Archive for the ‘Clouds’ category

Modern applications use highly secure and thus deliberately slow algorithms for verifying passwords. For this reason, the password recovery process may take a lot of time and require extreme computational resources. You can build your own powerful cluster to accelerate brute-force attacks, but if you only need to recover a password every once in a while, maintaining your own cluster may not be the best investment. Cloud services can help do a one-off job faster. For a long time, Elcomsoft Distributed Password Recovery had supported Amazon cloud services with automatic deployment on Amazon’s powerful GPU-accelerated servers. The latest update brings support for Microsoft Azure, adding the ability to automatically deploy Password Recovery Agents to virtual machines created in Microsoft Azure. In this article I will describe the deployment steps.

(more…)

Every other day, Apple makes the work of forensic specialists harder. Speaking of iCloud, we partially covered this topic in Apple vs. Law Enforcement: Cloud Forensics and Apple vs Law Enforcement: Cloudy Times, but there is more to it today. The recent iOS (13.4) and macOS (10.15.4) releases brought some nasty surprises. Let’s talk about them.

iOS 13

It is difficult to say when it actually happened, but iOS stopped syncing call logs, and does not sync them for the time being. We covered call log sync some three years ago:

We even tried to bring the matter to Apple, but the only response was we take privacy very seriously (I am not surprised). Anyway; call logs are no longer synchronized (com’on, Apple, did you forget about Continuity? 😊)

But there is more. Do you use Apple Maps? Its data, surprisingly, has been moved to an encrypted container, similar to other protected data such as the iCloud keychain, iCloud Messages, Health and Screen Time data. It’s a strange move, as Maps data is not all that sensitive compared to other bits stored in secured containers. While we can still obtain that data from the cloud, the procedure now relies on the process for extracting other end-to-end encrypted data, which means you have to use the password/passcode of one of the user’s devices.

Just in case: if you are curious about Screen Time, we are currently able to extract only part of the data from iCloud. This includes the passcode, family information, restrictions etc. The most interesting data such as app usage statistics seems to sync directly across devices, but it is not stored in the way that would allow us to extract it from the cloud. If you have more than one device and use the Share across devices option, just compare the statistics you see on the device it’s been collected from and how it appears on other devices on the account. The results are different. Moreover, some stats are not available at all, while there is some mysterious data from devices that have been disconnected from the account a long time ago. A lot of iPhone users reported similar problems:

This can mean that such ‘direct’ syncing simply does not work correctly. It is difficult to say whether it is an iOS 12/13 or iCloud bug, but we decided not to waste our time trying to obtain this data from iCloud. And btw, in iOS 13 the data related to Screen Time is also protected better than most of other data — it is not enough just to have root privileges to access it.

Oh by the way, iOS 13.4.5 beta (what a strange version number after 13.4) is out yesterday, we are going to have a look at it soon.

macOS

Lockdown (pairing) records had always allowed to access passcode-protected devices. However, with the latest update, lockdown records are no longer accessible.

Starting with maCOS 10.12, you had to to run the following command:

sudo chmod 755 /private/var/db/lockdown

With macOS 10.15.4, it does not work anymore:Is there a workaround? Yes. Just disable SIP (System Integrity Protection) by booting into Recovery mode (+R on system startup), then start Terminal and run the following command:

csrutil disable

Then reboot, and access lockdown folder as you did before, e.g. to perform advanced logical acquisition of a locked iPhone using iOS Forensic Toolkit.

iCloud

iCloud authentication has changed again. Looks like Apple have a dedicated team of software engineers that do nothing but make meaningless changes to authentication protocols just to block our software. This does not really improve the security and privacy but makes Apple’s top management happy.

I am not going to describe all the changes in details, but give you some tips on how this affects the usage of authentication tokens in Elcomsoft Phone Breaker. You can start reading from Accessing iCloud With and Without a Password in 2019; and here is how it works now.

On Windows systems, tokens extracted from iCloud  for Windows version 7.0 and later work only for accounts without two-factor authentication. With these tokens, you won’t be able to access the entire set of iCloud data. The following categories are still accessible: iCloud Photos and certain synced categories (including contacts, calendars, notes, Safari browsing history etc. except end-to-end encrypted data such as the Keychain, iCloud Messages or Health data). As for iCloud backups, you can only retrieve ones created by iOS versions older than iOS 11.2.

On macOS, the situation is slightly better. On macOS from 10.13 to 10.15, we can get the token for non-2FA accounts only; and for ones that have 2FA enabled, the token is, well, ‘tethered’ to the device it is obtained from, so you can authenticate with this token in Elcomsoft Phone Breaker only on the same Mac. The scope of the data that can be downlooaded from the iCloud (regardless the account and token type) is the same as above: limited number of categories of synced data (without end-to-end encryption), and iCloud backups of devices with iOS up to 11.2. Fully ‘untethered’ tokens for 2FA accounts are only available in macOS 10.12 and older. In fact we recently used a kind of vulnerability in iCloud protocol that allowed us to get such tokens even for 2FA accounts, but not anymore, sorry.

Sounds confusing? I know. Here it is once again:

  • We can always get a token for non-2FA accounts
  • For 2FA accounts, tokens from most (modern) Windows systems are completely useless, while tokens from modern macOS versions can be used on the same system only
  • Tokens can be used to access only a limited amount of data from iCloud

One more thing: some changes have been made even for accounts without 2FA. Due to these changes, Apple can now lock accounts after a single incorrect password attempt.

Conclusion

To obtain all the data from the user’s iCloud account, you will need the Apple ID, the password, the second authentication factor, and the device passcode. If you have all of those, you can obtain virtually everything, including some of the data that is not available on the device itself. Do not underestimate this method, and remember that Elcomsoft Phone Breaker is the only product on the market that extracts all the data from iCloud including end-to-end encrypted categories.

We have updated Elcomsoft Cloud Explorer, our Google Account extraction tool, with Google Fit support. Google Fit is a relatively little known Google service aimed at tracking the user’s health and physical activities. In line with pretty much every other Google service, Google Fit synchronizes massive amounts of data with the user’s Google Account, storing activity-related information collected by all of the user’s devices in a single place. When extracting these data, we discovered massive amounts of location points stored alongside with information related to the user’s physical activities. Learn what is stored in Google Fit and how to extract it from the cloud!

What’s it all about

Google Fit extraction is about the massive amounts of data related to the user’s health and physical activities stored in the Google’s cloud. The detailed, high-frequency location data collected by Google’s fitness app accompanied with information about the user’s physical condition can be truly invaluable during an investigation.

Google Fit is not the only type of information collected by Google. The search giant collects massive amounts of information. The types of data range from many years worth of the user’s location history to all of the user’s password saved in the Chrome browser or used with Android apps. Google Photos, Gmail, contacts and calendars, search requests and Web history, voice snippets, call logs and text messages and a lot more can make for some invaluable evidence. While Google readily returns most of that data when serving legal requests, Elcomsoft Cloud Explorer offers a much easier and near-instant extraction solution that requires far less paperwork. Considering the number of fully encrypted Android smartphones that may or may not be physically unlocked, Elcomsoft Cloud Explorer becomes truly irreplaceable, discovering more evidence than ever by revealing the hidden data one would never imagine existed, browsing deep inside into the user’s online activities going many years back. Elcomsoft Cloud Explorer does what Google itself does not do, offering a single point for downloading, discovering and analyzing evidence collected by Google.

How Google Fit collects information

Google Fit is both an app and a service. The Google Fit app is available for Android and iOS platforms; it can be used on both Android phones and Apple iPhones. The Google Fit service processes and stores information collected from all supported devices where it’s installed in the user’s Google Account.

While many users associate Google Fit with WearOS smartwatches, in reality the app does not require a smartwatch or a fitness tracker. A connected activity tracking device can provide information such as the number of steps walked, the number of stairs climbed, the user’s hear rate or periodic location points obtained from the tracker’s GPS sensor. When used without a compatible fitness tracker, the Google Fit app can source activity data from a smart combination of the phone’s built-in low-energy sensors, frequently obtained location points and a lot of artificial intelligence.

Google Fit data extracted from the user’s Google Account returns massive amounts of precise location points, allowing to pinpoint the user’s location with ultimate precision and granularity. Access to comprehensive location history and other critical real-time evidence can be vital for investigating crime.

Obtaining Google Account credentials

In order to sign in to the user’s Google Account, one requires the full set of Google credentials. The login and password can be often extracted from the user’s computer (with Elcomsoft Internet Password Breaker), from the cloud (with Elcomsoft Phone Breaker) or iOS keychain (with Elcomsoft iOS Forensic Toolkit).

In addition, some data from the Google Account (Google Fit being a notable exception) can be accessed with a token. The token is literally a cookie in Chrome, and can be extracted from the user’s computer. Elcomsoft Cloud Explorer includes a utility that automatically locates and extracts the authentication token from the Chrome browser installed on the user’s Mac or Windows PC. Using the extracted token, Elcomsoft Cloud Explorer authenticates into the user’s Google Account and displays the list of categories available for extraction.

Accessing Google Fit data

In order to extract Google Fit data from the user’s Google Account, you will need Elcomsoft Cloud Explorer 2.30 or newer.

  1. Launch Elcomsoft Cloud Explorer and create a new snapshot. Authenticate with the user’s login and password (Google Account). If required, pass two-factor authentication.
  2. Select the “Google Fit” check box.
  3. The data will be downloaded in several seconds to several minutes.
  4. After the processing, you can access Google Fit data from the main window.

Analyzing Google Fit data

You will be able to sort or group activities. The “Sessions” tab displays activity sessions detected by the Google Fit app. Activity sessions may include sleeping, walking, jogging and other types of activities.

Note that the sessions are detected automatically by the various apps and devices. Have a look at the “Package name” tab to discover which package has detected which session.

“Steps” can be either raw data from the connected smartwatch or fitness tracker, or information generated by the Google Fit app based on a combination of the smartphone’s step counter, the user’s height, and a lot of location data. If no external smartwatch or activity tracker is connected, the Google Fit app uses artificial intelligence to calculate the number of steps based on the abovementioned data. The app only polls the smartphone’s built-in step sensor at large intervals, relying more on location data than on the step counter.

Walking and running activities are automatically detected by the app based on the user’s heart rate, step count and location data.

One of the most interesting reports is “Locations”. By design, Google Fit collects massive amounts or location data. The test account reports 13,788 location points in 9 month. Considering that our test device was used on few rare occasions, the number of location reports is truly excessive. Clicking on a location point opens Google Maps.

Conclusion

Google Fit data may contain detailed information about the user’s location and physical conditions including the number of steps, types of activity, heart rate, elevation, and a lot more. Additional information provided by compatible health tracking devices may include blood pressure, elevation, precise step count, and additional location data collected from the GPS sensor built into the smartwatch or tracker. Analyzing the massive amounts of Google Fit data can become invaluable help when searching for evidence and investigating crime. The detailed, high-frequency location data collected by Google’s fitness app accompanied with information about the user’s physical condition can shed light on the user’s activities in a given timeframe.

Just days ago, we have reviewed the data stored in iCloud, and studied its encryption mechanisms. We also discussed the discrepancies between the data that is stored in the cloud and the data that’s provided to the law enforcement. In case you missed it, make sure to check out Apple vs. Law Enforcement: Cloud Forensics. Today, the differences are great; Apple is using point-to-point encryption to protect certain types of data. However, it has not always been that way. Apple security model changed year after year. This article reviews the timeline of Apple security changes over time.

We’ll list the security measures and discuss whether the real purpose of these changes were the customers’ security and privacy, or throwing a monkey wrench into the work of the law enforcement. We will also try to understand where iCloud security stands today, and how safe your data is against hackers and the law enforcement. Are you a forensic professional? I think you’ll find this article handy.

Apple iCloud: the beginning

Apple has introduced iCloud in October 2011, replacing the aging MobileMe service. At that time, Apple iCloud services were based solely on Amazon and Microsoft Azure servers (new platforms have been added a few years later). Using iCloud on the iPhone required installing iOS 5.

Apple iCloud today provides a range of services including synchronization of data across devices connected to the account, iCloud backups for iOS and iPadOS devices, iCloud Drive (just the storage), as well as the Find My service.

iCloud security

While you can always refer to the source in iCloud security overview, I can give you a shorter and simpler description.

First, all iCloud data (including backups) is stored on third-party servers. These servers are owned by Amazon, Google, Microsoft, or the Chinese government in the case of Chinese users. We also witnessed some mysterious AT&T data centers in the past.

Second, all that data is always encrypted.

Third, the encryption keys for most of that data are also retained by Apple. However, the keys are not stored on the same physical servers; instead, Apple keeps them in Apple-owned data centers under the company’s full control. Interestingly, this seems to be the case even for data stored in China (where iCloud data itself is located on Chinese servers only).

Careful readers noticed the “most” part. The “most” part does not mean that the data is not encrypted; it’s rather the opposite. More on that in “end to end encryption” below.

Do the same rules apply to iCloud backups? Yes, they do. A couple years ago, Apple war rumored to have plans to encrypt iCloud backups in a more secure way (potentially with end-to-end encryption). Those plans have been but finally rejected it, probably under FBI pressure, but only Apple knows the actual reasons.

Two-factor authentication: 2SV, 2FA and iCloud backups

Today, it is hard to believe that an online account that holds your personal data may not support two-factor authentication. Online threats and phishing are the main risks, and if you re-use your passwords, the situation is even worse.

In the first two years, iCloud did not have any kind of two-factor authentication. One was only added in 2013, but the half-baked solution only protected access to the account itself, and not to iCloud backups. We wrote about that in Apple Two-Factor Authentication and iCloud.

You probably remember what happened next. Celebgate. Only after that, Apple applied second-factor protection to backups.

It is important to note that Apple’s initial implementation (called Two-Step Verification, 2SV) was not perfect. It was a rushed afterthought. The current implementation of two-factor authentication (2FA) was introduced with iOS 9 in 2015, and it offers good protection.

We covered this subject many times:

It’s all about the tokens

In 2014 (the year when Apple added 2SV to iCloud backups), we got a bright idea. If you set up your computer to access iCloud account*, you won’t be prompted for your password or prompted for a one-time code every time you access the cloud. This means that the authentication token could be saved somewhere. Could we use that token to bypass password-based authentication?

* iCloud access is a built-in feature on a Mac, while “iCloud Control Panel” is required on Windows; its current name is iCloud for WIndows.

It worked; see Breaking Into iCloud: No Password Required. Having the token obtained, we were able to download iCloud backups (and later implemented the same technique to download other/synced data from iCloud).

Did our work introduce a new security risk for iCloud account owners? Probably not (or just a little), as extraction and decryption of the tokens requires physical access to the computer, as well as administrative privileges (and if you have both, there are much more serious risks involved).

However, Apple took it seriously, and since then, implemented additional security measures related to tokens, in particular:

  • Limited lifetime. The token worked perfectly for synced data. When accessing iCloud backups, its lifetime was limited first to 24 hours, and then to just one hour.
  • Limited use. Currently, the token stored on the device is only good for a limited number of categories including iCloud Photo Library and most synced data and excluding end-to-end encrypted data. Tokens cannot be used for accessing iCloud backups.
  • Pin to device. That was the biggest surprise. After some changes Apple did last year, the token could be used (even for accessing a limited set of data) on the same computer only. On macOS, we have recently found a way to obtain an “unpinned” token that can be used on other computers, but there is no way to do that for Windows.

Still, it is theoretically possible to obtain full-featured “unpinned” tokens that allow obtaining almost everything from iCloud from a trusted macOS computer. We are working hard in this direction; watch our blog for updates. Still no access to backups though. Apple did everything to get iCloud backups extremely hard, even if you know the password and have the second authentication factor.

End-to-end encryption (they call it so)

C’mon, Apple, please do not call it “end-to-end”, that term is reserved for the case when some data can be only decrypted at the end point, because it is the only place that holds the decryption key. Yes, trusted iPhones do have the key, but we can get one even from the outside and without access to the device. This isn’t exactly end-to-end, is it?

What does Apple protect with this “end-to-end” encryption? This encryption covers data that belongs to the following categories: iCloud keychain, Health data, messages in iCloud, Home data, and (surprisingly!) some Apple Maps data, even though Apple does not mention that.

All that data is stored in iCloud and synchronized across “trusted devices”. In case if you did not know, the key to decrypt that data is also stored in iCloud (even if Apple wants you – and the law enforcement – to believe otherwise). That key, however, has stronger protection than the general iCloud encryption keys (that could be probably called “snake oil”) and can only be accessed by devices that are part of the “trusted circle”.

Can someone enter into the trusted circle? Of course, but not easily so.

Notifications, account locks, GSA and other changes

There are a couple extra security measures related to iCloud backups we have not mentioned.

First, you probably noticed that once the backup restoration process is completed, the notification is being sent to the account owner (by email).

Second, Apple does its best to detect whether download process is initiated by the actual device or by third-part software like ours.

We did our best to ‘mimic’ the device, but suppress the ‘restore’ notification. Currently, it works, but it looks like Apple has a dedicated team of security specialists working against our software.

On a regular basis, Apple changes everything they can: protocols, encryption, and data storage formats. Some of these changes are reasonable, while the other (solid!) part of these changes is intended only as a countermeasure against forensic tools, while adding little to no extra security to iCloud.

Have I mentioned GSA (Grand Slam Authentication) and “anisette data”? I was not going to dive deep into technical details, but you can search for my presentations on this subject; they are publically available.

The dark side of the cloud

Are you sure that you know all of the following?

  • What information is synced between your device and iCloud (or just uploaded to iCloud)
  • If Apple really deletes your data from iCloud when you delete it from the device
  • What information Apple provides to the law enforcement once they are served with a legal request

Nobody knows, and I have some surprises for you.

First, Apple syncs more data with iCloud than it publically admits. A good example is the call log (the list of incoming and outgoing calls); there is no option on the iPhone that disables syncing.

Second, there is some extra data in iCloud such as iCloud access logs, stored for 28 days. It includes your IP address (it can be used to get physical location) and the time stamp.

Next, it is not clear what really happens when you delete the data. In the past, we found some of the data to remain on Apple’s server past the advertised retention time, including media files (photos and videos), Web history and notes. Moreover, we have found a way to extract it. At this time, our method does not work anymore, but we never know whether it is still saved somewhere, and if it is, whether it is provided to law enforcement agencies (maybe just the select few).

Bonus track: Google and Microsoft

This is definitely outside the scope of this article, but you might be curious how Apple iCloud security compares to Google and Microsoft, the other two major cloud vendors.

Neither of these companies offer detailed descriptions on how they store and encrypt the user’s data. Still, it is not too hard to guess, based on what we know.

Google saves enormous amounts of data. It sources the data from all the devices running their software or using their services, and not just from Android. As opposed to Apple, even though Google provides granular control to what data is stored or synced, it is not easy to disable or enable data syncing from the device(s). The data stored by Google usually includes detailed location history, a comprehensive history of the user’s search queries, all of the user’s purchases (not just with Google), and a lot more.

Microsoft syncs or may sync less data than Apple and Google, but the company still has some. This includes Web history and Bing searches, contacts, Cortana commands, Skype conversations and more, including BitLocker recovery keys. Microsoft does not make it very clear what data is saved in the account.

Cloud acquisition

If you want to get the maximum amount of data from Apple iCloud, you have no choice but use Elcomsoft Phone Breaker. iCloud backups, files from iCloud Drive, iCloud Photos, FileVailt2 recovery token, iCloud keychain and all end-to-end encrypted data such as messages, Health, Screen Time and more, you can obtain all of that. This product can also extract the data from Microsoft accounts, from contacts to Skype conversations.

For Google accounts, use Elcomsoft Cloud eXplorer. The only thing we cannot get is Android device backups as they are securely encrypted (we continue our research).

When it comes to other cloud data, Oxygen Forensic Suite leaves no place for competitors. The number of cloud sources it supports is impressive (close to one hundred), including Telegram, Samsung cloud, Xiaomi Mi Cloud, Huawei Cloud and dozens others, including third-party apps that sync enormous amount of data (and so the evidence). All that stuff is continuously improved and perfectly supported according to the vendors’ changes, contrary to similar products from other vendors, even those that are more expensive and pretend to be “number one”. Seriously, do not waste your time trying the others: you will get a result that is not even close. Do not trust vendors’ claims, but verify yourself.

Protecting your data

Do you want to make your iCloud account secure? Don’t use it this way! Just kidding; the iPhone without iCloud is quite a Samsung.

The very first thing I would recommend is requesting a copy of your data from Apple’s Data & Pricacy Portal and analyzing it carefully. About the same amount of data (plus backups) will be provided to the law enforcement if requested.

A more effective way is using Elcomsoft Phone Breaker to get everything including “end-to-end encrypted data”.

If you decide to keep using iCloud, here is what we can recommend (simple and probably well-known, but still often overlooked):

  • Use a secure iCloud password, long and complex enough.
  • Make sure that password does not look similar to any other passwords you use. Of course, it must not be identical to any other password you have.
  • Don’t cache that password in your Web browser, ever.
  • Don’t ever store that password in your Google Account.
  • Don’t store that password in the keychain (iOS, iPadOS or macOS).
  • Use two-factor authentication (I know some people who don’t).
  • Use strong passcode/password on your iOS device(s) and desktop(s).
  • Physically secure all your devices and never leave them unattended (even locked).
  • Did I mention you should never re-use your passwords and passcodes?
  • Keep all your devices updated to the latest system (iOS/iPadOS/Windows/macOS), and do not forget about your Apple TV and Apple Watch.
  • If you are using an old Android (more than one year old), don’t count on updates to arrive. Just buy the current flagship.
  • For Windows, follow our recommendations listed here; the macOS guide will follow.
  • Be aware of checkm8 exploit if you are using an old device. Make sure you know that some data can be extracted even from locked and disabled devices.
  • Remember how to enable the SOS mode.
  • Know how to use Find My

If you work for law enforcement

Speaking of iCloud, you have several options. First, read our recent Apple vs. Law Enforcement: Cloud Forensics for better understanding what is stored in iCloud, how it is encrypted and protected, and what your options are. In general, you need to analyze all devices the suspect regularly used, and probably even those that’ve been used at least once. You might be able to get lockdown records, leading you to locked device access; or extract passwords saved in the browser. Better yet, attend one of the ElcomSoft trainings to understand how to obtain as much data as possible from every available source. We don’t just tell you how to use our software. Instead, we’re offering the complete workflow, talk about the typical mistakes and share our knowledge and expertise.

Conclusion

So what about iCloud security today? I would say, it is generally OK. More information here:

Still, we have two conflicting thoughts. First, Apple saves a lot of data in iCloud, and we don’t know all the details. The fact that others are (much) worse in this respect doesn’t change much. Second, Apple makes the work of forensic experts unnecessarily more complicated without making any real security improvements, all the time. Apple, it’s hard to wear two hats.

Today’s smartphones collect overwhelming amounts of data about the user’s daily activities. Smartphones track users’ location and record the number of steps they walked, save pictures and videos they take and every message they send or receive. Users trust smartphones with their passwords and login credentials to social networks, e-commerce and other Web sites. It is hard to imagine one’s daily life without calendars and reminders, notes and browser favorites and many other bits and pieces of information we entrust our smartphones. All of those bits and pieces, and much more, are collected from the iPhone and stored in the cloud. While Apple claims secure encryption for all of the cloud data, the company readily provides some information to the law enforcement when presented with a legal request – but refuses to give away some of the most important bits of data. In this article we’ll cover the types of data that Apple does and does not deliver when served with a government request or while processing the user’s privacy request.

What’s Stored in iCloud

Apple uses iCloud as an all-in-one cloud backup, cloud storage and cloud synchronization solution for the user of iOS, iPasOS and macOS devices. iOS 12 and 13 can store the following types of data in the user’s iCloud account:

iCloud backups

iCloud backups contain a lot of data from the iPhone, which includes device settings and home screen icons, the list of installed apps and individual apps’ private data (if allowed by the app developer).

The content of iCloud backups is mostly exclusive. Many types of data that are synchronized with iCloud will be excluded from cloud backups. For example, if the user enables the iCloud Photo Library, pictures and videos will synchronize to iCloud and will not be included in iCloud backups. The same is true for many other categories. Here’s what Apple says in What does iCloud back up?

Your iPhone, iPad, and iPod touch backup only include information and settings stored on your device. It doesn’t include information already stored in iCloud, like Contacts, Calendars, Bookmarks, Mail, Notes, Voice Memos, shared photos, iCloud Photos, Health data, call history, and files you store in iCloud Drive.

In iOS 13, iCloud backups do not include any of the following:

  • Keychain *
  • Health data
  • Home data
  • iCloud Photos **
  • Messages **
  • Call logs
  • Safari history

* While the keychain is still physically included, records marked as ThisDeviceOnly are encrypted with a device-specific key and can only be restored onto the same physical device they were saved from.

** Photos and Messages are not included if (and only if) the iCloud sync of those categories is not enabled in device settings.

Synchronized data

iOS allows synchronizing many types of data with the user’s iCloud account. While users can enable or disable the sync for some of the data categories (as defined in Change your iCloud feature settings), some other types of data (e.g. the call log) are always synchronized unless the user disables the iCloud Drive feature entirely.

The following types of data are synchronized to iCloud:

  • Photos
  • Safari History & Bookmarks
  • Calendars
  • Contacts
  • Find My (Devices & People)
  • Notes
  • Reminders
  • Siri Shortcuts
  • Voice Memos
  • Wallet passes
  • iCloud Mail
  • Maps
  • Clips
  • Data covered by the iCloud Drive category (e.g. Call logs)

Files

There are two distinct data types that fall under the “Files” category.

The first category includes files the user stores in their iCloud Drive (e.g. by using the iOS Files app). These files are user-accessible, and can be downloaded by using the iCloud Drive app on a Mac or Windows PC.

The second category includes files stored by system apps (e.g. downloaded books and documents in the Books app) and third-party apps (e.g. stand-alone WhatsApp backups, game saves etc.) While large amounts of data may accumulate under this category, users have no direct access to these files. For example, any files stored by third-party apps are only displayed as toggles in the iCloud | Apps section. The only control the user has over these files is the ability to disable sync (and remove stored files) for a certain app.

End-to-end encrypted data

Apple uses end-to-end encryption to secure sensitive types of data such as the users’ passwords, Health data or credit card information. The data is secured with an encryption key derived from some device-specific information and the user’s screen lock passcode. Users must enroll their devices into the trusted circle in order to enable the sharing of end-to-end encrypted data.

The following types of data are covered by end-to-end encryption as per iCloud security overview:

  • Home data
  • Health data (iOS 12 or later) *
  • iCloud Keychain (includes saved accounts and passwords)
  • Payment information
  • QuickType Keyboard learned vocabulary (iOS 11 or later)
  • Screen Time password and data
  • Siri information
  • Wi-Fi passwords
  • Messages in iCloud **

* iOS 11 devices synchronize Health data as a regular data category without using end-to-end encryption. According to Apple, “End-to-end encryption for Health data requires iOS 12 or later and two-factor authentication. Otherwise, your data is still encrypted in storage and transmission but is not encrypted end-to-end. After you turn on two-factor authentication and update iOS, your Health data is migrated to end-to-end encryption.”

** According to Apple, “Messages in iCloud also uses end-to-end encryption. If you have iCloud Backup turned on, your backup includes a copy of the key protecting your Messages. This ensures you can recover your Messages if you lose access to iCloud Keychain and your trusted devices. When you turn off iCloud Backup, a new key is generated on your device to protect future messages and isn’t stored by Apple. Since iOS 13, Apple no longer stores Messages in iCloud backups if the user activates Messages in iCloud.

What Apple Provides When Serving Government Requests

Apple discloses certain types of information when serving a valid government request. This data typically includes information that falls into iCloud backups, Synchronized data and Files categories.

When serving government requests, Apple also delivers iCloud backups. End users exercising their rights under the European Data Protection Directive (EDPR) or requesting their personal data via Apple’s Data & Privacy portal do not receive a copy of their iCloud backups.

The following principles apply when Apple serves government requests: https://www.apple.com/privacy/government-information-requests/; of particular interest are the following excerpts:

Apple will notify customers/users when their Apple account information is being sought in response to a valid legal request from government or law enforcement, except where providing notice is explicitly prohibited by the valid legal request, by a court order Apple receives, by applicable law or where Apple, in its sole discretion, believes that providing notice creates a risk of injury or death to an identifiable individual, in situations where the case relates to child endangerment, or where notice is not applicable to the underlying facts of the case, or where Apple reasonably considers that to do so would likely pervert the course of justice or prejudice the administration of justice.

The second category includes files stored by system apps (e.g. downloaded books and documents in the Books app) and third-party apps (e.g. stand-alone WhatsApp backups, game saves etc.) While large amounts of data may accumulate under this category, users have no direct access to these files. For example, any files stored by third-party apps are only displayed as toggles in the iCloud – Apps section. The only control the user has over these files is the ability to disable sync (and remove stored files) for a certain app.

Apple defines information provided to the LE as follows:

iCloud stores content for the services that the subscriber has elected to maintain in the account while the subscriber’s account remains active. Apple does not retain deleted content once it is cleared from Apple’s servers. iCloud content may include email, stored photos, documents, contacts, calendars, bookmarks, Safari browsing history, Maps Search History, Messages and iOS device backups. iOS device backups may include photos and videos in the Camera Roll, device settings, app data, iMessage, Business Chat, SMS, and MMS messages and voicemail. All iCloud content data stored by Apple is encrypted at the location of the server. When third-party vendors are used to store data, Apple never gives them the keys. Apple retains the encryption keys in its U.S. data centres.

While Apple correctly claims that it does not keep deleted content once it is cleared from Apple’s servers, we have found that, in many cases, some content may still be available on Apple servers. As a result, tools such as Elcomsoft Phone Breaker can access and download such content.

Additionally, Apple does not explicitly mention certain types of data such as the phone-to-cloud communication logs. These logs record the phone’s dynamic IP address and store records going back some 28 days.

What Apple Provides When Serving Privacy Requests

Apple is committed to disclosing information to end users according to the European Data Protection Directive (EDPR) or serving a request for personal data submitted via Apple’s Data & Privacy portal. Users can request a download of a copy of their data from Apple apps and services. This, according to Apple, may include purchase or app usage history and the data users store with Apple, such as calendars, photos or documents. Below is the list of information disclosed by Apple:

Note: iCloud backups are only provided when Apple serves government requests. End users exercising their rights under the European Data Protection Directive (EDPR) or requesting their personal data via Apple’s Data & Privacy portal do not receive a copy of their iCloud backups.

What Apple Does Not Provide

Any information that falls under the End-to-end encrypted data category as defined in the iCloud security overview is never disclosed to the law enforcement. End users may only obtain end-to-end encrypted data by setting up a compatible Apple device and typing a screen lock passcode of their past device.

Obtaining End-to-End Encrypted Data

Since Apple refuses to provide legal access to any of the data the company protects with end-to-end encryption, experts must use third-party tools to extract this information from iCloud. Elcomsoft Phone Breaker is one of the few tools on the market that can touch these encrypted categories. Elcomsoft Phone Breaker can extract the iCloud backups, files and synchronized data. In addition, the tool can download and decrypt the following types of end-to-end encrypted data:

  • iCloud Keychain
  • Health
  • Messages in iCloud
  • Screen Time password
  • FileVault2 recovery token

In order to access end-to-end encrypted data, the following information is required:

  1. The user’s Apple ID and password
  2. A valid, non-expired one-time code to pass Two-Factor Authentication
  3. The user’s screen lock passcode or system password to any current or past device enrolled in the trusted circle

More information:

Conclusion

In this article, we described the discrepancy between the data Apple collects from its users and stores on its servers, and the data the company gives away to the law enforcement when serving a government request. Some of the most essential categories are not disclosed, particularly the user’s passwords (iCloud Keychain), text messages and iMessages (Messages in iCloud), the user’s physical activity logs (Health), device usage patterns (Screen Time) and Home data. Most of this information can be only accessed by using third-party tools such as Elcomsoft Phone Breaker, and only if the complete set of authentication credentials (the login and password, 2FA code and screen lock/system password) are known.

Challenges in Computer and Mobile Forensics: What to Expect in 2020

The past two years introduced a number of challenges forensic experts have never faced before. In 2018, Apple made it more difficult for the police to safely transport a seized iPhone to the lab by locking the USB port with USB restricted mode, making data preservation a challenge. The release of the A12 platform, also in 2018, made it difficult to unlock iOS devices protected with an unknown password, while this year’s release of iOS 13 rendered unlock boxes useless on iPhones based on the two most recent platforms.

On desktop and especially laptop computers, the widespread use of SSD drives made it impossible to access deleted data due to trim and garbage collection mechanisms. The users’ vastly increased reliance on cloud services and mass migration off the forensically transparent SMS platform towards the use of end-to-end encrypted messaging apps made communications more difficult to intercept and analyze.

Sheer amounts of data are greater than ever, making users rely more on external (attached) storage compared to using internal hard drives. Many attached storage devices are using secure encryption, some of them without even prompting the user. Extracting data from such devices becomes a challenge, while analyzing the huge amounts of information now requires significantly more time and effort.

The number of online accounts used by an average consumer grows steadily year over year. While password reuse and the use of cloud services to store and synchronize passwords makes experts’ jobs easier, the spread of secure, encrypted password management services is turning into a new challenge.

Knowing everyday challenges in desktop and mobile forensics, we can now peek into the future. (more…)

Skype synchronizes chats, text messages and files sent and received with the Microsoft Account backend. Accessing Skype conversation histories by performing a forensic analysis of the user’s Microsoft Account is often the fastest and easiest way to obtain valuable evidence. Learn how to use Elcomsoft Phone Breaker to quickly extract the complete conversation histories along with attachments and metadata from the user’s Microsoft Account.

What’s It All About?

With over 1.55 billion accounts and more than 420 million daily users, Skype is one of the world’s biggest instant messaging apps. While there is no lack of competition in the highly crowded market of instant messaging apps, Skype maintains its user base. This feature-rich app is available for all relevant platforms, and is actively developed and frequently updated by Microsoft. Skype is secure (enough) while maintaining transparency to the law enforcement, which makes Skype the only allowed VoIP communication app in countries such as the UAE. The free Skype-to-phone calls included with all Microsoft Office 365 subscriptions help Skype gain popularity among corporate and small office users, while integration with Alexa and Cortana voice assistants makes Skype the tool of choice for voice calls.

(more…)

Passwords are probably the oldest authentication method. Despite their age, passwords remain the most popular authentication method in today’s digital age. Compared to other authentication mechanisms, they have many tangible benefits. They can be as complex or as easy to remember as needed; they can be easy to use and secure at the same time (if used properly).

The number of passwords an average person has to remember is growing exponentially. Back in 2017, an average home user had to cope with nearly 20 passwords (presumably they would be unique passwords). An average business employee had to cope with 191 passwords. Passwords are everywhere. Even your phone has more than one password. Speaking of Apple iPhone, the thing may require as many as four (and a half) passwords to get you going. To make things even more complicated, the four and a half passwords are seriously related to each other. Let’s list them:

  • Screen lock password (this is your iPhone passcode)
  • iCloud password (this is your Apple Account password)
  • iTunes backup password (protects backups made on your computer)
  • Screen Time password (secures your device and account, can protect changes to above passwords)
  • One-time codes (the “half-password” if your account uses Two-Factor Authentication)

In this article, we will provide an overview on how these passwords are used and how they are related to each other; what are the default settings and how they affect your privacy and security. We’ll tell you how to use one password to reset another. We will also cover the password policies and describe what happens if you attempt to brute force the forgotten password.

(more…)

The Screen Time passcode is an optional feature of iOS 12 and 13 that can be used to secure the Content & Privacy Restrictions. Once the password is set, iOS will prompt for the Screen Time passcode if an expert attempts to reset the device backup password (iTunes backup password) in addition to the screen lock passcode. As a result, experts will require two passcodes in order to reset the backup password: the device screen lock passcode and the Screen Time passcode. Since the 4-digit Screen Time passcode is separate to the device lock passcode (the one that is used when locking and unlocking the device), it becomes an extra security layer effectively blocking logical acquisition attempts.

Since users don’t have to enter Screen Time passcodes as often as they are required to enter their screen lock passcode, it is easy to genuinely forget that password. Apple does not offer an official routine for resetting or recovering Screen Time passcodes other than resetting the device to factory settings and setting it up as a new device (as opposed to restoring it from the backup). For this reason, the official route is inacceptable during the course of device acquisition.

Unofficially, users can recover their Screen Time passcode by making a fresh local backup of the device and inspecting its content with a third-party tool. In iOS 12, the Screen Time passcode can be only recovered from password-protected backups; in iOS 13, the passcode cannot be obtained even from the local backup. If local backups are protected with a password not known to the expert, the situation becomes a deadlock: one cannot reset an unknown backup password without a Screen Time passcode, and one cannot access the Screen Time passcode without decrypting the backup.

Elcomsoft Phone Breaker 9.20 offers an effective solution to the deadlock by obtaining Screen Time passcodes from the user’s iCloud account. The tool supports all versions of iOS 12 and 13.

(more…)

In iOS forensics, cloud extraction is a viable alternative when physical acquisition is not possible. The upcoming release of iOS 13 brings additional security measures that will undoubtedly make physical access even more difficult. While the ability to download iCloud backups has been around for years, the need to supply the user’s login and password followed by two-factor authentication was always a roadblock.

Some five years ago, we learned how to use authentication tokens to access iCloud backups without a password. In Breaking Into iCloud: No Password Required we discussed the benefits of this approach. During the next years, we learned how to use authentication tokens to access other types of data stored in iCloud including the user’s photo library, browsing history, contacts, calendars and other information that Apple synchronizes across all of the user’s devices that are signed in to the same Apple account.

Many things have changed since then. Tokens can no longer be used to access iCloud backups, period. Tokens cannot be used to access passwords (iCloud Keychain), Screen Time, Health and Messages. Sometime last year Apple pinned authentication tokens to a particular computer, making them usable just from the very PC or Mac they’ve been created on. It took us more than a year to figure out a workaround allowing experts to transfer authentication tokens from the user’s computer. Even today, this workaround is only working if the user had a macOS computer. With this number of restrictions, are authentication tokens still usable? What can you obtain from the user’s iCloud account with an authentication token, and what can be accessed with a login and password? How two-factor authentication affects what’s available in an iCloud account, and why knowing the screen lock passcode (or Mac system password) can help? Keep reading to find out.

(more…)