ElcomSoft blog

«…Everything you wanted to know about password recovery, data decryption,
mobile & cloud forensics…»

Archive for the ‘Elcom-News’ Category

Apple iCloud Keeps More Real-Time Data Than You Can Imagine

Thursday, February 8th, 2018

Apple has a wonderfully integrated ecosystem. Apple computers, tablets and phones conveniently synchronize information such as passwords, Web browsing history, contacts and call logs across all of the user’s devices. This synchronization mechanism uses iCloud to sync and store information. The syncing mechanism works independently from iOS system backups that are also stored in iCloud (or iCloud Drive). As opposed to daily iCloud backups, synchronized data is updated and propagated across devices in almost real time. Extracting this information can be invaluable for investigations as it provides access to the most up to date information about the user, their activities and whereabouts.

What exactly is synced through iCloud? The screen shot above lists all options available in iOS 11. As you can see, the following types of data are (or can be) synced across Apple devices:

  • Photos (iCloud Photo Library)
  • Mail (iCloud mail only)
  • Contacts, Calendars and Reminders
  • Safari (browsing history, bookmarks and tabs open on other devices)
  • Game Center (profiles, achievements and game progress)
  • Siri (requests, settings)
  • Keychain (iCloud Keychain stores passwords and forms from Safari, iOS system, Apple and some third-party apps, but not Google Chrome)
  • iCloud backups (up to last 3 copies per device, created daily while charging)
  • iBooks, Pages, Numbers and Keynote (e-books, PDF files, documents)
  • Maps (user’s search history, routes and places)
  • Wallet
  • Wi-Fi

(more…)

How to Instantly Access BitLocker, TrueCrypt, PGP and FileVault 2 Volumes

Wednesday, January 31st, 2018

It’s been a long while since we made an update to one of our most technically advanced tools, Elcomsoft Forensic Disk Decryptor (EFDD). With this tool, one could extract data from an encrypted disk volume (FileVault 2, PGP, BitLocker or TrueCrypt) by utilizing the binary encryption key contained in the computer’s RAM. We could find and extract that key by analyzing the memory dump or hibernation files.

What Elcomsoft Forensic Disk Decryptor did not do until now was pretty much everything else. It couldn’t use plain text passwords to mount or decrypt encrypted volumes, and it didn’t support escrow (recovery) keys. It didn’t come with a memory imaging tool of its own, making its users rely on third-party solutions.

With today’s release, Elcomsoft Forensic Disk Decryptor gets back on its feets, including everything that was missing in earlier versions. Plain text passwords and recovery keys, a Microsoft-signed kernel-level RAM imaging tool, the highly anticipated portable version and support for the industry-standard EnCase .E01 and encrypted DMG images are now available. But that’s not everything! We completely revamped the way you use the tool by automatically identifying all available encrypted volumes, and providing detailed information about the encryption method used for each volume.

(more…)

How to Extract Media Files from iOS Devices

Tuesday, January 9th, 2018

Media files (Camera Roll, pictures and videos, books etc.) are an important part of the content of mobile devices. The ability to quickly extract media files can be essential for an investigation, especially with geotags (location data) saved in EXIF metadata. Pulling pictures and videos from an Android smartphone can be easier than obtaining the rest of the data. At the same time, media extraction from iOS devices, while not impossible, is not the easiest nor the most obvious process. Let’s have a look at tools and techniques you can use to extract media files from unlocked and locked iOS devices.

Ways to Extract Media Files

There is more than one way you could use to extract media files. (more…)

Breaking Apple iCloud: Reset Password and Bypass Two-Factor Authentication

Tuesday, November 28th, 2017

Who am I to tell you to use two-factor authentication on all accounts that support it? This recommendation coming from someone whose business is supplying law enforcement with tools helping them do their job might be taken with a grain of salt by an average consumer. Yet we still strongly believe that, however good a password you have to encrypt your local documents or NAS drives, any remotely popular online service absolutely requires an additional authentication factor.

We covered the risks related to passwords more than once. There is no lack of horror stories floating on the Internet, ranging from leaking private photos to suddenly losing access to all data and devices registered on a certain account. Today, smartphones store excessive amounts of information. If any of that data is synced with a cloud, the data will be shared with something other than just your device.

So what is that “other” thing that you need to secure access to your account? It might be something you have in addition to something you know. Something that cannot be easily stolen or accessed remotely. This is exactly what two-factor authentication is for.

All three major mobile companies, Apple, Google and Microsoft, offer very different implementations of two-factor authentication. Speaking Google, you have several convenient options: SMS (which is not really secure, and Google knows it), the recently added Google Prompt, the classic Google Authenticator app, printable backup codes, FIDO keys and a few more. (Spoiler: if you are on a different side and need to extract the data as opposed to protecting it, we have an app for that).

What about Apple? There are a few things you should definitely know about Apple’s implementation. The problem with Apple is that Apple accounts protected with two-factor authentication can be actually less secure at some points. Surprised? Keep reading.

(more…)

Target: Apple Two-Factor Authentication

Tuesday, November 28th, 2017

Two-factor authentication is essential to secure one’s access to online accounts. We studied multiple implementations of two-factor authentication including those offered by Apple, Google and Microsoft. While Google’s implementation offers the largest number of options, we feel that Apple has the most balanced implementation. The closed ecosystem and the resulting deep integration with the core OS makes it easy for Apple to control exactly how it works and on which devices.

Suppressing the Prompt

Since Apple introduced Two-Factor Authentication (as a replacement of the older and much less secure Two-Step Verification), Apple customers are alerted immediately of someone’s attempt to access their Apple account. A 2FA prompt is pushed instantly and concurrently to all devices the user has in their Apple account once someone attempts to log in. This has always been a hassle for forensic experts trying to perform investigations without alerting the suspect, as merely entering a login and password and seeing a 2FA prompt would mean it’s already too late, as the suspect has been alerted with a prompt.

Or, better to say, it used to be an issue. Just not anymore! Elcomsoft Phone Breaker 8.1, our newest release, now carries out an additional check (which wasn’t exactly easy to make since there is no official API and obviously no documentation), allowing the tool to detect whether or not Two-Factor Authentication is enabled on a given Apple account without triggering a 2FA prompt. The expert will now have the choice of whether to proceed (and potentially alert the suspect) or stop right there.

(more…)

The Future of Android Security: Why Google Pushes Away from SMS to Prompt Verification

Thursday, November 23rd, 2017

Google has started its journey on convincing people to move away from SMS-based verification, and start receiving push messages via the Google Prompt instead of using six-digit codes. Why does Google want us away from SMS, and why using Google Prompt instead? Let’s try to find out.

SMS Are Insecure, Aren’t They?

In late July 2016, the US National Institute of Standards and Technology’s (NIST) released an updated set of guidelines that deprecated SMS as a way to deliver two factor authentication because of their many insecurities. A year later, NIST took it back, no longer recommending to “deprecate” SMS usage. Are we, or are we not at risk if we choose to have our two-factor authentication delivered over the (arguably) insecure SMS channel?

(more…)

The iPhone is Locked-Down: Dealing with Cold Boot Situations

Thursday, November 9th, 2017

Even today, seizing and storing portable electronic devices is still troublesome. The possibility of remote wipe routinely makes police officers shut down smartphones being seized in an attempt to preserve evidence. While this strategy used to work just a few short years ago, this strategy is counter-productive today with full-disk encryption. In all versions of iOS since iOS 8, this encryption is based on the user’s passcode. Once the iPhone is powered off, the encryption key is lost, and the only way to decrypt the phone’s content is unlocking the device with the user’s original passcode. Or is it?

The Locked iPhone

The use of Faraday bags is still sporadic, and the risk of losing evidence through a remote wipe command is well-known. Even today, many smartphones are delivered to the lab in a powered-off state. Investigating an iPhone after it has been powered off is the most difficult and, unfortunately, the most common situation for a forensic professional. Once the iOS device is powered on after being shut down, or if it simply reboots, the data partition remains encrypted until the moment the user unlocks the device with their passcode. Since encryption keys are based on the passcode, most information remains encrypted until first unlock. Most of it, but not all. (more…)

What can be extracted from locked iPhones with new iOS Forensic Toolkit

Thursday, November 9th, 2017

Tired of reading on lockdown/pairing records? Sorry, we can’t stop. Pairing records are the key to access the content of a locked iPhone. We have recently made a number of findings allowing us to extract even more information from locked devices through the use of lockdown records. It’s not a breakthrough discovery and will never make front page news, but having more possibilities is always great.

Physical acquisition rules if it can be done. Physical works like a charm for ancient devices (up to and including the iPhone 4). For old models such as the iPhone 4s, 5 and 5c, full physical acquisition can still be performed, but  only if the device is already unlocked and a jailbreak can be installed. All reasonably recent models (starting with the iPhone 5s and all the way up to the iPhone 7 – but no 8, 8 Plus or the X) can be acquired as well, but for those devices all you’re getting is a copy of the file system with no partition imaging and no keychain. At this time, no company in the world can perform the full physical acquisition (which would include decrypting the disk image and the keychain) for iPhone 5s and newer.

The only way to unlock the iPhone (5s and newer) is hardware-driven. For iOS 7 and earlier, as well as for some early 8.x releases, the process was relatively easy. With iOS 9 through 11, however, it is a headache. There is still a possibility to enter the device into the special mode when the number of passcode attempts is not limited and one can brute-force the passcode, albeit at a very low rate of up to several minutes per passcode.

The worst about this method is its very low reliability. You can use a cheap Chinese device for trying passcodes at your own risk, or pay a lot of money to somebody else who will do about the same for you. Those guys do have more experience, and the risk is lower, but there still is no warranty of any kind, and you won’t get your money back if they fail.

There are other possibilities as well. We strongly recommend you to try the alternative method described below before taking the risk of “bricking” the device or paying big money for nothing.

(more…)

Can You Unlock That iPhone?

Monday, October 30th, 2017

“Can you unlock that iPhone?” is one of the most common questions we hear on various events and from our customers. There is no simple answer, but more often than not some options are available.

Just a few years back, the most common question was “can you crack that password?” We are still being asked that every other day, but locked iPhones are now more abundant than unknown passwords. There is a simple explanation for that: the iPhone is an ultimate source of evidence. That, before we even mention the many urgent cases when the phone needs to be unlocked.

Cover all possible scenarios in one short article would not be possible; for (much) more details you are welcome to read our Smartphone forensics book that explores the topic in depth. Keep reading to see what can be done in some cases.

(more…)