Archive for the ‘Elcomsoft News’ category

The wide spread of full-disk encryption makes live system analysis during incident response a challenge, but also an opportunity. A timely detection of full-disk encryption or a mounted crypto container allows experts take extra steps to secure access to encrypted evidence before pulling the plug. What steps are required and how to tell if the system is using full-disk encryption? “We have a tool for that”.

The long-awaited update for Elcomsoft Phone Breaker has arrived. The update brought back the ability to download iCloud backups, which was sorely broken since recent server-side changes introduced by Apple. We are also excited to become the first forensic company to offer support for iCloud backups saved by iOS 14 beta devices, all while supporting the full spectrum of two-factor authentication methods. We are proud to provide the most comprehensive forensic support of Apple iCloud with unmatched performance, accelerating forensic investigations and providing access to critical evidence stored in the cloud.

19 years ago, on July 16, 2001, the FBI arrested Dmitry Sklyarov, almost immediately after his speech at the DEF CON hacker conference, on a number of charges by Adobe. Dmitry was accused of many things, from software trafficking to conspiring with Elcomsoft and “third parties”, who put up the software for sale that could bypass technological protection on copyrighted material. Dmitry’s career at Elcomsoft began with a project on gaining access to protected Access databases. Soon, Dmitry got an idea about the security of PDF documents, and so he started working on it. From this idea the never-to-be-forgotten Advanced eBook Processor was born, because of which Dmitry was arrested in 2001 at DEF CON in Las Vegas, NV.

Breaking passwords becomes more difficult with every other update of popular software. Microsoft routinely bumps the number of hash iterations to make Office document protection coherent with current hardware. Apple uses excessive protection of iTunes backups since iOS 10.1, making brute force attacks a thing of the past. VeraCrypt and BitLocker were secure from the get go. However, everything is not lost if you consider human nature.

QQ Browser is one of China’s most popular Web browsers. With some 10% of the Chinese market and the numerous Chinese users abroad, QQ Browser is used by the millions. Like many of its competitors, QQ Browser offers the ability to store website passwords. The passwords are securely encrypted, and can be only accessed once the user signs into their Windows account. Learn what you need to do to extract passwords from Tencent QQ Browser.

BitLocker is Windows default solution for encrypting disk volumes. A large number of organizations protect startup disks with BitLocker encryption. While adding the necessary layer of security, BitLocker also has the potential of locking administrative access to the encrypted volumes if the original Windows logon password is lost. We are offering a straightforward solution for reinstating access to BitLocker-protected Windows systems with the help of a bootable USB drive.

Originally released in September 2016, iOS 10 was regularly updated for most devices until July 2017. The 64-bit iPhones capable of running iOS 10 range from the iPhone 5s to iPhone 7 and 7 Plus. While one is hardly likely to encounter an iOS 10 in the wild, forensic labs still process devices running the older version of the OS. In this update, we’ve brought support for jailbreak-free extraction back to the roots, adding support for the oldest version of iOS capable of running on the iPhone 7 generation of devices. Let’s see what it takes to extract an older iPhone without a jailbreak. In addition, we have expanded support for the Apple TV devices, now offering keychain decryption in addition to file system extraction for both Apple TV 4 (Apple TV HD) and Apple TV 4K running tvOS 13.4 through 13.4.5.

Apple iCloud contains massive amounts of data, which may become highly valuable evidence. The oldest and most frequently mentioned are iCloud backups, which ElcomSoft were the first to extract back in 2012. A lot has changed since then. Today, iCloud backups account for a very minor part of the evidence available in iCloud. Learn what types of data are stored in iCloud, how Apple protects the data with end-to-end encryption, and how to access that valuable evidence with the updated Elcomsoft Phone Breaker.

Extracting the fullest amount of information from the iPhone, which includes a file system image and decrypted keychain records, often requires installing a jailbreak. Even though forensically sound acquisition methods that work without jailbreaking do exist, they may not be available depending on the tools you use. A particular combination of iOS hardware and software may also render those tools ineffective, requiring a fallback to jailbreak. Today, the two most popular and most reliable jailbreaks are checkra1n and unc0ver. How do they fare against each other, and when would you want to use each?

The unc0ver v5 jailbreak has been available for a while now. It supports the newest versions of iOS up to and including iOS 13.5, and this is fantastic news for DFIR community, as it allows extracting the full file system and the keychain when acquiring the newest latest iPhone models such as the iPhone 11 and 11 Pro, and SE 2020. In this article, I’ll talk about the unc0ver jailbreak, the installation and usage for the purpose of file system extraction, and discuss the differences between jailbreak-based and jailbreak-free extraction.