Archive for the ‘Did you know that…?’ Category

The Future of Android Security: Why Google Pushes Away from SMS to Prompt Verification

Thursday, November 23rd, 2017

Google has started its journey on convincing people to move away from SMS-based verification, and start receiving push messages via the Google Prompt instead of using six-digit codes. Why does Google want us away from SMS, and why using Google Prompt instead? Let’s try to find out.

SMS Are Insecure, Aren’t They?

In late July 2016, the US National Institute of Standards and Technology’s (NIST) released an updated set of guidelines that deprecated SMS as a way to deliver two factor authentication because of their many insecurities. A year later, NIST took it back, no longer recommending to “deprecate” SMS usage. Are we, or are we not at risk if we choose to have our two-factor authentication delivered over the (arguably) insecure SMS channel? (more…)

iOS 11 Makes Logical Acquisition Trivial, Allows Resetting iTunes Backup Password

Thursday, November 9th, 2017

Since early days of iOS, iTunes-style system backups could be protected with a password. The password was always the property of the device; if the backup was protected with a password, it would come out encrypted. It didn’t matter whether one made a backup with iTunes, iOS Forensic Toolkit or other forensic software during the course of logical acquisition; if a backup password was enabled, all you’d get would be a stream of encrypted data.

Password protection of iOS system backups was always a hallmark of iOS data protection. We praised Apple for making it tougher for unauthorized persons to pair an iPhone to the computer in iOS 11. Today we discovered something that works in reverse, making it possible for anyone who can unlock an iPhone to simply reset the backup password. Is this so big of a deal? Prior to this discovery, forensic specialists would have to use high-end hardware to try recovering the original backup password at a rate of just several passwords per second, meaning that even the simplest password would require years to break. Today, it just takes a few taps to get rid of that password completely. If you know the passcode, logical acquisition now becomes a trivial and guaranteed endeavor.

(more…)

The iPhone is Locked-Down: Dealing with Cold Boot Situations

Thursday, November 9th, 2017

Even today, seizing and storing portable electronic devices is still troublesome. The possibility of remote wipe routinely makes police officers shut down smartphones being seized in an attempt to preserve evidence. While this strategy used to work just a few short years ago, this strategy is counter-productive today with full-disk encryption. In all versions of iOS since iOS 8, this encryption is based on the user’s passcode. Once the iPhone is powered off, the encryption key is lost, and the only way to decrypt the phone’s content is unlocking the device with the user’s original passcode. Or is it?

The Locked iPhone

The use of Faraday bags is still sporadic, and the risk of losing evidence through a remote wipe command is well-known. Even today, many smartphones are delivered to the lab in a powered-off state. Investigating an iPhone after it has been powered off is the most difficult and, unfortunately, the most common situation for a forensic professional. Once the iOS device is powered on after being shut down, or if it simply reboots, the data partition remains encrypted until the moment the user unlocks the device with their passcode. Since encryption keys are based on the passcode, most information remains encrypted until first unlock. Most of it, but not all. (more…)

What can be extracted from locked iPhones with new iOS Forensic Toolkit

Thursday, November 9th, 2017

Tired of reading on lockdown/pairing records? Sorry, we can’t stop. Pairing records are the key to access the content of a locked iPhone. We have recently made a number of findings allowing us to extract even more information from locked devices through the use of lockdown records. It’s not a breakthrough discovery and will never make front page news, but having more possibilities is always great.

Physical acquisition rules if it can be done. Physical works like a charm for ancient devices (up to and including the iPhone 4). For old models such as the iPhone 4s, 5 and 5c, full physical acquisition can still be performed, but  only if the device is already unlocked and a jailbreak can be installed. All reasonably recent models (starting with the iPhone 5s and all the way up to the iPhone 7 – but no 8, 8 Plus or the X) can be acquired as well, but for those devices all you’re getting is a copy of the file system with no partition imaging and no keychain. At this time, no company in the world can perform the full physical acquisition (which would include decrypting the disk image and the keychain) for iPhone 5s and newer.

The only way to unlock the iPhone (5s and newer) is hardware-driven. For iOS 7 and earlier, as well as for some early 8.x releases, the process was relatively easy. With iOS 9 through 11, however, it is a headache. There is still a possibility to enter the device into the special mode when the number of passcode attempts is not limited and one can brute-force the passcode, albeit at a very low rate of up to several minutes per passcode.

The worst about this method is its very low reliability. You can use a cheap Chinese device for trying passcodes at your own risk, or pay a lot of money to somebody else who will do about the same for you. Those guys do have more experience, and the risk is lower, but there still is no warranty of any kind, and you won’t get your money back if they fail.

There are other possibilities as well. We strongly recommend you to try the alternative method described below before taking the risk of “bricking” the device or paying big money for nothing.

(more…)

The art of iOS and iCloud forensics

Thursday, November 2nd, 2017
  • The rise and fall of physical acquisition
  • Jailbreak to the rescue
  • In the shade of iCloud
  • iCloud Keychain acquisition hits the scene

iOS 11 has arrived, now running on every second Apple device. There could not be a better time to reminiscent how iOS forensics has started just a few short years ago. Let’s have a look at what was possible back then, what is possible now, and what can be expected of iOS forensics in the future.

(more…)

Can You Unlock That iPhone?

Monday, October 30th, 2017

“Can you unlock that iPhone?” is one of the most common questions we hear on various events and from our customers. There is no simple answer, but more often than not some options are available.

Just a few years back, the most common question was “can you crack that password?” We are still being asked that every other day, but locked iPhones are now more abundant than unknown passwords. There is a simple explanation for that: the iPhone is an ultimate source of evidence. That, before we even mention the many urgent cases when the phone needs to be unlocked.

Cover all possible scenarios in one short article would not be possible; for (much) more details you are welcome to read our Smartphone forensics book that explores the topic in depth. Keep reading to see what can be done in some cases.

(more…)

How To Obtain Real-Time Data from iCloud and Forget About 2FA with Just an Old iTunes Backup. No Passwords Needed

Monday, October 23rd, 2017

iOS forensics is always a lot of fun. Say, you’ve got an iPhone of a recent generation. It’s locked, you are blank about the passcode, and the worst part is it’s more than just the four proverbial digits (the last iOS defaults to six). And you don’t have their computer, and there is not an iCloud account either. A horror story where no one, even us, can do anything about it.

However, the reality has far more than 50 shades of (insert you favorite color). Almost every case is unique. Over 1.2 billion iPhones are sold to date, and they tend to show up in every other investigation. The iPhone is the ultimate source of evidence, no doubt.

(more…)

iOS vs. Android: Physical Data Extraction and Data Protection Compared

Friday, October 20th, 2017

Today’s mobile devices are getting increasingly more resistant to physical imaging, mostly due to the use of full-disk encryption. Full-disk encryption makes useless some low-level acquisition techniques of yesterday, which includes JTAG and chip-off.

iOS was using full-disk encryption since the days of iOS 4 released back in 2011, while Android only started enforcing encryption in devices manufactured with Android 6 and newer on board. Today, pretty much any smartphone you can buy new comes with full-disk encryption out of the box. Does this mean that Android smartphones are just resistant to physical imaging as their Apple counterparts, or is Android still a big security mess? Let’s have a look at some protection mechanisms implemented in modern versions of Android that are to prevent unauthorized access to user data, and how these mechanisms may become completely useless in the right circumstances. (more…)

Obtaining Detailed Information about iOS Installed Apps

Tuesday, October 3rd, 2017

Accessing the list of apps installed on an iOS device can give valuable insight into which apps the user had, which social networks they use, and which messaging tools they communicate with. While manually reviewing the apps by examining the device itself is possible by scrolling a potentially long list, we offer a better option. Elcomsoft Phone Viewer can not just display the list of apps installed on a given device, but provide information about the app’s version, date and time of acquisition (first download for free apps and date and time of purchase for paid apps), as well as the Apple ID that was used to acquire the app. While some of that data is part of iOS system backups, data on app’s acquisition time must be obtained separately by making a request to Apple servers. Elcomsoft Phone Viewer automates such requests, seamlessly displaying the most comprehensive information about the apps obtained from multiple sources.

In this how-to guide, we’ll cover the steps required to access the list of apps installed on an iOS device. (more…)

Accessing iOS Saved Wi-Fi Networks and Hotspot Passwords

Thursday, September 28th, 2017

In this how-to guide, we’ll cover the steps required to access the list of saved wireless networks along with their passwords.

Step 1: Make a password-protected backup

In order to extract the list of Wi-Fi networks from an iOS device, you must first create a password-protected local backup of the iOS device (iPhone, iPad or iPod Touch). While we recommend using Elcomsoft iOS Forensic Toolkit for making the backup (use the “B – Backup” option in the main menu), Apple iTunes can be also used to make the backup. Make sure to configure a backup password if one is not enabled; otherwise you will be unable to access Wi-Fi passwords. (more…)