This time, we are updating our bread-and-butter mobile forensic tool, Elcomsoft Phone Password Breaker, to version 3.0 (beta). This new version has many things that are new or have changed. Let’s see what’s new, and why. (more…)
Archive for the ‘Elcom-News’ Category
Phone Password Breaker with all-new UI, BlackBerry 10 support, and downloading Windows Phone 8 data from the cloudThursday, May 8th, 2014
With most waited winter holidays just around the corner, now is the best time to take care of your easy after-holidays start at work with less headache, more pleasure, and all your passwords in place.
We give you 35% discount for our product releases of 2013 starting from today and available till 16th December, 2013. This offer is valid for direct online purchases only, with help of your special coupon code NY2014-OFF35 (enter the code while placing your order) for the following products:
Elcomsoft Password Recovery Bundle includes all our software (except for Elcomsoft iOS Forensic Toolkit) and embraces all updates of the year.
Elcomsoft Distributed Password Recovery, a high-end solution for big networked workstations added hardware acceleration for a number of file formats(see www.elcomsoft.com/edpr.html) on AMD Radeon HD cards (including 7000 series) and support for Tesla K20.
Elcomsoft iOS Forensic Toolkit, an all-in-one solution for bit-precise physical acquisition of iOS devices got more flexibility on cracking the passcode in ‘Guided’ mode allowing you to detect the passcode type or perform the brute-force or dictionary attack with selected options. The toolkit also supports iPhone 5S and iPad 4 (jailbroken without passcode, non-jailbroken with passcode) for complete forensic analysis of devices’ contents.
Elcomsoft Phone Password Breaker, an ideal solution for investigation of Apple and BlackBerry mobile devices added support for iOS 7 iTunes and iCloud backups, including keychain decryption and flexible iCloud downloading and quick downloading of iCloud backup data by selected categories.
Advanced Office Password Recovery, an irreplaceable utility for home and corporate usage was speeded up in password recovery for MS Office 2007/2010 and 2013 with AMD OpenCL, NVIDIA CUDA, and NVIDIA Tesla K20.
Elcomsoft Wireless Security Auditor, a unique tool to recover the original WPA/WPA2-PSK text passwords also added support for latest AMD Radeon R2xx cards, NVIDIA graphic cards, and NVIDIA Tesla K20.
All our team wishes you a lot of new successful opportunities and greatest accomplishments in 2014!
This fall has been quite rich in IT security events for ElcomSoft. We managed to visit a number of conferences and trade shows in order to, as we say in Russia, see the others and be seen 🙂
it-sa in Nuremberg welcomed us with a few warm sunny days and a lot of IT-security experts at the event. Being a regular exhibitor at the trade show we were happy to yet again satisfy visitor’s curiosity about our products and represent our recent achievements in password recovery at our booth and technical forum.
Hack In The Box in Malaysia was a new event to us, as we’ve never been there before, but the first impression was nonetheless very positive. Vladimir Katalov pointed out super interesting talks and excellent organization of the event and also expressed his strong will to come to the event once again, next time in Amsterdam. Vlad’s talk titled “Cracking and Analyzing Apple’s iCloud Protocols” had genuine interest of both security professionals and media representatives. Violet Blue from ZDNet covered our talk in her glittering article “Apple’s iCloud cracked: Lack of two-factor authentication allows remote data download”.
The e-Crime’s e-Discovery and e-Investigations Forum in London went as always very smoothly with “well over 400 senior end users from the Private Sector” as noted by the organizers “creating easily the largest gathering of senior infosec and risk executives in the UK. The conference was full to capacity.”
Ruxcon in Melbourne extended a warm welcome to us not only by wonderful weather but also by undivided attention to Vladimir Katalov’s presentation on modern smartphone forensics, as the room was totally packed, to which SC Magazine has its own evidence. Slides of the talk can be found at the conference page http://ruxcon.org.au/slides/
More events are to follow, so please have a look at our calendar of events at http://www.elcomsoft.com/events.html and come along with us!
We’ve just returned from Karlsruhe, Germany from an event named FTDay. Hosted by mh-Service, a long-time ElcomSoft partner in Germany, this was a small but quality event. The first day was packed with sessions. The second day was dedicated to practical workshops.
During the first day, we talked about the acquisition methods for iOS devices. Physical, logical or iCloud? Apparently, physical acquisition still rules: this topic is still hot, even though the latest iPhones and iPads are only conditionally acquirable. The iCloud? Great for the corporate guys, but I’ve been told in private that German police has its hands tied when it comes to acquiring data from the cloud.
Karlsruhe is a relatively small city on the south-west of Germany. City center surprisingly crowded. Lots of shopping, old ruins not so much. Beautiful palace and gardens. Bought a great “Der kleine Maulwurf puzzlebuch” for my little one. Good food with prices on a relatively high side (compared to east of Germany). Going there as a tourist? This ain’t Montreal!
It’s been a while since we updated Elcomsoft Phone Password Breaker, dedicating our efforts to physical acquisition of iOS devices instead. Well, now when the new iOS Forensic Toolkit is out, it is time to update our classic phone recovery tool.
The new version of Elcomsoft Phone Password Breaker is released! While you can read an official press-release to get an idea of what’s new and updated, you may as well keep reading this blog post to learn not only what is updated, but also why we did it.
Dedicated to iCloud Forensics
This new release is more or less completely dedicated to enhancing support for remote recovery of iOS devices via iCloud. Why do it this way?
Because iCloud analysis remains one of the most convenient ways to acquire iOS devices. You can read more about iCloud analysis in a previous post here. Let’s see what else is available.
Soon after releasing the updated version of iOS Forensic Toolkit we started receiving questions about the new product. Did we really break iPhone 5? Does it truly work? Are there limitations, and what can you do about them? We decided to assemble all these questions into a small FAQ. If you’d rather read the full, more technical version of this FAQ, visit the following page instead: Elcomsoft iOS Forensic Toolkit FAQ. Those with non-technical background please read along.
I’ve just returned from REcon 2013 held in Montreal, where I talked about breaking iCloud services (everyone: the slides from that presentation are available right here, and the organizers promised a video soon). I spoke about WHY breaking the iCloud, HOW we did it and WHO can use it. I can briefly stop here, and elaborate the points.
Apparently, more than half of REcon participants are using iPhones (I asked). Some of them are even making backups. And some of those who make backups do them over the iCloud. Now that’s a good reason to want to break in, isn’t it? 🙂
So then I talked a little about how we did it. We used the classic man-in-the-middle attack, intruding into the private domain of a doomed electronic device bought in the nearest iStore on a cold Russian night… Well, except for the “night” part, it was exactly like that.
And then we discussed a little about who can use our tools. “Is it legal?” I expected that question. Always asked, even at underground hackers’ meetings. Well, it’s certainly legal in Russia, and none of our US customers complained either. I mean, we have US Secret Services, the FBI, Army and Navy and multiple police departments all over the US and Canada as our valued customers, and they never suggested we’re doing something wrong, so it must be legal. Right?
Montreal is a beautiful city. Loved it! The old town, the pier, the underground city… it’s vivid and relaxed, old and modern at the same time. It so happened they hosted a French music festival right at the doorsteps of our hotel (the 25th FrancoFolies), so I enjoyed a beautiful city during the day and relaxed to wonderful music at night. I’ll be sure to put Montreal onto a shortlist when planning my next trip!
The CEIC 2013 conference is over. We were happy to connect with our partners and customers at our booth during the show hours. We’d like to thank everyone who stopped by, and give our special thanks to those providing valuable feedback and suggestion on our products. (To those who wanted to see our tools settled under a single roof: we’re working on it!)
At our booth, we had a Treasury Chest raffle demonstrating the concept of brute force recovery. Visitors were asked to unlock a chest by trying three keys one after another. The tricky part: a bowl with a thousand keys only had a single real thing. The chance of winning now seems pretty slim, does it not? Well, we are happy to tell that both prizes were won!
The first prize, Kindle Fire HD, went to Calgary, Canada. The second Kindle Fire HD went to Alabama. Congratulations to both winners!
We received lots of valuable feedback from our customers and resellers. Rest assured we’ll be working hard to implement these suggestions!
See You Next Year at CEIC 2014!
Meet us next year in Las Vegas during CEIC 2014 show at booth #212! It’s too early to book a flight yet, but make sure to mark the dates: May 19-22, 2014!
We have just updated Advanced Office Password Recovery and Distributed Password Recovery with NVIDIA Tesla K20 support, enabling world’s fastest password recovery with NVIDIA’s latest supercomputing platform. Elcomsoft Advanced Office Password Recovery removes document restrictions and recovers passwords protecting Microsoft Office documents, while Elcomsoft Distributed Password Recovery can quickly break a wide range of passwords on multiple workstations with near zero scalability overhead.
GPU-accelerated password recovery dramatically reduces the time required to break long and complex passwords, offering more than 20-fold performance gain over CPU-only operations (compared to a quad-core Intel i7 CPU). NVIDIA’s latest Tesla K20 platform further increases the performance, delivering a nearly 1.5x performance increase compared to the use of a dual-core NVIDIA GeForce GTX 690 board.
A workstation equipped with an NVIDIA Tesla K20 unit can crunch as many as 27500 Office 2007 passwords per second, or 13500 passwords per second in the case of Microsoft Office 2010. In comparison, the next-best solution, a dual-core GeForce GTX 690 board, can try some 19000 Office 2007 or 9000 Office 2010 passwords per second.
The updated Elcomsoft Advanced Office Password Recovery and Elcomsoft Distributed Password Recovery now fully support the latest NVIDIA supercomputing hardware, enabling users to gain unrestricted access to many types of documents in far less time.
BitLocker, PGP and TrueCrypt set industry standard in the area of whole-disk and partition encryption. All three tools provide strong, reliable protection, and offer a perfect implementation of strong crypto.
Normally, information stored in any of these containers is impossible to retrieve without knowing the original plain-text password protecting the encrypted volume. The very nature of these crypto containers suggests that their target audience is likely to select long, complex passwords that won’t be easy to guess or brute-force. And this is exactly the weakness we’ve targeted in our new product: Elcomsoft Forensic Disk Decryptor.
The Weakness of Crypto Containers
The main and only weakness of crypto containers is human factor. Weak passwords aside, encrypted volumes must be mounted for the user to have on-the-fly access to encrypted data. No one likes typing their long, complex passwords every time they need to read or write a file. As a result, keys used to encrypt and decrypt data that’s being written or read from protected volumes are kept readily accessible in the computer’s operating memory. Obviously, what’s kept readily accessible can be retrieved near instantly by a third-party tool. Such as Elcomsoft Forensic Disk Decryptor.
Retrieving Decryption Keys
In order to access the content of encrypted containers, we must retrieve the appropriate decryption keys. Elcomsoft Forensic Disk Decryptor can obtain these keys from memory dumps captured with one of the many forensic tools or acquired during a FireWire attack. If the computer is off, Elcomsoft Forensic Disk Decryptor can retrieve decryption keys from a hibernation file. It’s important that encrypted volumes are mounted at the time a memory dump is obtained or the PC goes to sleep; otherwise, the decryption keys are destroyed and the content of encrypted volumes cannot be decrypted without knowing the original plain-text password.
“The new product includes algorithms allowing us to analyze dumps of computers’ volatile memory, locating areas that contain the decryption keys. Sometimes the keys are discovered by analyzing byte sequences, and sometimes by examining crypto containers’ internal structures. When searching for PGP keys, the user can significantly speed up the process if the exact encryption algorithm is known.”
It is essential to note that Elcomsoft Forensic Disk Decryptor extracts all the keys from a memory dump at once, so if there is more than one crypto container in the system, there is no need to re-process the memory dump.
Using forensic software for taking snapshots of computers’ memory is nothing new. The FireWire attack method existed for many years, but for some reason it’s not widely known. This method is described in detail in many sources such as http://www.securityresearch.at/publications/windows7_firewire_physical_attacks.pdf or http://www.hermann-uwe.de/blog/physical-memory-attacks-via-firewire-dma-part-1-overview-and-mitigation
The FireWire attack method is based on a known security issue that impacts FireWire / i.LINK / IEEE 1394 links. One can take direct control of a PC or laptop operating memory (RAM) by connecting through a FireWire. After that, grabbing a full memory dump takes only a few minutes. What made it possible is a feature of the original FireWide/IEEE 1394 specification allowing unrestricted access to PC’s physical memory for external FireWire devices. Direct Memory Access (DMA) is used to provide that access. As this is DMA, the exploit is going to work regardless of whether the target PC is locked or even logged on. There’s no way to protect a PC against this threat except explicitly disabling FireWire drivers. The vulnerability exists for as long as the system is running. There are many free tools available to carry on this attack, so Elcomsoft Forensic Disk Decryptor does not include a module to perform one.
If the computer is turned off, there are still chances that the decryption keys can be retrieved from the computer’s hibernation file. Elcomsoft Forensic Disk Decryptor comes with a module analyzing hibernation files and retrieving decryption keys to protected volumes.
Complete Decryption and On-the-Fly Access
With decryption keys handy, Elcomsoft Forensic Disk Decryptor can go ahead and unlock the protected disks. There are two different modes available. In complete decryption mode, the product will decrypt everything stored in the container, including any hidden volumes. This mode is useful for collecting the most evidence, time permitting.
In real-time access mode, Elcomsoft Forensic Disk Decryptor mounts encrypted containers as drive letters, enabling quick random access to encrypted data. In this mode files are decrypted on-the-fly at the time they are read from the disk. Real-time access comes handy when investigators are short on time (which is almost always the case).
We are also adding True Crypt and Bitlocker To Go plugins to Elcomsoft Distributed Password Recovery, enabling the product to attack plain-text passwords protecting the encrypted containers with a range of advanced attacks including dictionary, mask and permutation attacks in addition to brute-force.
The unique feature of Elcomsoft Forensic Disk Decryptor is the ability to mount encrypted disks as a drive letter, using any and all forensic tools to quickly access the data. This may not seem secure, and may not be allowed by some policies, but sometimes the speed and convenience is everything. When you don’t have the time to spend hours decrypting the entire crypto container, simply mount the disk and run your analysis tools for quick results!
More information about Elcomsoft Forensic Disk Decryptor is available on the official product page at http://www.elcomsoft.com/efdd.html