ElcomSoft blog

«…Everything you wanted to know about password recovery, data decryption,
mobile & cloud forensics…»

Archive for the ‘General’ Category

iOS Forensics Training in Vienna: 17-19 Oct 2018

Monday, October 1st, 2018

There’s still time to register for the upcoming ElcomSoft training program in Vienna! Held in partnership with T3K-Forensics, this three-day training program will cover everything about iOS forensics. Law enforcement and forensic specialists are welcome to sign up! We’ll cover all the bases from seizing and transporting mobile devices to iOS extraction and analysis. We’ll talk about the acquisition workflow and have participants perform logical, physical and cloud extraction of iOS devices. Expect live demonstrations and fully guided hands-on experience obtaining evidence from iOS devices, pulling data from locked iPhones and accessing iCloud for even more evidence.

In this training:

  • Mobile acquisition workflow
  • Seizing, storing and transporting wireless capable mobile devices
  • The challenge of USB Restricted Mode in iOS 11 and iOS 12
  • Full-disk encryption, passcode and biometric authentication
  • Logical acquisition: extracting encrypted and unencrypted backups; shared files; photos and videos; crash logs; accessing stored passwords
  • Logical acquisition of locked devices: locating, extracting and using lockdown records
  • Physical acquisition: jailbreaking, imaging the file system, extracting passwords and decrypting the keychain
  • Cloud acquisition: synced data; backups; messages; iCloud Keychain (Safari passwords)

Where: Vienna, Austria
Language: English
Dates: 17-19 Oct, 2018

Sign Up!

(more…)

Android Pie Lockdown Option: a Match for iOS SOS Mode?

Wednesday, August 8th, 2018

We have already covered the emergency SOS mode introduced in iOS 11. When entering this mode, the phone disables Touch ID and Face ID, requiring the passcode to unlock the phone. It appears that Google is taking cues from Apple, adding a new Lockdown Option to the newly released Android 9 Pie. Let us see what is similar and what is different between iOS SOS mode and Android 9.0 Pie Lockdown Option.

(more…)

Accessing Lockdown Files on macOS

Thursday, July 12th, 2018

Lockdown records, or pairing records, are frequently used for accessing locked iOS devices. By using an existing lockdown record extracted from the suspect’s computer, forensic specialists can perform logical acquisition of the iOS device with iOS Forensic Toolkit and other forensic tools. Logical acquisition helps obtain information stored in system backups, access shared and media files, and even extract device crash logs. However, lockdown records may be tricky to access and difficult to extract. macOS protects lockdown files with access permissions. Let’s find out how to access the lockdown files on a live macOS system.

What Are Lockdown Records, Technically?

A down to the Earth explanation of a lockdown records is it’s simply a file stored on the user’s computer. More technically, lockdown files keep cryptographic keys that are used to allow iOS devices communicate with computers they are paired to. Such pairing records are created the first time the user connects their iOS device to a Mac or PC that has iTunes installed. Lockdown records help the iPhone talk to the computer even if the iPhone in question is locked, so that the user does not have to unlock the device every time it’s connected to the PC. This means that experts may be able to perform logical acquisition of locked iOS devices if they can obtain a valid, non-expired lockdown record. There are some “ifs and buts” though. Namely, lockdown records expire after a while. And you can only use lockdown records if the iPhone in question was unlocked (with its passcode) at least once after it was powered on or rebooted. Otherwise, the data partition remains encrypted, and you can access very little information (yet you can still get some info about the device).

macOS Protects Access to Lockdown Files

In macOS, lockdown records are stored at /private/var/db/lockdown. Starting with macOS High Sierra, Apple restricts access to this folder. If you are analyzing a live system, you’ll need to manually grant access rights to this folder. This is how.

(more…)

Training in Vienna

Tuesday, July 10th, 2018

Did you know we have forensic trainings? We’ve partnered with T3K Forensics to feature a 3-day training on iOS forensics. This fall in beautiful Vienna, 17.-19.10.2018, we’ll train a group of law enforcement and forensic specialists on every aspect of iOS acquisition and analysis. We’ll talk about the acquisition workflow and have participants perform logical, physical and cloud extraction of iOS devices. Expect live demonstrations and fully guided hands-on experience jailbreaking and extracting iOS devices, pulling data from locked iPhones and accessing the cloud for even more evidence.

In this training:

  • Mobile acquisition workflow
  • Seizing, storing and transporting wireless capable mobile devices
  • Acquisition methods that don’t work
  • Full-disk encryption, passcode and biometrics
  • Acquisition methods: logical, physical and cloud
  • Logical acquisition: extracting encrypted and unencrypted backups; shared files; photos and videos; crash logs
  • Logical acquisition of locked devices: locating, extracting and using lockdown records
  • Physical acquisition: jailbreaking, imaging the file system, extracting passwords and decrypting the keychain
  • Cloud acquisition: synced data; backups; messages; iCloud Keychain (Safari passwords)

(more…)

Using iOS 11.2-11.3.1 Electra Jailbreak for iPhone Physical Acquisition

Tuesday, July 10th, 2018

It’s been fast. iOS 11.3.1 and all earlier versions of the system down to iOS 11.2 have been successfully jailbroken. In addition, the jailbreak is compatible with iOS 11.4 beta 1 through 3. We normally wouldn’t post about each new jailbreak release; however, this time things are slightly different. The new Electra jailbreak uses two different exploits and presents two very different installation routines depending on whether or not you have a developer account with Apple. Considering how much more stable the developer-account exploit is compared to the routine available to the general public, this time it pays to be an Apple developer.

We tested the Electra jailbreak and can confirm that iOS Forensic Toolkit 4.0 is fully compatible. File system imaging and keychain extraction work; no OpenSSH installation required as Electra includes an SSH client listening on port 22.

Why Jailbreak?

For the general consumer, jailbreak is one open security vulnerability calling for trouble. Apple warns users against jailbreaking their devices, and there is much truth in their words.

Forensic experts use jailbreaks for much different reasons compared to enthusiast users. A wide-open security vulnerability is exactly what they want to expose the device’s file system, circumvent iOS sandbox protection and access protected data. Jailbreaking extract the largest set of data from the device. During jailbreaking, many software restrictions imposed by iOS are removed through the use of software exploits.

In addition to sandboxed app data (which includes conversation histories and downloaded mail), experts can also extract and decrypt the keychain, a system-wide storage for online passwords, authentication tokens and encryption keys. Unlike keychain items obtained from a password-protected local backup, physical extraction of a jailbroken device gains access to keychain items secured with the highest protection class ThisDeviceOnly (this is how).

The New Electra Jailbreak

Jailbreaking iOS versions past 11.1.2 (for which a Google-discovered vulnerability was published along with a proof-of-concept tool) was particularly challenging but not impossible. At this time, a team of jailbreakers discovered not one but two different vulnerabilities, releasing two versions of Electra jailbreak. Why the two versions?

(more…)

Legal and Technical Implications of Chinese iCloud Operations

Tuesday, April 10th, 2018

On February 28, 2018, Apple has officially moved its Chinese iCloud operations and encryption keys to China. The reaction to this move from the media was overwhelmingly negative. The Verge, The Guardian, Reuters, Wired, and CNN among other Western media outlets expressed their concerns about the Chinese government potentially violating the human rights of its citizens. Politics aside, we will review Apple policies governing the Chinese accounts, and look into the technical implementation of Chinese iCloud operations. Let us see if the fears are substantiated.

The Fear of China

Even if the change only affects iCloud accounts registered in mainland China, there is no lack of publications bashing apple for complying with Chinese laws. Below are just a few stories from the top of the news feed.

Journalists express their concerns regarding the potential violation of Chinese users human rights. “In the past, if Chinese authorities wanted to access [Chinese] Apple’s user data, they had to go through an international legal process and comply with U.S. laws on user rights, according to Ronald Deibert, director of the University of Toronto’s Citizen Lab, which studies the intersection of digital policy and human rights. “They will no longer have to do so if iCloud and cryptographic keys are located in China’s jurisdiction,” he told CNNMoney.” [CNN]

(more…)

Google Services Blocked on Uncertified Devices

Tuesday, April 3rd, 2018

After testing waters for more than a year, Google has finally pulled the plug and began blocking access to Google Play services on uncertified devices. Why Google took this step, who is affected, and what it means for the end users? Let’s try to find out.

Google Play Services Certification

In March 2017, Google rolled out a Google Play Services update that had a very minor addition. At the very bottom of its settings page, the Services would now display device certification status.

This is how it looks on an uncertified device:

What is this all about?

(more…)

What’s Broken in iOS for iPhone X

Wednesday, March 28th, 2018

Apple’s latest and greatest iPhone, the iPhone X, received mixed reviews and sells slower than expected. While the high price of the new iPhone is a major factor influencing the slow sales, some of the negative points come from the device usability. The combination of design language, hardware and software interactions make using the new iPhone less than intuitive in many situations. In this article, we collected the list of utterly strange design decisions affecting the daily use of the iPhone X.

The Return of Slide to Unlock

In iOS 10, Apple has finally rid of the infamous “slide to unlock” prompt, replacing it with the prompt to that asks iPhone users (as well as users of Touch ID equipped iPads) to press the home button to gain access to the home screen. This means that, by default, users could no longer simply rest their finger on the home button to unlock their device with their fingerprint.

A workaround was discovered quickly. Apparently, it was possible to alter the “Rest Finger to Open” option in General > Accessibility > Home Button to make iPhones capable of “raise-to-wake” unlock without pressing down on the home button.

This option is still present in iOS 11, and still works on all devices equipped with Touch ID – but not Face ID. The iPhone X is the only device in Apple’s stable that cannot be automatically unlocked when picked up. Users must still reach for the very bottom of the device’s screen and… yes: swipe up to unlock. This feels like a huge step back to pre-iOS 10 days, and annoys many users.

(more…)

iPhone X Eye Strain: How to Stop OLED Flickering in Just Three Clicks

Monday, March 5th, 2018

The iPhone X uses a new (for Apple) display technology. For the first time ever, Apple went with an OLED display instead of the IPS panels used in all other iPhones. While OLED displays have numerous benefits such as the true blacks and wide color gamut, the majority of OLED displays (particularly those made by Samsung) tend to flicker. The flickering is particularly visible at low brightness levels, causing eyestrain and headaches to sensitive users. Very few users have the slightest idea of what’s going on, attributing these health issues to oversaturated colors, the oh-so-harmful blue light and anything but OLED flickering.

So let us have a look at what OLED flickering is and how to get rid of it on the iPhone X for much better low-light readability.

(more…)

Apple iCloud Keeps More Real-Time Data Than You Can Imagine

Thursday, February 8th, 2018

Apple has a wonderfully integrated ecosystem. Apple computers, tablets and phones conveniently synchronize information such as passwords, Web browsing history, contacts and call logs across all of the user’s devices. This synchronization mechanism uses iCloud to sync and store information. The syncing mechanism works independently from iOS system backups that are also stored in iCloud (or iCloud Drive). As opposed to daily iCloud backups, synchronized data is updated and propagated across devices in almost real time. Extracting this information can be invaluable for investigations as it provides access to the most up to date information about the user, their activities and whereabouts.

What exactly is synced through iCloud? The screen shot above lists all options available in iOS 11. As you can see, the following types of data are (or can be) synced across Apple devices:

  • Photos (iCloud Photo Library)
  • Mail (iCloud mail only)
  • Contacts, Calendars and Reminders
  • Safari (browsing history, bookmarks and tabs open on other devices)
  • Game Center (profiles, achievements and game progress)
  • Siri (requests, settings)
  • Keychain (iCloud Keychain stores passwords and forms from Safari, iOS system, Apple and some third-party apps, but not Google Chrome)
  • iCloud backups (up to last 3 copies per device, created daily while charging)
  • iBooks, Pages, Numbers and Keynote (e-books, PDF files, documents)
  • Maps (user’s search history, routes and places)
  • Wallet
  • Wi-Fi

(more…)