Archive for the ‘Elcom-News’ Category

Fetching Call Logs, Browsing History and Location Data from Microsoft Accounts

Friday, June 16th, 2017

In other blog post, we discussed the updated Elcomsoft Phone Breaker that allows extracting search and browsing history, location data and call logs from users’ Microsoft Accounts. Now let’s talk about the origins of this data and how to enable its collection on different devices – even if they don’t run Microsoft Windows.

(more…)

The New Google Authentication Engine in Elcomsoft Cloud Explorer 1.31

Thursday, June 15th, 2017

As you may know, we have recently updated Elcomsoft Cloud Explorer, bumping the version number from 1.30 to 1.31. A very minor update? A bunch of unnamed bug fixes and performance improvements? Not really. Under the hood, the new release has major changes that will greatly affect usage experience. What exactly has changed and why, and what are the forensic implications of these changes? Bear with us to find out.

(more…)

On Apple iCloud security and ‘deleted’ notes

Friday, May 19th, 2017

Apple, it’s not funny anymore.

Apple iCloud is a fantastic service. For me, it works far better than Google services, especially when it comes to cloud backups. I use it daily when working with my iPhone, iPad, Mac and MacBook at home. In the office, I still have to use the good old Windows PC, and I hate it. I use iCloud backups to keep my data safe (secured with two-factor authentication), and it really helped me on at least two occasions when I had my iPhone lost or broken far away from home. I use iCloud Photo Library to get my photos synced across devices. I actively use iCloud Drive when working with documents. I use iCloud syncing, including the keychain, to store my passwords and credit card data and have them all handy. I should say that I cannot work effectively without iCloud.

But we have a lot of security and privacy concerns. We completely understand that it is not possible to pick all three from the “security, privacy, usability” trio, but please give at al least two.

(more…)

ElcomSoft vs. The Cloud: a Game of Cat and Mouse

Friday, May 12th, 2017

We’ve got a few forensic tools for getting data off the cloud, with Apple iCloud and Google Account being the biggest two. Every once in a while, the cloud owners (Google and Apple) make changes to their protocols or authentication mechanisms, or employ additional security measures to prevent third-party access to user accounts. Every time this happens, we try to push a hotfix as soon as possible, sometimes in just a day or two. In this article, we’ll try to address our customers’ major concerns, give detailed explanations on what’s going on with cloud access, and provide our predictions on what could happen in the future.

Update 19/05/2017: what we predicted has just happened. Apple has implemented additional checks just two days ago. This time, the extra checks do not occur during the authentication stage. Instead, the company started blocking pull requests for backup data originating from what appears to Apple as a desktop device (as opposed to being an actual iPhone or iPad). Once again we had to rush a hotfix to our customers, releasing an update just today. Whether or not our solution stands the test of time is hard to tell at this time. It seems this time it’s no longer a game but a war.

This whole Apple blocking third-party clients issue creates numerous problems to our customers who are either legitimate Apple users or law enforcement officials who must have access to critical evidence now as opposed to maybe getting it from Apple in one or two weeks. This time it’s not about security or privacy of Apple customers. After all, accounts protected with two-factor authentication are and have been safe. We’ve had similar experience with Adobe several years ago, and surprisingly, it turned out Adobe had reasons beyond privacy or security of its customers.

(more…)

Routes and Places: Obtaining Enhanced Location Data from Google Accounts

Wednesday, April 26th, 2017

Even before we released Elcomsoft Cloud Explorer, you’ve been able to download users’ location data from Google. What you would get then was a JSON file containing timestamped geolocation coordinates. While this is an industry-standard open data format, it provides little insight on which places the user actually visits. A full JSON journal filled with location data hardly provides anything more than timestamped geographic coordinates. Even if you pin those coordinates to a map, you’ll still have to scrutinize the history to find out which place the user has actually gone to.

Google has changed that by introducing several mapping services running on top of location history. With its multi-million user base and an extremely comprehensive set of POI, Google can easily make educated guesses on which place the user has actually visited. Google knows (or makes a very good guess) when you eat or drink, stay at a hotel, go shopping or do other activities based on your exact location and the time you spent there. This extra information is also stored in your Google account – at least if you use an Android handset and have Location History turned on.

Elcomsoft Cloud Explorer 1.30 can now process Google’s enhanced location data, which means we can now correctly identify, extract and process user’s routes and display places they visited (based on Google’s POI). This significantly improves readability of location data, providing a list of places (such as restaurants, landmarks or shops) instead of plain numbers representing geolocation coordinates. In this article, we’ll figure out how to obtain that data and how to analyze it. (more…)

Extracting Unread Notifications from iOS Backups

Thursday, March 2nd, 2017

In the world of no jailbreak, acquisition opportunities are limited. Experts are struggling to access more information from those sources that are still available. Every little bit counts. In Elcomsoft Phone Viewer 3.0, we’ve added what might appear like a small bit: the ability to view undismissed iOS notifications. Unexciting? Hardly. Read along to discover how extracting notifications from iOS backups can make all the difference in an investigation! (more…)

How to Break 70% of Passwords in Minutes

Tuesday, February 14th, 2017

According to surveys, the average English-speaking consumer maintains around 27 online accounts. Memorizing 27 unique, cryptographically secure passwords is nearly impossible for a person one could reasonably call “average”. As a result, the average person tends to reuse passwords, which means that a single password (or its simple variations) can be used to protect multiple online accounts and services. The same passwords are very likely to be chosen to protect access to offline resources such as encrypted archives and documents. In fact, several independent researches published between 2012 and 2016 suggest that between 59 and 61 per cent of consumers reuse passwords.

Considering how consistent the numbers are between multiple researches carried out over the course of four years, we can safely assume that around 60% of consumers reuse their passwords. How can this data help us break passwords, and how did we arrive to the value of 70% in the title? Read along to find out! (more…)

ElcomSoft Extracts Deleted Safari Browsing History from iCloud

Thursday, February 9th, 2017

Your browsing history represents your habits. You are what you read, and your browsing history reflects that. Your Google searches, visits to news sites, activities in blogs and forums, shopping, banking, communications in social networks and other Web-based activities can picture your daily activities. It could be that the browsing history is the most intimate part of what they call “online privacy”. You wouldn’t want your browsing history become public, would you?

“When I die, delete my browsing history”. This is what many of us want. However, if you’re an iPhone user, this is not going to work. Apple may hide your browsing history but still keep your records in the cloud, and someone (maybe using ElcomSoft tools) could eventually download your browsing history. How could this happen? Read along to find out!

(more…)

Extracting WhatsApp Conversations from Android Smartphones

Thursday, February 2nd, 2017

As you may already know, we’ve added Android support to our WhatsApp acquisition tool, Elcomsoft Explorer for WhatsApp. While the updated tool can now extract WhatsApp communication histories directly from Android smartphones with or without root access, how do you actually use it, and how does it work? In this blog post we’ll be looking into the technical detail and learn how to use the tool.

(more…)