Archive for the ‘Elcom-News’ Category

Why Do We Need Physical Acquisition?

Thursday, June 25th, 2015

With all the trouble of jailbreaking iOS 8 devices and the lack of support for 64-bit hardware, does iOS physical acquisition still present meaningful benefits to the investigator? Is it still worth your time and effort attempting to acquire that iPhone via a Lightning cord?

Granted, jailbroken iOS devices are rare as hen’s teeth. You are very unlikely to see one in the wild. However, we strongly believe that physical acquisition still plays an important role in the lab, and here are the reasons why.

  1. Apple’s current privacy policy explicitly denies government information requests if the device in question is running iOS 8. This means that handing over the device to Apple will no longer result in receiving its full image if the device is running iOS 8.x (source: https://www.apple.com/privacy/government-information-requests/)
  2. In many countries (Mexico, Brazil, Russia, Eastern Europe, etc.) Apple sells more 32-bit phones than 64-bit ones. Old iPhones traded in the US are refurbished and sold to consumers in other countries (BrightStar coordinates these operations for Apple in the US). As an example, new and refurbished iPhone 4S and 5 units accounted for some 46% of all iPhones sold through retail channels in Russia in Q1 2015.
  3. Physical extraction returns significantly more information compared to any other acquisition method including logical or over-the-air acquisition. In particular, we’re talking about downloaded mail and full application data including logs and cache files (especially those related to Internet activities). A lot of this information never makes it into backups.
  4. Full keychain extraction is only available with physical acquisition. Physical acquisition is the only way to fully decrypt the keychain, including those records encrypted with device-specific keys. Those keychain items can be extracted from a backup file, but cannot be decrypted without a device-specific key. In addition, the keychain often contains the user’s Apple ID password.
  5. With physical acquisition, you can extract the ‘securityd’ key (0x835) from the device. This key can be used to completely decrypt all keychain items from iCloud backups.
  6. Physical acquisition produces a standard DMG disk image with the HFS+ file system. You can mount the image and analyze it with a wider range of mobile forensic tools than is possible with iTunes or iCloud backup files.

At this time, Elcomsoft iOS Forensic Toolkit remains the only third-party forensic tool to perform physical acquisition of iPhone 4S, 5 and 5C.

Limitations of Physical Acquisition

Apple makes their platform increasingly secure with each generation of hardware and every version of iOS. Apple devices equipped with 64-bit hardware are not susceptible to physical acquisition. Since the overwhelming majority of iOS devices sold in the US through retail channels are already equipped with 64-bit hardware, the number of handsets equipped with 32-bit chips is rapidly declining. The opposite is true for many developing markets, where old-generation devices outsell the latest hardware.

When it comes to iOS 8, physical acquisition is only available to jailbroken devices. At this time, jailbreak is available for all current versions of iOS 8 up to and including iOS 8.3.

As a result, physical acquisition has the following limitations:

  1. Only 32-bit hardware is supported *
  2. iOS 8 devices must be jailbroken in order to perform physical acquisition.
  3. Jailbreaking is not as reliable and straightforward as we’d like it to be.
  4. You can’t jailbreak a locked device if you don’t know the passcode.
  5. Find My Phone must be disabled before installing jailbreak. If Find My Phone is on, you must enter the user’s Apple ID password to turn it off.
  6. In order to perform physical acquisition of a jailbroken device, you’ll need to manually install OpenSSH from Cydia.
  7. At this time, only TaiG jailbreak is supported for the purpose of physical acquisition (http://www.taig.com/en/)

* 64-bit devices are still not supported regardless of iOS version or jailbreak status. For the purpose of physical acquisition, the following compatibility matrix applies.

Supported:

  • iPhone 4S, 5, 5C
  • iPod Touch (5th gen)
  • iPad 2 through 4
  • iPad mini (original)

NOT supported:

  • iPhone 5S, 6, 6 Plus
  • iPad Air
  • iPad mini Retina, iPad mini 3

Conclusion

Even with all limitations of physical acquisition, the method still remains viable in many situations. Some countries still see more 32-bit Apple devices than 64-bit ones, with Apple refurbished devices (trade-ins from the US) pushed by the company as a cheap entry into the ecosystem. Since Apple no longer serves government information requests for devices running iOS 8, physical acquisition remains the only method to extract the full file system from the device, returning more information than any other acquisition method.

Elcomsoft Phone Viewer: Faster and Easier

Tuesday, May 19th, 2015

As you may already know, we have just updated our recently released forensic tool, Elcomsoft Phone Viewer. The update received a major performance boost and numerous usability enhancements.

So what’s the point of having “yet another” mobile forensic tool? Aren’t there enough already? In fact, we considered making this tool for a long time, and were hesitant to make the move exactly because there are so many great forensic packages already. However, our customers kept asking for a lighter, smaller, faster and easier alternative to complement our existing tools. They cited how bulky those all-in-one forensic packages were, and mentioned training courses they had to take just to begin using those tools. Call it minimalism, but we made a tool that doesn’t require training sessions to use, and employs the same familiar user interface as other ElcomSoft tools.

Spring Vaccination From Boredom!

Wednesday, April 1st, 2015

As everyone knows, the high-speed, extremely powerful and increasingly popular ElcomSoft tools have already become industry standard in IT-security, risk management and computer forensics industries. After achieving these targets, our team got a little… bored.

That’s why we’re happy to announce a refreshing turn in the history of our code-breaking business by making an injection of several completely different but entertaining activities. Instead of boring number-crunching code, we will now focus on making t-shirts, mugs, pins, smartphone cases, mobile games, and entertaining commercials, simply for the fact we’re always doing The Right Thing no matter what :)

Think it’s an April Fool’s joke? Just visit our new Web store or download our new game for Android and iOS to see how serious we are!

Discover our new business activities:
★ A new online shop with funny tees, pants, pins, mugs and phone cases
★ A new mobile game ElcomSafe for enriching your IT security vocabulary
★ And an amusing commercial to make you smile and kiss your dearest one

Have a wonderful day and a happy spring!

Supporting Apple iCloud Drive and Decrypting Keychains from iCloud

Thursday, March 12th, 2015

As you may already know from our official announcement, we’ve recently updated Elcomsoft Phone Breaker to support Apple accounts upgraded to iCloud Drive and decrypting keychains from iCloud. Considering that one can access files stored in iCloud Drive without any third-party tools, is the update really worth the buzz? Read along to find out!

Before getting to the updated technology, let’s have a look at what Apple iCloud Drive is, and how it’s different from “classic” iCloud.

Distributed Password Recovery: Faster, Smarter and Cost-Effective

Tuesday, February 3rd, 2015

We have just released a long-awaited update to one of our flagship products, Elcomsoft Distributed Password Recovery. While you can learn more about what’s been added and changed from our official announcement, in this post we’d like to share some insight about the path we took to design this update.

Elcomsoft Phone Breaker Update: Improved iCloud Acquisition, Two-Factor Authentication and Stronger Brute Force

Wednesday, December 17th, 2014

We are excited to announce an update to one of our oldest mobile forensic tools, Elcomsoft Phone Breaker. In this release we mostly targeted iCloud acquisition, although we’ve made some changes to the password recovery algorithm targeting iOS offline backups. All in all, the new tool can be used under a wider range of circumstances, squeezes more juice out of your existing acceleration hardware and adds support for the newest and greatest AMD and NVIDIA boards.

Breaking Into iCloud: No Password Required

Tuesday, June 17th, 2014

With little news on physical acquisition of the newer iPhones, we made every effort to explore the alternatives. One of the alternatives to physical acquisition is over-the-air acquisition from Apple iCloud, allowing investigators to access backups stored in the cloud. While this is old news (we learned to download data from iCloud more than two years ago), this time we have something completely different: access to iCloud backups without a password! The latest release of Phone Password Breaker is all about password-free acquisition of iCloud backups.

Phone Password Breaker with all-new UI, BlackBerry 10 support, and downloading Windows Phone 8 data from the cloud

Thursday, May 8th, 2014

This time, we are updating our bread-and-butter mobile forensic tool, Elcomsoft Phone Password Breaker, to version 3.0 (beta). This new version has many things that are new or have changed. Let’s see what’s new, and why.

Welcome Holidays With ElcomSoft

Thursday, December 12th, 2013

Seasonal Offer

With the most awaited winter holidays just around the corner, now is the best time to take care of an easy after-holidays start at work with less headache, more pleasure, and all your passwords in place.

We give you a 35% discount on our product releases of 2013, starting from today and available till 16th December, 2013. This offer is valid for direct online purchases only, with the help of your special coupon code NY2014-OFF35 (enter the code while placing your order), for the following products:

Elcomsoft Password Recovery Bundle includes all our software (except for Elcomsoft iOS Forensic Toolkit) and embraces all updates of the year.

Elcomsoft Distributed Password Recovery, a high-end solution for big networked workstations, added hardware acceleration for a number of file formats (see www.elcomsoft.com/edpr.html) on AMD Radeon HD cards (including 7000 series) and support for Tesla K20.

Elcomsoft iOS Forensic Toolkit, an all-in-one solution for bit-precise physical acquisition of iOS devices, got more flexibility on cracking the passcode in ‘Guided’ mode, allowing you to detect the passcode type or perform the brute-force or dictionary attack with selected options. The toolkit also supports iPhone 5S and iPad 4 (jailbroken without passcode, non-jailbroken with passcode) for complete forensic analysis of devices’ contents.

Elcomsoft Phone Password Breaker, an ideal solution for investigation of Apple and BlackBerry mobile devices, added support for iOS 7 iTunes and iCloud backups, including keychain decryption, flexible iCloud downloading and quick downloading of iCloud backup data by selected categories.

Advanced Office Password Recovery, an irreplaceable utility for home and corporate usage, was sped up in password recovery for MS Office 2007/2010 and 2013 with AMD OpenCL, NVIDIA CUDA, and NVIDIA Tesla K20.

Elcomsoft Wireless Security Auditor, a unique tool to recover the original WPA/WPA2-PSK text passwords, also added support for the latest AMD Radeon R2xx cards, NVIDIA graphic cards, and NVIDIA Tesla K20.

All our team wishes you a lot of new successful opportunities and greatest accomplishments in 2014!

Our Autumn Events Digest

Wednesday, November 6th, 2013

This fall has been quite rich in IT security events for ElcomSoft. We managed to visit a number of conferences and trade shows in order to, as we say in Russia, see the others and be seen :)

it-sa in Nuremberg welcomed us with a few warm sunny days and a lot of IT-security experts at the event. Being a regular exhibitor at the trade show, we were happy to yet again satisfy visitors’ curiosity about our products and represent our recent achievements in password recovery at our booth and technical forum.

Hack In The Box in Malaysia was a new event to us, as we’ve never been there before, but the first impression was nonetheless very positive. Vladimir Katalov pointed out super interesting talks and excellent organization of the event and also expressed his strong will to come to the event once again, next time in Amsterdam. Vlad’s talk titled “Cracking and Analyzing Apple’s iCloud Protocols” attracted genuine interest from both security professionals and media representatives. Violet Blue from ZDNet covered our talk in her glittering article “Apple’s iCloud cracked: Lack of two-factor authentication allows remote data download”.

Vladimir Katalov's talk at HITB (Image from Violet Blue/ZDNet)

The e-Crime’s e-Discovery and e-Investigations Forum in London went, as always, very smoothly with “well over 400 senior end users from the Private Sector” as noted by the organizers “creating easily the largest gathering of senior infosec and risk executives in the UK. The conference was full to capacity.”

e-Crime 2013

Ruxcon in Melbourne extended a warm welcome to us not only by wonderful weather but also by undivided attention to Vladimir Katalov’s presentation on modern smartphone forensics, as the room was totally packed, to which SC Magazine has its own evidence. Slides of the talk can be found at the conference page http://ruxcon.org.au/slides/

Ruxcon 2013

More events are to follow, so please have a look at our calendar of events at http://www.elcomsoft.com/events.html and come along with us!