Cloud Forensics: the New Reality

September 23rd, 2021 by Oleg Afonin

The majority of mobile devices today are encrypted throughout, making extractions difficult or even impossible on the major platforms. Traditional attack vectors are becoming a thing of the past as encryption moves into dedicated security chips and encryption keys are derived on first unlock from the user’s screen lock password. Cloud forensics is a great alternative, often returning as much or even more data than what is stored on the device itself.

How to Put an iOS Device with Broken Buttons in DFU Mode

September 20th, 2021 by Elcomsoft R&D

Switching an iPhone into DFU mode is frequently required during an investigation, especially for older devices that are susceptible to the checkm8 exploit. However, entering DFU mode requires a sequence of key presses on the device with precise timings. If the device is damaged and one or more keys are not working correctly, entering DFU may be difficult or impossible. In this guide, we offer an alternative.

Forensic Implications of Sleep, Hybrid Sleep, Hibernation, and Fast Startup in Windows 10

September 17th, 2021 by Oleg Afonin

When analyzing connected computers, one may be tempted to pull the plug and bring the PC to the lab for in-depth research. This strategy carries risks that may outweigh the benefits. In this article we’ll discuss what exactly you may be losing when pulling the plug.

The iPhone Upgrade: How to Back Up and Restore iOS Devices Without Losing Data

August 27th, 2021 by Vladimir Katalov

In just a few weeks, the new iPhone range will be released. Millions of users all over the world will upgrade, migrating their data from old devices. While Apple has an ingenious backup system in place, quite a few things behind the scenes can make the migration not go as smoothly as planned. How do you perform the migration properly so as not to lose anything?

Instant Messengers: Authentication Methods and Instant Password Extraction

August 24th, 2021 by Oleg Afonin

iMessage, Hangouts, Skype, Telegram, Signal, and WhatsApp are familiar names, while PalTalk, Pidgin, the Psi Jabber client, Gadu-Gadu, Gajim, Trillian, BigAnt and Brosix are relatively little known. The tools from the first group are not only more popular but infinitely more secure compared to the tools from the second group. In this publication we’ll review the authentication methods used by the various instant messengers, and attempt to extract the password to the user’s account.

iOS 15 Forensic Implications: Temporary iCloud Backups

August 23rd, 2021 by Oleg Afonin

One of the main problems of iCloud forensics (unknown account passwords aside) is the sporadic nature of cloud backups. Experts often find that a given user either has no device backups in their iCloud account at all, or only has a very old backup. This happens primarily because of Apple’s policy of granting only 5GB of storage to users of the free tier. While users can purchase additional storage for a mere 99 cents a month, very few do so. iCloud Photos, downloads and other data quickly fill up the allotted storage, leaving no space for a fresh cloud backup.

NAS Forensics: TrueNAS Encryption Overview

August 20th, 2021 by Oleg Afonin

Established NAS manufacturers often offer some kind of encryption to their users. While anyone can claim “military-grade AES-256 encryption”, the implementation details vary greatly. Synology, Asustor, and TerraMaster implement folder-based encryption, while QNAP, Thecus, and Asustor (MyArchive) employ full-disk encryption; the full comparison is available here. In this article, we’ll have a look at the encryption methods used in TrueNAS, a system commonly used by computer enthusiasts for building custom NAS servers.

Apple Watch Forensics: The Adapters

August 18th, 2021 by Vladimir Katalov

How do you extract an Apple Watch? While several extraction methods are available, you need an adapter if you want to get the data directly from the device. There are several different options on the market, some of them costing north of $200. We tested a large number of such adapters. How do they stand up to the marketing claims? In this article, I will share my experience with these adapters.

iOS Privacy Protection Tools: Encrypted DNS, iOS 15 Private Relay, Proxy, VPN and TOR

July 28th, 2021 by Oleg Afonin

Protecting one’s online privacy is becoming increasingly important. With ISPs selling their customers’ usage data left and right, and various apps, mail and Web trackers contributing to the pool of “anonymized” data, de-anonymization becomes possible through big data analysis. This was clearly demonstrated by the recent event reported under the headline Catholic priest quits after “anonymized” data revealed alleged use of Grindr.

Updated Elcomsoft iOS Forensic Toolkit Simplifies macOS Installs, Fixes Corrupted File System Extraction

July 15th, 2021 by Vladimir Katalov

While we are still working on the new version of Elcomsoft iOS Forensic Toolkit featuring forensically sound and nearly 100% compatible checkm8 extraction, an intermediate update is available with two minor yet important improvements. The update makes it easier to install the tool on macOS computers and introduces a new agent extraction option.