Protection API). If that key would be protected with TPM, an intruder would be unable to extract browser passwords by analyzing the disk image even if that disk image was unencrypted. However, even in Windows 11 that DPAPI key is not TPM-protected, and one can extract the user’s passwords kept by Microsoft Edge by unlocking the vault with the user’s Windows account password.

Instead of moving all DPAPI keys into TPM, Microsoft attempts to solve this problem by introducing a new type of Windows authentication that does not use a password. With TPM-protected passwordless authentication, neither passwords nor PIN codes are stored on the computer’s hard drive, hashed or not. Instead, the keys are protected by the TPM module (or its firmware emulation, which is no less secure from what we know).

This results in several important consequences.

First, the obvious: if passwordless sign-in is enabled on a Windows 11 PC, offline brute-force becomes unavailable for passwords and PINs for affected accounts.

It is technically possible to convert a passwordless account into a local Windows account and assign a known password to that account. However, once this is done, the DPAPI keys are lost, which means that a lot of protected information (including Edge passwords and NTFS-encrypted files) will be rendered permanently unavailable after such conversion. Nevertheless, “we have a tool for that”, and in a moment I will demonstrate how to do the conversion.

More information: How to Enable or Disable Password-less Sign-in for Microsoft Accounts in Windows 11?

Will it work on BitLocker volumes?

Yes and no. Before answering this question, I’d like to clear a common misconception that the Windows 11 TPM requirement is based on the premise of automatic BitLocker encryption of the system partition. This is not the case. Windows 11 default encryption policies differ very little from what we’ve seen in Windows 10 (and Windows 8.1 before it). While most portable devices such as laptops and 2-in-1 devices are automatically encrypted with BitLocker Device Encryption on all Windows editions, this is not the case for desktops regardless of the TPM or whether Windows 11 was an upgrade or a new install. Users of Windows 11 Pro, Enterprise, and Education editions can manually encrypt the system partition, while Home edition users will not have this option.

If BitLocker encryption is enabled on the Windows system partition, you will need to unlock the BitLocker volume first to access the required account database files. Since Windows 11 does require TPM by default, I will assume that the TPM module is installed (there is no practical difference between dedicated and integrated TPM devices or CPU emulation), and the encryption key is stored in the TPM. When you boot the computer into a different system (which, in this case, is Elcomsoft System Recovery), the TPM will not release the encryption key (here’s why: Understanding BitLocker TPM Protection). You won’t be able to attack the password because the ‘password’ protector (what’s that? Unlocking BitLocker: Can You Break That Password?) is not used for TPM-based system drive encryption.

The only option to unlock such BitLocker volumes is by using the BitLocker Recovery Key. For portable devices with BitLocker Device Encryption, Windows creates a recovery key automatically when encrypting the system partition; the recovery key will be automatically (and silently) uploaded into a Microsoft Account of the first user who signs in on that computer with administrative privileges and uses their Microsoft Account credentials (as opposed to a local Windows account). You may be able to request that key from Microsoft or download it by signing in to the user’s Microsoft Account and visiting the following link: https://account.microsoft.com/devices/recoverykey

For desktops, the recovery key may still be found in the user’s Microsoft Account. If it is not, you’ll need to find that key to mount the affected volume. There is a very small chance that the user enabled one or more additional protectors (such as ‘password’); you can check that by using Elcomsoft System Recovery to extract encryption metadata from the affected volume.

Once you have the BitLocker Recovery Key, mount the encrypted volume in Elcomsoft System Recovery to proceed:

Note: the disk will be mounted as a new drive letter.

After the system disk is successfully mounted, you will be able to access the list of Windows accounts.

How to unlock Windows 11 passwordless accounts

A passwordless Windows 11 account can be converted into a local password-protected account with Elcomsoft System Recovery. To launch the tool, boot the computer being investigated from a dedicated USB media with Elcomsoft System Recovery 8.20 or newer. If you have not done it already, here’s how to make the bootable USB drive with Elcomsoft System Recovery: A Bootable Flash Drive to Extract Encrypted Volume Keys, Break Full-Disk Encryption.

Once you boot the computer into Elcomsoft System Recovery, you will need to accept the license agreement and make the choice between read-only forensically sound processing and regular mode. To deal with account conversions, you must opt out of the forensically sound mode as it mounts the disk(s) read-only, while resetting Windows account passwords requires full read-write access to system files.

To convert a passwordless Windows account with Microsoft Account authentication into a local Windows account, follow these steps.

Select the user account to convert.

Type a new account password (optionally assign administrative privileges).

Make sure to backup the SAM database before conversion.

The tool automatically detects the “passwordless” option and prompts to remove it.

Elcomsoft System Recovery will display one final warning, then proceed with account conversion.

Note: after converting the account and assigning a known password, you will be able to boot the computer and sign-in to the user’s account. However, you will not gain access to NTFS-encrypted files (if any), as well as any DPAPI-protected items including but not limited to Edge stored passwords.

Conclusion

Despite the controversy surrounding Windows 11 elevated system requirements, Microsoft did the right thing. The use of passwordless authentication combined with TPM protection does a lot to secure Windows accounts. At the same time, we have not seen a change to default encryption policies. BitLocker Device Encryption is still a thing on portable devices only; on desktops, BitLocker encryption is not enforced and not automatically enabled. If enabled on a system partition, you will still require the correct BitLocker Recovery Key to unlock and decrypt the volume, same as in Windows 10.

Elcomsoft System Recovery speeds up in-field investigations by providing experts with a forensic tool they can use by booting a PC from a dedicated USB media. The recent update extended the functionality of the tool by adding three new forensic tools.

What’s it all about?

Elcomsoft System Recovery is a digital triage tool for examining computers in the field. The tool helps overcome the challenger of accessing a locked system, delivering a straightforward workflow for investigating computers in the field.

Originally released as a simple tool for resetting Windows users’ passwords, Elcomsoft System Recovery is now evolving into a feature-rich bootable forensic toolkit. The new release makes field analysis faster and more straightforward while still producing court admissible evidence with write-blocking disk imaging. Conveniently, using the new features does not require the user’s or administrator’s password. The newly added forensic tools include:

Timeline: allows reviewing the user’s activities logged by the Windows Timeline. This includes the list of launched apps and past activities laid out in the convenient timeline view.

Recent files and folders: lists recently accessed files and folders.

Installed apps: lists applications installed in the system.

Thanks to these new analysis features, experts can simply boot a PC from a USB flash drive and quickly review the user’s latest activities. The shortcut saves the time and effort of removing and imaging the hard drive(s), making it possible to make real-time decisions in the field.

Using Elcomsoft System Recovery forensic tools

To access the new Forensic Tools section, boot the computer being investigated from a dedicated USB media with Elcomsoft System Recovery 8.20 or newer. If you have not done it already, here’s how to make the bootable USB drive with Elcomsoft System Recovery: A Bootable Flash Drive to Extract Encrypted Volume Keys, Break Full-Disk Encryption.

Once you boot the computer into Elcomsoft System Recovery and accept the license agreement, you will see the program’s main window. Click the newly added “Forensic Tools” shortcut at the bottom of the window.

At this time, three forensic tools are available: Installed Apps, Timeline, and Recent files and folders.

Installed apps

The Installed apps tool displays the list of applications installed in the system being investigated:

When using this tool, you can choose between listing regular applications of installation packages. This is how the list of regular applications looks like:

The list of installation packages corresponds to the list of apps displayed in the Windows Control Panel (add/remove programs). This is how it looks like:

You can export the list of installed applications into a text file.

Timeline

Windows Timeline is a feature that first appeared in the Windows 10 April 2018 Update. The feature enhances Task View, enabling a glance into the past by displaying the user’s historical activities. The Timeline contains timestamped information about the user’s launched applications, searches, documents, and Web browsing history. Along with Windows jumplists, the feature is little known and rarely disabled, giving a valuable insight into the history of system’s usage.

Microsoft used to synchronize the Timeline with the user’s Microsoft Account. This is no longer the case today. Since April 2021 Microsoft discontinued the Timeline as a cloud service. However, the corresponding low-level data is still collected and stored locally on all Windows 10 and Windows 11 systems. This information can be extracted and analyzed with Elcomsoft System Recovery. By analyzing the Timeline data, experts can access to timestamped information about the app usage and Web page visits.

Timeline data is collected individually per user. When analyzing the timeline, you will have to specify the Windows installation path as well as the path to the user profile. The user’s password is not required.

The process can be repeated for every user account registered on the computer.

Recent files and folders

Just like the Timeline, Recent files and folders is a user-specific feature, requiring the path to the user profile.

By default, the tool only returns the list of recently accessed files. You can check the “Show recent folders” box to display the list of recently accessed folders.

The result will be sorted by last access time. You can change the order by clicking on the corresponding column or export the list of recent files and folders for future analysis.

 

Most password protection methods rely on multiple rounds of hash iterations to slow down brute-force attacks. Even the fastest processors choke when trying to break a reasonably password. Video cards can be used to speed up the recovery with GPU acceleration, yet the GPU market is currently overheated, and most high-end video cards are severely overpriced. Today, we’ll test a bunch of low-end video cards and compare their price/performance ratio.

Making use of GPU cores instead of the CPU helps break passwords faster. Even the slowest built-in GPU with a TDP of several watts may demonstrate performance comparable to a 190W CPU without a sweat. High-end GPUs such as the NVIDIA RTX 3080 can break passwords up to 500 times faster compared to a common Intel Core i7 CPU, while mid-range video cards delivering up to a 250x boost.

GPU acceleration offloads computational-intensive calculations from the computer’s CPU onto the video card’s Compute Units (CUs). A dedicated video card can deliver the speed far exceeding the metrics of a high-end CPU. Even a modest integrated GPU (the one built into a CPU) may be able to match or exceed the performance of the central processor while consuming significantly less electricity and dissipating a fraction of the heat produced by the CPU with similar load.

The price of GPU acceleration

The entire GPU market today is badly overheated, and that isn’t exactly AMD’s or Nvidia’s fault. Due to the high performance, high-performance video cards are consumed by crypto miners, driving the prices of all but the lowest-performing video cards to the sky. We first tried to address the situation by developing heterogeneous GPU acceleration, which is a technology that allows simultaneous use of multiple video cards of different makes and models in the same computer. The technology (built into Elcomsoft Distributed Password Recovery) allows users to effectively utilize existing hardware in mix-and-match scenarios, utilizing video cards of different makes, models, and generations.

Unfortunately, the crypto craze continued driving the prices of video cards up, making even mid-range video cards out of the reach of an average consumer. What’s left on the market are the lowest-performing cards that cannot be economically used for mining cryptocurrencies, as well as integrated GPUs built into many modern processors. Today, we’ll be testing their performance in an attempt to discover a password recovery acceleration unit with acceptable price-performance ratio.

We’ll be testing several hardware configurations in multiple scenarios. The configurations are:

1. CPU only: Intel i7-9700K system with no GPU.
2. Integrated graphics: the same system but using Intel’s built-in UHD Graphics 630.
3. Integrated graphics: AMD Radeon Vega 8 Graphics built into the AMD Ryzen 7 5700G.
4. Dedicated graphics: NVIDIA T600.
5. Dedicated graphics: NVIDIA 1650.

While the systems use different CPUs, this only matters for CPU-only benchmarks. GPU-accelerated attacks put very little load onto the CPU (approximately 3 to 6 per cent utilization per CPU core), which makes such tests pretty much CPU-agnostic.

We struggled to get a copy of NVIDIA RTX 3050 for benchmarking, yet we could not source one for a reasonable price (<400€). We’ll update the article once that card becomes available.

Intel UHD Graphics 630

The Intel UHD Graphics 630 (GT2) is an integrated GPU of the Coffee Lake generation or processors. The version of the GPU built into the Intel(R) Core(TM) i7-9700K CPU offers 24 Compute Units (CUs) and clocks at 1200 MHz. This GPU has no dedicated graphics memory and relies on the system memory (4x16GB DDR4 modules @ 3000MT/s installed in our system).

AMD Radeon RX Vega 8

The AMD Radeon RX Vega 8 is an integrated GPU in the Ryzen 5000 series processors. In our case, it is part of the AMD Ryzen 7 5700G CPU. The GPU is based on the Vega architecture announced way back in August 2017 and has 8 Compute Units (CUs) clocked at 2000 MHz. Just like above, this GPU has no dedicated graphics memory and relies on the system memory (2x8GB DDR4 modules @ 3200MT/s installed in our system).

AMD makes decent APU units with great integrated graphics. The RX Vega 8 looks unexciting on paper, yet we received unexpected benchmarks.

Nvidia T600 Quadro

The Nvidia T600 GPU is a fairly modern dedicated graphics card that was launched in April 2021 based on the Turing architecture (TU117 chip). It is equipped with 640 CUDA units and a 128 Bit memory bus for 4GB of GDDR6 dedicated graphics memory. The GPU is similar to NVIDIA 1650 with some of its CUDA cores disabled (640 vs. 896 CUs), while the price of a T600 Quadro is significantly less than the price of the NVIDIA 1650. Our sample is clocked at 1335 MHz. Spec sheet (PDF).

This fairly modern video card is based on a stripped-down, low-end video card and architecture from three years back. You cannot go any lower with any modern video card that can be bought new (unless you consider a truly ancient architecture such as the NVIDIA 1030 or 1050). The Quadro T600 can be bought for around 150€, and its performance sounds tempting, at least on paper.

Nvidia GeForce GTX 1650

The Nvidia GeForce GTX 1650 is a dedicated graphics card based on the Turing architecture (TU117 chip) that was launched in April 2019. The card is equipped with 4GB of GDDR5 dedicated graphics memory connected with a 128 Bit memory bus. Our sample is clocked at 1830 MHz.

The NVIDIA 1650 is a low-end video card released three years back. At the time of release, the card was priced around 200€; the lowest price today floats around 265€. We’ll use this card as a point of reference.

Test bench

The tests have been performed on computers with the following configurations.

1. Intel(R) Core(TM) i7-9700K CPU @ 3.60GHz; 4x16GB DDR4 @3000 MT/s
2. Intel(R) Core(TM) i7-9700K CPU @ 3.60GHz, Intel(R) UHD Graphics 630 (24 CU @ 1200 MHz, 1638 MB)
3. AMD Ryzen 7 5700G with Radeon Graphics, AMD Radeon(TM) Graphics (8 CU @ 2000 MHz, 3072 MB); 2x8GB DDR4 @3200 MT/s
4. Intel(R) Core(TM) i7-4770S CPU @ 3.10GHz , NVIDIA T600 (640 SP @ 1335 MHz, 4095 MB)
5. Intel(R) Core(TM) i7-9700K CPU @ 3.60GHz, NVIDIA GeForce GTX 1650 (896 SP @ 1830 MHz, 4095 MB)

Benchmarks

Using Elcomsoft Distributed Password Recovery, we ran several benchmarks and received the following results (values in passwords per second).

Relative performance was calculated based on the performance of the Intel Core i7-9700K CPU (with no GPU acceleration). The exception is the AMD RX Vega 8, which is built into the AMD Ryzen 7 5700G. For this GPU, we took two different points of reference, one being the CPU cores of the Intel Core i7-9700K, and the other one (marked in red) the CPU cores of the AMD Ryzen 7 5700G.

	7-Zip	Hancom	SHA-256	ZIP (AES-256)
Intel i7-9700K	1,00	1,00	1,00	1,00
Intel UHD 630	1,55	2,23	1,97	0,68
AMD 5700G	7,81	1,89	6,05	1,70
AMD RX Vega 8*	0,85	13,43	2,89	3,86
AMD RX Vega 8	6,65	25,41	17,50	6,57
NVIDIA T600	22,77	32,52	19,04	8,70
NVIDIA 1650	41,74	60,09	30,42	15,50

* We compared the performance of the AMD RX Vega 8 with the performance of CPU cores of the AMD Ryzen 7 5700G.

The CPU-only test returns the expected low numbers on the Intel Core i7-9700K. When using this processor’s integrated GPU, most numbers were higher except one: the ZIP (AES-256) benchmark speeds were slower than the CPU alone. This has nothing to do with ZIP or AES-256 but the recent optimization of CPU-only code for ZIP encryption in EDPR.

AMD Ryzen 7 5700G shows respectable results with its integrated RX Vega 8 GPU. The built-in graphic cards delivers a 6.6 to 25 times performance boost compared to the Intel Core i7-9700K CPU. This is what GPU acceleration is all about: a significant performance boost at a fraction of TDP. We were surprised to see how much faster the AMD APU was in our CPU tests compared to the Intel Core i7-9700K.

The NVIDIA T600 is 8.7 to 32 times faster than the Intel Core i7-9700K, while the older NVIDIA 1650 is 15 to 60 times faster than the CPU.

Price/performance ratio

Calculating the price/performance ratio was difficult, especially for the built-in GPUs. The “performance” part is based on the SHA-256 benchmark, which is about the most optimized algorithm for every platform. To calculate the price, we took the lowest available cost of a dedicated GPU (German marketplace) and added 300€ as a cost of a Core i7 equivalent CPU to calculate the “Complete system price”. While not perfect, this method allowed us to do a more-or-less fair price/performance comparison.

Complete system price = cost of dedicated GPU + 300€ (cost of a Core i7 equivalent CPU).

Price/performance is calculated as SHA-256 performance / complete system price

Normalized price/performance assumes the p/p of a CPU-only attack as a “1”

	Dedicated GPU price	Complete system price	SHA-256	Price/performance	Normalized price/performance
Intel i7-9700K	0	300	33200000	110666	1
Intel UHD 630	0	300	65500000	218333	1,97
AMD RX Vega 8	0	300	581000000	1936666	17,5
NVIDIA T600	150	450	632000000	1404444	12,69
NVIDIA 1650	270	570	1010000000	1771929	16,01

Looking at the numbers from the benchmarks above and this table, we made several conclusions.

1. CPU-only attacks don’t make sense at all.
2. Intel UHD graphics built into Intel’s desktop CPUs does not make much sense either. It is only worth enabling if there is no dedicated GPU installed, in which case it may or may not increase the performance (depending on the format).
3. The AMD Ryzen 7 5700G offers great price/performance ratio (arguably the best from the sampled hardware), but its absolute performance is lower compared to a 3 year old entry-level dedicated GPUs such as NVIDIA 1650.
4. Among the cheap graphic cards, the NVIDIA T600 Quadro does not look spectacular. Its 3 year old counterpart, the NVIDIA GTX 1650, delivers nearly double the performance at less than double the price. Considering the cost of the entire system, the T600 does not make much sense (unless purchased in bulk for way less than the 150€ as sampled).
5. The NVIDIA 1650 is the absolute performance champion among the tested units, while offering good price/performance ratio. Paired with an older/inexpensive CPU, these cards can deliver an even better price/performance ratio.

Cloud backups are an invaluable source of information whether you download them from the user’s iCloud account or obtain directly from Apple. But why some iCloud backups miss essential bits and pieces of information such as text messages, particularly iMessages? The answer is “end-to-end encryption”, and there’s more to it than just backups.

Where do iMessages go

Apple is known to have one of the best backup systems for mobile devices. Offering the choice of encrypted and unencrypted local backups, permanent and temporary iCloud backups, as well as providing a host of synchronization options (some of which work in parallel to backups), Apple makes every reasonable effort to protect their users’ valuable data.

When analyzing an iPhone backup, you may or may not find the messages (SMS/iMessage). Why does it happen, and can you do anything about it? First, let us see where the messages go, and why.

Local backups

Local backups (the ones made with the iTunes app or Finder in recent versions of macOS) contain the entire iMessage database, complete with text and attachments. If the backup is not protected with a password, the messages are stored in plain sight. If the backup is protected with a password, this will also encrypt the iMessage database.

Conclusion: iMessages always appear in local backups, both encrypted and unencrypted. Access via logical acquisition with Elcomsoft iOS Forensic Toolkit, view with Elcomsoft Phone Viewer.

iCloud backups

Text messages and iMessages may or may not appear in iCloud backups if the Settings – <Apple_ID> – iCloud – Messages toggle is switched on. That toggle enables real-time synchronization of iMessages across devices sharing same Apple ID. If the switch is on, the messages will be synchronized, but not backed up.

If the option is disabled, you can access the messages by downloading iCloud backups with Elcomsoft Phone Breaker; view with Elcomsoft Phone Viewer. Things get much more interesting if the sync is enabled; more on that in the next chapter.

Conclusion: Apple only stores iMessages in iCloud backups if syncing (the iCloud – Messages option) is not enabled.

More information:

• Protecting iMessage Communications
• The Forensic View of iMessage Security

Synchronized data and end-to-end encryption

Once the user enables the “iCloud Messages” toggle on their device, the messages sent and received will be stored in the user’s iCloud account, making it possible to sync iMessage conversations between their iPhone, iPad and Mac devices. If the user deleted a message in the iPhone app, it would be deleted on their iPad, and vice versa. The would be no way to extract such messages remotely, which was probably the case in the infamous Danish mink case.

Once the user enables the toggle, one more thing will happen: the messages will be no longer included in iCloud backups. This is also the case for many (but not all) other types of data that can be either synchronized or backed up. As a result, you will likely not see the iMessages when analyzing iCloud backups downloaded from the user’s account.

Apple protects their users’ personal information such as their browsing history, physical activities and messages with end-to-end encryption. End-to-end encrypted data is protected with a key that, in turn, is protected with another key derived from the user’s screen lock passcode. The whole scheme is designed in a way that even Apple themselves cannot (and explicitly will not, according to the company’s official stance) read any of that data. End-to-end encrypted data includes information from numerous apps such as Health, Messages, Maps, Keychain, and even Safari, making the users’ physical and online activities away from the preying eye.

Apple officially states that the company does not have access to keys protecting end-to-end encrypted data, and thus it cannot decrypt iMessages stored in iCloud. This also applies to information requests the company serves when presented a law enforcement order. According to Apple, “your messages are encrypted on your device and can’t be accessed by anyone without your device passcode”.

Extracting  iMessages from iCloud

To extract iMessages from iCloud, you will need an up to date version of Elcomsoft Phone Breaker. We strongly recommend updating to the last build as Apple is constantly changing their proprietary  communication protocols.

Before you begin

To extract iMessages from the user’s Apple account, one must be able to both authenticate into the account and decrypt the messages. End-to-end encryption is based on the user’s screen lock passcode, which can be taken from a trusted device registered on the user’s Apple account. It can be an iPhone, an iPad, or even a Mac (the user’s system password will be used in this case). Here’s how Apple defines a trusted device:

A trusted device is an iPhone, iPad, or iPod touch with iOS 9 or later, or Mac with OS X El Capitan or later that you’ve already signed in to using two-factor authentication. It’s a device we know is yours and that can be used to verify your identity by displaying a verification code from Apple when you sign in on a different device or browser. An Apple Watch with watchOS 6 or later can receive verification codes when you sign in with your Apple ID, but cannot act as a trusted device for password resets.

(from Two-factor authentication for Apple ID – Apple Support)

Note that end-to-end encryption is only available for Apple accounts with two-factor authentication enabled, so you will also need to pass two-factor authentication. Therefore, access to iMessages (as well as other end-to-end encrypted data) carries the following requirements:

• The user’s Apple ID and password
• Access to the second authentication factor (SIM card with a trusted phone number, or unlocked iPhone or iPad device registered on the same Apple account)
• Passcode (iPhone/iPad) or system password (Mac) of a trusted device

Steps to extract iMessages from iCloud:

1. Launch Elcomsoft Phone Breaker and select Apple > Download from iCloud > Synced Data
2. Specify the user’s Apple ID and password.
3. Provide one-time code to pass Two-Factor Authentication.
4. Select data to obtain from iCloud. Make sure the “Messages” box is selected.
5. Elcomsoft Phone Breaker will sign in to the user’s Apple account. Select a trusted devices to which you know the passcode or system password, and type in the passcode/password.
6. Messages will download.
7. After the messages are downloaded, click Finish.
8. You can now use Elcomsoft Phone Viewer to analyze downloaded messages.

Troubleshooting

From time to time, we receive reports that no messages (or only some messages) could be downloaded from a particular users’ account despite the full authentication. The most common reason for this is the sync deficiency on one or several users’ devices. While the message synchronization mechanism is similar to iCloud Keychain, these separate services appear to be interconnected; the iCloud Keychain keeps (and syncs) the encryption key that protects iCloud Messages. Disabling iCloud Keychain  on a certain device effectively prevents messages from syncing. A misconfiguration on one or several users’ devices may effectively prevent iMessage sync on those devices. In addition, messages will only sync if 2FA is enabled on the user’s account.

Alternatives to Elcomsoft Phone Breaker

At this time, Elcomsoft Phone Breaker is the only third-party forensic tool that can extract end-to-end encrypted data from Apple iCloud. The only alternative would be logical or low-level extraction of a trusted Apple device, which can be more difficult and time-consuming compared to cloud extraction.

More information:

• iMessage Security, Encryption and Attachments
• How to Obtain iMessages from iCloud

 

 

Do you have to know which SoC a certain Apple device is based on? If you are working in mobile forensics, the answer is positive. Along with the version of iOS/watchOS/iPadOS, the SoC is one of the deciding factors that affects the data extraction paths available in each case. Read this article to better understand your options for each generation of Apple platforms.

It’s been more than a year since we compiled essential information on Apple mobile devices into a single easy-to-use table; see Apple Mobile Devices Cheat Sheet. There have been several updates since then, and we added more information on the available acquisition methods.

We covered the possible acquisition scenarios in iPhone Acquisition Methods Compared, but that article is slightly outdated too. The compatibility matrix currently looks as follows:

What do the colors mean?

• Green: you can do almost everything, including passcode cracking.
• Blue: devices vulnerable to the checkm8 exploit. It means that BFU (Before First Unlock) is possible regardless of iOS version. For unlocked devices acquisition options are wide enough.
• Red: you cannot extract a locked device.  For unlocked devices, keychain and file system image can be extracted for the listed iOS versions.
• Black: only logical and iCloud acquisition methods are available for now.

checkm8 acquisition is something very special. Our tools support it for iPhones up to and including the iPhone X. At this time, the following devices are not supported even if their SoC has the bootloader vulnerability exploited by checkm8:

• iPhone 4s. Despite the age of this device, it’s really hard to work with; a reliable checkm8 implementation exists for Arduino only.
• iPads (all models). Noted the ‘X’ in SoC names? Processors like A12X and A12Z are not really different from A12, yet the checkm8 implementation needs some changes. It may or may not work, but no official support.
• Apple TV. The 3^rd model is similar to the iPhone 4s, which is really troublesome (see above); there are some issues with the newer 4 and 4K models as well. The 2021 model is not supported.

On the other side, we do support the Apple Watch Series 3. It does not appear in the table, yet the S3 model is compatible with the checkm8 exploit, and we can extract the keychain and the file system for all watchOS versions. To make it easier, here is the full list of devices with checkm8 support (in fact, iPhone 4 is handled with another bootloader exploit):

• iPhone 4 (iPhone3,1/iPhone3,2/iPhone3,3): A1332, A1349
• iPhone 5 (iPhone5,1): A1428, A1429, A1428
• iPhone 5c (iPhone5,4): A1507, A1526, A1529, A1516
• iPhone 5S (iPhone6,1/iPhone6,2): A1453, A1533, A1457, A1518, A1528, A1530
• iPhone 6 (iPhone7,2): A1549, A1586, A1589
• iPhone 6 Plus (iPhone7,1): A1522, A1524, A1593
• iPhone 6s (iPhone8,1): A1633, A1688, A1691, A1700
• iPhone 6s Plus (iPhone8,2): A1634, A1687, A1690, A1699
• iPhone SE (iPhone8,4): A1662, A1723, A1724
• iPhone 7 (iPhone9,1/iPhone9,3): A1660, A1778, A1779, A1780, A1853, A1866
• iPhone 7 Plus (iPhone9,2/iPhone9,4): A1661, A1784, A1785, A1786
• iPhone 8 (iPhone10,1/iPhone10,4): A1863, A1905, A1906, A1907
• iPhone 8 Plus (iPhone10,2/iPhone10,5): A1864, A1897, A1898, A1899
• iPhone X (iPhone10,3/iPhone10,6): A1865, A1901, A1902, A1903
• iPod touch 6th gen (iPod7,1): A1574
• AppleTV 3 (AppleTV3,2): A1469
• Apple Watch S3 (Watch3,1, Watch3,2, Watch3,3, Watch3,4 ): A1858, A1859, A1860, A1861, A1889, A1890, A1891, A189

Agent acquisition is 100% compatible with all iPod models “corresponding” to the iPhones.

As for the iOS versions, there are some notes too:

• checkm8 works on many devices up to and including the iPhone X, but for iPhone 7, iPhone 8 and iPhone X running iOS 14 and 15 you will need to remove the passcode prior to acquisition. It is sometimes troublesome, and has some consequences, see How to Remove The iPhone Passcode You Cannot Remove for details.
• One of the exploits we use only support devices based on the A11-A13 SoC only.
• For A12 and A13 devices running iOS 14.5+, we cannot decrypt the keychain (only the file system is extracted).
• We do support iOS 15.0 and 15.0.1 on A11-A13 with the agent, as well as iOS 14.8 and lower, but we do NOT support iOS 14.8.1 (the latest available iOS 14 version).

Sounds confusing? With the number of models and OS versions, it is virtually impossible to provide a straightforward roadmap, step by step instructions, or implement a single push button solution.

The software

“We have a tool for that!” For everything low-level, including agent-based and checkm8-based extractions, use Elcomsoft iOS Forensic Toolkit. Note that you’ll need the Mac edition of the tool for checkm8 extractions. Also use the Toolkit for advanced logical extractions as well as file system imaging with jailbreaks. Finally, if you have a legacy 32-bit iPhone protected with an unknown passcode, Elcomsoft iOS Forensic Toolkit is the tool to use to unlock the device.

Use Elcomsoft Phone Breaker for everything cloud related. Cloud backups, iCloud Photos, synchronized data, iCloud Keychain and other end-to-end encrypted data can be extracted with this tool. We are constantly working to keep it up to date with the latest changes in Apple’s communication and encryption protocols.