Elcomsoft System Recovery UEFI Support

June 16th, 2016 by Oleg Afonin

As you may already know, we’ve released an update to Elcomsoft System Recovery, a tool allowing to reset or recover Windows and Microsoft Account passwords by booting from an external USB drive. The new build allows creating bootable USB drives for devices exclusively relying on UEFI bootloaders. Why was this change needed? Read below for an answer!

UEFI Boot Support

If you need access to Windows protected files (and files containing password hashes are always protected), you will either require administrative privileges or must boot a separate copy of Windows from a separate boot media. Elcomsoft System Recovery has always come with the ability to create such bootable media.

As computers evolved, industry moved to 64-bit computations. During the last decade, CPU manufacturers migrated completely to 64-bit architecture. Some years later, it became obvious that legacy BIOS was no longer relevant in the new age. BIOS was superseded with UEFI.

To maintain compatibility with legacy operating systems, most systems of that time period came with support for legacy boot mode (BIOS emulation, “compatibility mode”) enabled out of the box. As operating systems evolved, manufacturers started gradually phasing out legacy support. Today we have reached the point where many new devices (2013 and newer) come without any sort of BIOS emulation at all.

Elcomsoft System Recovery comes with a customized bootable Windows PE environment. By booting from this media, customers can gain access to existing Windows installations even if they don’t know the correct password. For a long time, Elcomsoft System Recovery was relying on legacy compatibility mode to boot. This is no longer an option. The increased share of devices shipping without BIOS emulation or legacy boot support required us to adapt.

Read the rest of this entry »

Breaking BitLocker Encryption: Brute Forcing the Backdoor (Part I)

June 8th, 2016 by Vladimir Katalov

Investigators start seeing BitLocker encrypted volumes more and more often, yet computer users themselves may be genuinely unaware of the fact they’ve been encrypting their disk all along. How can you break into BitLocker encryption? Do you have to brute-force the password, or is there a quick hack to exploit?

We did our research, and are ready to share our findings. Due to the sheer amount of information, we had to break this publication into two parts. In today’s Part I, we’ll discuss the possibility of using a backdoor to hack our way into BitLocker. This publication will be followed by Part II, in which we’ll discuss brute-force possibilities if access to encrypted information through the backdoor is not available. Read the rest of this entry »

Fingerprint Unlock Security: iOS vs. Google Android (Part I)

June 6th, 2016 by Oleg Afonin

Biometric approach to unlocking portable electronics has been on the rise since late 2013 when Apple released iPhone 5S. Ever since, manufacturers started adding fingerprint scanners to their devices. In the world of Android, this was frequently done without paying much (if any) attention to actual security. So how do these systems compare?

Apple iOS: Individually Matched Touch ID, Secure Enclave at Work

Apple invented Touch ID to increase the average user security. The idea behind fingerprint unlock is for users who had no passcode at all to use Touch ID. Fingerprint data is stored on the Secure Enclave, and is never transferred to Apple servers or iCloud.

Read the rest of this entry »

Dealing with a Locked iPhone

April 15th, 2016 by Oleg Afonin

So you’ve got an iPhone, and it’s locked, and you don’t know the passcode. This situation is so common, and the market has so many solutions and “solutions” that we felt a short walkthrough is necessary.

What exactly can be done to the device depends on the following factors:

Hardware Generation

iphone2

From the point of view of mobile forensics, there are three distinct generations:

  1. iPhone 4 and older (acquisition is trivial)
  2. iPhone 4S, 5 and 5C (32-bit devices, no Secure Enclave, jailbreak required, must be able to unlock the device)
  3. iPhone 5S, 6/6S, 6/6S Plus and newer (64-bit devices, Secure Enclave, jailbreak required, passcode must be known and removed in Settings)

Read the rest of this entry »

Apple Two-Factor Authentication vs. Two-Step Verification

April 1st, 2016 by Oleg Afonin

Two-step verification and two-factor authentication both aim to help users secure their Apple ID, adding a secondary authentication factor to strengthen security. While Apple ID and password are “something you know”, two-step verification (and two-factor authentication) are both based on “something you have”.

However, Apple doesn’t make it easy. Instead of using a single two-factor authentication solution (like Google), the company went for two different processes with similar usability and slightly different names. What are the differences between the two verification processes, and how do they affect mobile forensics? Let’s try to find out.
Read the rest of this entry »

Smartphone Encryption: Why Only 10 Per Cent of Android Smartphones Are Encrypted

March 21st, 2016 by Oleg Afonin

“Had San Bernardino shooter Syed Rizwan Farook used an Android phone, investigators would have had a better chance at accessing the data”, says Jack Nicas in his article in The Wall Street Journal. Indeed, the stats suggest that only 10 per cent of the world’s 1.4 billion Android phones are encrypted, compared with 95 per cent of Apple’s iPhones. Of those encrypted, a major number are using Nexus smartphones that have encryption enforced by default.

What is the reason behind this low encryption adoption rate among Android users? Let’s first have a look at how encryption is enforced by two major mobile OS manufacturers, then look at how it’s implemented by either company. Read the rest of this entry »

Apple vs. the Government: Follow-up

February 22nd, 2016 by Oleg Afonin

We are closely following the case of Apple battling the US government on unlocking the iPhone of San Bernardino mass murderer Farook who killed 14 in December 2015. In our previous post we looked at what the FBI was asking, and why Apple opposes the motion.

On February 19th, a new document shows up. The “GOVERNMENT’S MOTION TO COMPEL APPLE INC. TO COMPLY WITH THIS COURT’S FEBRUARY 16, 2016 ORDER COMPELLING ASSISTANCE IN SEARCH; EXHIBIT”. In this document (which is a highly recommended reading by the way), government attorneys summarize several important points and reply to the many Apple’s and public concerns raised after the original court order. So what do we know today about this case that we didn’t know last week?

The Passcode Is Numeric

The government states that the iPhone 5C in question is protected with a numeric password (see the above motion, p.5/13). This, in turn, means that all possible combinations can be enumerated in about 30 minutes (if the passcode consists of 4 digits) or several days (if there were 6 digits).

In other words, Apple could disable the artificial delay that increases the time between unsuccessful entries, as well disable as the provision that may wipe the phone’s data after 10 unsuccessful attempts. The company could then run an attack on the passcode (using either an in-house tool or one of the many existing forensic solutions such as Elcomsoft iOS Forensic Toolkit), and unlock the device in almost no time.
Read the rest of this entry »

RSS for posts
RSS for comments
Subscribe
ElcomSoft on Facebook
ElcomSoft on Flickr
ElcomSoft on Twitter
    follow me on Twitter