Extract and Decrypt WhatsApp Backups from iCloud

July 20th, 2017 by Oleg Afonin

Facebook-owned WhatsApp is the most popular instant messaging tool worldwide. Due to its point-to-point encryption, WhatsApp is an extremely tough target to extract.

As we already wrote in yesterday’s article, WhatsApp decryption is essential for the law enforcement since due to its popularity and extremely tough security it is a common choice among the criminals. However, the need for WhatsApp decryption is not limited to law enforcement. Us mere mortals may need access to our own communications when re-installing WhatsApp, changing devices or extracting conversations occurred on a device we no longer possess. Since WhatsApp data is not always available in iOS system backups, using WhatsApp’ own stand-alone cloud backup system is the more reliable choice compared to pretty much everything else.

Elcomsoft Explorer for WhatsApp can now access iPhone users’ encrypted WhatsApp communication histories stored in Apple iCloud Drive. If you have access to the user’s SIM card with a verified phone number, you can now use Elcomsoft Explorer for WhatsApp to circumvent the encryption and gain access to iCloud-stored encrypted messages. In this article, we’ll tell you how it works, and provide a step-by-step guide to extracting and decrypting WhatsApp backups from iCloud Drive.

Read the rest of this entry »

WhatsApp: The Bad Guys’ Secret Weapon

July 19th, 2017 by Vladimir Katalov

WhatsApp is one of the most secure messengers with full end-to-end encryption. Messages exchanged between WhatsApp users are using an encrypted point-to-point communication protocol rendering man-in-the-middle attacks useless. WhatsApp communications are never stored or backed up on WhatsApp servers. All this makes government snooping on WhatsApp users increasingly difficult.

WhatsApp has more than a billion users. WhatsApp makes use of the Open Whisper Signal communication protocol to secure communications with end-to-end encryption. WhatsApp users rely on that security to freely exchange messages, discuss sensitive things and, with limited success, avoid religious and political oppression in certain countries. Today, some governments attempt to criminalize WhatsApp protection measures, ban end-to-end encryption and do everything in their power to undermining trust in secure communication tools. What is it all about, and how to find the right balance between public safety and security is the topic of this article.

Read the rest of this entry »

Physical Acquisition Is…

July 13th, 2017 by Vladimir Katalov

…dead? Not really, not completely, and not for every device. We’ve just updated iOS Forensic Toolkit to add physical support for some previously unsupported combinations of hardware (32-bit devices) and software (iOS 9.1 through 9.3.4). The intent was helping our law enforcement and forensic customers clear some of the backlog, finally taking care of evidence kept on dusty shelves in the back room. In order to do the extraction, you’ll need to install the “Home Depot” jailbreak from http://wall.supplies and, obviously, Elcomsoft iOS Forensic Toolkit 2.30.

Read the rest of this entry »

iCloud Outage, New Token Expiration Rules and Fixes for Authentication Issues

July 11th, 2017 by Oleg Afonin

In early July, 2017, Apple has once again revised security measures safeguarding iCloud backups. This time around, the company has altered the lifespan of iCloud authentication tokens, making them just as short-lived as they used to be immediately after celebgate attacks. How this affects your ability to access iCloud data, which rules apply to iCloud tokens, for how long you can still use the tokens and how this affected regular users will be the topic of this article.

Read the rest of this entry »

Fetching Call Logs, Browsing History and Location Data from Microsoft Accounts

June 16th, 2017 by Oleg Afonin

In other blog post, we discussed the updated Elcomsoft Phone Breaker that allows extracting search and browsing history, location data and call logs from users’ Microsoft Accounts. Now let’s talk about the origins of this data and how to enable its collection on different devices – even if they don’t run Microsoft Windows.

Read the rest of this entry »

The New Google Authentication Engine in Elcomsoft Cloud Explorer 1.31

June 15th, 2017 by Oleg Afonin

As you may know, we have recently updated Elcomsoft Cloud Explorer, bumping the version number from 1.30 to 1.31. A very minor update? A bunch of unnamed bug fixes and performance improvements? Not really. Under the hood, the new release has major changes that will greatly affect usage experience. What exactly has changed and why, and what are the forensic implications of these changes? Bear with us to find out.

Read the rest of this entry »

Android Encryption Demystified

May 23rd, 2017 by Oleg Afonin

How many Android handsets are encrypted, and how much protection does Android encryption actually provide? With Android Nougat accounting for roughly 7% of the market, the chance of not being adequately protected is still high for an average Android user.

Android Central published an article titled More Android phones are using encryption and lock screen security than ever before. The author, Andrew Martonik, says: “For devices running Android Nougat, roughly 80% of users are running them fully encrypted. At the same time, about 70% of Nougat devices are using a secure lock screen of some form.”

This information is available directly from Google who shared some security metrics at Google I/O 2017.

“That 80% encryption number isn’t amazingly surprising when you remember that Nougat has full-device encryption turned on by default”, continues Andrew Martonik, “but that number also includes devices that were upgraded from Marshmallow, which didn’t have default encryption. Devices running on Marshmallow have a device encryption rate of just 25%, though, so this is a massive improvement. And the best part about Google’s insistence on default encryption is that eventually older devices will be replaced by those running Nougat or later out of the box, meaning this encryption rate could get very close to 100%.”

So how many Android handsets out there are actually encrypted? Assuming that 0.25 (25%) of Android 6 handsets use encryption, and 0.8 (80%) of Android 7 phones are encrypted, it will be possible to calculate the number of encrypted handsets out of the total number of Android devices.

Let’s have a look at the current Android version distribution chart:

  • Android 5.1.1 and earlier versions: ~62% market share
  • Android 6: 31 (31% market share) * 0.25 = 0.078
  • Android 7: 0.07 (7% market share) * 0.80 = 0.056

Read the rest of this entry »

We Did It Again: Deleted Notes Extracted from iCloud

May 19th, 2017 by Oleg Afonin

As we already know, Apple syncs many types of data across devices that share the same Apple ID. Calls logs, contacts, Safari tabs and browsing history, favorites and notes can be synced. The syncing mechanism supposedly synchronizes newly created, edited and deleted items. These synchronizations work near instantly with little or no delay.

Apple is also known for keeping some items that users want to be deleted. As a reminder, this is a brief history of our findings:

What’s It All About?

Apple has a great note taking app that comes pre-installed on phones, tablets and computers. The Notes app offers the ability to take notes and sync them with the cloud to other devices using the same Apple ID. We discovered that Apple apparently retains in the cloud copies of the users’ notes that were deleted by the user. Granted, deleted notes can be accessed on iCloud.com for some 30 days through the “Recently Deleted” folder; this is not it. We discovered that deleted notes are actually left in the cloud way past the 30-day period, even if they no longer appear in the “Recently Deleted” folder.

For accessing those notes, we updated Elcomsoft Phone Breaker to version 6.50. Read the rest of this entry »

RSS for posts
RSS for comments
Subscribe
ElcomSoft on Facebook
ElcomSoft on Flickr
ElcomSoft on Twitter