ElcomSoft blog

«…Everything you wanted to know about password recovery, data decryption,
mobile & cloud forensics…»

Archive for the ‘Did you know that…?’ Category

iOS Acquisition on Windows: Tips&Tricks

Friday, September 6th, 2019

When you perform Apple iCloud acquisition, it almost does not matter what platform to use, Windows or macOS (I say almost, because some differences still apply, as macOS has better/native iCloud support). Logical acquisition can be done on any platform as well. But when doing full file system acquisition of jailbroken devices using Elcomsoft iOS Forensic Toolkit, we strongly recommend using macOS. If you are strongly tied to Windows, however, there are some things you should know.

(more…)

iOS 12.4 File System Extraction

Friday, September 6th, 2019

The iOS 12.4 jailbreak is out, and so is Elcomsoft iOS Forensic Toolkit. Using the two together, one can image the file system and decrypt the keychain of iPhone and iPad devices running most versions of iOS (except iOS 12.3 and and the latest 12.4.1, but 12.4 is still signed right now).

There is more to this jailbreak situation than meets the eye. There is not one but two different jailbreaks: unc0ver and Chimera. Both jailbreak tools come in several versions; the differences between their versions are severe. There is also a tool that can access the file system (but not the keychain) on some iOS devices without a jailbreak. Finally, we’ve been able to jailbreak the Apple TV running affected versions of tvOS.

In this article I’ll explain the differences between the two jailbreaks and their versions, provide information about the tool one can use to access the file system without jailbreaking, and provide instructions on how to safely jailbreak in offline mode.

(more…)

Apple TV Forensics 03: Analysis

Wednesday, September 4th, 2019

This post continues the series of articles about Apple companion devices. If you haven’t seen them, you may want to read Apple TV and Apple Watch Forensics 01: Acquisition first. If you are into Apple Watch forensics, have a look at Apple Watch Forensics 02: Analysis as well. Today we’ll have a look at what’s inside of the Apple TV.

A recent market analysis shows that Apple has sold more than 13 million Apple TV devices worldwide since 2016. Since 2007, Apple manufactured 6 different Apple TV models. Like any other Apple device, the model can be easily identified by checking the label on the bottom of the device.

 

The first-generation Apple TV (model A1218) contains a regular hard drive that can be extracted and imaged with a traditional approach. The operating system is a modified version of Mac OS X 10.4 (Tiger). A detailed explanation on how to approach this kind of devices was introduced at DEFCON 2009 by Kevin Estis and Randy Robbins (the presentation is available here while the video is available here).

The Apple TV from second (model A1378) to fourth (A1625) generations have an internal NAND storage varying from 8 GB (A1378 – A1427 – A1469) to 32 or 64 GB (A1625). These models also feature a USB port connection (micro USB or USB-C). The availability of a USB port allows connecting the device to a PC/Mac. Forensic experts can use the port for data extraction. Apple removed USB connectivity in the latest, fifth generation Apple TV (Apple TV 4K, model A1842), making it more difficult to connect and extract data.

(more…)

How to Extract and Decrypt Signal Conversation History from the iPhone

Thursday, August 29th, 2019

With over half a million users, Signal is an incredibly secure cross-platform instant messaging app. With emphasis on security, there is no wonder that Signal is frequently picked as a communication tool by those who have something to hide. Elcomsoft Phone Viewer can now decrypt Signal databases extracted from the iPhone via physical (well, file system) acquisition, and that was a tough nut to crack.

What exactly makes Signal so difficult to crack? Let us first look at how one can gain access to users’ communications occurring in other instant messengers.

Interception: the MITM attack

The first method is interception. One can attempt to intercept conversations in transit. This in turn is very difficult as everyone is touting point-to-point encryption. While technically the traffic can be intercepted, decrypting it will require a malicious app installed on the end-user device (such as the infamous NSO Group spyware). Without direct government intervention or proposed encryption backdoors one can hardly ever intercept messaging with a MITM attack. It is very important to understand that even if your iPhone is secure, the other party’s device running the iOS, Android or desktop app (which is much easier to break) might be compromised. If the other party is compromised, all your communications with that party will be compromised as well.

Signal implements special protection measures against MITM attacks, making certificate spoofing useless and complicating malware-based attacks. (more…)

How To Access Screen Time Password and Recover iOS Restrictions Password

Thursday, August 29th, 2019

The Screen Time passcode (known as the Restrictions passcode in previous versions of iOS) is a separate 4-digit passcode designed to secure changes to the device settings and the user’s Apple ID account and to enforce the Content & Privacy Restrictions. You can add the Screen Time passcode when activating Screen Time on a child’s device or if you want to add an extra layer of security to your own device.

The 4-digit Screen Time passcode is separate to the main screen lock passcode you are using to unlock your device. If you configure Screen Time restrictions to your usage scenarios, you’ll hardly ever need to type the Screen Time password on your device.

Using the Screen Time password can be a great idea if you want to ensure that no one can reset your iTunes backup password, disable Find My iPhone or change your Apple ID password even if they steal your device *and* know your device passcode. On a flip side, there is no official way to recover the Screen Time password if you ever forget it other than resetting the device and setting it up from scratch. Compared to the device screen lock passcode, Screen Time passwords are much easier to forget since you rarely need it.

In this article, we’ll show you how to reveal your iOS 12 Screen Time passcode (or the Restrictions passcode if you’re using iOS 7 through 11) using Elcomsoft Phone Viewer. (more…)

Why iOS 12.4 Jailbreak Is a Big Deal for the Law Enforcement

Tuesday, August 27th, 2019

By this time, seemingly everyone has published an article or two about Apple re-introducing the vulnerability that was patched in the previous version of iOS. The vulnerability was made into a known exploit, which in turn was used to jailbreak iOS 12.2 (and most previous versions). We’ll look at it from the point of view of a forensic expert.

(more…)

Extended Mobile Forensics: Analyzing Desktop Computers

Tuesday, July 30th, 2019

When it comes to mobile forensics, experts are analyzing the smartphone itself with possible access to cloud data. However, extending the search to the user’s desktop and laptop computers may (and possibly will) help accessing information stored both in the physical smartphone and in the cloud. In this article we’ll list all relevant artefacts that can shed light to smartphone data. The information applies to Apple iOS devices as well as smartphones running Google Android.

Mobile Artefacts on Desktops and Laptops

Due to the sheer capacity, computer storage may contain significantly more evidence than a smartphone. However, that would be a different kind of evidence compared to timestamped and geotagged usage data we’ve come to expect from modern smartphones.

How can the user’s PC or Mac help mobile forensic experts? There several types of evidence that can help us retrieve data from the phone or the cloud.

  1. iTunes backups. While this type of evidence is iPhone-specific (or, rather, Apple-specific), a local backup discovered on the user’s computer can become an invaluable source of evidence.
  2. Saved passwords. By instantly extracting passwords stored in the user’s Web browser (Chrome, Edge, IE or Safari), one can build a custom dictionary for breaking encryption. More importantly, one can use stored credentials for signing in to the user’s iCloud or Google Account and performing a cloud extraction.
  3. Email account. An email account can be used to reset a password to the user’s Apple or Google account (with subsequent cloud extraction using the new credentials).
  4. Authentication tokens. These can be used to access synchronized data in the user’s iCloud account (tokens must be used on the user’s computer; on macOS, transferable unrestricted tokens may be extracted). There are also tokens for Google Drive (can be used to access files in the user’s Google Drive account) and Google Account (can be used to extract a lot of data from the user’s Google Account). The computer itself is also an artefact as certain authentication tokens are “pinned” to a particular piece of hardware and cannot be transferred to another device. If the computer is a “trusted” device, it can be used for bypassing two-factor authentication.

(more…)

Accessing iCloud With and Without a Password in 2019

Thursday, July 25th, 2019

In iOS forensics, cloud extraction is a viable alternative when physical acquisition is not possible. The upcoming release of iOS 13 brings additional security measures that will undoubtedly make physical access even more difficult. While the ability to download iCloud backups has been around for years, the need to supply the user’s login and password followed by two-factor authentication was always a roadblock.

Some five years ago, we learned how to use authentication tokens to access iCloud backups without a password. In Breaking Into iCloud: No Password Required we discussed the benefits of this approach. During the next years, we learned how to use authentication tokens to access other types of data stored in iCloud including the user’s photo library, browsing history, contacts, calendars and other information that Apple synchronizes across all of the user’s devices that are signed in to the same Apple account.

Many things have changed since then. Tokens can no longer be used to access iCloud backups, period. Tokens cannot be used to access passwords (iCloud Keychain), Screen Time, Health and Messages. Sometime last year Apple pinned authentication tokens to a particular computer, making them usable just from the very PC or Mac they’ve been created on. It took us more than a year to figure out a workaround allowing experts to transfer authentication tokens from the user’s computer. Even today, this workaround is only working if the user had a macOS computer. With this number of restrictions, are authentication tokens still usable? What can you obtain from the user’s iCloud account with an authentication token, and what can be accessed with a login and password? How two-factor authentication affects what’s available in an iCloud account, and why knowing the screen lock passcode (or Mac system password) can help? Keep reading to find out.

(more…)

Breaking and Securing Apple iCloud Accounts

Thursday, July 25th, 2019

The cloud becomes an ever more important (sometimes exclusive) source of the evidence whether you perform desktop or cloud forensics. Even if you are not in forensics, cloud access may help you access deleted or otherwise inaccessible data.

Similar to smartphones or password-protected desktops, cloud access is a privilege that is supposed to be only available to the rightful account owner. You would need a login and password and possibly the second factor. These aren’t always available to forensic experts. In fact, it won’t be easy to access everything stored in the cloud if you have all the right credentials.

Apple iCloud is one of the most advanced cloud solutions on the market, with lots of services available. These include comprehensive device backups, synchronization services across the entire Apple ecosystem including the Apple TV and Apple Watch devices, file storage, password management, home IoT devices, Health data and more. And it is pretty secure.

Let’s review all the possibilities of accessing Apple iCloud data with or without a password.

(more…)

iOS 13 (Beta) Forensics

Thursday, July 25th, 2019

iOS 13 is on the way. While the new mobile OS is still in beta, so far we have not discovered many revolutionary changes in the security department. At the same time, there are quite a few things forensic specialists will need to know about the new iteration of Apple’s mobile operating system. In this article, we’ll be discussing the changes and their meaning for the mobile forensics.

iCloud backups

We’ve seen several changes to iCloud backups that break third-party tools not designed with iOS 13 in mind. Rest assured we’ve updated our tools to support iOS 13 iCloud backups already. We don’t expect the backup format to change once iOS 13 is officially released, yet we keep an eye on them.

First, Apple has changed the protocol and encryption. There’s nothing major, but those changes were more than enough to effectively block all third-party tools without explicit support for iOS 13.

Second, cloud backups (at least in the current beta) now contain pretty much the same set of info as unencrypted local backups. Particularly missing from iCloud backups made with iOS 13 devices are call logs and Safari history. This information is now stored exclusively as “synchronized data”, which makes it even more important for the investigator to extract synced evidence in addition to backups. Interestingly, nothing was changed about synced data; you can still use the same tools and sign in with either Apple ID/password/2FA or authentication tokens. (more…)