Note: this version of FAQ is slightly outdated and describes an older version of EIFT (1.15). An update has been published as a separate document, avaialble here. But please start reading from this version as it provides basic information on the product.
Sep 06, 2019 If your device is 64-bit, running iOS 10 and have Meridian jailbreak installed – enter 2222 (and ENTER). For all other iOS versions and jailbreaks (btw, we recommend using doubleH3lix for iOS 10), then also use default 22. To acquire data from jailbroken devices, we establish the connection first. Welcome to Penn Elcom Online. The Flight Case & 19 Inch Racking Superstore. Our customers love us. We have a 9.5 rating on Trip Advisor and are the No.1 Audio Cable & 19 Inch Racking Company in Europe. Location and Hours. Main Office; Touch Screens, Inc. 1660 West Circle; Saint George, UT 84770, USA; North Carolina Office; 6540 US Hwy 19; Marble, NC 28905, USA.
The USB-CAN adapter is a device for an easy dynamic debugging of CAN applications and for the transparent diagnostic of a CAN bus. The adapter is controlled by USB bus from USB-CAN application or your own application created by modification of CAN-Start application in Delphi development environment.
Q. What is this product all about?
A. Physical acquisition. The tool performs a real-time, complete forensic acquisition of user data stored in iPhone/iPad/iPod devices running any version of iOS. It captures bit-to-bit images of devices’ file systems, extracting device secrets (passcodes, passwords, and encryption keys) and decrypting the file system image. It can also recover device passcodes (some limitations apply). A major feature of iOS Forensic Toolkit is its super-fast operation: data is acquired and decrypted in real time; the entire content of a 16 GB device can be captured in under 20 minutes with no “ifs” and “buts”.
Q. Do you limit usage of this product to law enforcement agencies only?
A. We used to, but not anymore.
Q. What are the product's system requirements?
A. iOS Forensic Toolkit for Mac OS X requires an Intel-based Mac computer running Mac OS X 10.6 (Snow Leopard), 10.7 (Lion) or 10.8 (Mountain Lion) with iTunes v. 10.2 or later installed. The Toolkit for Microsoft Windows requires a computer running Windows XP, Vista or Windows 7 with iTunes 10.2 or later installed.
Q. Is the Mac version better than the Windows one?
A. Yes. First, Macs have more reliable USB ports. Second, when you connect an iOS-based device in DFU mode to a Windows system, the system must install the drivers, which may take a long time and is not always safe for the system.
Q. What iOS devices are supported?
A. Here is the full list:
- iPhone 3G
- iPhone 3GS
- iPhone 4 (GSM and CDMA models)
- iPhone 4S*
- iPod Touch (up to 4th gen incl.)
- iPad (1st generation only)
- iPad 2 *
- The new iPad *
*Note: support for iPhone 4S, iPad 2 and the new iPad is limited to jailbroken devices (that are not locked) running iOS 5.x.
Update (07/17/2013): newer devices such as iPhone 5 are supported now, as well as iPhone 4S and iPad 2+ running iOS 6. Please refer to the second part of FAQ.
Q. What iOS versions are supported?
A. For non-jailbroken devices (up to and including iPhone 4), all systems from iOS 1.0 to the latest iOS 6.x are supported. For iPhone 4S, iPad 2 and the new iPad only jailbroken iOS 5.x is supported.
Update (07/17/2013): all devices running iOS 6 are supported now; please refer to the second part of FAQ.
Q. How do I identify my device model?
A. The following articles on Apple web site should help:
Q. What about iPhone 5, 4th gen iPad, iPad Mini, and latest iPod?
A. Sorry, they are not supported. We are working on adding support for jailbroken devices in the same way as It was made for iPhone 4S etc.
Update (07/17/2013): we did it. Please refer to the second part of FAQ.
Q. Do you provide a jailbreak (for the devices such as iPhone 4S)?
A. No, we don’t jailbreak devices. You are supposed take care of that yourself.
Q. What if the device is locked (i.e. after 10 unsuccessful attempts to enter the passcode)?
A. No problem! You can still use the Toolkit with it.
Q. What's the difference between EIFT and EPPB (Elcomsoft Phone Password Breaker)?
A. Speaking of iOS (EPPB supports iOS and BlackBerry devices), EIFT performs physical acquisition and requires you to have access to the device itself. On the other hand, Elcomsoft Phone Password Breakerworks only with iTunes and iCloud backups.
Q. What is the benefit of physical acquisition?
A. It works faster than backup analysis, and you can acquire much more information. Some of the files stored on iOS devices are not accessible in user mode, and so cannot be read using logical (backup) acquisition. Sometimes, certain data can be extracted but cannot be decrypted. In contrast, physical acquisition allows you to get everything, i.e. create an exact bit-by-bit image of the device in real time.
Q. When should I use the logical acquisition?
A. Generally, logical acquisition works faster with small amounts of information. Use logical acquisition if you are in a rush. Logical acquisition works at the 'file level'. Also, logical acquisition comes handy if you don't have access to third-party forensic tools that work with disk images.
Q. I get a lot of error messages during logical acquisition - many files cannot be copied. What should I do?
A. This is by design. In this mode (at user/file level), certain files remain inaccessible. The only way around this problem is using physical acquisition.
Q. How to analyze and browse information extracted by EIFT?
A. You can mount images created by EIFT into your system. If you’re using a Mac, you can simply double-click an image. In Windows, you will need some third-party software that supports HFS+ file system. After the image is mounted, you can browse through the files using Finder (Mac OS X), Explorer (Windows), or whatever else. However, we would recommend you to use a special third-party tool such as Oxygen Forensic Suite.
Q. Is it possible to perform data carving through unallocated space, or restore deleted files?
A. We’re planning to add this feature to EIFT (currently, there is no other software that can do that for iOS4+ file system). Only deleted messages (SMS/iMessage) can be restored under certain circumstances.
Q. Do you have a similar product for Android?
A. No. At this time, we have no plans to develop such a product.
Q. What about BlackBerry?
A. If a BlackBerry device is locked with an unknown password, it is not possible to perform a physical acquisition at all. If a password is known or not set, the acquisition is possible, at least in theory, but would require a special loader specific to each particular device. However, it is sometimes possible to recover BlackBerry device passcodes using Elcomsoft Phone Password Breaker (and btw, it can also recover passwords to BlackBerry Wallet and Password Keeper applications).
Q. How long does the acquisition of iOS device take?
A. It depending on the type of the device and its memory size. In a ballpark, physical acquisition may take from 15 minutes to about an hour.
Q. How easy is it to break the passcode?
A. In iOS version up to 3.x, passcodes can be recovered instantly. With iOS 4 and later, there are three types of passcodes. Simple passcodes are 4 digits only. Simple passcodes have a guaranteed recovery time of 30 minutes or less. Passcodes of the second type also only contain digits, but are not limited to 4 digits. Breaking these passcodes is much more lengthy, considering that the recovery speed is about 5 passcodes per second. In the worst case, a passcode may contain all printable characters, and may have any length. This situation is very rare simply because the user would have to enter the passcode every time when unlocking the device. The good news is that the type of a passcode is stored in the system, and EIFT can detect it, so you can easily figure out what kind of an attack should be used.
Q. Is it possible to run an offline passcode attack, e.g. on faster hardware?
Drivers Elcom S.r.o Port Devices Usb
A. Unfortunately, no. Apple devices are intentionally designed so that passcode verification can be only performed on the device.
Q. Can I do anything if the passcode has not been recovered?
A. Yes. You can still image system and user partitions, and decrypt the user partition. The only information that won’t be decrypted is mail and some of the keychain data.
Q. Does EIFT leave any traces on the device?
Drivers Elcom S.r.o Port Devices Inc
A. For old devices (up to iPhone 4 and first-gen iPad), the product has true 'zero-footprint' operation, whatever you do. For jailbroken devices (iPhone 4S etc), the jailbreak itself is the main modification, as well as OpenSSH (if it has not been installed already), plus a couple of our utilities intended for recovery of the passcode and extracting the encryption keys from the system.
Q. Is it possible to extract anything from the device that has been reset?
A. Nothing useful. Once the device is reset, the encryption keys are securely wiped. While you can still extract raw data, decrypting the data will not be possible, so anything obtained from the device will be completely useless for an investigation.
Q. What is the difference between Guided and Manual modes?
A. The Guided mode is designed to automate the acquisition process as much as possible. In this mode, you get a text-based menu listing the operations you can perform. Via this menu, you can load ramdisk, break the passcode, extract and decrypt the keychain, and make an image of device partition(s). Manual mode offers more flexibility via allowing command-line operations. The main functional difference comes in cracking the passcode: the Guided mode only allows cracking simple passcodes (4-digit passcodes). The Manual mode also allows cracking complex passcodes that are longer than 4 characters or contain alphanumerical characters using brute-force and dictionary attacks.
Q. What problems are common when using EIFT and how to deal with them?
A. The trickiest part is entering the device into DFU mode. We have not seen anyone being able to do that from the first try. Please follow the instructions carefully. YouTube has lots of video guides on how to perform the procedure. Once you got it, everything else should run smoothly. Some problems that may occur can be halted passcode recovery or incomplete device imaging. Things you should try are:
- Try using a different USB port;
- Try using a different USB cable;
- Use a Mac version of the Toolkit on a Mac instead of Windows PC.
Q. Do you have plans to make a GUI version?
A. This is one thing we are still considering.
Q. How can I try a product before purchasing?
A. You can order a trial kit. The trial kit is fully functional, but only works for 15 days after the first run. The trial kit is not free, but its price just barely covers the cost of the mandatory USB dongle and express delivery to your door.
Q. If I decide to purchase the full one-year license for EIFT, will I get another dongle?
A. You can continue using the dongle you get for the trial. We will provide you will the utility that upgrades your license and the dongle. Same for renewal of the existing full license.
Q. Are there other types of license for EIFT covering other periods beside the two-week trial and the one-year full license?
A. At this time, those two are the only licensed offered.
Q. I've got a problem when my problem goes to sleep during Toolkit operation. Is there anything I can do?
A. Yes, the Toolkit loose the connection to iOS device when the system awakes. As a workaround, you can use the built-in utility caffeinate (availabvle in MacOS X 10.8 and later) that prevents the system from sleeping. To do that, just replace the command in Toolkit.command & Toolkit-JB.command scripts:
/bin/bash “$BINDIR/Toolkit.sh” 2>&1 | tee –a “$LOGFILE”
with the following one:
caffeinate –i /bin/bash “$BINDIR/Toolkit.sh” 2>&1 | tee –a “$LOGFILE”
Flash06srv
All DAD detectors have numerous self-test functions, such as error messages, which allow an easy problem identification and testing. The test SW used in production releases a valid production report only for units which met all requirements. The test report contains stored setting parameters, lamp working hours, lamp starting voltage and current, wavelength adjusting accuracy, lamp intensity and a lot of other information. For service purpose there is service SW available which allows comfortable units testing and diagnostics, enabling sending a diagnostic report to service center easily, helping to simplify and speed up communication with them.
ECOM VCP Instrument Driver
New ECOM devices (e.g. ECDA2000, ECCM2112, TOY14DAD, ...) offer USB interface. Such interface can behave as a Virtual COM Port (VCP) and it removes the need of external USB/RS232 converter. The following driver is signed to support this feature on these OS: Win7 (x32, x64), Win8 (x32, x64) and Win8.1 (x32, x64). Win10 supports this feature natively and the driver is not needed.
ECCMConf
The utility is used to configure IP settings for converter unit ECCM2112 or devices using this or similar unit (TOY14DAD, BABY18DAD, TOY18DAD, ECDA2800, SPIDER*, ECP2000*) through LAN. The unit ECCM behaves like converter between Serial and Ethernet/ USB interface. The USB behaves like VCP (see above driver) and the Ethernet interface can be used directly.
Ecomac
TheECOMACis windows application is used for controlling of chromatographic process, communication with chromatographic devices and storing data for next evaluation. The application supports variant devices for liquid chromatography such as pumps, detectors, column ovens etc., especially those produced by the company.
Main aspects of application are:
- Simple usage
- Support ECOM's with communication interface
- General interpretation of devices and measured properties
- Supporting variant export formats
- Low hardware requirements for application itself
- Runnable on WinXP, Vista (32, 64), Win7 (32, 64), Win8.x (32, 64), Win10 (32, 64)
- Application is built for 32bits supporting unicode
- Languages: English, Czech, Simplified Chinese
Application is written in C under GPL v2. It is also hosted on server sourceforge.net.
NOTE: The ECOMAC registration license was changed from version 0.260. The license code is attached to serial number of any connected device now. If you have problem with license in new version, please contact vendor.
Clarity modules for ECOM's devices
The ECOM company develops its own Clarity modules for control and data acquisition from ECOM's devices. These modules are used to direct communication between Clarity and devices via RS232/USB/Ethernet buses (they are not used for A/D boards INT/UPAD ...).
These modules will become a part of std. Clarity installation. Than the RECOMMENDED way for their installation is Clarity update to the latest version! This integration has some technological delay and we offer latest version of our modules here. This latest version may serve for modules testing, meet the documentation and so on. If you install modules from this page then installation qualification may not be valid. This is reported in IQ protocol and on stations screen by Unauthorized modules warning.
Important: Below drivers will work within Trial or Distributor licence only from Clarity v8.2!
Installation steps:
- Download ZIP archive.
- Extract ZIP archive.
- Copy all files to C:ClarityBin.
- Versions before 7.2 needs: Execute reg_ecom_modules.bat (as administrator) under C:ClarityBindirectory.
Notes: If you want explore modules documentation then execute file *.chm, where * is module name (e.g. CswECP2000.chm).