Archive for the ‘Did you know that…?’ Category

Why Do We Need Physical Acquisition?

Thursday, June 25th, 2015

With all the trouble of jailbreaking iOS 8 devices and the lack of support for 64-bit hardware, does iOS physical acquisition still present meaningful benefits to the investigator? Is it still worth your time and effort attempting to acquire that iPhone via a Lightning cord?

Granted, jailbroken iOS devices are rare as hen’s teeth. You are very unlikely to see one in the wild. However, we strongly believe that physical acquisition still plays an important role in the lab, and here are the reasons why.

  1. Apple’s current privacy policy explicitly denies government information requests if the device in question is running iOS 8. This means that handing over the device to Apple will no longer result in receiving its full image if the device is running iOS 8.x (source: https://www.apple.com/privacy/government-information-requests/)
  2. In many countries (Mexico, Brazil, Russia, East Europe etc.) Apple sells more 32-bit phones than 64-bit ones. Old iPhones traded in the US are refurbished and sold to consumers in other countries (BrightStar coordinates these operations for Apple in the US). As an example, new and refurbished iPhone 4S and 5 units accounted for some 46% of all iPhones sold through retail channels in Russia in Q1 2015.
  3. Physical extraction returns significantly more information compared to any other acquisition method including logical or over-the-air acquisition. In particular, we’re talking about downloaded mail and full application data including logs and cache files (especially those related to Internet activities). A lot of this information never makes it into backups.
  4. Full keychain extraction is only available with physical acquisition. Physical is the only way to fully decrypting the keychain including those records encrypted with device-specific keys. Those keychain items can be extracted from a backup file, but cannot be decrypted without a device-specific key. In addition, the keychain often contains the user’s Apple ID password.
  5. With physical acquisition, you can extract the ‘securityd’ (0x835) from the device. This key can be used to completely decrypt all keychain items from iCloud backups.
  6. Physical acquisition produces a standard DMG disk image with HFS+ file system. You can mount the image into the system and use a wider range of mobile forensic tools to analyze compared to iTunes or iCloud backup files.

At this time, Elcomsoft iOS Forensic Toolkit remains the only third-party forensic tool to perform physical acquisition of iPhone 4S, 5 and 5C.

Limitations of Physical Acquisition

Apple makes their platform increasingly secure with each generation of hardware and every version of iOS. Apple devices equipped with 64-bit hardware are not susceptible to physical acquisition. Since the overwhelming majority of iOS devices sold in the US through retail channels are already equipped with 64-bit hardware, the number of handsets equipped with 32-bit chips is rapidly declining. The opposite is true for many developing markets where old-generation devices oversell latest hardware.

When it comes to iOS 8, physical acquisition is only available to jailbroken devices. At this time, jailbreak is available for all current versions of iOS 8 up to and including iOS 8.3.

eift128_ios83

As a result, physical acquisition has the following limitations:

  1. Only 32-bit hardware is supported *
  2. iOS 8 devices must be jailbroken in order to perform physical acquisition.
  3. Jailbreaking is not as reliable and straightforward as we’d like it to be.
  4. You can’t jailbreak a locked device if you don’t know the passcode.
  5. Find My Phone must be disabled before installing jailbreak. If Find My Phone is on, you must enter the user’s Apple ID password to turn it off.
  6. In order to perform physical acquisition of a jailbroken device, you’ll need to manually install OpenSSH from Cydia.
  7. At this time, only TaiG jailbreak is supported for the purpose of physical acquisition (http://www.taig.com/en/)

* 64-bit devices are still not supported regardless of iOS version or jailbreak status. For the purpose of physical acquisition, the following compatibility matrix applies.

Supported:

  • iPhone 4S, 5, 5C
  • iPod Touch (5th gen)
  • iPad 2 through 4
  • iPad mini (original)

NOT supported:

  • iPhone 5S, 6, 6 Plus
  • iPad Air
  • iPad mini Retina, iPad mini 3

Conclusion

Even with all limitations of physical acquisition, the method still remains viable in many situations. Some countries still see more 32-bit Apple devices than 64-bit ones, with Apple refurbished devices (trade-ins from the US) pushed by the company as a cheap entry into the ecosystem. Since Apple no longer serves government information requests for devices running iOS 8, physical acquisition remains the only method to extract the full file system from the device, returning more information than any other acquisition method.

Elcomsoft Forensic Disk Decryptor Video Tutorial

Monday, June 8th, 2015

Quite often our new customers ask us for advice about what they should start with in order to use the program effectively. In fact, there are various situations when the tool can come in handy by decrypting data securely protected with TrueCrypt, BitLocker (To-Go), or PGP and we’d need a super long video to describe all the cases. But we’d love to demonstrate one typical situation when disk is protected with TrueCrypt when entire system drive encryption option is on.

In this video, kindly provided by Sethioz, we suggest you to decrypt TrueCrypt whole system drive encryption using our Elcomsoft Forensic Disk Decryptor thoroughly going through all the stages starting from the very first one when you just got the encrypted hard drive on hands.

With encrypted hard drive in one hand and its memory dump in the other one (taken when encrypted disk was still mounted) we plug HDD into our “invesgitator’s” computer, start Elcomsoft Forensic Disk Decryptor and easily, in one slow motion, extract the encryption keys from the memory dump file and decrypt the protected HDD, either by mounting it into the “investigator’s” system (to be able to work with it on-the-fly) or by decoding the contents into a specified folder.

We hope you’ll enjoy this video and next time you have the necessity to decrypt something encrypted you’ll feel more confident about it. We also invite you to take a moment and share your experience here in comments or leave your question if you still have any after this pretty detailed video. :)

Elcomsoft Wireless Security Auditor Video Tutorial

Thursday, April 30th, 2015

I know most computer gurus and pros never read through program manuals or help files and prefer to learn everything using proverbial method of trial and error. Does this sound like you? Of course. Exceptions are very seldom. So, here’s something nice that will save your time and help your experience with Elcomsoft Wireless Security Auditor (EWSA).

In order to provide a quick but sufficient understanding how to effectively work with EWSA, our friend Sethios has prepared a nice 20-minute video tutorial that includes all steps of work with the program starting with acquiring handshakes and moving on through all following steps.

This video is packed with useful information, so go ahead and watch it now:

Was it helpful for your work? You are the judge. But we are always happy to hear from you. Your feedback is the reason we work harder on our software!

Acquiring and Utilizing Apple ID Passwords, Mitigating the Risks and Protecting Personal Information

Friday, March 27th, 2015

Legal Disclaimer

The information provided in this article is strictly for educational purposes. Therefore, you confirm that you are not going to use it to break into someone else’s Apple account. If you wish to apply ideas described in this article, you are taking full responsibility for your actions.

Non-Legal Disclaimer

Just relax. It’s not like we’re giving away tips on how to download celebrities’ photos or hack the prime minister’s iPhone.

(more…)

Supporting Apple iCloud Drive and Decrypting Keychains from iCloud

Thursday, March 12th, 2015

As you may already know from our official announcement, we’ve recently updated Elcomsoft Phone Breaker to support Apple accounts upgraded to iCloud Drive and decrypting keychains from iCloud. Considering that one can access files stored in iCloud Drive without any third-party tools, is the update really worth the buzz? Read along to find out!

Before getting to the updated technology, let’s have a look at what Apple iCloud Drive is, and how it’s different from “classic” iCloud. (more…)

Cracking Wi-Fi Passwords with Sethioz

Wednesday, February 18th, 2015

If you care about password cracking, hardware acceleration or Wi-Fi protection this interview with our friend Sethioz is certainly for you. Being currently a freelance security tester Sethioz kindly shared his experience in cracking passwords using video cards, which in its turn derived from his gaming interest in cards. His personal experience may be very helpful to those whose concern about password cracking is not trivial.

How did it all start or what was the reason to try to find a Wi-Fi password?

There is no short answer to this, if there would be, I guess it would be “curiosity”. I think I got my first computer somewhere in 2002-2003 (my own PC) and ever since I’ve been interested in everything that is not “normal”, such as reverse engineering, debugging, hacking games, cracking password etc. (more…)

How Secure Is Your Password? A Friendly Advice from a Company That Breaks Passwords

Sunday, February 1st, 2015

A Practical Guide for the Rest of Us

How many passwords does an average Joe or Jane has to remember? Obviously, it’s not just one or two. Security requirements vary among online services, accounts and applications, allowing (or disallowing) certain passwords. Seven years ago, Microsoft determined in a study that an average user  had 6.5 Web passwords, each of which is shared across about four different websites. They’ve also determined that, back then, each user had about 25 accounts that required passwords, and typed an average of 8 passwords per day.

If i got a penny every time i forgot my pwd, I'd be a millionaire

It didn’t change much in 2012. Another study determined that an average person has 26 online accounts, but uses only five passwords to keep them secure, typing about 10 passwords per day. CSID has a decent report on password usage among American consumers, discovering that as many as 54% consumers have five or less passwords, while another 28% reported using 6 to 10 passwords. Only 18% had more than 10 passwords. 61% of all questioned happily reuse their passwords over and over.

This obviously indicates a huge risk, making all these people susceptible to attacks on their passwords. Why do we have this situation, and what should one do to keep one’s life secure against hacker attacks? Let’s try to find out.

Passwords: Plagued with Problems

Passwords are the most common way of securing the many aspects of our lives. However, password-based protection is plagued with problems. Let’s have a look at why passwords are less than perfect when it comes to security. (more…)

Apple’s Take on Government Surveillance: On Its Customers’ Side

Tuesday, January 27th, 2015

Everyone must comply with government requests to disclose information. How far should one go when disclosing such information? This is up to the company. In a recent trend, several big IT companies including Apple, Facebook, Google and Microsoft among others teamed up to propose a change in US legislatures concerning governments spying on its citizens. The reform would make government surveillance “consistent with established global norms of free expression and privacy and with the goals of ensuring that government law enforcement and intelligence efforts are rule-bound, narrowly tailored, transparent, and subject to oversight”.

(more…)

Elcomsoft Phone Breaker Update: Improved iCloud Acquisition, Two-Factor Authentication and Stronger Brute Force

Wednesday, December 17th, 2014

We are excited to announce an update to one of our oldest mobile forensic tools, Elcomsoft Phone Breaker. In this release we mostly targeted iCloud acquisition, although we’ve made some changes to the password recovery algorithm targeting iOS offline backups. All in all, the new tool can be used under a wider range of circumstances, squeezes more juice of your existing acceleration hardware and adds support for newest and greatest AMD and NVIDIA boards.

(more…)

Everything You Always Wanted to Know About iTunes and iCloud Backups But Were Afraid to Ask

Monday, March 31st, 2014

Do you think you know everything about creating and using backups of Apple iOS devices? Probably not. Our colleague and friend Vladimir Bezmaly (MVP Consumer security, Microsoft Security Trusted Advisor) shares some thoughts, tips and tricks on iTunes and iCloud backups.

iPhone Backups

Mobile phones are everywhere. They are getting increasingly more complex and increasingly more powerful, producing, consuming and storing more information than ever. Today’s smart mobile devices are much more than just phones intended to make and receive calls. Let’s take Apple iPhone. The iPhone handles our mail, plans our appointments, connects us to other people via social networks, takes and shares pictures, and serves as a gaming console, eBook reader, barcode scanner, Web browser, flashlight, pedometer and whatnot. As a result, your typical iPhone handles tons of essential information, keeping the data somewhere in the device. But what if something happens to the iPhone? Or what if nothing happens, but you simply want a newer-and-better model? Restoring the data from a backup would be the simplest way of initializing a new device. But wait… what backup?

Users in general are reluctant to make any sort of backup. They could make a backup copy once after reading an article urging them to back up their data… but that would be it. Apple knows its users, and decided to explore the path yet unbeaten, making backups completely automatic and requiring no user intervention. Two options are available: local backups via iTunes and cloud backups via Apple iCloud.

(more…)