Explore the content of local and cloud backups produced by iOS, BlackBerry 10, Windows Phone 8 and Windows 10 Mobile devices! Elcomsoft Phone Viewer is a small, lightweight tool enabling read-only access to contacts, messages, call logs, notes and calendar data located in mobile backups. In addition, the tool displays essential information about the device such as model name, serial number, date of last backup etc. Finally, the tool implements access to deleted SMS and iMessages stored in iOS backups.
A Perfect Viewing Companion
Yet another “me too” forensic viewer? We looked hard for a tool we could recommend to our customers for viewing data decrypted or downloaded with Elcomsoft Phone Breaker. No single tool on the market meets our stringent requirements on speed, compatibility and ease of use. That’s why we introduced a viewing tool of our own.
Elcomsoft Phone Viewer is the ideal viewing companion for Elcomsoft Phone Breaker, enabling full support for all data formats produced by this tool. Regularly maintained and timely updated, Elcomsoft Phone Viewer is the first to receive support for the latest mobile backup formats extracted, downloaded or decrypted with other ElcomSoft tools. Using our mobile acquisition tools? Elcomsoft Phone Viewer is a perfect companion!
Note that Elcomsoft Phone Viewer can only open unencrypted backups as well as iTunes backups with a known password. Should you have a backup file encrypted with an unknown password, use Elcomsoft Phone Breaker to recover the password.
Analyzes Online Activities
Elcomsoft Phone Viewer displays the user's online activities including Web browsing history and search queries, browser bookmarks and opened tabs including page snapshots. Information about recent search queries and last visited Web sites already helped solve multiple cases, and will undoubtedly help investigating crime.
Access to Synced Data, Passwords and Messages
Information such as call logs, contacts, notes, calendars as well as Web browsing activities including Safari history (including deleted items), bookmarks and open tabs can be synced with Apple servers. Unlike iCloud backups that may or may not be created on daily basis, synced information is pushed to Apple servers just minutes after the corresponding activity has taken place. Once uploaded, synced data can be retained for months with no option for the end user to clear the data or disable the syncing.
Synchronized records can be obtained for extended periods of time; much longer than available in iOS devices and device backups. Existing and deleted records are obtained, and filter can be applied to only display deleted records.
Elcomsoft Phone Viewer is ElcomSoft's stock tool for viewing synced data extracted from Apple iCloud with Elcomsoft Phone Breaker. The following types of synced data can be viewed:
- Messages in iCloud: complete with attached media files and documents
- Safari (browsing history, bookmarks, tabs opened on user's devices)
- Voice Memos
- Calendars, notes and contacts
- Call logs (information about calls made and received)
- Apple Maps (routes, places, searches)
- Wi-Fi (wireless access points, MAC addresses, date and device added)
- Wallet (everything except payment data)
- Account info (comprehensive information about the user and devices registered on the Apple ID account)
Elcomsoft Phone Viewer can display pictures and videos captured with the phone or saved by one of the many apps. But don’t you worry, there won’t be a big mess of thousands of images appearing in a single thumbnail gallery. The files will be automatically split into a number of categories, making it easy to discover which pictures were captured with the phone’s camera, or received as messages or attachments. A separate category filters out system and application images such as buttons, logos and splash screens. Album view is available to allow you better navigate through thousands of images.
Multiple sources of location data may be available in a given backup or image. Location data may be found in calendar events, iMessage attachments, map caches and system logs. Geolocation is one of the most important EXIF tags available. Elcomsoft Phone Viewer will automatically extract location data from multiple sources, and map the locations with OpenStreetMap. The ability to map GPS coordinates extracted from multiple sources can become extremely handy during investigations.
Analyze Apple Health Data
Health data can serve as essential evidence during investigations. At very least, the data includes step count, running and walking distances with exact timestamps the user was walking or running. Significantly more evidence is available if the user wears a HealthKit compliant device such as the Apple Watch or a third-party fitness tracker. A multitude of third-party apps may contribute to Health data significantly.
Elcomsoft Phone Viewer can display Health data stored in password-protected iTunes backups and file system images obtained from iOS devices in TAR/ZIP format with Elcomsoft iOS Forensic Toolkit or GrayKey during physical extraction.
TAR Images: The iOS File System
Since the introduction of the iPhone 5s, Apple’s first 64-bit iPhone, physical acquisition has never been the same. For all iPhone and iPad devices equipped with Apple’s 64-bit processors, physical acquisition is exclusively available via file system imaging. The imaging is performed on the device itself in order to bypass full-disk encryption. Regardless of the tool performing physical acquisition, the result of these efforts is always a TAR archive containing an image of the device’s file system. Elcomsoft iOS Forensic Toolkit produces TAR files as the result of the “F” (File System) command.
Up until now, most tools available for analyzing information inside these TAR images were integral parts of fully-featured forensic toolkits. The expert's choice would be limited to either time-consuming and labour-intensive manual analysis requiring a high level of expertise, or a highly sophisticated and complex forensic suite, with nothing in between. Elcomsoft Phone Viewer offers the lightweight and convenient third option, enabling fast and easy analysis of evidence found in the results of physical acquisition.