If you follow industry news, you already know about the release of iOS 9. You may also know that iOS 9 is the toughest one to break, with no jailbreak available now or in foreseeable future. With no jailbreak and no physical acquisition available for newer devices, what methods can you still use to obtain evidence from passcode-locked devices? Our answer to this is Elcomsoft Phone Breaker 5.0 that adds over-the-air acquisition support for iOS 9.
Archive for the ‘Did you know that…?’ Category
Although we’ve already embraced the EFS-encryption/decryption in some of our white papers and case studies, now we’d like to share a video tutorial because seeing once is better than hearing reading twice. So, in this video you will see how to decrypt EFS-encrypted data with help of Advanced EFS Data Recovery and how to recover Windows user account password with Proactive System Password Recovery (because it’s still obligatory for this type of encryption).
Advanced EFS Data Recovery (AEFSDR) is wholly dedicated to decryption of Windows EFS-encrypted files, however in order to decrypt the data the program still requires the user account password. Yeah, you might think at first that anyone can decrypt the data having user account password at hand, but no. You can’t. EFS encryption uses more than just logon password, nonetheless it’s the core ingredient in data decryption and so it must be provided.
If you forgot the logon password or didn’t know it at all Proactive System Password Recovery (PSPR) in its turn can help you acquire all system passwords once you can log into the system with administrator privileges. Exactly this example has been illustrated in our video (provide by Sethioz), here it is:
With all the trouble of jailbreaking iOS 8 devices and the lack of support for 64-bit hardware, does iOS physical acquisition still present meaningful benefits to the investigator? Is it still worth your time and effort attempting to acquire that iPhone via a Lightning cord?
Granted, jailbroken iOS devices are rare as hen’s teeth. You are very unlikely to see one in the wild. However, we strongly believe that physical acquisition still plays an important role in the lab, and here are the reasons why.
- In many countries (Mexico, Brazil, Russia, East Europe etc.) Apple sells more 32-bit phones than 64-bit ones. Old iPhones traded in the US are refurbished and sold to consumers in other countries (BrightStar coordinates these operations for Apple in the US). As an example, new and refurbished iPhone 4S and 5 units accounted for some 46% of all iPhones sold through retail channels in Russia in Q1 2015.
- Physical extraction returns significantly more information compared to any other acquisition method including logical or over-the-air acquisition. In particular, we’re talking about downloaded mail and full application data including logs and cache files (especially those related to Internet activities). A lot of this information never makes it into backups.
- Full keychain extraction is only available with physical acquisition. Physical is the only way to fully decrypting the keychain including those records encrypted with device-specific keys. Those keychain items can be extracted from a backup file, but cannot be decrypted without a device-specific key. In addition, the keychain often contains the user’s Apple ID password.
- With physical acquisition, you can extract the ‘securityd’ (0x835) from the device. This key can be used to completely decrypt all keychain items from iCloud backups.
- Physical acquisition produces a standard DMG disk image with HFS+ file system. You can mount the image into the system and use a wider range of mobile forensic tools to analyze compared to iTunes or iCloud backup files.
Quite often our new customers ask us for advice about what they should start with in order to use the program effectively. In fact, there are various situations when the tool can come in handy by decrypting data securely protected with TrueCrypt, BitLocker (To-Go), or PGP and we’d need a super long video to describe all the cases. But we’d love to demonstrate one typical situation when disk is protected with TrueCrypt when entire system drive encryption option is on.
In this video, kindly provided by Sethioz, we suggest you to decrypt TrueCrypt whole system drive encryption using our Elcomsoft Forensic Disk Decryptor thoroughly going through all the stages starting from the very first one when you just got the encrypted hard drive on hands.
With encrypted hard drive in one hand and its memory dump in the other one (taken when encrypted disk was still mounted) we plug HDD into our “invesgitator’s” computer, start Elcomsoft Forensic Disk Decryptor and easily, in one slow motion, extract the encryption keys from the memory dump file and decrypt the protected HDD, either by mounting it into the “investigator’s” system (to be able to work with it on-the-fly) or by decoding the contents into a specified folder.
We hope you’ll enjoy this video and next time you have the necessity to decrypt something encrypted you’ll feel more confident about it. We also invite you to take a moment and share your experience here in comments or leave your question if you still have any after this pretty detailed video. 🙂
I know most computer gurus and pros never read through program manuals or help files and prefer to learn everything using proverbial method of trial and error. Does this sound like you? Of course. Exceptions are very seldom. So, here’s something nice that will save your time and help your experience with Elcomsoft Wireless Security Auditor (EWSA).
In order to provide a quick but sufficient understanding how to effectively work with EWSA, our friend Sethios has prepared a nice 20-minute video tutorial that includes all steps of work with the program starting with acquiring handshakes and moving on through all following steps.
This video is packed with useful information, so go ahead and watch it now:
Was it helpful for your work? You are the judge. But we are always happy to hear from you. Your feedback is the reason we work harder on our software!
As you may already know from our official announcement, we’ve recently updated Elcomsoft Phone Breaker to support Apple accounts upgraded to iCloud Drive and decrypting keychains from iCloud. Considering that one can access files stored in iCloud Drive without any third-party tools, is the update really worth the buzz? Read along to find out!
Before getting to the updated technology, let’s have a look at what Apple iCloud Drive is, and how it’s different from “classic” iCloud. (more…)
If you care about password cracking, hardware acceleration or Wi-Fi protection this interview with our friend Sethioz is certainly for you. Being currently a freelance security tester Sethioz kindly shared his experience in cracking passwords using video cards, which in its turn derived from his gaming interest in cards. His personal experience may be very helpful to those whose concern about password cracking is not trivial.
How did it all start or what was the reason to try to find a Wi-Fi password?
There is no short answer to this, if there would be, I guess it would be “curiosity”. I think I got my first computer somewhere in 2002-2003 (my own PC) and ever since I’ve been interested in everything that is not “normal”, such as reverse engineering, debugging, hacking games, cracking password etc. (more…)
A Practical Guide for the Rest of Us
How many passwords does an average Joe or Jane has to remember? Obviously, it’s not just one or two. Security requirements vary among online services, accounts and applications, allowing (or disallowing) certain passwords. Seven years ago, Microsoft determined in a study that an average user had 6.5 Web passwords, each of which is shared across about four different websites. They’ve also determined that, back then, each user had about 25 accounts that required passwords, and typed an average of 8 passwords per day.
It didn’t change much in 2012. Another study determined that an average person has 26 online accounts, but uses only five passwords to keep them secure, typing about 10 passwords per day. CSID has a decent report on password usage among American consumers, discovering that as many as 54% consumers have five or less passwords, while another 28% reported using 6 to 10 passwords. Only 18% had more than 10 passwords. 61% of all questioned happily reuse their passwords over and over.
This obviously indicates a huge risk, making all these people susceptible to attacks on their passwords. Why do we have this situation, and what should one do to keep one’s life secure against hacker attacks? Let’s try to find out.
Passwords: Plagued with Problems
Passwords are the most common way of securing the many aspects of our lives. However, password-based protection is plagued with problems. Let’s have a look at why passwords are less than perfect when it comes to security. (more…)
Everyone must comply with government requests to disclose information. How far should one go when disclosing such information? This is up to the company. In a recent trend, several big IT companies including Apple, Facebook, Google and Microsoft among others teamed up to propose a change in US legislatures concerning governments spying on its citizens. The reform would make government surveillance “consistent with established global norms of free expression and privacy and with the goals of ensuring that government law enforcement and intelligence efforts are rule-bound, narrowly tailored, transparent, and subject to oversight”.