Elcomsoft Phone Viewer is a fast, lightweight forensic viewer for quickly accessing information extracted from mobile backups. Supporting a variety of platforms and data formats, the tool can display information extracted from local and cloud iOS, Windows Phone and BlackBerry 10 backups. Password-protected iTunes backups can be automatically decrypted and analyzed without using third-party tools.
Elcomsoft Phone Viewer
Analyze information extracted with ElcomSoft and third-party acquisition tools with a fast, lightweight viewer. Decrypt and view iOS backups and synced data, analyze iCloud Photo Library, BlackBerry 10 backups and Windows Phone/Windows 10 Mobile data and access synchronized data with ease.
- Lightweight forensic viewer requiring no learning curve
- Analyze data extracted by ElcomSoft acquisition tools
- Access iOS notifications and deleted data such as Safari history records
- View information unavailable in other forensic tools
Supports: local iOS backups (iTunes), iCloud backups, iOS synced data (call logs, browsing history and so on), Windows Phone and Windows 10 Mobile backups, BlackBerry 10 backups.
- More Location Data
Location analysis is brought to a whole new level with the new aggregated view. The aggregated location analysis helps experts review the user’s location history based on evidence extracted from multiple sources. The current release extracts and aggregates location information from the system (frequently visited places, GSM and WI-Fi connections), as well as from several built-in and third-party applications (from Google Maps to Uber) and geotags in media files.
- TAR Analysis
Since the introduction of the iPhone 5s, Apple’s first 64-bit iPhone, a physical acquisition is exclusively available via file system imaging. Regardless of the tool performing physical acquisition (Elcomsoft iOS Forensic or third-party tools), the result of these efforts is always a TAR archive containing an image of the device’s file system. Elcomsoft Phone Viewer is a lightweight and convenient tool to quickly analyze evidence found in the results of physical acquisition.
- Apple Pay and Wallet
Elcomsoft Phone Viewer can parse Apple Pay data including information about associated cards and comprehensive transaction data. The Apple Pay database is only available in TAR files produced during physical acquisition (passcode must not be removed in order to preserve Apple Pay data).
The tool will also parse Wallet data extracted from TAR files or local backups. Wallet data may include boarding passes, tickets, reservations and other transactions.
- Messages in iCloud
iOS 11.4 brought message sync via iCloud. Messages (including iMessages) can be downloaded with Elcomsoft Phone Breaker providing one has access to the user’s Apple ID and password, a passcode or password from one of their enrolled devices, and a one-time code delivered by Two-Factor Authentication. Elcomsoft Phone Viewer enables viewing and analyzing of the messages obtained from iCloud.
Explore the content of local and cloud backups produced by iOS, BlackBerry 10, Windows Phone 8 and Windows 10 Mobile devices! Elcomsoft Phone Viewer is a small, lightweight tool enabling read-only access to contacts, messages, call logs, notes and calendar data located in mobile backups. In addition, the tool displays essential information about the device such as model name, serial number, date of last backup etc. Finally, the tool implements access to deleted SMS and iMessages stored in iOS backups.
Access to Deleted Messages
The tool automatically processes message databases to recover deleted messages from iOS 11/12 backups, often allowing experts to access messages that have been deleted a long time ago.
A Perfect Viewing Companion
Yet another “me too” forensic viewer? We looked hard for a tool we could recommend to our customers for viewing data decrypted or downloaded with Elcomsoft Phone Breaker. No single tool on the market meets our stringent requirements on speed, compatibility and ease of use. That’s why we introduced a viewing tool of our own.
Elcomsoft Phone Viewer is the ideal viewing companion for Elcomsoft Phone Breaker, enabling full support for all data formats produced by this tool. Regularly maintained and timely updated, Elcomsoft Phone Viewer is the first to receive support for the latest mobile backup formats extracted, downloaded or decrypted with other ElcomSoft tools. Using our mobile acquisition tools? Elcomsoft Phone Viewer is a perfect companion!
Note that Elcomsoft Phone Viewer can only open unencrypted backups as well as iTunes backups with a known password. Should you have a backup file encrypted with an unknown password, use Elcomsoft Phone Breaker to recover the password.
Analyzes Online Activities
Elcomsoft Phone Viewer displays the user’s online activities including Web browsing history and search queries, browser bookmarks and opened tabs including page snapshots. Information about recent search queries and last visited Web sites already helped solve multiple cases, and will undoubtedly help to investigate a crime.
Access to Synced Data and Messages
Information such as call logs, contacts, notes, calendars as well as Web browsing activities including Safari history (including deleted items), bookmarks and open tabs can be synced with Apple servers. Unlike iCloud backups that may or may not be created on daily basis, synced information is pushed to Apple servers just minutes after the corresponding activity has taken place. Once uploaded, synced data can be retained for months with is no option for the end user to clear the data or disable the syncing.
Synchronized records can be obtained for extended periods of time; much longer than available in iOS devices and device backups. Existing and deleted records are obtained, and filter can be applied to only display deleted records.
Elcomsoft Phone Viewer is ElcomSoft’s stock tool for viewing synced data extracted from Apple iCloud with Elcomsoft Phone Breaker. Еhe following types of synced data can be viewed:
- Messages in iCloud
- Safari (browsing history, bookmarks, tabs opened on user’s devices)
- Calendars, notes, contacts
- Call logs (information about calls made and received)
- Apple Maps (routes, places, searches)
- Wi-Fi (wireless access points, MAC addresses, date and device added)
- Wallet (everything except payment data)
- Account info (comprehensive information about the user and devices registered on the Apple ID account)
Elcomsoft Phone Viewer can display pictures and videos captured with the phone or saved by one of the many apps. But don’t you worry, there won’t be a big mess of thousands of images appearing in a single thumbnail gallery. The files will be automatically split into a number of categories, making it easy to discover which pictures were captured with the phone’s camera, or received as messages or attachments. A separate category filters out system and application images such as buttons, logos and splash screens. Album view is available to allow you better navigate through thousands of images.
A powerful feature of Elcomsoft Phone Viewer is the ability to group media files by origin, allowing investigators to access photos and videos created in a particular app. This, in particular, allows to keep out the thousands of garbage graphics such as the icons, cached and temporary files produced by certain applications.
Multiple sources of location data may be available in a given backup or image. Location data may be found in calendar events, map caches and system logs. Geolocation is one of the most important EXIF tags available. Elcomsoft Phone Viewer will automatically extract location data from multiple sources, and map the locations with Google Maps. The ability to map GPS coordinates extracted from multiple sources can become extremely handy during investigations.
TAR Images: The iOS File System
Since the introduction of the iPhone 5s, Apple’s first 64-bit iPhone, the physical acquisition has never been the same. For all iPhone and iPad devices equipped with Apple’s 64-bit processors, a physical acquisition is exclusively available via file system imaging. The imaging is performed on the device itself in order to bypass full-disk encryption. Regardless of the tool performing physical acquisition, the result of these efforts is always a TAR archive containing an image of the device’s file system. Elcomsoft iOS Forensic Toolkit produces TAR files as the result of the “F” (File System) command.
Up until now, most tools available for analyzing information inside these TAR images were integral parts of fully-featured forensic toolkits. The expert’s choice would be limited to either time-consuming and labor-intensive manual analysis requiring a high level of expertise, or a highly sophisticated and complex forensic suite, with nothing in between. Elcomsoft Phone Viewer offers the lightweight and convenient third option, enabling fast and easy analysis of evidence found in the results of physical acquisition.
- Windows XP
- Windows Vista
- Windows Server 2003/2008
- Windows 7
- Windows 8
- Windows 8.1
- Windows 10
- Windows Server 2012
Apple OS X
- OS X 10.11
- OS X 10.12
- OS X 10.1