Posts Tagged ‘Apple’

Why Do We Need Physical Acquisition?

Thursday, June 25th, 2015

With all the trouble of jailbreaking iOS 8 devices and the lack of support for 64-bit hardware, does iOS physical acquisition still present meaningful benefits to the investigator? Is it still worth your time and effort attempting to acquire that iPhone via a Lightning cord?

Granted, jailbroken iOS devices are rare as hen’s teeth. You are very unlikely to see one in the wild. However, we strongly believe that physical acquisition still plays an important role in the lab, and here are the reasons why.

  1. Apple’s current privacy policy explicitly denies government information requests if the device in question is running iOS 8. This means that handing over the device to Apple will no longer result in receiving its full image if the device is running iOS 8.x (source: https://www.apple.com/privacy/government-information-requests/)
  2. In many countries (Mexico, Brazil, Russia, East Europe etc.) Apple sells more 32-bit phones than 64-bit ones. Old iPhones traded in the US are refurbished and sold to consumers in other countries (BrightStar coordinates these operations for Apple in the US). As an example, new and refurbished iPhone 4S and 5 units accounted for some 46% of all iPhones sold through retail channels in Russia in Q1 2015.
  3. Physical extraction returns significantly more information compared to any other acquisition method including logical or over-the-air acquisition. In particular, we’re talking about downloaded mail and full application data including logs and cache files (especially those related to Internet activities). A lot of this information never makes it into backups.
  4. Full keychain extraction is only available with physical acquisition. Physical is the only way to fully decrypting the keychain including those records encrypted with device-specific keys. Those keychain items can be extracted from a backup file, but cannot be decrypted without a device-specific key. In addition, the keychain often contains the user’s Apple ID password.
  5. With physical acquisition, you can extract the ‘securityd’ (0x835) from the device. This key can be used to completely decrypt all keychain items from iCloud backups.
  6. Physical acquisition produces a standard DMG disk image with HFS+ file system. You can mount the image into the system and use a wider range of mobile forensic tools to analyze compared to iTunes or iCloud backup files.

(more…)

Apple’s Take on Government Surveillance: On Its Customers’ Side

Tuesday, January 27th, 2015

Everyone must comply with government requests to disclose information. How far should one go when disclosing such information? This is up to the company. In a recent trend, several big IT companies including Apple, Facebook, Google and Microsoft among others teamed up to propose a change in US legislatures concerning governments spying on its citizens. The reform would make government surveillance “consistent with established global norms of free expression and privacy and with the goals of ensuring that government law enforcement and intelligence efforts are rule-bound, narrowly tailored, transparent, and subject to oversight”.

(more…)

Everything You Always Wanted to Know About iTunes and iCloud Backups But Were Afraid to Ask

Monday, March 31st, 2014

Do you think you know everything about creating and using backups of Apple iOS devices? Probably not. Our colleague and friend Vladimir Bezmaly (MVP Consumer security, Microsoft Security Trusted Advisor) shares some thoughts, tips and tricks on iTunes and iCloud backups.

iPhone Backups

Mobile phones are everywhere. They are getting increasingly more complex and increasingly more powerful, producing, consuming and storing more information than ever. Today’s smart mobile devices are much more than just phones intended to make and receive calls. Let’s take Apple iPhone. The iPhone handles our mail, plans our appointments, connects us to other people via social networks, takes and shares pictures, and serves as a gaming console, eBook reader, barcode scanner, Web browser, flashlight, pedometer and whatnot. As a result, your typical iPhone handles tons of essential information, keeping the data somewhere in the device. But what if something happens to the iPhone? Or what if nothing happens, but you simply want a newer-and-better model? Restoring the data from a backup would be the simplest way of initializing a new device. But wait… what backup?

Users in general are reluctant to make any sort of backup. They could make a backup copy once after reading an article urging them to back up their data… but that would be it. Apple knows its users, and decided to explore the path yet unbeaten, making backups completely automatic and requiring no user intervention. Two options are available: local backups via iTunes and cloud backups via Apple iCloud.

(more…)

Elcomsoft Phone Password Breaker Enhances iCloud Forensics and Speeds Up Investigations

Thursday, August 22nd, 2013

It’s been a while since we updated Elcomsoft Phone Password Breaker, dedicating our efforts to physical acquisition of iOS devices instead. Well, now when the new iOS Forensic Toolkit is out, it is time to update our classic phone recovery tool.

The new version of Elcomsoft Phone Password Breaker is released! While you can read an official press-release to get an idea of what’s new and updated, you may as well keep reading this blog post to learn not only what is updated, but also why we did it.

Dedicated to iCloud Forensics

This new release is more or less completely dedicated to enhancing support for remote recovery of iOS devices via iCloud. Why do it this way?

Because iCloud analysis remains one of the most convenient ways to acquire iOS devices. You can read more about iCloud analysis in a previous post here. Let’s see what else is available.

(more…)

Apple Two-Factor Authentication and the iCloud

Thursday, May 30th, 2013

Some time ago, I wrote a blog post on hacked Yahoo!, Dropbox and Battle.net accounts, and how this can start a chain reaction. Companies seem to begin recognizing the threat, and are starting to protect their customers with today’s cutting edge security: two-factor authentication.

A word on two-factor authentication. In Europe, banks and financial institutions have been doing this for decades. Clients needed to enter an extra piece of information from a trusted media in addition to their account credentials in order to authorize a transaction such as transferring money out of their account. For many years, bank used printed lists of numbered passcodes serving as Transaction Authentication Numbers (TAN). When attempting to transfer money out of your bank account, you would be asked to enter a passcode number X. If you did not come up with the right code, the transfer would not execute. There are alternatives to printed TAN’s such as single-use passwords sent via a text message to a trusted mobile number or interactive TANs generated with a trusted crypto token or a software app installed onto a trusted phone.

Online services such as Microsoft or Google implement two-factor authentication in a different manner, asking their customers to come up with a second piece of an ID when attempting to access their services from a new device. This is supposed to prevent anyone stealing your login and password information from gaining access to your account from devices other than your own, verified PC, phone or tablet.

The purpose of two-factor authentication is to prevent parties gaining unauthorized access to your account credentials from taking any real advantage. Passwords are way too easy to compromise. Social engineering, keyloggers, trojans, password re-use and other factors contribute to the number of accounts compromised every month. An extra step in the authorization process involving a trusted device makes hackers lives extremely tough.

At this very moment, two-step authentication is being implemented by major online service companies. Facebook, Google and Microsoft already have it. Twitter is ‘rolling out two-factor authentication too.

A recent story about a journalist’s Google, Twitter and Apple accounts compromised and abused seems to have Apple started on pushing its own implementation of two-factor authentication.

Two-Factor Authentication: The Apple Way

Apple’s way of doing things is… different. Let’s look at their implementation of two-factor authentication.

(more…)

iCloud backups inside out

Monday, February 25th, 2013

It’s been a while since we released the new version of Elcomsoft Phone Password Breaker that allows downloading backups from iCloud (read the press release). Many customers all over the world are already using this new feature intensively, but we still get many questions about its benefits, examples of cases when it can be used and how to use it properly. We also noticed many ironic comments in different forums (mostly from users without any experience in using iOS devices and so have no idea what iCloud backups actually are, I guess), saying that there is nothing really new or interesting there, because anyone with Apple ID and password can access the data stored in iCloud backup anyway.

Well, it seems some further explanation is needed. If you are already using EPPB (and this feature in particular) you will find some useful tips for future interaction with iCloud, or even if you don’t have an iOS device (you loser! just kidding :)) please go ahead and learn how iCloud can be helpful and dangerous at the same time. (more…)

iCloud: Making Users Spy on Themselves

Thursday, February 21st, 2013

Apple iCloud is a popular service providing Apple users the much needed backup storage space. Using the iCloud is so simple and unobtrusive that more than 190 million customers (as of November, 2012) are using the service on regular basis.

Little do they know. The service opens governments a back door for spying on iOS users without them even knowing. ElcomSoft researchers discovered that information stored in the iCloud can be retrieved by anyone without having access to a physical device, provided that the original Apple ID and password are known. The company even built the technology for accessing this information in one of its mobile forensic products, Elcomsoft Phone Password Breaker, allowing investigators accessing backup copies of the phone’s content via iCloud services.

(more…)

New Hardware Key for iPad 3 Passcode Verification or Is It Just Masking?

Friday, June 8th, 2012

Few days ago we have updated our iOS Forensic Toolkit to version 1.15 which includes some bugfixes and improvements and, most notably, supports passcode recovery on the new iPad (also known as iPad 3). There are no significant changes from the practical point of view (i.e. the process of passcode recovery is still exactly the same), but there is something new under the hood. So if you’re interested in iOS security and how stuff works, please read on.

(more…)

Explaining that new iCloud feature

Tuesday, May 29th, 2012

It’s been almost two weeks since we have released updated version of Elcomsoft Phone Password Breaker that is capable of downloading backups from the iCloud and we have seen very diverse feedback ever since. Reading through some articles or forum threads it became quite evident that many just do not understand what we have actually done and what are the implications. So I am taking another try to clarify things.

(more…)

ElcomSoft Helps Investigate Crime Providing Yet Another Way to Break into iOS with iCloud Attack

Tuesday, May 15th, 2012

 

Elcomsoft Phone Password Breaker and Elcomsoft iOS Forensic Toolkit have been around for a while, acquiring user information from physical iPhone/iPad devices or recovering data from user-created offline backups. Both tools required the investigator to have access to the device itself, or at least accessing a PC with which the iOS device was synced at least once. This limited the tools’ applications to solving the already committed crime, but did little to prevent crime that’s just being planned.

The new addition to the family of iOS acquisition tools turns things upside down. Meet updated Elcomsoft Phone Password Breaker – a tool that can now retrieve information from suspects’ phones without them even noticing. The newly introduced attack does not need investigators to have access to the phone itself. It doesn’t even require access to offline backups produced by that phone. Instead, the new attack targets an online, remote storage provided by Apple. By attacking a remote storage, the updated tool makes it possible watching suspects’ iPhone activities with little delay and without alerting the suspects. In fact, the tool can retrieve information from the online storage without iPhone users even knowing, or having a chance to learn about the unusual activity on their account. (more…)