ElcomSoft blog

«…Everything you wanted to know about password recovery, data decryption,
mobile & cloud forensics…»

Archive for the ‘Hardware’ Category

Identifying SSD Controller and NAND Configuration

Thursday, January 31st, 2019

In our previous article Why SSDs Die a Sudden Death (and How to Deal with It) we talked about SSD endurance and how it’s not the only thing affecting real life reliability. In that article, we assumed that manufacturers’ specifications of certain SSD models remain similar for a given SSD model. In fact, this is not the case. Quite a few manufacturers play tricks with consumers, releasing a certain SSD model with top notch specifications only to downgrade them at some point during the production cycle (but certainly after receiving its share of glowing reviews). While some OEMs do note the change at least in the revision number, the rest will just quote the small print allowing them to “change specifications at any time without prior notice”. We’ve seen well known SSD manufacturers switching from reliable MLC NAND to planar TLC trash within the same model (and zero notice to potential buyers). How can you tell which NAND configuration your particular SSD drive employs and whether or not it lives up to your expectations? Read along to find out. (more…)

Why SSDs Die a Sudden Death (and How to Deal with It)

Friday, January 18th, 2019

Many thanks to Roman Morozov, ACELab technical support specialist, for sharing his extensive knowledge and expertise and for all the time he spent ditching bugs in this article.

In our previous article Life after Trim: Using Factory Access Mode for Imaging SSD Drives we only mentioned reliability of SSD drives briefly. As you may know, NAND flash memory can sustain a limited number of write operations. Manufacturers of today’s consumer SSD drives usually guarantee about 150 to 1200 write cycles before the warranty runs out. This can lead to the conclusion that a NAND flash cell can sustain up to 1200 write cycles, and that an SSD drive can actually survive more than a thousand complete rewrites regardless of other conditions. This, however, is not fully correct. Certain usage conditions and certain types of load can wear SSD drives significantly faster compared to their declared endurance. In this article, we’ll look why a perfectly healthy SSD drive with 98-99% remaining life can die a sudden death. We’ll also give recommendations on tools and approaches that can get the data back even if the SSD drive is corrupted or does not appear in the system. (more…)

Life after Trim: Using Factory Access Mode for Imaging SSD Drives

Wednesday, January 16th, 2019

Many thanks to Roman Morozov, ACELab technical support specialist, for sharing his extensive knowledge and expertise and for all the time he spent ditching bugs in this article.

SSDs are weird. They are weird in the way they write data, and even weirder in the way they delete information. In the good old days of striped magnetic recording, one could delete a file and rest assured its content was still there until overwritten at some (hopefully distant) moment in the future; not so on an SSD.

SSDs are different. They are different in handling deleted data, wiping evidence irreversibly in the background like they were criminals’ best friends. Just power on the SSD, and it’ll start background garbage collection, erasing trimmed blocks even if you connected it through a write blocker. Image the SSD, and you won’t find anything in the “empty” areas – even if the actual data was still there at the time of the imaging. One more thing: your SSD has more storage capacity than it says on the box. 5 to 15% of the physical storage capacity is dedicated for a non-addressable pool; any data one deletes from the SSD that is subsequently trimmed by the OS can go straight into that pool, without any chance of accessing or even addressing the blocks.

Until very recently your only way of accessing deleted evidence on an SSD would be taking the chips off and performing a labour-intensive, time-consuming (let alone extremely expensive) chip-off analysis. We asked our partners from a forensic data recovery lab, and they told us they can do a four-chip SSD in a matter of two weeks. They also said they’d rather steer clear of the recent ten-chip SSDs, and they won’t do anything about encryption.

Did I say encryption? It could be easier than you think. A recent discovery points out that Windows built-in BitLocker protection tends to delegate the job of encrypting data to the SSD controller (as opposed to doing the encryption on the computer using the CPU). As found in the research, many consumer-grade SSDs take it easy, keeping the encryption key unprotected in the storage chips on the SSD.

In this article, we’ll talk about a recent development in SSD forensics allowing to prevent background trimming of evidence and providing access to the entire storage capacity of the disk including non-addressable areas. This method employs a so-called factory access mode. However, before we talk about factory access mode, let us first have a look at how SSDs store information and why it is so easy to destroy evidence and so insanely difficult to recover it. (more…)

iPhone Xs PWM Demystified: How to Reduce Eyestrain by Disabling iPhone Xs and Xs Max Display Flicker

Tuesday, October 30th, 2018

The iPhone Xs employs a revised version of the OLED panel we’ve seen in last year’s iPhone X. The iPhone Xs Max uses a larger, higher-resolution version of the panel. Both panels feature higher peak brightness compared to the OLED panel Apple used in the iPhone X. While OLED displays are thinner and more power-efficient compared to their IPS counterparts, most OLED displays (including those installed in the iPhone Xs and Xs max) will flicker at lower brightness levels. The screen flickering is particularly visible in low ambient brightness conditions, and may cause eyestrain with sensitive users. The OLED flickering issue is still mostly unheard of by most consumers. In this article we will demystify OLED display flickering and provide a step by step instruction on how to conveniently disable (and re-enable) PWM flickering on iPhone Xs and Xs Max displays to reduce eyestrain. (more…)

Using Intel Built-in Graphic Cores to Accelerate Password Recovery

Tuesday, August 14th, 2018

GPU acceleration is the thing when you need to break a password. Whether you use brute force, a dictionary of common words or a highly customized dictionary comprised of the user’s existed passwords pulled from their Web browser, extracted from their smartphone or downloaded from the cloud, sheer performance is what you need to make the job done in reasonable time.

Making use of the GPU cores of today’s high-performance video cards is not something one can ignore. A single video card such as an NVIDIA GTX 1080 offers 50 to 400 times the performance of a high-end, multi-core Intel CPU on some specific tasks – which include calculations of cryptographic operations required to break encryption and brute-force passwords. The benefits are very real:

But what if you don’t have immediate access to a computer with a dedicated high-end video card? What if you are working in the field and using a laptop with its video output handled by Intel’s built-in graphic chip?

We have good news for you: you can use that built-in Intel chip to speed up password attacks. Granted, a power-sipping Intel chip won’t give you as much performance as a dedicated board dissipating 200W of heat, but that extra performance will literally cost you nothing. Besides, many ElcomSoft tools such as Elcomsoft Distributed Password Recovery will simply add that extra GPU chip to the list of available hardware resources, effectively squeezing the last bit of performance from your PC. (more…)

This $39 Device Can Defeat iOS USB Restricted Mode

Monday, July 9th, 2018

The most spoken thing about iOS 11.4.1 is undoubtedly USB Restricted Mode. This highly controversial feature is apparently built in response to threats created by passcode cracking solutions such as those made by Cellerbrite and Grayshift. On unmanaged devices, the new default behavior is to disable data connectivity of the Lightning connector after one hour since the device was last unlocked, or one hour since the device has been disconnected from a trusted USB accessory. In addition, users can quickly disable the USB port manually by following the S.O.S. mode routine.

Once USB Restricted Mode is engaged on a device, no data communications occur over the Lightning port. A connected computer or accessory will not detect a “smart” device. If anything, an iPhone in USB Restricted Mode acts as a dumb battery pack: in can be charged, but cannot be identified as a smart device. This effectively blocks forensic tools from being able to crack passcodes if the iPhone spent more than one hour locked. Since law enforcement needs time (more than one hour) to transport the seized device to a lab, and then more time to obtain an extraction warrant, USB Restricted Mode seems well designed to block this scenario. Or is it?

We performed several tests, and can now confirm that USB Restricted Mode is maintained through reboots, and persists software restores via Recovery mode. In other words, we have found no obvious way to break USB Restricted Mode once it is already engaged. However, we discovered a workaround, which happens to work exactly as we suggested back in May (this article; scroll down to the “Mitigation” chapter).

(more…)

Breaking Passwords in the Cloud: Using Amazon P2 Instances

Tuesday, August 1st, 2017

Cloud services such as Amazon EC2 can quickly deliver additional computing power on demand. Amazon’s recent introduction of the a type of EC2 Compute Units made this proposition much more attractive than ever before. With Elcomsoft Distributed Password Recovery now supporting Amazon’s new P2 instances, each with up to 16 GPU units, users can get as much speed as they need the moment they need. In this article, we’ll discuss the benefits of using cloud compute units for password recovery, and provide a step-by-step guide on how to add virtual instances to Elcomsoft Distributed Password Recovery. (more…)

Inside ElcomSoft Lab. Part 1

Friday, January 20th, 2017

Staying on the bleeding edge of today’s technologies requires constant work. ElcomSoft lab is one of the busiest places in the company. Last year, we had dozens of devices passing through our lab. This publication opens the series of articles in which we’ll share insider’s information on what we do, what we are about to do, and how we do that. So let’s shed some light on what’s going on inside ElcomSoft lab.

Android

(more…)

Fingerprint Readers in pre-Android 6 Smartphones: A Call for Disaster

Thursday, January 19th, 2017

Back in 2013, Apple has added a fingerprint reader to its then new iPhone 5s. Around that time, OEMs manufacturing Android devices have also started equipping their devices with fingerprint sensors. It turned out that Apple and Android OEMs came to severely different results. In this article, we’ll have a look at fingerprint reader implementations in pre-Marshmallow Android devices and see why they were a terrible idea. (more…)

Elcomsoft Wireless Security Auditor Gets Wi-Fi Sniffer

Thursday, December 1st, 2016

We released a major update to Elcomsoft Wireless Security Auditor, a tool for corporate customers to probe wireless network security. Major addition in this release is the new Wi-Fi sniffer, which now supports the majority of general-use Wi-Fi adapters (as opposed to only allowing the use of a dedicated AirPCap adapter). The built-in Wi-Fi sniffer is a component allowing the tool to automatically intercept wireless traffic, save Wi-Fi handshake packet and perform an accelerated attack on the original WPA/WPA2-PSK password.

(more…)