Apple has a wonderfully integrated ecosystem. Apple computers, tablets and phones conveniently synchronize information such as passwords, Web browsing history, contacts and call logs across all of the user’s devices. This synchronization mechanism uses iCloud to sync and store information. The syncing mechanism works independently from iOS system backups that are also stored in iCloud (or iCloud Drive). As opposed to daily iCloud backups, synchronized data is updated and propagated across devices in almost real time. Extracting this information can be invaluable for investigations as it provides access to the most up to date information about the user, their activities and whereabouts.

Lockdown files, otherwise known as pairing records, are well known to the forensic crowd for their usefulness for the purpose of logical extraction. A pairing file created on one computer (the user’s) can be used by the expert to pull information from the iOS device – that, without knowing the PIN code or pressing the user’s finger to unlock the device. Lockdown records do carry their fair share of limitations. For example, their use is severely restricted if the device has just rebooted or powered on and was not unlocked with a passcode afterwards.

With over 1.3 billion monthly users, WhatsApp is the most popular instant messaging tool worldwide, and Android is the most popular mobile operating system by far. This makes WhatsApp acquisition from Android devices essential for the law enforcement. Elcomsoft Explorer for WhatsApp 2.30 can now download and decrypt Android user’s encrypted WhatsApp communication histories stored in Google Drive. If you have access to the user’s trusted phone number or their physical SIM card (to receive a verification code from WhatsApp), you can now use Elcomsoft Explorer for WhatsApp to download, decrypt and display WhatsApp communication histories backed up into the user’s Google Account. Surprisingly, a cloud backup may, in certain cases, contain even more information than stored on the device itself. This particularly applies to attachments (photos and videos) sent and received by WhatsApp users and then deleted from the device.

Software updates remain a sore point for the 86 per cent of consumers who are using Android-based smartphones. Both Apple and Microsoft have significantly different update policies, mostly allowing the companies to deliver updates directly to their customers. There is much more to these updates than just the Android (or Windows) version. With numerous versions, subversions and carrier modified versions of the phone’s software, experts may struggle when attempting physical extraction. Let us have a look at the differences between the three mobile operating systems, their update policies and the challenges they present to the forensic examiner.

Thanks to its presence on Windows and Mac computers, iPhones and Android smartphones (on which it enjoys the default browser status), Google Chrome is the world’s most popular Web browser. In this article you’ll find a comprehensive guide on how to extract Google Chrome passwords from local computers and Google Account. We’ll also cover some common and some little known scenarios helping examiners put extracted passwords to good use – such as decrypting external NAS storage, unlocking BitLocker drives and attacking strong passwords. Let’s find out how to obtain Google Chrome passwords from multiple local and cloud sources such as the user’s Mac or Windows computer and their Google account.

Media files (Camera Roll, pictures and videos, books etc.) are an important part of the content of mobile devices. The ability to quickly extract media files can be essential for an investigation, especially with geotags (location data) saved in EXIF metadata. Pulling pictures and videos from an Android smartphone can be easier than obtaining the rest of the data. At the same time, media extraction from iOS devices, while not impossible, is not the easiest nor the most obvious process. Let’s have a look at tools and techniques you can use to extract media files from unlocked and locked iOS devices.

In our previous blog post, we wrote everything we know about authentication tokens and Anisette data, which might allow you to bypass the “login, password and two-factor authentication” sequence. Let us have a look at how you can actually extract those tokens from a trusted computer and use them on a different computer to access a user’s iCloud account. Read Part 1 and Part 2 of the series.

iCloud authentication tokens in particular are difficult to grasp. What are they, what tools are they created with, where they are stored, and how and when they can be used are questions that we’re being asked a lot. Let’s try to put things together. Read Part 1 of the series.

We loved what Apple used to do about security. During the past years, the company managed to build a complete, multi-layer system to secure its hardware and software ecosystem and protect its customers against common threats. Granted, the system was not without its flaws (most notably, the obligatory use of a trusted phone number – think SS7 vulnerability – for the purpose of two-factor authentication), but overall it was still the most secure mobile ecosystem on the market.

Two-factor authentication is essential to secure one’s access to online accounts. We studied multiple implementations of two-factor authentication including those offered by Apple, Google and Microsoft. While Google’s implementation offers the largest number of options, we feel that Apple has the most balanced implementation. The closed ecosystem and the resulting deep integration with the core OS makes it easy for Apple to control exactly how it works and on which devices.