Chennai Safe City
Cyber Forensics Lab- Handouts
The Elcomsoft Mobile bundle consists of four tools:
1. Elcomsoft Phone Breaker
2. Elcomsoft Phone Viewer
3. Elcomsoft Cloud eXplorer
4. Elcomsoft eXplorer for WhatsApp
1. Elcomsoft Phone Breaker
Elcomsoft Phone Breaker (EPB) enables forensic access to iTunes, iCloud and BlackBerry backups and
synchronized Microsoft Account data. The Windows edition features the patented GPU acceleration
technology to deliver the fastest password recovery speeds on a single PC. The tool can attack the
original plain-text password that protects encrypted backups containing address books, call logs, SMS
archives, calendars, camera snapshots, voice mail and email account settings, applications, Web
browsing history and cache.
Use cases:
    •   Decrypt iOS backups (with known password).
    •   Download and decrypt iOS backups from iCloud (with valid authentication credentials).
    •   Download iCloud synchronized data (with valid authentication credentials).
    •   Decrypt and display Keychain data extracted with Elcomsoft iOS Forensic Toolkit or stored in
        password-protected iTunes backups (password must be known)
    •   Download iCloud Keychain and other point-to-point encrypted data from Apple accounts
        (authentication credentials and password/passcode of a trusted device required).
    •   Decrypt classic BlackBerry backups (known password).
    •   Decrypt BlackBerry 10 backups (up to BBOS 10.3.2.2876) created with BlackBerry
        Link (BlackBerry ID password must be known).
    •   Download data from Microsoft accounts including text messages, call logs, contacts,
        notes, locations, browsing history, search history etc.
2. Elcomsoft Phone Viewer
Elcomsoft Phone Viewer is a lightweight tool for analyzing information contained in mobile backups,
synchronized data and file system images obtained with Elcomsoft's other tools. It analyzes information
stored in offline and cloud backups and synchronized data extracted with Elcomsoft Phone Breaker
and Elcomsoft iOS Forensic Toolkit, and explores iOS file system images extracted with Elcomsoft iOS
Forensic Toolkit and select third-party tools in both .tar and .zip formats. Elcomsoft Phone Viewer (EPV)
enables access to contacts, messages, call logs, notes, media, and calendar data located in mobile
backups and file system images, and displays essential information about the device such as model
name, serial number, date of last backup etc.
In addition to iOS, Elcomsoft Phone Viewer allows viewing BlackBerry 10 backups produced with
BlackBerry Link, as well as Microsoft Account data downloaded with Elcomsoft Phone Breaker.
                                                                                         Page 1 of 16
    Elcomsoft Phone Viewer supports encrypted and unencrypted iOS backups. A valid password is
required for accessing encrypted backups.
3. Elcomsoft Cloud eXplorer
Elcomsoft Cloud eXplorer (ECX) is an all-in-one tool for downloading, viewing and analysing
information stored in the user's Google Account. The tool pulls information from the many available
sources scattered throughout the Google Account, automatically parses the data and displays the
information in human-readable form.
Google collects massive amounts of information from registered customers. Contacts and Hangouts
messages, Google Keep notes, search history with click-through data, synced Google Chrome data
including passwords and forms, bookmarks, page transitions and browsing history, location history,
calendars and images are just a few pieces of data to mention. The different types of data are scattered
around different Google servers and stored in diverse formats. Elcomsoft Cloud eXplorer not only
downloads more data than Google itself provides but also offers the ability to view and analyse
information without leaving the tool.
        With valid authentication credentials, ECX becomes the perfect tool for investigating users’
online activities. The integrated viewer displays downloaded data in human-readable form, making it
easy to analyse users’ communication circles, search and browsing activities. The viewer includes
instant filtering and quick search functionality. Finding a certain contact, message or Web site
authentication credentials is easy: you just need to type part of the word you are looking for into the
search box.
4. Elcomsoft eXplorer for WhatsApp
Elcomsoft eXplorer for WhatsApp (EXWA) provides the ability to obtain and explore WhatsApp data
stored in iTunes and iCloud backups, Android WhatsApp and WhatsApp Business data.
Use cases:
    •   Download and decrypt WhatsApp for iOS data from iCloud backups.
    •   Download WhatsApp files synchronized with iCloud.
    •   Access WhatsApp contacts, messages, call history, and media located in iTunes backups.
    •   Download and decrypt WhatsApp data from Google Drive.
    •   Access WhatsApp and WhatsApp Business contacts, messages, call history, and media located in
        Android backups.
    •   Load WhatsApp and WhatsApp Business contacts, messages, call history, and media from an Android
        device.
1. Elcomsoft Phone Breaker
The Elcomsoft Phone Breaker user interface consists of the following elements:
1. Menu bar: Provides access to the main functionality. The menu bar consists of several tabs:
        o Password Recovery Wizard: Allows launching an attack on passwords protecting iOS
          and BlackBerry backups.
        o Tools: Allows decrypting backups for iPhone and BlackBerry devices.
          iOS: iCloud downloads, FileVault decryption, Keychain explorer, and authentication token
          extraction.
          Microsoft Accounts: downloads text messages, Calls, Contacts, Notes, Locations, Web Browsing
          History and Web Search History.
          BlackBerry: Password Keeper decryption.
2. Data View pane: Allows managing data in EPB, depending on which tab on the Menu bar is selected.
3. Settings pane: Access to the following tabs:
    •   Journal: Access logged events.
    •   Settings: Configure Hardware, Network, iCloud, and Templates settings.
    •   Help: Access Help, check for updates (macOS), send feedback, purchase or enter
    • About: version number and registration information.
Downloading Microsoft account data
To download synced Microsoft account data, do the following:
1. In the Tools menu, select the Microsoft tab, and click Download data from the Microsoft Account.
2. Enter the user name and password for the Microsoft account.
   Click the View button to display the password as characters or in asterisks (*).
3. If your account is protected with two-factor authentication, you need to enter the secure code. The
following authorization types are supported:
· E-mail
· SMS
· Authenticator: EPB supports 8-character codes generated in the standard Microsoft authenticator and
  6-character codes generated in third-party apps.
Choose the Authorization type, enter the secure code, and click Continue.
4. Select the data categories you want to download and click Continue.
If your account is protected with two-factor authentication, your download starts immediately.
If your account is not protected with two-factor authentication, you can see the categories which you
can download only after you sign in with two-factor authentication. Such categories are marked
orange. In the current version of EPB, there are three such categories: Calls, Web, and Locations.
If your account is not protected with two-factor authentication and you want to download the Calls,
Web, or Locations category, choose how you want to receive your secure code:
· Trusted e-mail address
· SMS
Complete the trusted e-mail or trusted phone number information and click Send code. You will
receive a secure code to this email address or phone number. Enter the received secure code in the
Secure code field and click Continue.
5. Select location for saving data downloaded from the Microsoft account. You can change the
Microsoft user whose synced data you want to download by clicking Change user. Click Download to
start downloading synced Microsoft account data.
6. Data downloading begins. You can view the number of processed files and the number of errors
received during the download.
7. When downloading is finished, you can view the downloaded data in the location on the local
computer to which it was saved by clicking the View button. If you have Elcomsoft Phone Viewer
installed on your computer, you can explore the backup content by clicking the Open in EPV link. To
view detailed information about downloaded files and errors that occurred during the download, click
Details.
8. Click Finish to close the Download data from the Microsoft account page.
2. Elcomsoft Phone Viewer
Working with iOS backups
To add the iOS backup to EPV, do the following:
1. On the main screen, click iTunes backup or iCloud backup, select the necessary backup in the File >
Open menu, or drag and drop the backup file to the program window.
2. Browse for the Manifest.plist file in the folder where your iOS device backup is located.
3. Select data types for parsing when opening the backup file (you can change this later in
Settings).
Select if you want EPV to search for and display Camera Roll media only or all media files (you
can change this later in Settings).
Once the backup is loaded, its name and device type are shown under a generic image, together with the
following information (some of it may not be available for iCloud backups; the information is complete
only for local iTunes backups):
   •   iOS version
   •   Serial Number
   •   GUID
   •   IMEI
   •   Target Identifier
   •   Unique Identifier (usually the same as above)
   •   Phone number
   •   Last backup date
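As an added triage example (not Elcomsoft's code), the following Python script reads the Manifest.plist that EPV asks you to browse to and the Info.plist beside it, reporting whether the backup is encrypted (so a password will be needed before it can be opened) and the device fields listed above. It assumes the standard local iTunes backup layout, where Manifest.plist carries the IsEncrypted, Date and Lockdown entries and Info.plist carries the device keys; the sample backup it writes is constructed with fake values.

```python
import plistlib
import tempfile
from datetime import datetime
from pathlib import Path

# Device fields EPV lists for a loaded backup; in a local iTunes backup they live in Info.plist.
INFO_KEYS = ["Product Version", "Serial Number", "GUID", "IMEI", "Target Identifier",
             "Unique Identifier", "Phone Number", "Last Backup Date"]


def triage_backup(backup_dir):
    """Summarise a backup folder: encryption flag and date from Manifest.plist, device fields from Info.plist."""
    backup_dir = Path(backup_dir)
    with open(backup_dir / "Manifest.plist", "rb") as fh:
        manifest = plistlib.load(fh)
    summary = {
        "encrypted": bool(manifest.get("IsEncrypted", False)),  # True: a password is needed in EPV
        "passcode_set": bool(manifest.get("WasPasscodeSet", False)),
        "backup_date": manifest.get("Date"),
        "ios_version": manifest.get("Lockdown", {}).get("ProductVersion"),
    }
    info = {}
    info_path = backup_dir / "Info.plist"
    if info_path.exists():  # typically absent in data that came from iCloud, hence the None values
        with open(info_path, "rb") as fh:
            info = plistlib.load(fh)
    for key in INFO_KEYS:
        summary[key] = info.get(key)
    return summary


def make_sample_backup(root, encrypted=True, with_info=True):
    """Write a constructed (fake) backup folder so the triage can be exercised offline."""
    root = Path(root)
    root.mkdir(parents=True, exist_ok=True)
    when = datetime(2024, 1, 15, 10, 30, 0)
    manifest = {"Version": "10.0", "IsEncrypted": encrypted, "WasPasscodeSet": True,
                "Date": when, "Lockdown": {"ProductVersion": "16.7.4", "DeviceName": "Sample"}}
    with open(root / "Manifest.plist", "wb") as fh:
        plistlib.dump(manifest, fh)
    if with_info:
        info = {"Product Version": "16.7.4", "Serial Number": "SAMPLE000001",
                "GUID": "0000000000000000", "IMEI": "000000000000000",
                "Target Identifier": "0" * 40, "Unique Identifier": "0" * 40,
                "Phone Number": "+1 555 0100", "Last Backup Date": when}
        with open(root / "Info.plist", "wb") as fh:
            plistlib.dump(info, fh)
    return root


def demo(encrypted=True, with_info=True):
    """Build a sample backup in a temporary folder and triage it."""
    with tempfile.TemporaryDirectory() as tmp:
        return triage_backup(make_sample_backup(tmp, encrypted, with_info))


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Point triage_backup at a real backup folder (the one containing Manifest.plist) to get the same summary before loading it into EPV.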
NOTE: The Restriction password is available for encrypted, unencrypted, and decrypted backups of iOS 11
and lower. The Screen Time password is available for encrypted and decrypted iOS 12 backups.
Exporting Data from Plugins
1. Click Export.
2. Select the plugins data from which you want to export or click Check all.
3. Optionally, enable filtering to export data for a certain time period. To do so, switch the On/Off
toggle, and then select the dates in the calendar fields.
4. Click Export.
5. In the opened window, select the location in which the file with exported data will be saved and
enter the file name.
6. Click Save.
7. The <file name>.xlsx file is saved in the selected location.
3. Elcomsoft Cloud eXplorer
ECX Program interface
The Elcomsoft Cloud eXplorer interface consists of the following elements:
Main menu: Provides access to the main functionality of ECX:
        o File: Allows downloading Google backups and removing them from the backup list.
        o View: Allows viewing records of all actions performed with data in ECX in the form of a Journal,
          defining ECX settings, and viewing the device info once the Google account data is loaded. It
          also provides access to all available plugins.
        o Help: Allows viewing the ECX version number, checking whether the program is registered,
          reading the ECX help file, checking for program updates, sending feedback to the program
          developers, purchasing the program, or entering a registration code if you have already
          purchased the program online.
Data View pane: Allows managing data.
Google Accounts pane: Allows viewing Google account backups and Google Drive backups added to
ECX.
Backup Management pane: Allows downloading Google account and Google Drive backups and
removing them from the backup list.
Google account backups:
To download information from the Google account, do the following:
1. In the main menu, click File, and then click Add Google Snapshot; or click the button in the
bottom-left corner of the ECX screen.
2. On the Download snapshot page, define the authentication type:
· Password: Select this option to use the Google account credentials (Google ID (in the
  account@google.com format) and password).
· Token: Select this option to use the authentication token extracted from the Google Chrome browser
  using Google Token Extractor (GTEX). For more information about extracting the token, see the
  Extracting authentication token topic.
3. Click Sign in.
4. Select the data categories you wish to download.
Signing in:
To download a Google account backup using ECX, you are required to sign in first. The authentication
process may vary depending on the Google account security settings.
To sign in, on the Download snapshot page, define the authentication type:
Password: Select this option to use the Google account credentials.
Token: Select this option to use the Authentication token extracted from the Google Chrome browser
using Google Token Extractor (GTEX).
Signing In Using Credentials
If you sign in using the Password option, enter the Google account ID (in the account@gmail.com
format) and the password.
Signing In Using Authentication Token:
If you sign in using the Token option, select the previously saved token from the list or specify the path
to a new token .xml file extracted from the Google Chrome browser via Google Token Extractor (GTEX).
By default, the token file is saved to the folder where the Google Token Extractor is located.
After signing in to the respective account, select the required information and click Download. All the
data will be downloaded.
4. Elcomsoft eXplorer for WhatsApp
Working with data from Android devices:
EXWA allows you to analyze the WhatsApp and WhatsApp Business data from your rooted Android
devices previously backed up to your computer. Loading WhatsApp data from Android devices is
available for both rooted and unrooted devices. Loading WhatsApp Business data from Android
devices is available only for rooted devices.
Adding Android data from local storage
To start working with local Android backups:
1. In the Backups Library pane, click the Acquire data for Android device icon.
2. In the opened menu, click the Load from local storage icon.
3. In the opened window, specify the path to the com.whatsapp_preferences.xml (for WhatsApp) or
com.whatsapp.w4b_preferences.xml (for WhatsApp Business) file in the Path to data files field.
4. Click Load data.
5. Once the backup is loaded, the following device information is displayed:
· Phone number
· Product type (Android version)
The lower part of the window displays the userpic, phone number, and the backup date (according to
the time zone and date format defined on the local PC) as well as the following WhatsApp information
(some of it may not be available):
· Phone number
· Display name
· Status
· Google account
· Android version
· WhatsApp version
Viewing data
When you select the target WhatsApp backup in the Backups Library to the left, the lower part of the
window shows all plugins available (some of them might be disabled if there is no appropriate
information in the backup).
Exporting data
EXWA allows you to export data from a backup to your PC. Data is exported to an XLSX file, and all
attachments/files are saved to a folder in the same location as the XLSX file.
Please note that data export is only available in the registered version of the program.
To export data, do the following:
1. In the Data View pane, click Export data.
2. Select the data categories to export.
3. Define the time interval for which you want to export data as follows: enable filters by switching
the On/Off toggle and then select the dates in the From and Until fields.
4. Click Export.
5. A window opens in which you can select the location for exported data.
6. Once you select the location, click Save.
7. Data export will start.
8. To open exported data, click the icon next to the Data has been exported message highlighted in
yellow or open it from the location to which it was saved.