Archive for the ‘General’ Category

Building a Distributed Network in the Cloud: Using Amazon EC2 to Break Passwords

Thursday, July 28th, 2016

Not all passwords provide equal protection. Some formats are more resistant to brute-force attacks than others. As an example, Microsoft Office 2013 and 2016 employ a smart encryption scheme that is very slow to decrypt. Even the fastest available GPU units found in NVIDIA’s latest GeForce GTX 1080 will only allow trying some 7100 passwords per second.

image001

One solution is employing a custom dictionary, possibly containing the user’s passwords that were easier to break. Observing the common pattern in those other passwords may allow creating a custom mask that could greatly reduce the number of possible combinations.

(more…)

Breaking BitLocker Encryption: Brute Forcing the Backdoor (Part II)

Wednesday, July 27th, 2016

statistics_color6

How often do you think forensic specialists have to deal with encrypted containers? Compared with office documents and archives that are relatively infrequent, every second case involves an encrypted container. It may vary, but these evaluations are based on a real survey conducted by our company.

It is hard to overestimate the importance of the topic. In the first part of our story we discussed the way of getting access to encrypted volumes using an encryption key. Now, let’s see which other ways can be used.

Unlike Elcomsoft Forensic Disk Decryptor, Elcomsoft Distributed Password Recovery does not search for existing decryption keys. Instead, it tries to unlock password-protected disks by attacking the password. The tool applies an impressive variety of techniques for attacking the password. In this case, the whole disk encryption scheme is only as strong as its password. Fortunately, the tool can execute a wide range of attacks including wordlist attack, combination attacks, mask attacks, smart attacks and so on and so forth, with advanced GPU acceleration and distributed processing on top of that. The whole sophisticated arsenal comes in particularly handy if we speak about more or less secure passwords.

(more…)

Mac OS Forensics: Attacking FileVault 2

Wednesday, July 27th, 2016

In the world of Windows dominance, Apple’s Mac OS X enjoys a healthy market share of 9.5% among desktop operating systems. The adoption of Apple’s desktop OS (macOS seems to be the new name) is steadily growing. This is why we are targeting Mac OS with our tools.

This time, let’s talk about Mac OS X user account passwords. Not only will a user password allow accessing their Mac, but it will also allow decrypting FileVault 2 volumes that are otherwise securely encrypted with virtually unbreakable XTS-AES.

Attacking FileVault 2

FileVault 2 is Apple’s take on whole-disk encryption. Protecting the entire startup partition, FileVault 2 volumes can be unlocked with either of the following:

  • 256-bit XTS-AES key
  • Recovery Key
  • User password from any account with “unlock” privileges

There is also an additional unlock method available called Institutional Recovery Key. These recovery keys are created when system administrators enable FileVault 2 encryption with FileVaultMaster.keychain. This method requires additional steps to activate, and is typically used in organizations with centralized keychain management.

(more…)

NVIDIA Pascal: a Great Password Cracking Tool

Tuesday, July 26th, 2016

During the last several years, progress on the CPU performance front has seemingly stopped. Granted, last-generation CPUs are cool, silent and power-efficient. Anecdotal evidence: my new laptop (a brand new Macbook) is about as fast as the Dell ultrabook it replaced. The problem? I bought the Dell laptop some five years ago. Granted, the Dell was thicker and noisier. It’s battery never lasted longer than a few hours. But it was about as fast as the new Macbook.

Computer games have evolved a lot during the last years. Demanding faster and faster video cards, today’s games are relatively lax on CPU requirements. Manufacturers followed the trend, continuing the performance race. GPUs have picked up where CPUs have left.

NVIDIA has recently released a reference design for GTX 1080 boards based on the new Pascal architecture. Elcomsoft Distributed Password Recovery 3.20 adds support for the new architecture. What does it mean for us?

(more…)

Fingerprint Unlock Security: iOS vs. Google Android (Part II)

Monday, June 20th, 2016

Fingerprint Unlock Security: Google Android and Microsoft Hello

Using one’s fingerprint to unlock a mobile device with a touch is fast and convenient. But does it provide sufficient security? More importantly, does biometric unlock provide a level of security comparable to that of the more traditional PIN or passcode? As we found in the first article, Apple has managed to develop a comprehensive fingerprint unlock system that provides just enough security while offering a much greater convenience compared to traditional unlock methods. What’s up with that in the other camp?

01finger

Google Android 4.x through 5.1.1: No Fingerprint API

There is no lack of Android smartphones (but no tablets) that come with integrated fingerprint scanners. Samsung Galaxy S5, S6, S7, Motorola Moto Z, SONY Xperia Z5, LG G5, Huawei Ascend Mate 7 and newer flagships, Meizu Pro 5 and a plethora of other devices are using fingerprint scanners without proper support on the native API level.

(more…)

Fingerprint Unlock Security: iOS vs. Google Android (Part I)

Monday, June 6th, 2016

Biometric approach to unlocking portable electronics has been on the rise since late 2013 when Apple released iPhone 5S. Ever since, manufacturers started adding fingerprint scanners to their devices. In the world of Android, this was frequently done without paying much (if any) attention to actual security. So how do these systems compare?

Apple iOS: Individually Matched Touch ID, Secure Enclave at Work

Apple invented Touch ID to increase the average user security. The idea behind fingerprint unlock is for users who had no passcode at all to use Touch ID. Fingerprint data is stored on the Secure Enclave, and is never transferred to Apple servers or iCloud.

(more…)

Dealing with a Locked iPhone

Friday, April 15th, 2016

So you’ve got an iPhone, and it’s locked, and you don’t know the passcode. This situation is so common, and the market has so many solutions and “solutions” that we felt a short walkthrough is necessary.

What exactly can be done to the device depends on the following factors:

Hardware Generation

iphone2

From the point of view of mobile forensics, there are three distinct generations:

  1. iPhone 4 and older (acquisition is trivial)
  2. iPhone 4S, 5 and 5C (32-bit devices, no Secure Enclave, jailbreak required, must be able to unlock the device)
  3. iPhone 5S, 6/6S, 6/6S Plus and newer (64-bit devices, Secure Enclave, jailbreak required, passcode must be known and removed in Settings)

(more…)

Smartphone Encryption: Why Only 10 Per Cent of Android Smartphones Are Encrypted

Monday, March 21st, 2016

“Had San Bernardino shooter Syed Rizwan Farook used an Android phone, investigators would have had a better chance at accessing the data”, says Jack Nicas in his article in The Wall Street Journal. Indeed, the stats suggest that only 10 per cent of the world’s 1.4 billion Android phones are encrypted, compared with 95 per cent of Apple’s iPhones. Of those encrypted, a major number are using Nexus smartphones that have encryption enforced by default.

What is the reason behind this low encryption adoption rate among Android users? Let’s first have a look at how encryption is enforced by two major mobile OS manufacturers, then look at how it’s implemented by either company. (more…)

Apple vs. the Government: Follow-up

Monday, February 22nd, 2016

We are closely following the case of Apple battling the US government on unlocking the iPhone of San Bernardino mass murderer Farook who killed 14 in December 2015. In our previous post we looked at what the FBI was asking, and why Apple opposes the motion.

On February 19th, a new document shows up. The “GOVERNMENT’S MOTION TO COMPEL APPLE INC. TO COMPLY WITH THIS COURT’S FEBRUARY 16, 2016 ORDER COMPELLING ASSISTANCE IN SEARCH; EXHIBIT”. In this document (which is a highly recommended reading by the way), government attorneys summarize several important points and reply to the many Apple’s and public concerns raised after the original court order. So what do we know today about this case that we didn’t know last week?

The Passcode Is Numeric

The government states that the iPhone 5C in question is protected with a numeric password (see the above motion, p.5/13). This, in turn, means that all possible combinations can be enumerated in about 30 minutes (if the passcode consists of 4 digits) or several days (if there were 6 digits).

In other words, Apple could disable the artificial delay that increases the time between unsuccessful entries, as well disable as the provision that may wipe the phone’s data after 10 unsuccessful attempts. The company could then run an attack on the passcode (using either an in-house tool or one of the many existing forensic solutions such as Elcomsoft iOS Forensic Toolkit), and unlock the device in almost no time.
(more…)