Cloud acquisition has been available for several years. iPhones and iPads running recent versions of iOS can store snapshots of their data in the cloud. Cloud backups are created automatically on a daily basis provided that the device is charging while connected to a known Wi-Fi network. While iCloud backups are great for investigations, there is one thing that might be missing, and that’s up-to-date information about user activities that occurred after the moment the backup was created. In this article, we’ll discuss an alternative cloud acquisition option available for iOS devices and compare it to the more traditional acquisition of iCloud backups.
Archive for the ‘Elcom-News’ Category
We released a major update to Elcomsoft Wireless Security Auditor, a tool for corporate customers to probe wireless network security. Major addition in this release is the new Wi-Fi sniffer, which now supports the majority of general-use Wi-Fi adapters (as opposed to only allowing the use of a dedicated AirPCap adapter). The built-in Wi-Fi sniffer is a component allowing the tool to automatically intercept wireless traffic, save Wi-Fi handshake packet and perform an accelerated attack on the original WPA/WPA2-PSK password.
iCloud sync is everywhere. Your contacts and calendars, system backups and photos can be stored in the cloud on Apple servers. This time, we discovered that yet another piece of data is stored in the cloud for no apparent reason. Using an iPhone and have an active iCloud account? Your calls will sync with iCloud whether you want it or not. In fact, most users we’ve heard from don’t want this “feature”, yet Apple has no official way to turn off this behavior other than telling people “not using the same Apple ID on different devices”. What’s up with that? Let’s try to find out.
Why It Matters
Ever since the release of iOS 8, Apple declines government requests to extract information. According to Apple, “On devices running iOS 8 and later versions, your personal data is placed under the protection of your passcode. For all devices running iOS 8 and later versions, Apple will not perform iOS data extractions in response to government search warrants because the files to be extracted are protected by an encryption key that is tied to the user’s passcode, which Apple does not possess.”
So far, we had no reasons to doubt this policy. However, we’ve seen Apple moving more and more data into the cloud. iCloud data (backups, call logs, contacts and so on) is very loosely protected, allowing Apple itself or any third party with access to proper credentials extracting this information. Information stored in Apple iCloud is of course available to law enforcement. (more…)
Today we are super excited: our first book on mobile forensics just got published! The book is called “Mobile Forensics – Advanced Investigative Strategies”, and is about everything you need to successfully acquire evidence from the widest range of mobile devices. Unlike most other books on this subject, we don’t just throw file names or hex dumps at your face. Instead, we discuss the issues of seizing mobile devices and preserving digital evidence before it reaches the lab; talk about acquisition options available in every case, and help you choose the correct acquisition path to extract evidence with least time and minimal risk.
We used our years of expertise in researching and building forensic tools to help our readers better understand the acquisition process. We aimed our book at specialists with beginner to intermediate knowledge of mobile forensics. We did our best to make it a perfect learning and reference tool.
This book is about strategies and tools. We do believe in tools, but we also believe that even the best tool is useless if you don’t have clear understanding on what you are doing, and why. It’s not just about ElcomSoft products: we talk about a wide range of forensic tools covering most mobile devices.
Google is pushing Android to make it a truly secure mobile OS. Mandatory encryption and secure boot make physical acquisition of new Android devices a dead end.
While securing physical devices against all types of attacks, Google continues moving stuff into the cloud. Interestingly, these activities no longer coincide with Android releases; Google can add cloud features later in the production cycle by updating Google Services on the user’s Android device. One such updated added the ability to sync call logs between Android devices by uploading data into the user’s Google Drive account. We researched the protocol and added the ability to extract synced call logs to Elcomsoft Cloud Explorer 1.20. This cloud acquisition could be the only way to extract call logs since all Android devices since Android 6.0 are shipped with full-disk encryption out of the box.
Releasing a major update of a complex forensic tool is always tough. New data locations and formats, new protocols and APIs require an extensive amount of research. Sometimes, we discover things that surprise us. Researching Apple’s iCloud Photo Library (to be integrated into Elcomsoft Phone Breaker 6.0) led to a particularly big surprise. We discovered that Apple keeps holding on to the photos you stored in iCloud Photo Library and then deleted, keeping “deleted” images for much longer than the advertised 30 days without telling anyone. Elcomsoft Phone Breaker 6.0 becomes the first tool on the market to gain access to deleted images going back past 30 days.
Update September 1, 2016: Apple is fixing this as we speak. Deleted photos still appear, but we see less and less of them in every session. Whatever it was, it seems like Apple is fixing the issue as quick as they can.
For many months, a working jailbreak was not available for current versions of iOS. In the end of July, Pangu released public jailbreak for iOS 9.2-9.3.3. A few days ago, Apple patched the exploit and started seeding iOS 9.3.4. This was the shortest-living jailbreak in history.
With iOS getting more secure with each generation, the chance of successfully jailbreaking a device running a recent version of iOS are becoming slim. While this may not be the end of all for mobile forensic experts, we felt we need to address the issue in our physical acquisition toolkit.
Just now, we’ve updated Elcomsoft Cloud Explorer to version 1.10. This new release adds the ability to download email messages from the user’s Gmail account for offline analysis. In order to do that, we had to develop a highly specialized email client. We opted to use Google’s proprietary Gmail API to download mail. In this article, we’ll explain our decision and detail the benefits you’ll be getting by choosing a tool that can talk to Gmail in Gmail language.
The Gmail API
The Gmail API is a set of publicly available APIs that can be used by third-party developers to access Gmail mailboxes. Google cites the Gmail API as the best choice for authorized access to a user’s Gmail data. According to Google, the Gmail API is an ideal solution for read-only mail extraction, indexing and backup, as well as for migrating email accounts (https://developers.google.com/gmail/api/guides/overview). Elcomsoft Cloud Explorer does exactly that: it offers read-only mail extraction to create an offline backup of messages from the user’s online account.
Unlike universal email protocols such as POP3 and IMAP, Google’s new API offers flexible access to the user’s Gmail account. By using the proprietary API, developers gain access to the user’s inbox complete with threads, messages, labels, drafts and history.
Most importantly, the Gmail API is blazing fast compared to legacy email protocols, and offers the ability to selectively download specific messages and threads (such as those falling within a certain time period).
Not all passwords provide equal protection. Some formats are more resistant to brute-force attacks than others. As an example, Microsoft Office 2013 and 2016 employ a smart encryption scheme that is very slow to decrypt. Even the fastest available GPU units found in NVIDIA’s latest GeForce GTX 1080 will only allow trying some 7100 passwords per second.
One solution is employing a custom dictionary, possibly containing the user’s passwords that were easier to break. Observing the common pattern in those other passwords may allow creating a custom mask that could greatly reduce the number of possible combinations.
How often do you think forensic specialists have to deal with encrypted containers? Compared with office documents and archives that are relatively infrequent, every second case involves an encrypted container. It may vary, but these evaluations are based on a real survey conducted by our company.
It is hard to overestimate the importance of the topic. In the first part of our story we discussed the way of getting access to encrypted volumes using an encryption key. Now, let’s see which other ways can be used.
Unlike Elcomsoft Forensic Disk Decryptor, Elcomsoft Distributed Password Recovery does not search for existing decryption keys. Instead, it tries to unlock password-protected disks by attacking the password. The tool applies an impressive variety of techniques for attacking the password. In this case, the whole disk encryption scheme is only as strong as its password. Fortunately, the tool can execute a wide range of attacks including wordlist attack, combination attacks, mask attacks, smart attacks and so on and so forth, with advanced GPU acceleration and distributed processing on top of that. The whole sophisticated arsenal comes in particularly handy if we speak about more or less secure passwords.