Using Elcomsoft iOS Toolkit with an iPhone

We have been tasked with testing Elcomsoft’s iOS Toolkit for the Burlington Police Department. We are going to be testing the software on an iPhone 3GS, iPhone 4, and iPhone 5. iOS Forensic Toolkit is a tool that performs an acquisition of user and/or file system data store in iPhone, iPads, and iPod devices running almost any version iOS, iOS 6.x is not yet supported. We are currently working with an iPhone 3GS, which, when provided to us, had iOS 6.1.2 from a previous project the LCDI used it for. Our first task was trying to downgrade to iOS 3.1.3. There are dozens of tutorials online about how to downgrade your iPhone to an earlier version, but none of them were helpful to us.

The 3GS we working with had the “oldbootrom” which was supposed to make it easier to downgrade. This was not the case. The bootrom is the first important code that executes on the device. We spent several days working with: redsn0w, iREB, sn0wbreeze, tiny umbrella, RecBoot, the Windows host file, various versions of iOS .ipsw files, older versions of iTunes, forums, apple error codes help page, co-workers, and Google; trying any combination of these tools/resources and files to get the 3GS to downgrade to iOS 3.×. No dice. Redsn0w and sn0wbreeze are jail breaking software. iREB, tinyumbrella, and RecBoot are programs that help the device enter pwned DFU mode. The windows host file is a file contained within windows that maps host names to IP Addresses Rather than downgrade to iOS3.1.3; We decided to try to restore the iPhone back to iOS5.×. A few tutorials helped me achieve this. We used sn0wbreeze to make a “cracked” version of the iOS 5.1.1 .ipsw file. We put the 3GS into pwned DFU mode using iREB-r7, and using iTunes 10.6, We restored the 3GS to iOS 5.1.1. This gave me a 1601 error which We had come to the conclusion means there is an issue connecting to the Apple update server. We checked the windows host file and the IP address for; it didn’t match the IP address We got when We pinged After fixing the host file, We started over again and the 3GS finally was able to downgrade to iOS 5.1.1. Rather than testing my luck and trying to downgrade to iOS 4.x or 3.1.3, We backed the phone up through iTunes and retrieved a Physical Extraction of the 3GS using Cellebrite.The next step We took was to generate data. The following steps were done to generate data on the phone, not in any particular order (some data listed below has been changed to protect personal identifiable information):Model: iPhone 3GS with iOS 5.1.1

  1. Set a passcode – 1234
  2. Made calendar events – June 8th 2013 – my birthday; May 27 2013 – C’s birthday
  3. Set reminders – June 7th 10:00 2013 – work on Elcomsoft project; July 3rd 2013 – work on cell phone lab
  4. Sent emails – email sent to – subject: “Hi”, message: “What’s up Sent from my iPhone”; email sent to – subject: “Hello”, message: “Spaghettios Sent from my iPhone”; received emails from Facebook, twitter, LinkedIn, TextMe
  5. Set alarms – 8:00 every Thursday: “That thing’, 8:30 every Thursday: “That other thing”6.
  6. Add photos, music, videos – took two pictures of: polar seltzer can and Cheetos bag – added three pictures from computer: kitten, puppies, cheese; took video of J and C – added two videos from YouTube: chocolate rain, all your base are belong to us; added two song downloaded from SoundCloud.
  7. Downloaded apps – chrome, find my iPhone, TextMe 2, Facebook, twitter, Instagram, SnapChat, LinkedIn
  8. Made Calls (through TextMe 2) – made call to 555-555-1234; received call from 555-555-1234
  9. Sent Texts (through TextMe 2) – sent text to 555-555-1234 – “hello — sent by xxxx via”; received text from 555-555-1234 – “Test”
  10. Sent MMS (through TextMe 2) – sent picture message to 555-555-1234 – picture of a keyboard; sent mms message from 555-555-1234– did not receive
  11. Generated internet Activity (connected to WiFi – “test”)
    • Safari –;;;;;;
    • Chrome –;;;;; – searched “computer forensics”;
  12. Used Apps –
    • YouTube app: iGun rampage, Harlem Shake
    • ​​Find my iPhone: logged in using apple id, location seems accurate
    • Facebook – took picture of keyboard for profile picture; made status “hello world”
    • SnapChat – made a video sent to myself
    • twitter – sent tweet “hello world”
    • Instagram – shared picture of keyboard, shared on Facebook and twitter
    • LinkedIn – Made profile
    • TextMe – see above in send text/mms section
  13. ​Turned location services on – twitter, Instagram, camera, weather, maps

After We did this We made another Physical Extraction of the 3GS using Cellebrite.

The next step was trying to get the phone to downgrade to iOS3. After careful consideration we decided to scrap that idea and just concentrate on downgrading to iOS4. This task proved to be just as difficult as it was to downgrade from iOS6 to iOS3. After several dozen attempts at downgrading to iOS4, using the above tools/resources, We failed again. After a whole slew of the same error codes and new error codes We decided to scrap this idea as well. A quick Google search showed that most people are at least at iOS5 or above so for the purposed of this project, iOS5 and 6 will have to work.

The next step is updating to the newest iOS6. We uninstalled iTunes 10.6 and updated to the newest version ( Simply updating the 3GS turned into a nightmare. After messing around with it for a while we decided to check the host file, again; Low and behold the IP address for was different, again. We changed it to what it was supposed to be and tried updating again and it worked. We backup up the phone in iTunes and captured a Physical Extraction of the 3GS again. Then we generated more data on the 3GS. I followed the above steps to generate data. After we generated all of the data we backed up and captured a Physical Extraction of the 3GS a final time. Now we just need the software to start testing it out.

-Nick Murray

More Research Projects
The Leahy Center Inventory Project
Social Media Footprint Awareness
My Experience on The VPN Comparison Team