Elcomsoft Phone Viewer

Product Type	Password Recovery

Analyze information extracted with ElcomSoft and third-party acquisition tools with a fast, lightweight viewer. Decrypt and view iOS backups and synced data, browse iOS file system images, analyze iCloud Photo Library and access synchronized data with ease.

Lightweight forensic viewer requiring no learning curve
Analyze data extracted by ElcomSoft acquisition tools
Export evidence to continue analysis in third-party tools
View information unavailable in other forensic tools

Supports: local iOS backups (iTunes), iCloud backups, iOS synced data (call logs, browsing history and so on).

New features

Analyze iOS 14 Backups and Cloud Data

Elcomsoft Phone Viewer supports all versions of iOS up to and including the latest iOS, iPadOS and tvOS 14 releases. The tool can display the content of iTunes and iCloud backups and synchronized data produced by devices running the new OS. Elcomsoft Phone Viewer supports all generations of iPhone and iPad devices including the iPhone 11 range and the new A14-based iPad Air (2020). The tool can also display information acquired from companion devices such as Apple TV HD and Apple TV 4K.

Analyze Windows Timeline

The tool can now help analyze the user’s activities by displaying Windows 10 Timeline data downloaded from the user’s Microsoft account with Elcomsoft Phone Breaker. The data enables experts’ access to timestamped information about the app usage, searches and opened Web pages.

Explore the content of local and cloud backups produced by all versions of iOS and review synchronized data available in Apple iCloud and Microsoft Accounts! Elcomsoft Phone Viewer is a small, lightweight tool enabling read-only access to contacts, messages, call logs, notes and calendar data located in mobile backups. In addition, the tool displays essential information about the device such as model name, serial number, date of last backup etc. Finally, the tool implements access to deleted SMS and iMessages stored in iOS backups.

A Perfect Viewing Companion

Yet another “me too” forensic viewer? We looked hard for a tool we could recommend to our customers for viewing data decrypted or downloaded with Elcomsoft Phone Breaker. No single tool on the market meets our stringent requirements on speed, compatibility and ease of use. That’s why we introduced a viewing tool of our own.

Elcomsoft Phone Viewer is the ideal viewing companion for Elcomsoft Phone Breaker, enabling full support for all data formats produced by this tool. Regularly maintained and timely updated, Elcomsoft Phone Viewer is the first to receive support for the latest mobile backup formats extracted, downloaded or decrypted with other ElcomSoft tools. Using our mobile acquisition tools? Elcomsoft Phone Viewer is a perfect companion!

Note that Elcomsoft Phone Viewer can only open unencrypted backups as well as iTunes backups with a known password. Should you have a backup file encrypted with an unknown password, use Elcomsoft Phone Breaker to recover the password.

Analyzes Online Activities

Elcomsoft Phone Viewer displays the user’s online activities including Web browsing history and search queries, browser bookmarks and opened tabs including page snapshots. Information about recent search queries and last visited Web sites already helped solve multiple cases, and will undoubtedly help investigating crime.

Access to Synced Data, Passwords and Messages

Information such as call logs, contacts, notes, calendars as well as Web browsing activities including Safari history (including deleted items), bookmarks and open tabs can be synced with Apple servers. Unlike iCloud backups that may or may not be created on daily basis, synced information is pushed to Apple servers just minutes after the corresponding activity has taken place. Once uploaded, synced data can be retained for months with no option for the end user to clear the data or disable the syncing.

Synchronized records can be obtained for extended periods of time; much longer than available in iOS devices and device backups. Existing and deleted records are obtained, and filter can be applied to only display deleted records.

Elcomsoft Phone Viewer is ElcomSoft’s stock tool for viewing synced data extracted from Apple iCloud with Elcomsoft Phone Breaker. The following types of synced data can be viewed:

Messages in iCloud: complete with attached media files and documents
Safari (browsing history, bookmarks, tabs opened on user’s devices)
Voice Memos
Calendars, notes and contacts
Call logs (information about calls made and received)
Apple Maps (routes, places, searches)
Wi-Fi (wireless access points, MAC addresses, date and device added)
Wallet (everything except payment data)
Account info (comprehensive information about the user and devices registered on the Apple ID account)

Multimedia Gallery

Elcomsoft Phone Viewer can display pictures and videos captured with the phone or saved by one of the many apps. But don’t you worry, there won’t be a big mess of thousands of images appearing in a single thumbnail gallery. The files will be automatically split into a number of categories, making it easy to discover which pictures were captured with the phone’s camera, or received as messages or attachments. A separate category filters out system and application images such as buttons, logos and splash screens. Album view is available to allow you better navigate through thousands of images.

Aggregated Locations

Multiple sources of location data may be available in a given backup or image. Location data may be found in calendar events, iMessage attachments, map caches and system logs. Geolocation is one of the most important EXIF tags available. Elcomsoft Phone Viewer will automatically extract location data from multiple sources, and map the locations with OpenStreetMap. The ability to map GPS coordinates extracted from multiple sources can become extremely handy during investigations.

Analyze Apple Health Data

Health data can serve as essential evidence during investigations. At very least, the data includes step count, running and walking distances with exact timestamps the user was walking or running. Significantly more evidence is available if the user wears a HealthKit compliant device such as the Apple Watch or a third-party fitness tracker. A multitude of third-party apps may contribute to Health data significantly.

Elcomsoft Phone Viewer can display Health data stored in password-protected iTunes backups and file system images obtained from iOS devices in TAR/ZIP format with Elcomsoft iOS Forensic Toolkit or GrayKey during physical extraction.

TAR Images: The iOS File System

Since the introduction of the iPhone 5s, Apple’s first 64-bit iPhone, physical acquisition has never been the same. For all iPhone and iPad devices equipped with Apple’s 64-bit processors, physical acquisition is exclusively available via file system imaging. The imaging is performed on the device itself in order to bypass full-disk encryption. Regardless of the tool performing physical acquisition, the result of these efforts is always a TAR archive containing an image of the device’s file system. Elcomsoft iOS Forensic Toolkit produces TAR files as the result of the “F” (File System) command.

Up until now, most tools available for analyzing information inside these TAR images were integral parts of fully-featured forensic toolkits. The expert’s choice would be limited to either time-consuming and labour-intensive manual analysis requiring a high level of expertise, or a highly sophisticated and complex forensic suite, with nothing in between. Elcomsoft Phone Viewer offers the lightweight and convenient third option, enabling fast and easy analysis of evidence found in the results of physical acquisition.

Elcomsoft Phone Viewer: Telegram

Elcomsoft Phone Viewer: Aggregated locations

Elcomsoft Phone Viewer: Apple Health

Elcomsoft Phone Viewer: Messages

Elcomsoft Phone Viewer: Notes

Data select window

Elcomsoft Phone Viewer: Contacts

Elcomsoft Phone Viewer: Calls

All Features and Benefits

Installed Applications

The Applications view allows viewing information about the apps installed on the iOS device being analyzed. The expert can access the list of all apps installed on the device along with their acquisition date (date of purchase for paid apps or date of first install for the free apps). Additional information includes the app version, category, and Apple ID that was used to make the purchase. Since some of that information is not available in the backup, Elcomsoft Phone Viewer automatically requests additional data via an online connection through iTunes.

By making use of the Applications view, experts can gain insight into which apps the user had, which social networks they use, and which messaging tools they communicate with.

Wi-Fi Networks

The Wi-Fi view enables access to the list of Wi-Fi networks saved in password-protected iOS backups. SSID, MAC address and password for each network is displayed. Additional network parameters include network BSSID and encryption standard. In addition, Elcomsoft Phone Viewer automatically extracts the date and time of first joining and last using the network.

Experts can sort the list by last connection time, thus tracking the user by seeing which networks they joined during a given time period.

iCloud Photo Library

Since version 2.30, Elcomsoft Phone Viewer can display iCloud Photo Library images extracted by Elcomsoft Phone Breaker. Automatic grouping by albums and advanced filtering are supported.
Access to iOS Notifications

Elcomsoft Phone Viewer allows viewing iOS notifications extracted from iCloud backups as well as local backups produced with iTunes. The tool can display notifications going several years back, unless they are read or dismissed by the user.

Notifications are an essential part of the system, and may contain large amounts of volatile, highly sensitive information. Nearly all applications that are of forensic significance make use of notifications. Email clients, instant messengers, taxi and travel apps, social networks and many other applications can push notifications. Unless dismissed, these notifications are included into both local and cloud system backups.

EXIF Support

Access EXIF information stored in the images with ease. Elcomsoft Phone Viewer displays when, where and in which lighting conditions the image was captured. Detailed camera info allows determining whether an image was captured on this device or received from another one. Looking for images captured around the time of an incident? Just specify a data range, and Elcomsoft Phone Viewer will automatically display images captured during that period based on the images’ EXIF tags.

Fast Cloud Explorer

Elcomsoft Phone Viewer is the perfect tool for exploring information contained in online backups downloaded from the cloud, while Elcomsoft Phone Breaker is the perfect tool for downloading mobile backups from iCloud (iOS devices), and Windows Live! (devices running Windows Phone 8/8.1 and Windows 10 Mobile).

Use Elcomsoft Phone Breaker to quickly download selective information from Apple iCloud, and review information you acquired in Elcomsoft Phone Viewer. The two tools enable investigators obtain essential information about the suspect such as their calls, messages, address books and location history in a matter of minutes.

Tiny. Fast. Handy.

Elcomsoft Phone Viewer is a perfect tool when time is the ultimate priority. By using Elcomsoft Phone Viewer together with other ElcomSoft tools such as Elcomsoft Phone Breaker, investigators can save time by reviewing essential bits of information in just a few moments. By quick downloading selective information from Apple iCloud with Elcomsoft Phone Breaker and viewing acquired information in Elcomsoft Phone Viewer, investigators can obtain essential information about the suspect such as their calls, messages, address books and location history in a matter of minutes. The ability to view Calls and Messages databases with many thousand entries as well as convenient full-text and category-based searching and filtering make navigating through acquired information a snap.

One-Click Exporting

Export evidence in just a few clicks! You can export digital evidence obtained from iOS devices including local and cloud backups, iCloud synchronized data and file system images received as a result of physical acquisition. In addition, location data is exported into the industry-standard KML format. Elcomsoft Phone Viewer exports data in Microsoft Excel format, enabling experts to continue the investigation in their forensic product of choice. The ability to export data collected from the many supported sources allows easy interoperability with most commonly used forensic and analytic toolkits.

Convenient Searching and Filtering

Search through thousands of records in a snap! Elcomsoft Phone Viewer offers real-time filtering and full-text searching, allowing examiners locate records of interest in a matter of seconds. Search through Contacts, Calls, Notes and Messages, look up contact by names, numbers and other available fields, and locate messages with full-text search.

With real-time filtering, you can opt to only display favorite contacts or only display contacts from one or more accounts (Exchange, iCloud, Google, Facebook, or any combination). For messages, you can specify date range, type of message (SMS, MMS, iMessage) and whether to display incoming, outgoing or all messages.

Screen Time and Restrictions Passwords

In iOS 12 and 13, the Screen Time password is used to secure Content & Privacy Restrictions. With Screen Time password enabled and restrictions configured, experts cannot access many features of the iPhone. Elcomsoft Phone Viewer can display iOS Screen Time passwords if they are present. In iOS 12, Screen Time passwords can be obtained from password-protected iTunes backups; the backup password must be known. Cloud extraction is the only way to obtain Screen Time passwords for devices running iOS 13.

Viewing Mobile Backups

Elcomsoft Phone Viewer is a fast, compact tool that requires no learning curve. Using Elcomsoft Phone Viewer is just as easy as viewing an Excel spreadsheet. Designed to simplify the entry into mobile forensics, Elcomsoft Phone Viewer offers more than enough features for many IT security departments, offices and one-off investigations.

Analyze Keychain Records

Elcomsoft Phone Breaker is the only tool on the market to access, extract and decrypt iCloud Keychain, Apple’s cloud-based system for storing and syncing passwords, credit card data and other highly sensitive information across devices. Elcomsoft Phone Viewer can display keychain records obtained with Elcomsoft Phone Breaker from Apple iCloud. Not limited to iCloud Keychain, the tool can display keychain records obtained from password-protected local backups and extracted with Elcomsoft iOS Forensic Toolkit from jailbroken devices or using the acquisition agent.

Decrypt and Analyze Signal Conversations and Telegram Secret Chats

Elcomsoft Phone Viewer can decrypt Signal conversation databases extracted from the iPhone via physical acquisition. Experts using Elcomsoft iOS Forensic Toolkit will open the file system image in Elcomsoft Phone Viewer and use the extracted keychain file to decrypt the Signal database. Elcomsoft Phone Viewer will then decrypt the database and display its content in a blink of an eye.

Telegram supports secure chats. According to Telegram developers, all messages in secret chats use end-to-end encryption. Secret chats are device specific. They are not part of the Telegram cloud, and they cannot be extracted with cloud acquisition. Elcomsoft Phone Viewer can display Telegram conversations and secret chats obtained from TAR images extracted with Elcomsoft iOS Forensic Toolkit.