Archive for the ‘Industry News’ Category

iOS 11 Makes Logical Acquisition Trivial, Allows Resetting iTunes Backup Password

Thursday, November 9th, 2017

Since early days of iOS, iTunes-style system backups could be protected with a password. The password was always the property of the device; if the backup was protected with a password, it would come out encrypted. It didn’t matter whether one made a backup with iTunes, iOS Forensic Toolkit or other forensic software during the course of logical acquisition; if a backup password was enabled, all you’d get would be a stream of encrypted data.

Password protection of iOS system backups was always a hallmark of iOS data protection. We praised Apple for making it tougher for unauthorized persons to pair an iPhone to the computer in iOS 11. Today we discovered something that works in reverse, making it possible for anyone who can unlock an iPhone to simply reset the backup password. Is this so big of a deal? Prior to this discovery, forensic specialists would have to use high-end hardware to try recovering the original backup password at a rate of just several passwords per second, meaning that even the simplest password would require years to break. Today, it just takes a few taps to get rid of that password completely. If you know the passcode, logical acquisition now becomes a trivial and guaranteed endeavor.

(more…)

New Security Measures in iOS 11 and Their Forensic Implications

Thursday, September 7th, 2017

Apple is about to launch its next-generation iOS in just a few days. Researching developer betas, we discovered that iOS 11 implements a number of new security measures. The purpose of these measures is better protecting the privacy of Apple customers and once again increasing security of device data. While some measures (such as the new S.O.S. sequence) are widely advertised, some other security improvements went unnoticed by the public. Let us have a look at the changes and any forensic implications they have.

Establishing Trust with a PC Now Requires a Passcode

For the mobile forensic specialist, one of the most compelling changes in iOS 11 is the new way to establish trust relationship between the iOS device and the computer. In previous versions of the system (which includes iOS 8.x through iOS 10.x), establishing trusted relationship only required confirming the “Trust this computer?” prompt on the device screen. Notably, one still had to unlock the device in order to access the prompt; however, fingerprint unlock would work perfectly for this purpose. iOS 11 modifies this behaviour by requiring an additional second step after the initial “Trust this computer?” prompt has been confirmed. During the second step, the device will ask to enter the passcode in order to complete pairing. This in turn requires forensic experts to know the passcode; Touch ID alone can no longer be used to unlock the device and perform logical acquisition.

(more…)

iOS 9.3.5 Physical Acquisition Made Possible with Phoenix Jailbreak

Thursday, August 24th, 2017

If you watch industry news, you are probably aware of the new Phoenix jailbreak… or not. During the last several years, getting news about iOS jailbreaks from reliable sources became increasingly difficult. The sheer number of fake Web sites mimicking the look of well-known resources such as Pangu and TaiG made us extra careful when trying newly published exploits.

Back to Phoenix. This thing is for real. Phoenix claims support for iPhone 4s, 5/5c, iPad 2/3/4, iPad mini, and iPod 5g running the last version of iOS 9.3.5. We were able to verify these claims by successfully jailbreaking several test devices and using Elcomsoft iOS Forensic Toolkit to perform full physical acquisition (as in imaging and decrypting the physical data partition).

With Phoenix jailbreak, iOS Forensic Toolkit can perform physical acquisition of Apple’s 32-bit devices running iOS 9.3.5, which happens to be the last version of iOS 9. Users of iOS Forensic Toolkit can perform physical-level imaging and decryption of the data partition, decryption and examination of keychain items, and enjoy full unrestricted access to sandboxed app data. This level of access is simply not possible with any other acquisition methods. As an example, physical acquisition of jailbroken devices enables forensic access to saved email messages, passwords, and full conversation logs saved by some of the most secure messengers such as WhatsApp, Telegram, Signal, Skype and Facebook Messenger. Compared to iOS backup analysis, this method adds access to browser cache and temporary files, email messages, extended location history, and data that belongs to apps that explicitly disable backups.

(more…)

Government Request Reports: Google, Apple and Microsoft

Monday, January 16th, 2017

Every once in a while, hi-tech companies release reports on government requests that they received and served (or not). The different companies receive a different number of requests. They don’t treat them the same way, and they don’t report them the same way, which makes the comparison difficult. In this article, we’ll try to analyze and compare government request reports published by Apple, Google and Microsoft.

Since all three companies report on different things, and the sheer number of data is way too big for analyzing in a blog article, we’ll try to only compare data related to the North American region and Germany (as a single European country). (more…)

FBI Can Unlock Most Devices They Need To

Thursday, December 29th, 2016

According to Jim Baker, FBI General Counsel, the bureau can access information on most smartphones they are dealing with, even if encryption is enabled. In this article, we tried to find out which devices they can and cannot unlock, and why.

The FBI Can Unlock 87% Mobile Devices

According to Jim Baker, the agency can unlock some 87% of mobile devices, and get access to the data. So which devices they can and cannot unlock, exactly? Before we start crunching the numbers, please have a look at the following infographics:

(more…)

“We take privacy very seriously” – Apple, we do not buy it, sorry

Friday, November 18th, 2016

Good news: Apple has officially responded.

Bad news: We don’t buy it. Their response seems to address a different issue; worse, some of the reporters just quoted what Apple said without real understanding of the actual issue. So let’s try to follow the story step by step.

Apple has an option to back up phone data to iCloud. Doing that for many years now. On our side, we have a feature to download iCloud backups. The feature has been there for years, too. We are also able to download everything from iCloud Drive (including data belonging to third-party apps, something that is not available by standard means). We can download media files from iCloud Photo Library (and by the way, we discovered that they were not always deleted, see iCloud Photo Library: All Your Photos Are Belong to Us). Then we started to research how iOS devices sync data with iCloud, and discovered that Apple stores more than they officially say. All iOS versions allow users to choose which bits of data are to be synced – such as contacts, notes, calendars and other stuff. Here is a screen shot from iCloud settings captured on iPhone running iOS 10:


icloud_drive

(more…)

A Message to Our Customers, Apple and FBI

Thursday, February 18th, 2016

On Tuesday, a federal judge ordered Apple to assist the authorities in breaking into a locked iPhone 5C used by Syed Farook, who killed 14 in San Bernardino in December. According to the FBI, the phone might contain critical information about connections with Islamic terrorist groups. Apple opposed the motion and published an open letter at https://www.apple.com/customer-letter/ saying that “The United States government has demanded that Apple take an unprecedented step which threatens the security of our customers. We oppose this order, which has implications far beyond the legal case at hand.”

So what is the government asking, does Apple have it, and is it technically possible to achieve what they are asking? Let’s try to find out.

(more…)

Why Do We Need Physical Acquisition?

Thursday, June 25th, 2015

With all the trouble of jailbreaking iOS 8 devices and the lack of support for 64-bit hardware, does iOS physical acquisition still present meaningful benefits to the investigator? Is it still worth your time and effort attempting to acquire that iPhone via a Lightning cord?

Granted, jailbroken iOS devices are rare as hen’s teeth. You are very unlikely to see one in the wild. However, we strongly believe that physical acquisition still plays an important role in the lab, and here are the reasons why.

  1. Apple’s current privacy policy explicitly denies government information requests if the device in question is running iOS 8. This means that handing over the device to Apple will no longer result in receiving its full image if the device is running iOS 8.x (source: https://www.apple.com/privacy/government-information-requests/)
  2. In many countries (Mexico, Brazil, Russia, East Europe etc.) Apple sells more 32-bit phones than 64-bit ones. Old iPhones traded in the US are refurbished and sold to consumers in other countries (BrightStar coordinates these operations for Apple in the US). As an example, new and refurbished iPhone 4S and 5 units accounted for some 46% of all iPhones sold through retail channels in Russia in Q1 2015.
  3. Physical extraction returns significantly more information compared to any other acquisition method including logical or over-the-air acquisition. In particular, we’re talking about downloaded mail and full application data including logs and cache files (especially those related to Internet activities). A lot of this information never makes it into backups.
  4. Full keychain extraction is only available with physical acquisition. Physical is the only way to fully decrypting the keychain including those records encrypted with device-specific keys. Those keychain items can be extracted from a backup file, but cannot be decrypted without a device-specific key. In addition, the keychain often contains the user’s Apple ID password.
  5. With physical acquisition, you can extract the ‘securityd’ (0x835) from the device. This key can be used to completely decrypt all keychain items from iCloud backups.
  6. Physical acquisition produces a standard DMG disk image with HFS+ file system. You can mount the image into the system and use a wider range of mobile forensic tools to analyze compared to iTunes or iCloud backup files.

(more…)