ElcomSoft blog

«…Everything you wanted to know about password recovery, data decryption,
mobile & cloud forensics…»

Archive for January, 2019

Identifying SSD Controller and NAND Configuration

Thursday, January 31st, 2019

In our previous article Why SSDs Die a Sudden Death (and How to Deal with It) we talked about SSD endurance and how it’s not the only thing affecting real life reliability. In that article, we assumed that manufacturers’ specifications of certain SSD models remain similar for a given SSD model. In fact, this is not the case. Quite a few manufacturers play tricks with consumers, releasing a certain SSD model with top notch specifications only to downgrade them at some point during the production cycle (but certainly after receiving its share of glowing reviews). While some OEMs do note the change at least in the revision number, the rest will just quote the small print allowing them to “change specifications at any time without prior notice”. We’ve seen well known SSD manufacturers switching from reliable MLC NAND to planar TLC trash within the same model (and zero notice to potential buyers). How can you tell which NAND configuration your particular SSD drive employs and whether or not it lives up to your expectations? Read along to find out.

(more…)

Securing and Extracting Health Data: Apple Health vs. Google Fit

Wednesday, January 30th, 2019

Today’s smartphones and wearable devices collect overwhelming amounts of data about the user’s health. Health information including the user’s daily activities, workouts, medical conditions, body measurements and many other types of information is undoubtedly one of the most sensitive types of data. Yet, smartphone users are lenient to trust this highly sensitive information to other parties. In this research, we’ll figure out how Apple and Google as two major mobile OS manufacturers collect, store, process and secure health data. We’ll analyze Apple Health and Google Fit, research what information they store in the cloud, learn how to extract the data. We’ll also analyze how both companies secure health information and how much of that data is available to third parties.

Apple Health: the All-in-One Health App

The Apple Health app made its appearance in 2014 with the release of iOS 8. Since then, Apple Health is pre-installed on all iPhones.

Apple Health keeps working in background, collecting information about the user’s activities using the phone’s low-energy sensors.

In addition to low-energy sensors built into modern iPhone devices, Apple offers a range of companion devices that can collect additional information about the user’s health and activities. This information may include heart rate measurements, frequent and precise samples of location information (GPS), as well as specific data (fall detection, ECG). (more…)

Apple iTunes: Standalone vs. Microsoft Store Edition

Wednesday, January 23rd, 2019

Since April 2018, Apple made iTunes available to Windows 10 users through the Microsoft Store. While the stand-alone download remains available from Apple’s Web site, it is no longer offered by default to Windows 10 users. Instead, visitors are directed to Microsoft Store, which will handle the installation and updates of the iTunes app.

(more…)

Why SSDs Die a Sudden Death (and How to Deal with It)

Friday, January 18th, 2019

Many thanks to Roman Morozov, ACELab technical support specialist, for sharing his extensive knowledge and expertise and for all the time he spent ditching bugs in this article.

In our previous article Life after Trim: Using Factory Access Mode for Imaging SSD Drives we only mentioned reliability of SSD drives briefly. As you may know, NAND flash memory can sustain a limited number of write operations. Manufacturers of today’s consumer SSD drives usually guarantee about 150 to 1200 write cycles before the warranty runs out. This can lead to the conclusion that a NAND flash cell can sustain up to 1200 write cycles, and that an SSD drive can actually survive more than a thousand complete rewrites regardless of other conditions. This, however, is not fully correct. Certain usage conditions and certain types of load can wear SSD drives significantly faster compared to their declared endurance. In this article, we’ll look why a perfectly healthy SSD drive with 98-99% remaining life can die a sudden death. We’ll also give recommendations on tools and approaches that can get the data back even if the SSD drive is corrupted or does not appear in the system. (more…)

Life after Trim: Using Factory Access Mode for Imaging SSD Drives

Wednesday, January 16th, 2019

Many thanks to Roman Morozov, ACELab technical support specialist, for sharing his extensive knowledge and expertise and for all the time he spent ditching bugs in this article.

SSDs are weird. They are weird in the way they write data, and even weirder in the way they delete information. In the good old days of striped magnetic recording, one could delete a file and rest assured its content was still there until overwritten at some (hopefully distant) moment in the future; not so on an SSD.

SSDs are different. They are different in handling deleted data, wiping evidence irreversibly in the background like they were criminals’ best friends. Just power on the SSD, and it’ll start background garbage collection, erasing trimmed blocks even if you connected it through a write blocker. Image the SSD, and you won’t find anything in the “empty” areas – even if the actual data was still there at the time of the imaging. One more thing: your SSD has more storage capacity than it says on the box. 5 to 15% of the physical storage capacity is dedicated for a non-addressable pool; any data one deletes from the SSD that is subsequently trimmed by the OS can go straight into that pool, without any chance of accessing or even addressing the blocks.

Until very recently your only way of accessing deleted evidence on an SSD would be taking the chips off and performing a labour-intensive, time-consuming (let alone extremely expensive) chip-off analysis. We asked our partners from a forensic data recovery lab, and they told us they can do a four-chip SSD in a matter of two weeks. They also said they’d rather steer clear of the recent ten-chip SSDs, and they won’t do anything about encryption.

Did I say encryption? It could be easier than you think. A recent discovery points out that Windows built-in BitLocker protection tends to delegate the job of encrypting data to the SSD controller (as opposed to doing the encryption on the computer using the CPU). As found in the research, many consumer-grade SSDs take it easy, keeping the encryption key unprotected in the storage chips on the SSD.

In this article, we’ll talk about a recent development in SSD forensics allowing to prevent background trimming of evidence and providing access to the entire storage capacity of the disk including non-addressable areas. This method employs a so-called factory access mode. However, before we talk about factory access mode, let us first have a look at how SSDs store information and why it is so easy to destroy evidence and so insanely difficult to recover it. (more…)