Archive for the ‘Elcom-News’ Category

Digging Mac OS Keychains

Wednesday, September 16th, 2015

We have just released a brand new tool, and this time it’s not about mobile forensics. Or is it?

Elcomsoft Password Digger is designed for decrypting the content of Mac OS protected storage, the keychain. For one, it’s a Windows tool, so you’ll need to pull keychain files from the Mac OS system along with any decryption metadata (such as the key file for the system keychain or user’s password for decrypting the user keychain). After decrypting the keychain, we’ll export everything into an XML, and create a filtered plain-text file that only contains passwords (to be used as a pluggable dictionary in various password recovery tools).

So what is this all about?


BlackBerry Password Keeper Escrow Key: Have We Just Found a Hidden Backdoor?

Tuesday, August 11th, 2015

As you may already know from the official press release, we’ve recently updated Elcomsoft Phone Breaker to version 4.10. From that release, you could learn that the updated version of the tool targets passwords managers, adding the ability to instantly decrypt passwords stored in BlackBerry Password Keeper for BlackBerry 10 and attack 1Password containers.

If you read along the lines though it’s a different story.

Essentially, we’ve discovered a backdoor hidden in recent versions of BlackBerry Password Keeper allowing us to decrypt the content of that app instantly without brute-forcing the master password. For our customers, this means instant access to passwords and other sensitive information maintained by BlackBerry Password Keeper. No lengthy waits and no fruitless attacks, just pure convenience. But is this convenience intentional? Did BlackBerry leave a backdoor for government access, or is this an unintentional vulnerability left by the company renowned for its exemplary security model? Let’s try to find out.


Why Do We Need Physical Acquisition?

Thursday, June 25th, 2015

With all the trouble of jailbreaking iOS 8 devices and the lack of support for 64-bit hardware, does iOS physical acquisition still present meaningful benefits to the investigator? Is it still worth your time and effort attempting to acquire that iPhone via a Lightning cord?

Granted, jailbroken iOS devices are rare as hen’s teeth. You are very unlikely to see one in the wild. However, we strongly believe that physical acquisition still plays an important role in the lab, and here are the reasons why.

  1. Apple’s current privacy policy explicitly denies government information requests if the device in question is running iOS 8. This means that handing over the device to Apple will no longer result in receiving its full image if the device is running iOS 8.x (source:
  2. In many countries (Mexico, Brazil, Russia, East Europe etc.) Apple sells more 32-bit phones than 64-bit ones. Old iPhones traded in the US are refurbished and sold to consumers in other countries (BrightStar coordinates these operations for Apple in the US). As an example, new and refurbished iPhone 4S and 5 units accounted for some 46% of all iPhones sold through retail channels in Russia in Q1 2015.
  3. Physical extraction returns significantly more information compared to any other acquisition method including logical or over-the-air acquisition. In particular, we’re talking about downloaded mail and full application data including logs and cache files (especially those related to Internet activities). A lot of this information never makes it into backups.
  4. Full keychain extraction is only available with physical acquisition. Physical is the only way to fully decrypting the keychain including those records encrypted with device-specific keys. Those keychain items can be extracted from a backup file, but cannot be decrypted without a device-specific key. In addition, the keychain often contains the user’s Apple ID password.
  5. With physical acquisition, you can extract the ‘securityd’ (0x835) from the device. This key can be used to completely decrypt all keychain items from iCloud backups.
  6. Physical acquisition produces a standard DMG disk image with HFS+ file system. You can mount the image into the system and use a wider range of mobile forensic tools to analyze compared to iTunes or iCloud backup files.


Elcomsoft Phone Viewer: Faster and Easier

Tuesday, May 19th, 2015

ElcomsoftPhoneViewer_SnapshotAs you may already know, we have just updated our recently released forensic tool, Elcomsoft Phone Viewer. The update received a major performance boost and numerous usability enhancements.

So what’s the point of having a “yet another” mobile forensic tool? Aren’t there enough already? In fact, we considered making this tool for a long time, and were hesitant to make the move exactly because there are so many great forensic packages already. However, our customers kept asking for a lighter, smaller, faster and easier alternative to complement our existing tools. They cited how bulky those all-in-one forensic packages were, and mentioned training courses they had to take just to begin using those tools. Call it minimalism, but we made a tool that doesn’t require training sessions to use, and employs the same familiar user interface as other ElcomSoft tools. (more…)

Spring Vaccination From Boredom!

Wednesday, April 1st, 2015

Spring vaccination

As everyone knows, the high-speed, extremely powerful and increasingly popular ElcomSoft tools have already become industry standard in IT-security, risk management and computer forensics industries. After achieving these targets, our team got a little… bored.

That’s why we’re happy to announce a refreshing turn in the history of our code-breaking business by making an injection of several completely different but entertaining activities. Instead of boring number-crunching code, we will now focus on making t-shirts, mugs, pins, smartphone cases, mobile games, and entertaining commercials, simply for the fact we’re always doing The Right Thing no matter what :)

Think it’s an April Fool’s joke? Just visit our new Web store or download our new game for Android and iOS to see how serious we are!

Discover our new business activities:
★ A new online shop with funny tees, pants, pins, mugs and phone cases
★ A new mobile game ElcomSafe for enriching your IT security vocabulary
★ And an amusing commercial to make you smile and kiss your dearest one

Have a wonderful day and a happy spring!

Supporting Apple iCloud Drive and Decrypting Keychains from iCloud

Thursday, March 12th, 2015

As you may already know from our official announcement, we’ve recently updated Elcomsoft Phone Breaker to support Apple accounts upgraded to iCloud Drive and decrypting keychains from iCloud. Considering that one can access files stored in iCloud Drive without any third-party tools, is the update really worth the buzz? Read along to find out!

Before getting to the updated technology, let’s have a look at what Apple iCloud Drive is, and how it’s different from “classic” iCloud. (more…)

Distributed Password Recovery: Faster, Smarter and Cost-Effective

Tuesday, February 3rd, 2015

We have just released a long-awaited update to one of our flagship products, Elcomsoft Distributed Password Recovery. While you can learn more about what’s been added and changed from our official announcement, in this post we’d like to share some insight about the path we took to design this update. (more…)

Elcomsoft Phone Breaker Update: Improved iCloud Acquisition, Two-Factor Authentication and Stronger Brute Force

Wednesday, December 17th, 2014

We are excited to announce an update to one of our oldest mobile forensic tools, Elcomsoft Phone Breaker. In this release we mostly targeted iCloud acquisition, although we’ve made some changes to the password recovery algorithm targeting iOS offline backups. All in all, the new tool can be used under a wider range of circumstances, squeezes more juice of your existing acceleration hardware and adds support for newest and greatest AMD and NVIDIA boards.


Breaking Into iCloud: No Password Required

Tuesday, June 17th, 2014

With little news on physical acquisition of the newer iPhones, we made every effort to explore the alternatives. One of the alternatives to physical acquisition is over-the-air acquisition from Apple iCloud, allowing investigators accessing cloud backups stored in the cloud. While this is old news (we learned to download data from iCloud more than two years ago), this time we have something completely different: access to iCloud backups without a password! The latest release of Phone Password Breaker is all about password-free acquisition of iCloud backups. (more…)

Phone Password Breaker with all-new UI, BlackBerry 10 support, and downloading Windows Phone 8 data from the cloud

Thursday, May 8th, 2014

This time, we are updating our bread-and-butter mobile forensic tool, Elcomsoft Phone Password Breaker, to version 3.0 (beta). This new version has many things that are new or have changed. Let’s see what’s new, and why. (more…)