ELCOMSOFT.COM » Elcomsoft Phone Password Breaker

Decrypt physical image (iOS)


The amount of information that iPhone backups (made with iTunes) contain is reasonably limited. Having the actual iPhone device on hand can, or at least could, provide forensic access to much more data. But with iOS 4, all user data stored on selected devices (iPhone 3GS and 4, iPad, iPod Touch 3rd gen and later) is encrypted. To get the complete decrypted image of an iOS device, you need:

the encrypted 'raw' (dd-style) image of the device
the set of encryption keys extracted from the device

Elcomsoft iOS Forensic Toolkit (hereafter referred to as Toolkit; available to select government entities such as law enforcement and forensic organizations and intelligence agencies, and subject to a special license agreement) allows both imaging the device and extracting the keys; if you already have an image made with any third-party software, you only need to get the keys.

Once the keys are obtained (please refer to the Toolkit documentation), select [File] | [Apple] | [Decrypt physical image] in EPPB, browse for the device image and the file containing all the keys, and specify the path and name of the output file that will contain the decrypted image; then click Start. Progress is shown during decryption (please be patient).

For further analysis, the decrypted image can be mounted on any system that supports the HFS+ file system, or loaded directly into forensic software such as Guidance EnCase.
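Before mounting, an examiner can confirm that the output file carries a plausible HFS+ volume header and is not truncated. The following is an added example, not part of EPPB or the Toolkit; it assumes the image is a single volume starting at offset 0 (the page does not state the layout), uses the field offsets from Apple's published HFS Plus volume format, and checks only the header, not the file contents. The function names and sample data are constructed for illustration.

```python
import os
import struct

HEADER_OFFSET = 1024           # the volume header starts 1024 bytes into the volume
HEADER_FMT = ">2sH36xIII"      # signature, version, blockSize, totalBlocks, freeBlocks
VALID = {(b"H+", 4): "HFS+", (b"HX", 5): "HFSX"}


def parse_volume_header(raw: bytes) -> dict:
    """Parse the big-endian HFS+ volume header from the first bytes of a volume."""
    size = struct.calcsize(HEADER_FMT)
    if len(raw) < HEADER_OFFSET + size:
        raise ValueError("image too short to contain a volume header")
    sig, version, block_size, total, free = struct.unpack_from(HEADER_FMT, raw, HEADER_OFFSET)
    kind = VALID.get((sig, version))
    if kind is None:
        raise ValueError(f"no HFS+/HFSX signature at offset {HEADER_OFFSET}: {sig!r} v{version}")
    # Allocation block size must be a power of two and at least one sector.
    if block_size < 512 or block_size & (block_size - 1):
        raise ValueError(f"implausible block size {block_size}")
    if free > total:
        raise ValueError("free block count exceeds total block count")
    return {"kind": kind, "block_size": block_size, "total_blocks": total,
            "free_blocks": free, "volume_bytes": block_size * total}


def check_image(path: str) -> dict:
    """Read the header from an image file and compare declared and actual size."""
    with open(path, "rb") as fh:
        info = parse_volume_header(fh.read(HEADER_OFFSET + 512))
    info["file_bytes"] = os.path.getsize(path)
    # A file shorter than the declared volume means the image is truncated.
    info["truncated"] = info["file_bytes"] < info["volume_bytes"]
    return info


def sample_volume(sig=b"HX", version=5, block_size=8192, total=4, free=1) -> bytes:
    """Constructed sample: a zero-filled volume with only the checked fields set."""
    buf = bytearray(block_size * total)
    struct.pack_into(HEADER_FMT, buf, HEADER_OFFSET, sig, version, block_size, total, free)
    return bytes(buf)


if __name__ == "__main__":
    print(parse_volume_header(sample_volume()))
```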



(c) 2010-2011 ElcomSoft Co.Ltd.