2020 in Review: What Was New in Desktop and Mobile Forensics

December 28th, 2020 by Oleg Afonin
Category: «Elcomsoft News», «General»

This year was different from many before it. The COVID-19 pandemic, the lack of travel and the cancelled events changed the business landscape for many forensic companies. Even so, we have a number of achievements we would love to share.

iOS Acquisition

Our major achievement this year is in iPhone extraction. For the first time, we have been able to perform a jailbreak-free extraction of a 64-bit iPhone. We started small, supporting only devices running iOS 11 through 13.3. Throughout the year, we kept adding support for the remaining versions of iOS. Today, we support jailbreak-free extraction for iOS 9 through iOS 13.7 on all devices that can run these versions of iOS (up to and including the iPhone 11 Pro Max).

Jailbreak-free file system extraction and keychain decryption

How do we extract without jailbreaking the phone? We developed an app (the extraction agent) that is sideloaded onto the phone or tablet being examined. When launched, the agent checks for known vulnerabilities in the installed version of iOS, runs the matching exploit and obtains root-level access. It then establishes a communication channel with the computer running iOS Forensic Toolkit.

With root privileges, the agent can access the file system at a low level, enabling iOS Forensic Toolkit to image the full content of the device. In addition, the agent extracts the encryption keys protecting keychain records and decrypts the entire keychain, including records protected with the highest protection class.

Since the extraction agent does not have to do the things users expect of a jailbreak (such as running unsigned apps or providing a third-party app store), it is extremely small and unobtrusive. It does not remount the file system or modify the system partition, and it uninstalls cleanly. The only traces left on the device after using the agent are a few entries in the system log files.

Last but not least, we made it possible for macOS users to sideload the extraction agent without using a developer’s Apple ID account.

iPhone 5 and 5c passcode unlock

Back in 2016, the FBI paid more than $1.3 million to an unnamed contractor to unlock the iPhone 5c used by one of the San Bernardino shooters in December 2015. In August 2020, we released a tool to help experts unlock the iPhone 5 and 5c at a fraction of that cost.

iOS Forensic Toolkit runs a brute-force attack against the screen lock passcode, trying 13.6 passcodes per second on the device itself. At this speed, it takes about 12 minutes to try all 10,000 4-digit PINs. Enumerating all one million 6-digit PINs, however, takes up to 21 hours. We have several tricks to cut this time; read the original article to learn more: iPhone 5 and 5c Passcode Unlock with iOS Forensic Toolkit.
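The arithmetic behind the 12-minute and 21-hour figures, and the reason a likely-first candidate order shortens the expected wait even though the worst case stays the same, as an added example (not Elcomsoft code and not how iOS Forensic Toolkit orders its guesses). The 13.6 guesses per second is the rate stated above; the priority list LIKELY_4 is a constructed, hypothetical example rather than a real PIN frequency table:

```python
"""Brute-force budget for an on-device passcode attack at a fixed guess rate.

Added example, not Elcomsoft code. It models time-to-exhaust for numeric
passcodes and shows how a likely-first ordering changes time-to-hit.
"""
from itertools import product
from typing import Iterator, List

GUESS_RATE = 13.6  # passcodes per second, as stated in the article


def keyspace(digits: int) -> int:
    """Number of numeric passcodes of the given length."""
    return 10 ** digits


def exhaust_seconds(digits: int, rate: float = GUESS_RATE) -> float:
    """Worst-case time to try every passcode of the given length."""
    return keyspace(digits) / rate


def prioritized_order(digits: int, likely: List[str]) -> Iterator[str]:
    """Yield candidates: the likely list first, then the rest in numeric order.

    `likely` is a hypothetical priority list supplied by the caller;
    duplicates and entries of the wrong length are skipped.
    """
    seen = set()
    for pin in likely:
        if len(pin) == digits and pin.isdigit() and pin not in seen:
            seen.add(pin)
            yield pin
    for digs in product("0123456789", repeat=digits):
        pin = "".join(digs)
        if pin not in seen:
            yield pin


def seconds_until_hit(target: str, digits: int, likely: List[str],
                      rate: float = GUESS_RATE) -> float:
    """Wall-clock seconds until `target` comes up in the prioritized order."""
    for attempts, pin in enumerate(prioritized_order(digits, likely), start=1):
        if pin == target:
            return attempts / rate
    raise ValueError("target is not in the keyspace")


# Constructed priority list for demonstration only (not real frequency data).
LIKELY_4 = ["1234", "0000", "1111", "2580", "2020"]

if __name__ == "__main__":
    print(f"4-digit exhaustive: {exhaust_seconds(4) / 60:.1f} min")
    print(f"6-digit exhaustive: {exhaust_seconds(6) / 3600:.1f} h")
    print(f"2580 via priority list: {seconds_until_hit('2580', 4, LIKELY_4):.2f} s")
    print(f"9999 worst case: {seconds_until_hit('9999', 4, LIKELY_4) / 60:.1f} min")
```

The worst case for a 4-digit PIN is unchanged by the priority list (10,000 attempts), but any PIN that appears near the front of the list is found in seconds; the 100x jump from four to six digits is what makes the ordering tricks matter in practice.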

iCloud Acquisition

Our logical and cloud acquisition tool, Elcomsoft Phone Breaker, also received its share of updates, gaining iOS 14 support for local and cloud backups as well as iCloud synced data. Elcomsoft Phone Breaker remains the only tool on the market that can deal with Apple's end-to-end encryption, which protects the user's passwords in iCloud Keychain as well as Health data, Messages, Safari history and similarly sensitive data.

Elcomsoft Phone Viewer can now display Telegram secret chats.

The tools mentioned above are part of Elcomsoft Mobile Forensic Bundle, which remains our top-selling product for extracting and analyzing data from a wide range of mobile devices and cloud services. Integrating everything we make in the area of mobile forensics, Mobile Forensic Bundle offers a hefty discount compared to purchasing the individual tools. If you haven't yet, check out the Bundle and see whether you can save by upgrading your individual licenses to the bundle deal.

Breaking Passwords

ElcomSoft breaks passwords. While password recovery news is not the most exciting reading, we are still proud of our achievements. GPU acceleration, asynchronous and hybrid hardware acceleration, distributed and cloud computing are just a few technologies pioneered by our company.

Thirteen years ago, we were the first to accelerate password attacks with consumer-grade video cards. "PESKY RUSSIANS have come up with a novel way of using Nvidia's graphics hardware – cracking passwords", wrote The Inquirer at the time. GPU-based hardware acceleration has matured over the years. In 2020, we added support for the newest and fastest graphics processing units based on the NVIDIA Ampere architecture. The RTX 3000 series boards deliver unprecedented performance, nearly doubling the speed of password attacks compared to the previous generation of NVIDIA boards.

This year also brought Hancom Office and iWork 2020 v10 support, the ability to break LUKS encryption, and support for John the Ripper rule syntax in the attack constructor. John the Ripper rules allow building extremely flexible attacks that combine words from up to two dictionaries with numerous modifications to any part of the password. Such rules can be used to design attacks around existing passwords retrieved from the user's computer or cloud service.
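To show what a rule-based attack actually generates, here is a minimal interpreter for a small subset of John the Ripper rule syntax that combines a base wordlist with a second suffix list. This is an added example, not Elcomsoft's or John the Ripper's code: it supports only the commands `:` `l` `u` `c` `r` `d` `t` `$X` `^X` and rejects anything else, and the BASE, SUFFIX and RULES lists are constructed sample input rather than data from any case:

```python
"""Minimal interpreter for a subset of John the Ripper rule syntax.

Added example, not Elcomsoft or John the Ripper code. Supported commands:
  :   no-op          l  lowercase all      u  uppercase all
  c   capitalize     r  reverse            d  duplicate
  t   toggle case    $X append char X      ^X prepend char X
Anything else raises ValueError instead of silently producing wrong
candidates.
"""
from typing import Iterable, Iterator, List


def apply_rule(word: str, rule: str) -> str:
    """Apply one rule string to a word, command by command, left to right."""
    i = 0
    while i < len(rule):
        cmd = rule[i]
        if cmd in ": ":           # no-op (spaces are ignored as separators)
            pass
        elif cmd == "l":          # lowercase all
            word = word.lower()
        elif cmd == "u":          # uppercase all
            word = word.upper()
        elif cmd == "c":          # first character upper, rest lower
            word = word[:1].upper() + word[1:].lower()
        elif cmd == "r":          # reverse
            word = word[::-1]
        elif cmd == "d":          # duplicate
            word = word + word
        elif cmd == "t":          # toggle case of every character
            word = word.swapcase()
        elif cmd in "$^":         # append ($) or prepend (^) the next char
            i += 1
            if i >= len(rule):
                raise ValueError(f"dangling {cmd!r} in rule {rule!r}")
            word = word + rule[i] if cmd == "$" else rule[i] + word
        else:
            raise ValueError(f"unsupported command {cmd!r} in rule {rule!r}")
        i += 1
    return word


def candidates(base_words: Iterable[str], rules: Iterable[str],
               suffix_words: Iterable[str] = ()) -> Iterator[str]:
    """Apply every rule to every base word, then optionally append each word
    of a second list; yields unique candidates in generation order."""
    rules = list(rules)
    tails = ("",) + tuple(suffix_words)
    seen = set()
    for word in base_words:
        for rule in rules:
            mutated = apply_rule(word, rule)
            for tail in tails:
                cand = mutated + tail
                if cand not in seen:
                    seen.add(cand)
                    yield cand


# Constructed sample input: stands in for words recovered from a user's
# machine or cloud account; not real data.
BASE: List[str] = ["elcomsoft", "Forensic"]
SUFFIX: List[str] = ["2020", "!"]
RULES: List[str] = [":", "c", "u", "c$1", "r", "c$2$0$2$0", "t^!"]

if __name__ == "__main__":
    for cand in candidates(BASE, RULES, SUFFIX):
        print(cand)
```

Two short lists and seven rules already yield dozens of distinct candidates, which is the point: the dictionary supplies the user's vocabulary and the rules supply the habits (capitalize, append a year, add punctuation) that turn a known password into its likely variants.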

The most exciting part, however, was the discovery of flawed data protection in Tally ERP 9 Vault and the ability to break encryption in VMware, Parallels and VirtualBox virtual machines. We learned that the three vendors, all advertising industry-standard AES encryption, are worlds apart when it comes to the real security of the encrypted data. The recovery speed of some 19 million passwords per second we achieved when attacking Parallels VMs is unheard of in 2020. The 15 passwords per second we reach against VirtualBox sound much better for the user and offer, quite literally, over a million times greater protection.
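The cipher is the same in all three products, so the million-fold gap has to come from the step in front of it: how expensively the user's password is turned into the AES key. The following added example (not Elcomsoft code, and not a description of any vendor's actual scheme) times PBKDF2-HMAC-SHA256 at a weak and a strong iteration count and converts the measured guess rate into the time needed to exhaust an illustrative password space; the iteration counts and the eight-lowercase-letter keyspace are assumptions chosen for the demonstration:

```python
"""Why identical "AES-256" claims can hide a million-fold difference in
attack cost: the password-to-key derivation sets the guess rate.

Added example, not Elcomsoft code and not any vendor's real KDF settings.
"""
import hashlib
import os
import time


def pbkdf2_guess_rate(iterations: int, samples: int = 20) -> float:
    """Rough single-core guesses per second for PBKDF2-HMAC-SHA256 at the
    given iteration count (a noisy benchmark, good enough for orders of
    magnitude)."""
    salt = os.urandom(16)
    start = time.perf_counter()
    for n in range(samples):
        hashlib.pbkdf2_hmac("sha256", f"guess{n}".encode(), salt, iterations, 32)
    elapsed = max(time.perf_counter() - start, 1e-9)
    return samples / elapsed


def exhaust_seconds(keyspace: int, rate: float) -> float:
    """Worst-case time to try every password in `keyspace` at `rate`/s."""
    return keyspace / rate


def protection_factor(weak_rate: float, strong_rate: float) -> float:
    """How many times longer an attack takes against the stronger KDF."""
    return weak_rate / strong_rate


if __name__ == "__main__":
    weak = pbkdf2_guess_rate(1)                  # assumed weak setting
    strong = pbkdf2_guess_rate(100_000, samples=5)  # assumed strong setting
    space = 26 ** 8                              # eight lowercase letters
    print(f"weak KDF:   {weak:,.0f} guesses/s -> {exhaust_seconds(space, weak) / 3600:.1f} h")
    print(f"strong KDF: {strong:,.0f} guesses/s -> {exhaust_seconds(space, strong) / 86400:.0f} days")
    print(f"protection factor: {protection_factor(weak, strong):,.0f}x")
```

The absolute numbers depend on the machine, and a GPU attack multiplies both rates by the same factor, which is why the ratio rather than the raw speed is the figure to compare: a KDF that costs the attacker a hundred thousand hash computations per guess costs the legitimate user one slightly slower VM start.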

Cold System Analysis Streamlined

During the year, we worked hard to streamline cold system analysis, in which one boots the target computer from a USB flash drive and performs tasks that can save many hours of work. What kind of tasks? Extracting encryption metadata from various encrypted disks. Locating encrypted virtual machines and extracting their encryption metadata for a subsequent attack. Creating forensic disk images without removing the disks. Resetting SYSKEY passwords. Or simply resetting Windows account passwords to gain access to the system and continue with live system analysis.

Elcomsoft Distributed Password Recovery, Elcomsoft System Recovery, Advanced Office Password Recovery and many other tools are included in Elcomsoft Desktop Forensic Bundle. The Bundle delivers all password recovery tools in a single value pack, allowing experts to unlock documents, decrypt archives, break into encrypted containers, perform forensically sound cold system analysis and access Windows accounts by booting from a flash drive.

Our Research

We are active researchers. Our publications range from walkthroughs and guides to research articles discussing the vulnerabilities in data protection we have discovered. We wrote a guide on protecting iMessage communications and another article on iPhone anti-forensics. We discovered vulnerabilities in Synology NAS systems and in Tally ERP Vault. We published many more articles in our blog, contributing to the forensic community and educating consumers about best practices in IT security and personal data protection.