If you follow industry news, you already know about the release of iOS 9. You may also know that iOS 9 is the toughest one to break, with no jailbreak available now or in the foreseeable future. With no jailbreak and no physical acquisition available for newer devices, what methods can you still use to obtain evidence from passcode-locked devices? Our answer to this is Elcomsoft Phone Breaker 5.0, which adds over-the-air acquisition support for iOS 9.
Archive for the ‘Elcom-News’ Category
We have just released a brand new tool, and this time it’s not about mobile forensics. Or is it?
Elcomsoft Password Digger is designed for decrypting the content of Mac OS protected storage, the keychain. Note that it is a Windows tool, so you will need to pull the keychain files from the Mac OS system along with any decryption metadata (such as the key file for the system keychain, or the user’s password for decrypting the user keychain). After decrypting the keychain, the tool exports everything into an XML file and creates a filtered plain-text file that only contains passwords (to be used as a pluggable dictionary in various password recovery tools).
So what is this all about?
As you may already know from the official press release, we’ve recently updated Elcomsoft Phone Breaker to version 4.10. From that release, you could learn that the updated version of the tool targets password managers, adding the ability to instantly decrypt passwords stored in BlackBerry Password Keeper for BlackBerry 10 and to attack 1Password containers.
If you read between the lines, though, it’s a different story.
Essentially, we’ve discovered a backdoor hidden in recent versions of BlackBerry Password Keeper allowing us to decrypt the content of that app instantly without brute-forcing the master password. For our customers, this means instant access to passwords and other sensitive information maintained by BlackBerry Password Keeper. No lengthy waits and no fruitless attacks, just pure convenience. But is this convenience intentional? Did BlackBerry leave a backdoor for government access, or is this an unintentional vulnerability left by the company renowned for its exemplary security model? Let’s try to find out.
With all the trouble of jailbreaking iOS 8 devices and the lack of support for 64-bit hardware, does iOS physical acquisition still present meaningful benefits to the investigator? Is it still worth your time and effort attempting to acquire that iPhone via a Lightning cord?
Granted, jailbroken iOS devices are rare as hen’s teeth. You are very unlikely to see one in the wild. However, we strongly believe that physical acquisition still plays an important role in the lab, and here are the reasons why.
- In many countries (Mexico, Brazil, Russia, Eastern Europe etc.) Apple sells more 32-bit phones than 64-bit ones. Old iPhones traded in the US are refurbished and sold to consumers in other countries (BrightStar coordinates these operations for Apple in the US). As an example, new and refurbished iPhone 4S and 5 units accounted for some 46% of all iPhones sold through retail channels in Russia in Q1 2015.
- Physical extraction returns significantly more information compared to any other acquisition method including logical or over-the-air acquisition. In particular, we’re talking about downloaded mail and full application data including logs and cache files (especially those related to Internet activities). A lot of this information never makes it into backups.
- Full keychain extraction is only available with physical acquisition. Physical acquisition is the only way to fully decrypt the keychain, including those records encrypted with device-specific keys. Those keychain items can be extracted from a backup file, but cannot be decrypted without the device-specific key. In addition, the keychain often contains the user’s Apple ID password.
- With physical acquisition, you can extract the ‘securityd’ key (0x835) from the device. This key can be used to completely decrypt all keychain items from iCloud backups.
- Physical acquisition produces a standard DMG disk image with an HFS+ file system. You can mount the image on your system and analyze it with a wider range of mobile forensic tools than is available for iTunes or iCloud backup files.
As everyone knows, the high-speed, extremely powerful and increasingly popular ElcomSoft tools have already become industry standard in IT-security, risk management and computer forensics industries. After achieving these targets, our team got a little… bored.
That’s why we’re happy to announce a refreshing turn in the history of our code-breaking business by injecting several completely different but entertaining activities. Instead of boring number-crunching code, we will now focus on making t-shirts, mugs, pins, smartphone cases, mobile games, and entertaining commercials, simply because we’re always doing The Right Thing no matter what 🙂
Think it’s an April Fool’s joke? Just visit our new Web store or download our new game for Android and iOS to see how serious we are!
Discover our new business activities:
★ A new online shop with funny tees, pants, pins, mugs and phone cases
★ A new mobile game ElcomSafe for enriching your IT security vocabulary
★ And an amusing commercial to make you smile and kiss your dearest one
Have a wonderful day and a happy spring!
As you may already know from our official announcement, we’ve recently updated Elcomsoft Phone Breaker to support Apple accounts upgraded to iCloud Drive and decrypting keychains from iCloud. Considering that one can access files stored in iCloud Drive without any third-party tools, is the update really worth the buzz? Read along to find out!
Before getting to the updated technology, let’s have a look at what Apple iCloud Drive is, and how it’s different from “classic” iCloud.
We have just released a long-awaited update to one of our flagship products, Elcomsoft Distributed Password Recovery. While you can learn more about what’s been added and changed from our official announcement, in this post we’d like to share some insight about the path we took to design this update.
Elcomsoft Phone Breaker Update: Improved iCloud Acquisition, Two-Factor Authentication and Stronger Brute Force
Wednesday, December 17th, 2014
We are excited to announce an update to one of our oldest mobile forensic tools, Elcomsoft Phone Breaker. In this release we mostly targeted iCloud acquisition, although we’ve also made some changes to the password recovery algorithm targeting iOS offline backups. All in all, the new tool can be used under a wider range of circumstances, squeezes more juice out of your existing acceleration hardware, and adds support for the newest and greatest AMD and NVIDIA boards.
With little news on physical acquisition of the newer iPhones, we made every effort to explore the alternatives. One alternative to physical acquisition is over-the-air acquisition from Apple iCloud, allowing investigators to access backups stored in the cloud. While this is old news (we learned to download data from iCloud more than two years ago), this time we have something completely different: access to iCloud backups without a password! The latest release of Phone Password Breaker is all about password-free acquisition of iCloud backups.