Tech

ElcomSoft Tool Helps Analyse Location Data from iOS Devices

June 06, 2018 – ElcomSoft Co Ltd updates Elcomsoft Phone Viewer, the company’s companion tool for analyzing information extracted with other ElcomSoft tools. Version 3.70 adds support for aggregated location data, combining location information obtained from multiple sources such as system logs and EXIF data into a single timeline. In addition, it adds the ability to process and view TAR files produced in the course of physical acquisition with Elcomsoft iOS Forensic Toolkit.

Background

Since the introduction of the iPhone 5s, forensic experts approached physical acquisition via file system dumps. File system imaging is the only physical acquisition technique available for the devices with Apple’s 64-bit processors. The imaging occurs on the device in order to bypass full-disk encryption. Since the imaging is performed by the device itself, the result of these efforts is always a TAR archive containing the file system image. The format doesn’t change regardless of the tool performing physical acquisition. Elcomsoft iOS Forensic Toolkit as well as third-party solutions such as GrayKey produce TAR files in the same format and containing identical data.

The resulting file system image may contain critical evidence that cannot be accessed via any other means (logical or cloud extraction). For example, the list of locations revealing estimated coordinates of the device at any given time. Combining location data with other bits and pieces can lead to important discoveries, such as the user’s location during a given phone call, or pinning a picture or video to a point on the map.

Until now, the tools for analysing information inside these TAR images were offered as integral parts of fully-featured forensic toolkits. Experts would be limited to either time-consuming and labour-intensive manual analysis requiring a high level of expertise, or a complex forensic suite, with nothing in between. Elcomsoft Phone Viewer 3.70 (https://www.elcomsoft.com/epv.html) offers a perfect lightweight alternative to both the manual analysis and the use of sophisticated forensic packages, providing a tool that is easy to master without day-long training sessions.

Aggregated Location Data

Elcomsoft Phone Viewer 3.70 brings location analysis to a whole new level, adding a new aggregated view to help experts analyse the user’s location history based on evidence extracted from multiple sources. It extracts and aggregates location information from the system (frequently visited places, GSM and WI-Fi connections), several built-in and third-party applications (Google Maps, Uber) and geotags in media files. By accessing location data gathered from such a wide range of sources, experts are no longer limited to evidence collected from just the location logs. Some sources are only available with physical extraction (TAR files), and some data may be limited when analyzing backups. The number of supported sources of location data will be growing in future releases.

Leave a Reply

Your email address will not be published. Required fields are marked *