ElcomSoft blog

«…Everything you wanted to know about password recovery, data decryption,
mobile & cloud forensics…»

Archive for the ‘Did you know that…?’ Category

Technical and Legal Implications of iOS File System Acquisition

Thursday, February 21st, 2019

There has been a lot of noise regarding GrayKey news recently. GrayKey is an excellent appliance for iOS data extraction, and yes, it can help access more evidence. As always, the devil is in the detail.

A couple of quotes first, coming from the company who now partners with GrayShift to bundle their mobile forensic software (one of the best on the market, I would say) with GrayKey. They do support GrayKey-extracted data as well, and here is what they say:

“From the first iPhone extraction from GrayKey we were blown away with the amount of data they recovered”

“we’re seeing data we haven’t seen in years”

Actually, this is not exactly the case. Speaking of full file system acquisition, it’s been us who were the first on the market some 3 years ago, see Physical Acquisition for 64-bit Devices, iOS 9 Support.

Since then, we’ve been actively developing and updating iOS Forensic Toolkit, adding support for newer versions of iOS. We published a number of articles in our blog describing the benefits of file system extraction and what you can get: location data, cached mail, app-specific data, CPU and network usage data and much more.

Yes, we use the different approach, that requires jailbreaking (more on that later).

(more…)

A New Method for Decrypting WhatsApp Backups

Thursday, December 20th, 2018

WhatsApp remains one of the most popular instant messengers. With more than 1.5 billion users and about half billion daily active users, WhatsApp sends over 100 billion messages per day. WhatsApp is secure thanks to end-to-end encryption to make intercepted messages impossible to decrypt. While this is great news to consumers and privacy advocates, it is also bad news for the law enforcement. Once an expert accepts to access the suspect’s WhatsApp communication history, they will struggle with the encryption and demand for a vendor-provided backdoor (WhatsApp: The Bad Guys’ Secret Weapon).

Are there any other options to access WhatsApp conversations? We know of at least two. The first option is capturing the message database directly from the device of either party. The other option is going through the cloud. WhatsApp does not have its own native cloud service such as Telegram. All it has is a messaging relay service, which does not store messages for any longer than required to pass them along. In other words, any message that passes through WhatsApp servers is immediately deleted once it’s delivered (and it would be of no use to forensic experts anyway due to end-to-end encryption). It is important to note that WhatsApp accounts cannot be used on more than one device.

Let’s review WhatApp recovery/decryption options for both Android and iOS, and see what is new in Elcomsoft eXplorer for WhatsApp (EXWA).

(more…)

Six Ways to Decrypt iPhone Passwords from the Keychain

Tuesday, December 18th, 2018

In Apple’s world, the keychain is one of the core and most secure components of macOS, iOS and its derivatives such as watchOS and tvOS. The keychain is intended to keep the user’s most valuable secrets securely protected. This includes protection for authentication tokens, encryption keys, credit card data and a lot more. End users are mostly familiar with one particular feature of the keychain: the ability to store all kinds of passwords. This includes passwords to Web sites (Safari and third-party Web browsers), mail accounts, social networks, instant messengers, bank accounts and just about everything else. Some records (such as Wi-Fi passwords) are “system-wide”, while other records can be only accessed by their respective apps. iOS 12 further develops password auto-fill, allowing users to utilize passwords they stored in Safari in many third-party apps.

If one can access information saved in the keychain, one can then gain the keys to everything managed by the device owner from their online accounts to banking data, online shopping, social life and much more.

Apple offers comprehensive documentation for developers on keychain services, and provides additional information in iOS Security Guide.

In this article we assembled information about all existing methods for accessing and decrypting the keychain secrets.

(more…)

Can Forensic Experts Keep Up with the Digital Age?

Wednesday, December 5th, 2018

The boom in personal electronic devices recording literally every persons’ step introduced a new type of forensic evidence: the digital evidence. In this day and age, significantly more forensic evidence is available in digital form compared to physical evidence of yesteryear. Are law enforcement and intelligence agencies ready to handle the abundance of digital evidence? And more importantly, do frontline officers have the skills and technical expertise required to handle and preserve this wealth of information?

Digital forensic evidence is a major challenge today, and will become even more of a challenge tomorrow. Crypto currencies and the dark net created an effective shield for criminals committing online fraud and extorting ransom, trafficking drugs and human beings, supporting and financing international terrorism.

Digital evidence that lands on end user devices is also well shielded from investigation efforts. The unilateral push for hardware-backed secure encryption by major vendors of mobile operating systems (Google and Apple) covers criminals with almost unbreakable protection, building a wall around digital evidence that could be vital for investigations. (more…)

Apple Health Is the Next Big Thing: Health, Cloud and Security

Thursday, November 29th, 2018

Health data is among the most important bits of information about a person. Health information is just as sensitive as the person’s passwords – and might be even more sensitive. It is only natural that health information is treated accordingly. Medical facilities are strictly regulated and take every possible security measure to restrict access to your medical records.

Since several versions of iOS, your health information is also stored in Apple smartphones, Apple cloud and various other devices. In theory, this information is accessible to you only. It’s supposedly stored securely and uses strong encryption. But is that really so? What if Apple uploads this data to the cloud? Is it still secure? If not, can we extract it? Let’s try to find out.

(more…)

Extracting Apple Health Data from iCloud

Thursday, November 29th, 2018

Heartrate, sleeping habits, workouts, steps and walking routines are just a few things that come to mind when we speak of Apple Health. Introduced in September 2014 with iOS 8, the Apple Health app is pre-installed on all iPhones. The app makes use of low-energy sensors, constantly collecting information about the user’s physical activities. With optional extra hardware (e.g. Apple Watch), Apple Health can collect significantly more information. In this article we’ll talk about the types of evidence collected by Apple Health, how they are stored and how to extract the data. (more…)

iMessage Security, Encryption and Attachments

Thursday, November 15th, 2018

iMessage is undoubtedly one of the most popular instant messaging platforms for an obvious reason: it’s built in to iOS and ships with every iPhone by default. iMessage does not require complex setup, so the number of iMessage users is closely matching the number of iPhone users. Apple sells about 200 million iPhones every year, and the total number of iPhones sold is more than a billion. Unless you absolutely must chat with someone outside of Apple’s ecosystem (like those poor Android folks), you won’t need Skype, WhatsApp or Telegram. It’s also comforting to know that iMessage works everywhere around the world while most other messengers are oppressed in one or more countries.

But what about iMessage security? Is it safe to use if you’re concerned about your privacy? Is there a reason why countries such as China, Iran or Russia block other messengers but keep iMessage going? Is it safe from hackers? What about Law Enforcement? And what about Apple itself? It must have access to your messages to target the ads, right? Is it OK to send those private snapshots or share your location via iMessage?

There is no simple answer, but we’ll do our best to shed some light on that.

(more…)

iPhone Xs PWM Demystified: How to Reduce Eyestrain by Disabling iPhone Xs and Xs Max Display Flicker

Tuesday, October 30th, 2018

The iPhone Xs employs a revised version of the OLED panel we’ve seen in last year’s iPhone X. The iPhone Xs Max uses a larger, higher-resolution version of the panel. Both panels feature higher peak brightness compared to the OLED panel Apple used in the iPhone X. While OLED displays are thinner and more power-efficient compared to their IPS counterparts, most OLED displays (including those installed in the iPhone Xs and Xs max) will flicker at lower brightness levels. The screen flickering is particularly visible in low ambient brightness conditions, and may cause eyestrain with sensitive users. The OLED flickering issue is still mostly unheard of by most consumers. In this article we will demystify OLED display flickering and provide a step by step instruction on how to conveniently disable (and re-enable) PWM flickering on iPhone Xs and Xs Max displays to reduce eyestrain. (more…)

Everything You Wanted to Know about Activation Lock and iCloud Lock

Thursday, October 4th, 2018

Working in a mobile forensic company developing tools for iCloud forensics, logical and physical extraction of iPhone devices, we don’t live another day without being asked if (or “how”) we can help remove iCloud lock from a given iPhone. Without throwing a definite “yes” or “no” (or “just buy this tool”), we’ve decided to gather everything we know about bypassing, resetting and disabling iCloud activation lock on recent Apple devices.

What Is Activation Lock (iCloud Lock)?

Activation Lock, or iCloud Lock, is a feature of Find My iPhone, Apple’s proprietary implementation of a much wider protection system generally referred as Factory Reset Protection (FRP). Factory Reset Protection, or “kill switch”, is regulated in the US via the Smartphone Theft Prevention Act of 2015. The Act requires device manufacturers to feature a so-called “kill switch” allowing legitimate users to remotely wipe and lock devices. The purpose of the kill switch was to discourage smartphone theft by dramatically reducing resale value of stolen devices.

According to Apple, “Activation Lock is a feature that’s designed to prevent anyone else from using your iPhone, iPad, iPod touch, or Apple Watch if it’s ever lost or stolen. Activation Lock is enabled automatically when you turn on Find My iPhone. … Even if you erase your device remotely, Activation Lock can continue to deter anyone from reactivating your device without your permission. All you need to do is keep Find My iPhone turned on, and remember your Apple ID and password.”

Update 25.07.2019: new/additional information on that topic is now available in Breaking and Securing Apple iCloud Accounts article. (more…)

Analysing Apple Pay Transactions

Thursday, August 30th, 2018

With more than 127 million users in multiple countries, Apple Pay is one of the more popular contactless payment systems. Unlike some competing payment technologies, Apple Pay is not only tightly integrated into Apple’s ecosystem but is exclusive to Apple devices.

Apple Pay serves as a digital wallet, digitizing user’s payment cards and completely replacing traditional swipe-and-sign and chip-and-PIN transactions at compatible terminals. However, unlike traditional wallets, Apple Pay also keeps detailed information about the user’s point of sale transactions. Due to the sheer amount of highly sensitive information processed by the system, Apple Pay is among the most securely protected vaults in compatible devices. In this article we’ll show you where and how this information is stored in the file system, how to extract it from the iPhone and how to analyse the data. (more…)