iOS Forensic Toolkit 2.40 Extracts More Information from Locked iPhones

iOS Forensic Toolkit 2.40 is updated with enhanced support for lockdown records, enabling forensic experts to extract more information from locked down iPhones and iPads in “cold boot” situations. The new release can access advanced device information through the use of lockdown records even if the device is completely locked down and has never been unlocked since powered on or rebooted.

iOS Forensic Toolkit 2.40 extends the use of lockdown (pairing) records for the purpose of extracting additional device info from iPhone and iPad devices that are locked with an unknown passcode. In particular, the new build extracts more information from iOS devices that are locked and have never been unlocked after being powered off or rebooted (the “cold boot” situation). The ability to use lockdown records for extracting information from locked devices in “cold boot” state can be extremely important for investigations.

  • Device model and name
  • iOS version and build number
  • Device ID
  • MAC addresses of the phone’s Wi-Fi and Bluetooth adapters
  • ICCI/IMEI/IMSI and phone number
  • Whether or not an iTunes backup password is enabled
  • Date and time of last iTunes and iCloud backups
  • List of synced accounts including email address for Google accounts
  • Various bits such as total and available disk space, time zone and language settings

If the iOS device has been unlocked at least once, iOS Forensic Toolkit 2.40 can additionally extract comprehensive information about the apps installed on the device. This includes app names and versions, access permissions, as well as the names of their data folders. While this information is also available via full local backups, a local backup may come out encrypted with an unknown password, in which case the data will be encrypted unless the password is known.

Więcej, dodatkowo