iOS Forensic Toolkit enables physical acquisition support for 32-bit iOS devices running iOS 9.3.5, the last version of iOS 9. Thanks to the recently released Phoenix jailbreak, the Toolkit can now perform physical acquisition of iPhone 4s, 5/5c, iPad 2/3/4, iPad mini, and iPod 5g running the last version of iOS 9.
The recently released semi-untethered Phoenix jailbreak adds physical acquisition support for Apple’s 32-bit devices such as iPhone 4s, 5/5c, iPad 2/3/4, iPad mini, iPod 5g running iOS 9.3.5, which is the last version of iOS 9. While 32-bit iPhones and iPads are already old by smartphone standards, their full physical acquisition support enables ElcomSoft’s law enforcement and forensic customers to image a number of legacy devices, extracting evidence that might be available in these previously inaccessible devices.
With the help of the Phoenix jailbreak, Elcomsoft iOS Forensic Toolkit can perform the complete range of services including physical-level imaging and decryption of the data partition, decryption and examination of keychain items, and unrestricted access to sandboxed app data. This level of access is simply not possible with any other acquisition methods. As an example, physical acquisition of jailbroken devices enables forensic access to saved email messages, passwords, and full conversation logs saved by some of the most secure messengers such as WhatsApp, Telegram, Signal, Skype and Facebook Messenger. Compared to iOS backup analysis, this method adds access to browser cache and temporary files, email messages, extended location history, and data that belongs to apps that explicitly disable backups.
Physical acquisition of 32-bit devices running iOS 9.3.5 requires installing the Phoenix jailbreak from https://phoenixpwn.com/.