ElcomSoft blog

«…Everything you wanted to know about password recovery, data decryption,
mobile & cloud forensics…»

Everything You Wanted to Know about Activation Lock and iCloud Lock

October 4th, 2018 by Oleg Afonin

Working in a mobile forensic company developing tools for iCloud forensics, logical and physical extraction of iPhone devices, we don’t live another day without being asked if (or “how”) we can help remove iCloud lock from a given iPhone. Without throwing a definite “yes” or “no” (or “just buy this tool”), we’ve decided to gather everything we know about bypassing, resetting and disabling iCloud activation lock on recent Apple devices.

What Is Activation Lock (iCloud Lock)?

Activation Lock, or iCloud Lock, is a feature of Find My iPhone, Apple’s proprietary implementation of a much wider protection system generally referred as Factory Reset Protection (FRP). Factory Reset Protection, or “kill switch”, is regulated in the US via the Smartphone Theft Prevention Act of 2015. The Act requires device manufacturers to feature a so-called “kill switch” allowing legitimate users to remotely wipe and lock devices. The purpose of the kill switch was to discourage smartphone theft by dramatically reducing resale value of stolen devices.

According to Apple, “Activation Lock is a feature that’s designed to prevent anyone else from using your iPhone, iPad, iPod touch, or Apple Watch if it’s ever lost or stolen. Activation Lock is enabled automatically when you turn on Find My iPhone. … Even if you erase your device remotely, Activation Lock can continue to deter anyone from reactivating your device without your permission. All you need to do is keep Find My iPhone turned on, and remember your Apple ID and password.” Read the rest of this entry »

iOS Forensics Training in Vienna: 17-19 Oct 2018

October 1st, 2018 by Oleg Afonin

There’s still time to register for the upcoming ElcomSoft training program in Vienna! Held in partnership with T3K-Forensics, this three-day training program will cover everything about iOS forensics. Law enforcement and forensic specialists are welcome to sign up! We’ll cover all the bases from seizing and transporting mobile devices to iOS extraction and analysis. We’ll talk about the acquisition workflow and have participants perform logical, physical and cloud extraction of iOS devices. Expect live demonstrations and fully guided hands-on experience obtaining evidence from iOS devices, pulling data from locked iPhones and accessing iCloud for even more evidence.

In this training:

  • Mobile acquisition workflow
  • Seizing, storing and transporting wireless capable mobile devices
  • The challenge of USB Restricted Mode in iOS 11 and iOS 12
  • Full-disk encryption, passcode and biometric authentication
  • Logical acquisition: extracting encrypted and unencrypted backups; shared files; photos and videos; crash logs; accessing stored passwords
  • Logical acquisition of locked devices: locating, extracting and using lockdown records
  • Physical acquisition: jailbreaking, imaging the file system, extracting passwords and decrypting the keychain
  • Cloud acquisition: synced data; backups; messages; iCloud Keychain (Safari passwords)

Where: Vienna, Austria
Language: English
Dates: 17-19 Oct, 2018

Sign Up!

Read the rest of this entry »

iOS 12 Enhances USB Restricted Mode

September 20th, 2018 by Oleg Afonin

The release of iOS 11.4.1 back in July 2018 introduced USB Restricted Mode, a feature designed to defer passcode cracking tools such as those developed by Cellerbrite and Grayshift. As a reminder, iOS 11.4.1 automatically switches off data connectivity of the Lightning port after one hour since the device was last unlocked, or one hour since the device has been disconnected from a USB accessory or computer. In addition, users could manually disable the USB port by following the S.O.S. mode routine.

iOS 12 takes USB restrictions one step further. According to the new iOS Security guide published by Apple after the release of iOS 12, USB connections are disabled immediately after the device locks if more than three days have passed since the last USB connection, or if the device is in a state when it requires a passcode.

“In addition, on iOS 12 if it’s been more than three days since a USB connection has been established, the device will disallow new USB connections immediately after it locks. This is to increase protection for users that don’t often make use of such connections. USB connections are also disabled whenever the device is in a state where it requires a passcode to re-enable biometric authentication.”

Source: Apple iOS Security, September 2018 Read the rest of this entry »

Cloud Forensics: Why, What and How to Extract Evidence

September 6th, 2018 by Oleg Afonin

Cloud analysis is arguably the future of mobile forensics. Whether or not the device is working or physically accessible, cloud extraction often allows accessing amounts of information far exceeding those available in the device itself.

Accessing cloud evidence requires proper authentication credentials, be it the login and password or credentials cached in the form of a binary authentication token. Without authentication credentials, one cannot access the data. However, contrary to popular belief, even if proper authentication credentials are available, access to evidence stored in the cloud is not a given. In this article we’ll tell you how to access information stored in Apple iCloud with and without using forensic tools. Read the rest of this entry »

Analysing Apple Pay Transactions

August 30th, 2018 by Oleg Afonin

With more than 127 million users in multiple countries, Apple Pay is one of the more popular contactless payment systems. Unlike some competing payment technologies, Apple Pay is not only tightly integrated into Apple’s ecosystem but is exclusive to Apple devices.

Apple Pay serves as a digital wallet, digitizing user’s payment cards and completely replacing traditional swipe-and-sign and chip-and-PIN transactions at compatible terminals. However, unlike traditional wallets, Apple Pay also keeps detailed information about the user’s point of sale transactions. Due to the sheer amount of highly sensitive information processed by the system, Apple Pay is among the most securely protected vaults in compatible devices. In this article we’ll show you where and how this information is stored in the file system, how to extract it from the iPhone and how to analyse the data. Read the rest of this entry »

Using Intel Built-in Graphic Cores to Accelerate Password Recovery

August 14th, 2018 by Oleg Afonin

GPU acceleration is the thing when you need to break a password. Whether you use brute force, a dictionary of common words or a highly customized dictionary comprised of the user’s existed passwords pulled from their Web browser, extracted from their smartphone or downloaded from the cloud, sheer performance is what you need to make the job done in reasonable time.

Making use of the GPU cores of today’s high-performance video cards is not something one can ignore. A single video card such as an NVIDIA GTX 1080 offers 50 to 400 times the performance of a high-end, multi-core Intel CPU on some specific tasks – which include calculations of cryptographic operations required to break encryption and brute-force passwords. The benefits are very real:

But what if you don’t have immediate access to a computer with a dedicated high-end video card? What if you are working in the field and using a laptop with its video output handled by Intel’s built-in graphic chip?

We have good news for you: you can use that built-in Intel chip to speed up password attacks. Granted, a power-sipping Intel chip won’t give you as much performance as a dedicated board dissipating 200W of heat, but that extra performance will literally cost you nothing. Besides, many ElcomSoft tools such as Elcomsoft Distributed Password Recovery will simply add that extra GPU chip to the list of available hardware resources, effectively squeezing the last bit of performance from your PC. Read the rest of this entry »

Android Pie Lockdown Option: a Match for iOS SOS Mode?

August 8th, 2018 by Oleg Afonin

We have already covered the emergency SOS mode introduced in iOS 11. When entering this mode, the phone disables Touch ID and Face ID, requiring the passcode to unlock the phone. It appears that Google is taking cues from Apple, adding a new Lockdown Option to the newly released Android 9 Pie. Let us see what is similar and what is different between iOS SOS mode and Android 9.0 Pie Lockdown Option.

Read the rest of this entry »

iOS 12 Beta 5: One Step Forward, Two Steps Back

July 31st, 2018 by Vladimir Katalov

The release of iOS 11.4.1 marked the introduction of USB restricted mode, a then-new protection scheme disabling USB data pins after one hour. The USB restricted mode was not invincible; in fact, one could circumvent protection by connecting the device to a $39 accessory. While a great improvement on itself, the new mode did not provide sufficient protection. We wished Apple maintained a list of “trusted” or previously connected accessories on the device, allowing only such devices to reset the timer. In this new iOS 12 beta, Apple makes attempts to further “improve” USB restricted mode, yet the quotes about “improving” the system are there on purpose.

We recently covered the whole story starting from iOS 11.3 and up to the then-current iOS 12 beta, but it looks the story is far from the end. I think Apple monitors media coverage including our blog, and takes a note on some of the readers’ comments in an attempt to find the right balance between security and convenience. We even suggested how they could possibly improve the new mode’s implementation, and… iOS 12 Beta 5 (just released) brings another surprise.

Read the rest of this entry »

USB Restricted Mode Inside Out

July 12th, 2018 by Vladimir Katalov

It’s been a lot of hype around the new Apple security measure (USB restricted mode) introduced in iOS 11.4.1. Today we’ll talk about how we tested the new mode, what are the implications, and what we like and dislike about it. If you are new to the topic, consider reading our blog articles first (in chronological order):

To make a long story short: apparently, Apple was unable to identify and patch vulnerabilities allowing to break passcodes. Instead, they got this idea to block USB data connection after a period of time, so no data transfer can even occur after a certain “inactivity” period (keep reading about the definition of “inactivity”). It is somehow similar to how Touch ID/Face ID expire from time to time, so you can only use the passcode if you did not unlock the device for a period of time. Same for USB now.

Read the rest of this entry »

Accessing Lockdown Files on macOS

July 12th, 2018 by Oleg Afonin

Lockdown records, or pairing records, are frequently used for accessing locked iOS devices. By using an existing lockdown record extracted from the suspect’s computer, forensic specialists can perform logical acquisition of the iOS device with iOS Forensic Toolkit and other forensic tools. Logical acquisition helps obtain information stored in system backups, access shared and media files, and even extract device crash logs. However, lockdown records may be tricky to access and difficult to extract. macOS protects lockdown files with access permissions. Let’s find out how to access the lockdown files on a live macOS system.

What Are Lockdown Records, Technically?

A down to the Earth explanation of a lockdown records is it’s simply a file stored on the user’s computer. More technically, lockdown files keep cryptographic keys that are used to allow iOS devices communicate with computers they are paired to. Such pairing records are created the first time the user connects their iOS device to a Mac or PC that has iTunes installed. Lockdown records help the iPhone talk to the computer even if the iPhone in question is locked, so that the user does not have to unlock the device every time it’s connected to the PC. This means that experts may be able to perform logical acquisition of locked iOS devices if they can obtain a valid, non-expired lockdown record. There are some “ifs and buts” though. Namely, lockdown records expire after a while. And you can only use lockdown records if the iPhone in question was unlocked (with its passcode) at least once after it was powered on or rebooted. Otherwise, the data partition remains encrypted, and you can access very little information (yet you can still get some info about the device).

macOS Protects Access to Lockdown Files

In macOS, lockdown records are stored at /private/var/db/lockdown. Starting with macOS High Sierra, Apple restricts access to this folder. If you are analyzing a live system, you’ll need to manually grant access rights to this folder. This is how.

Read the rest of this entry »