We are excited to announce an update to one of our oldest mobile forensic tools, Elcomsoft Phone Breaker. In this release we mostly targeted iCloud acquisition, although we’ve made some changes to the password recovery algorithm targeting iOS offline backups. All in all, the new tool can be used under a wider range of circumstances, squeezes more juice of your existing acceleration hardware and adds support for newest and greatest AMD and NVIDIA boards.
Archive for the ‘Software’ Category
Elcomsoft Phone Breaker Update: Improved iCloud Acquisition, Two-Factor Authentication and Stronger Brute ForceWednesday, December 17th, 2014
In light of recent security outbreaks, Apple introduced a number of changes to its security policies. As one of the leading security companies and a major supplier of forensic software for iOS devices, ElcomSoft is being constantly approached by IT security specialists, journalists and forensic experts. The most common question is: how will the new security measures affect iOS forensics? (more…)
Two years ago, ElcomSoft analyzed some 17 password management applications for mobile platforms only to discover that no single app was able to deliver the claimed level of protection. The majority of the apps relied upon proprietary encryption models rather than utilizing iOS exemplary security model. As a result, most applications were either plain insecure or provided insufficient security levels, allowing a competent intruder to break into the encrypted data in a matter of hours, if not minutes. Full report (PDF) is available here.
Today, we need stronger security more than ever. Was the urge for stronger security recognized by software makers, or are they still using the same inefficient techniques? In order to find out, we decided to re-test some of the previously analyzed products. Keeper® Password Manager & Digital Vault will the first subject for dissection.
Back in 2012, we weren’t much impressed by security in any of the apps we analyzed. Two years later, Keeper developers claimed they’ve successfully implemented the suggestions we made during the last analysis. The developers claim to have used 256-bit AES encryption, PBKDF2 key generation, BCrypt, and SHA-1 among other things. Let’s see if these improvements lead to stronger security.
With little news on physical acquisition of the newer iPhones, we made every effort to explore the alternatives. One of the alternatives to physical acquisition is over-the-air acquisition from Apple iCloud, allowing investigators accessing cloud backups stored in the cloud. While this is old news (we learned to download data from iCloud more than two years ago), this time we have something completely different: access to iCloud backups without a password! The latest release of Phone Password Breaker is all about password-free acquisition of iCloud backups. (more…)
Phone Password Breaker with all-new UI, BlackBerry 10 support, and downloading Windows Phone 8 data from the cloudThursday, May 8th, 2014
This time, we are updating our bread-and-butter mobile forensic tool, Elcomsoft Phone Password Breaker, to version 3.0 (beta). This new version has many things that are new or have changed. Let’s see what’s new, and why. (more…)
Do you think you know everything about creating and using backups of Apple iOS devices? Probably not. Our colleague and friend Vladimir Bezmaly (MVP Consumer security, Microsoft Security Trusted Advisor) shares some thoughts, tips and tricks on iTunes and iCloud backups.
Mobile phones are everywhere. They are getting increasingly more complex and increasingly more powerful, producing, consuming and storing more information than ever. Today’s smart mobile devices are much more than just phones intended to make and receive calls. Let’s take Apple iPhone. The iPhone handles our mail, plans our appointments, connects us to other people via social networks, takes and shares pictures, and serves as a gaming console, eBook reader, barcode scanner, Web browser, flashlight, pedometer and whatnot. As a result, your typical iPhone handles tons of essential information, keeping the data somewhere in the device. But what if something happens to the iPhone? Or what if nothing happens, but you simply want a newer-and-better model? Restoring the data from a backup would be the simplest way of initializing a new device. But wait… what backup?
Users in general are reluctant to make any sort of backup. They could make a backup copy once after reading an article urging them to back up their data… but that would be it. Apple knows its users, and decided to explore the path yet unbeaten, making backups completely automatic and requiring no user intervention. Two options are available: local backups via iTunes and cloud backups via Apple iCloud.
This is the second part of Elcomsoft Phone Password Breaker Enhances iCloud Forensics and Speeds Up Investigations article.
Extracting the content of an iPhone is only half the job. Recovering meaningful information from raw data is yet another matter. The good news is there are plenty of powerful tools providing iOS analytics. The bad news? You’re about to spend a lot of time analyzing the files and documenting the findings. Depending on the purpose of your investigation, your budget and your level of expertise using forensic tools, you may want using one tool or the other. Let’s see what’s available.
It’s been a while since we updated Elcomsoft Phone Password Breaker, dedicating our efforts to physical acquisition of iOS devices instead. Well, now when the new iOS Forensic Toolkit is out, it is time to update our classic phone recovery tool.
The new version of Elcomsoft Phone Password Breaker is released! While you can read an official press-release to get an idea of what’s new and updated, you may as well keep reading this blog post to learn not only what is updated, but also why we did it.
Dedicated to iCloud Forensics
This new release is more or less completely dedicated to enhancing support for remote recovery of iOS devices via iCloud. Why do it this way?
Because iCloud analysis remains one of the most convenient ways to acquire iOS devices. You can read more about iCloud analysis in a previous post here. Let’s see what else is available.
Some time ago, I wrote a blog post on hacked Yahoo!, Dropbox and Battle.net accounts, and how this can start a chain reaction. Companies seem to begin recognizing the threat, and are starting to protect their customers with today’s cutting edge security: two-factor authentication.
A word on two-factor authentication. In Europe, banks and financial institutions have been doing this for decades. Clients needed to enter an extra piece of information from a trusted media in addition to their account credentials in order to authorize a transaction such as transferring money out of their account. For many years, bank used printed lists of numbered passcodes serving as Transaction Authentication Numbers (TAN). When attempting to transfer money out of your bank account, you would be asked to enter a passcode number X. If you did not come up with the right code, the transfer would not execute. There are alternatives to printed TAN’s such as single-use passwords sent via a text message to a trusted mobile number or interactive TANs generated with a trusted crypto token or a software app installed onto a trusted phone.
Online services such as Microsoft or Google implement two-factor authentication in a different manner, asking their customers to come up with a second piece of an ID when attempting to access their services from a new device. This is supposed to prevent anyone stealing your login and password information from gaining access to your account from devices other than your own, verified PC, phone or tablet.
The purpose of two-factor authentication is to prevent parties gaining unauthorized access to your account credentials from taking any real advantage. Passwords are way too easy to compromise. Social engineering, keyloggers, trojans, password re-use and other factors contribute to the number of accounts compromised every month. An extra step in the authorization process involving a trusted device makes hackers lives extremely tough.
At this very moment, two-step authentication is being implemented by major online service companies. Facebook, Google and Microsoft already have it. Twitter is ‘rolling out two-factor authentication too.
A recent story about a journalist’s Google, Twitter and Apple accounts compromised and abused seems to have Apple started on pushing its own implementation of two-factor authentication.
Two-Factor Authentication: The Apple Way
Apple’s way of doing things is… different. Let’s look at their implementation of two-factor authentication.
BitLocker, PGP and TrueCrypt set industry standard in the area of whole-disk and partition encryption. All three tools provide strong, reliable protection, and offer a perfect implementation of strong crypto.
Normally, information stored in any of these containers is impossible to retrieve without knowing the original plain-text password protecting the encrypted volume. The very nature of these crypto containers suggests that their target audience is likely to select long, complex passwords that won’t be easy to guess or brute-force. And this is exactly the weakness we’ve targeted in our new product: Elcomsoft Forensic Disk Decryptor.
The Weakness of Crypto Containers
The main and only weakness of crypto containers is human factor. Weak passwords aside, encrypted volumes must be mounted for the user to have on-the-fly access to encrypted data. No one likes typing their long, complex passwords every time they need to read or write a file. As a result, keys used to encrypt and decrypt data that’s being written or read from protected volumes are kept readily accessible in the computer’s operating memory. Obviously, what’s kept readily accessible can be retrieved near instantly by a third-party tool. Such as Elcomsoft Forensic Disk Decryptor.
Retrieving Decryption Keys
In order to access the content of encrypted containers, we must retrieve the appropriate decryption keys. Elcomsoft Forensic Disk Decryptor can obtain these keys from memory dumps captured with one of the many forensic tools or acquired during a FireWire attack. If the computer is off, Elcomsoft Forensic Disk Decryptor can retrieve decryption keys from a hibernation file. It’s important that encrypted volumes are mounted at the time a memory dump is obtained or the PC goes to sleep; otherwise, the decryption keys are destroyed and the content of encrypted volumes cannot be decrypted without knowing the original plain-text password.
“The new product includes algorithms allowing us to analyze dumps of computers’ volatile memory, locating areas that contain the decryption keys. Sometimes the keys are discovered by analyzing byte sequences, and sometimes by examining crypto containers’ internal structures. When searching for PGP keys, the user can significantly speed up the process if the exact encryption algorithm is known.”
It is essential to note that Elcomsoft Forensic Disk Decryptor extracts all the keys from a memory dump at once, so if there is more than one crypto container in the system, there is no need to re-process the memory dump.
Using forensic software for taking snapshots of computers’ memory is nothing new. The FireWire attack method existed for many years, but for some reason it’s not widely known. This method is described in detail in many sources such as http://www.securityresearch.at/publications/windows7_firewire_physical_attacks.pdf or http://www.hermann-uwe.de/blog/physical-memory-attacks-via-firewire-dma-part-1-overview-and-mitigation
The FireWire attack method is based on a known security issue that impacts FireWire / i.LINK / IEEE 1394 links. One can take direct control of a PC or laptop operating memory (RAM) by connecting through a FireWire. After that, grabbing a full memory dump takes only a few minutes. What made it possible is a feature of the original FireWide/IEEE 1394 specification allowing unrestricted access to PC’s physical memory for external FireWire devices. Direct Memory Access (DMA) is used to provide that access. As this is DMA, the exploit is going to work regardless of whether the target PC is locked or even logged on. There’s no way to protect a PC against this threat except explicitly disabling FireWire drivers. The vulnerability exists for as long as the system is running. There are many free tools available to carry on this attack, so Elcomsoft Forensic Disk Decryptor does not include a module to perform one.
If the computer is turned off, there are still chances that the decryption keys can be retrieved from the computer’s hibernation file. Elcomsoft Forensic Disk Decryptor comes with a module analyzing hibernation files and retrieving decryption keys to protected volumes.
Complete Decryption and On-the-Fly Access
With decryption keys handy, Elcomsoft Forensic Disk Decryptor can go ahead and unlock the protected disks. There are two different modes available. In complete decryption mode, the product will decrypt everything stored in the container, including any hidden volumes. This mode is useful for collecting the most evidence, time permitting.
In real-time access mode, Elcomsoft Forensic Disk Decryptor mounts encrypted containers as drive letters, enabling quick random access to encrypted data. In this mode files are decrypted on-the-fly at the time they are read from the disk. Real-time access comes handy when investigators are short on time (which is almost always the case).
We are also adding True Crypt and Bitlocker To Go plugins to Elcomsoft Distributed Password Recovery, enabling the product to attack plain-text passwords protecting the encrypted containers with a range of advanced attacks including dictionary, mask and permutation attacks in addition to brute-force.
The unique feature of Elcomsoft Forensic Disk Decryptor is the ability to mount encrypted disks as a drive letter, using any and all forensic tools to quickly access the data. This may not seem secure, and may not be allowed by some policies, but sometimes the speed and convenience is everything. When you don’t have the time to spend hours decrypting the entire crypto container, simply mount the disk and run your analysis tools for quick results!
More information about Elcomsoft Forensic Disk Decryptor is available on the official product page at http://www.elcomsoft.com/efdd.html