The boom in personal electronic devices recording literally every persons’ step introduced a new type of forensic evidence: the digital evidence. In this day and age, significantly more forensic evidence is available in digital form compared to physical evidence of yesteryear. Are law enforcement and intelligence agencies ready to handle the abundance of digital evidence? And more importantly, do frontline officers have the skills and technical expertise required to handle and preserve this wealth of information?

An update to Google Play Services enables manual Google Drive backup option on many Android handsets. Since Android 6.0, Android has had an online backup solution, allowing Android users back up and restore their device settings and app data from their Google Drive account. Android backups were running on top of Google Play Services; in other words, they were always part of Google Android as opposed to being part of Android Open Source. Unlike iOS with predictable iCloud backups and the manual “Backup now” option, Google’s backup solution behaved inconsistently at best. In our (extensive) tests, we discovered that the first backup would be only made automatically on the second day, while data for most applications would be backed up days, if not weeks after the initial backup. The ability to manually initiate a backup was sorely missing. (more…)

If you are involved with iOS forensics, you have probably used at least one of these modes. Both DFU and Recovery modes are intended for recovering iPhone and iPad devices from issues if the device becomes unusable, does not boot or has a problem installing an update.

Working in a mobile forensic company developing tools for iCloud forensics, logical and physical extraction of iPhone devices, we don’t live another day without being asked if (or “how”) we can help remove iCloud lock from a given iPhone. Without throwing a definite “yes” or “no” (or “just buy this tool”), we’ve decided to gather everything we know about bypassing, resetting and disabling iCloud activation lock on recent Apple devices.

There’s still time to register for the upcoming ElcomSoft training program in Vienna! Held in partnership with T3K-Forensics, this three-day training program will cover everything about iOS forensics. Law enforcement and forensic specialists are welcome to sign up! We’ll cover all the bases from seizing and transporting mobile devices to iOS extraction and analysis. We’ll talk about the acquisition workflow and have participants perform logical, physical and cloud extraction of iOS devices. Expect live demonstrations and fully guided hands-on experience obtaining evidence from iOS devices, pulling data from locked iPhones and accessing iCloud for even more evidence.

Cloud analysis is arguably the future of mobile forensics. Whether or not the device is working or physically accessible, cloud extraction often allows accessing amounts of information far exceeding those available in the device itself.

We have already covered the emergency SOS mode introduced in iOS 11. When entering this mode, the phone disables Touch ID and Face ID, requiring the passcode to unlock the phone. It appears that Google is taking cues from Apple, adding a new Lockdown Option to the newly released Android 9 Pie. Let us see what is similar and what is different between iOS SOS mode and Android 9.0 Pie Lockdown Option.

Lockdown records, or pairing records, are frequently used for accessing locked iOS devices. By using an existing lockdown record extracted from the suspect’s computer, forensic specialists can perform logical acquisition of the iOS device with iOS Forensic Toolkit and other forensic tools. Logical acquisition helps obtain information stored in system backups, access shared and media files, and even extract device crash logs. However, lockdown records may be tricky to access and difficult to extract. macOS protects lockdown files with access permissions. Let’s find out how to access the lockdown files on a live macOS system.

Did you know we have forensic trainings? We’ve partnered with T3K Forensics to feature a 3-day training on iOS forensics. This fall in beautiful Vienna, 17.-19.10.2018, we’ll train a group of law enforcement and forensic specialists on every aspect of iOS acquisition and analysis. We’ll talk about the acquisition workflow and have participants perform logical, physical and cloud extraction of iOS devices. Expect live demonstrations and fully guided hands-on experience jailbreaking and extracting iOS devices, pulling data from locked iPhones and accessing the cloud for even more evidence.

It’s been fast. iOS 11.3.1 and all earlier versions of the system down to iOS 11.2 have been successfully jailbroken. In addition, the jailbreak is compatible with iOS 11.4 beta 1 through 3. We normally wouldn’t post about each new jailbreak release; however, this time things are slightly different. The new Electra jailbreak uses two different exploits and presents two very different installation routines depending on whether or not you have a developer account with Apple. Considering how much more stable the developer-account exploit is compared to the routine available to the general public, this time it pays to be an Apple developer.