Archive for the ‘Security’ category

Home users and small offices are served by two major manufacturers of network attached storage devices (NAS): QNAP and Synology, with Western Digital being a distant third. All Qnap and Synology network attached storage models are advertised with support for hardware-accelerated AES encryption. Encrypted NAS devices can be a real roadblock on the way of forensic investigations. In this article, we’ll review the common encryption scenarios used in home and small office models of network attached storage devices made by Synology. (more…)

Passwords are probably the oldest authentication method. Despite their age, passwords remain the most popular authentication method in today’s digital age. Compared to other authentication mechanisms, they have many tangible benefits. They can be as complex or as easy to remember as needed; they can be easy to use and secure at the same time (if used properly).

The number of passwords an average person has to remember is growing exponentially. Back in 2017, an average home user had to cope with nearly 20 passwords (presumably they would be unique passwords). An average business employee had to cope with 191 passwords. Passwords are everywhere. Even your phone has more than one password. Speaking of Apple iPhone, the thing may require as many as four (and a half) passwords to get you going. To make things even more complicated, the four and a half passwords are seriously related to each other. Let’s list them:

  • Screen lock password (this is your iPhone passcode)
  • iCloud password (this is your Apple Account password)
  • iTunes backup password (protects backups made on your computer)
  • Screen Time password (secures your device and account, can protect changes to above passwords)
  • One-time codes (the “half-password” if your account uses Two-Factor Authentication)

In this article, we will provide an overview on how these passwords are used and how they are related to each other; what are the default settings and how they affect your privacy and security. We’ll tell you how to use one password to reset another. We will also cover the password policies and describe what happens if you attempt to brute force the forgotten password.

(more…)

What can and what cannot be done with an iOS device using Touch ID/Face ID authentication as opposed to knowing the passcode? The differences are huge. For the sake of simplicity, we’ll only cover iOS 12 and 13. If you just want a quick summary, scroll down to the end of the article for a table.

BFU and AFU

Let’s get it out of the way: everything that’s listed below applies exclusively to AFU (After First Unlock) devices. You cannot use biometrics to unlock an iOS device that’s been restarted or powered on; such devices are in the state known as BFU (Before First Unlock).

BFU, Before First Unlock: The iOS device was restarted or powered off; you powered it on but cannot unlock it because it’s protected with an unknown passcode.

AFU, After First Unlock: The iOS device was unlocked (with a passcode) at least once after it’s been last rebooted or powered on.

Screen Lock: Unlocking the Device

Touch ID or Face ID can be only used to unlock AFU devices. In order to unlock a BFU device, you’ll have to use the passcode. Even if you manage to bypass the lock screen (via an exploit), you won’t be able to access most device data as it will be encrypted. The decryption key is generated when the user first unlocks the device; the key is based on the passcode.

(more…)

When it comes to mobile forensics, experts are analyzing the smartphone itself with possible access to cloud data. However, extending the search to the user’s desktop and laptop computers may (and possibly will) help accessing information stored both in the physical smartphone and in the cloud. In this article we’ll list all relevant artefacts that can shed light to smartphone data. The information applies to Apple iOS devices as well as smartphones running Google Android.

Mobile Artefacts on Desktops and Laptops

Due to the sheer capacity, computer storage may contain significantly more evidence than a smartphone. However, that would be a different kind of evidence compared to timestamped and geotagged usage data we’ve come to expect from modern smartphones.

How can the user’s PC or Mac help mobile forensic experts? There several types of evidence that can help us retrieve data from the phone or the cloud.

  1. iTunes backups. While this type of evidence is iPhone-specific (or, rather, Apple-specific), a local backup discovered on the user’s computer can become an invaluable source of evidence.
  2. Saved passwords. By instantly extracting passwords stored in the user’s Web browser (Chrome, Edge, IE or Safari), one can build a custom dictionary for breaking encryption. More importantly, one can use stored credentials for signing in to the user’s iCloud or Google Account and performing a cloud extraction.
  3. Email account. An email account can be used to reset a password to the user’s Apple or Google account (with subsequent cloud extraction using the new credentials).
  4. Authentication tokens. These can be used to access synchronized data in the user’s iCloud account (tokens must be used on the user’s computer; on macOS, transferable unrestricted tokens may be extracted). There are also tokens for Google Drive (can be used to access files in the user’s Google Drive account) and Google Account (can be used to extract a lot of data from the user’s Google Account). The computer itself is also an artefact as certain authentication tokens are “pinned” to a particular piece of hardware and cannot be transferred to another device. If the computer is a “trusted” device, it can be used for bypassing two-factor authentication.

(more…)

Jailbreaking is used by the forensic community to access the file system of iOS devices, perform physical extraction and decrypt device secrets. Jailbreaking the device is one of the most straightforward ways to gain low-level access to many types of evidence not available with any other extraction methods.

On the negative side, jailbreaking is a process that carries risks and other implications. Depending on various factors such as the jailbreak tool, installation method and the ability to understand and follow the procedure will affect the risks and consequences of installing a jailbreak. In this article we’ll talk about the risks and consequences of using various jailbreak tools and installation methods.

(more…)

In Apple’s land, losing your Apple Account password is not a big deal. If you’d lost your password, there could be a number of options to reinstate access to your account. If your account is not using Two-Factor Authentication, you could answer security questions to quickly reset your password, or use iForgot to reinstate access to your account. If you switched on Two-Factor Authentication to protect your Apple Account, you (or anyone else who knows your device passcode and has physical access to one of your Apple devices) can easily change the password; literally in a matter of seconds.

But what if you do know your password and your passcode but lost access to the only physical iOS device using your Apple ID and your SIM card at the same time? This could easily happen if you travel abroad and your phone is stolen together with the SIM card. There could be an even worse situation if your trusted phone number is no longer available (if, for example, you switched carrier or used a prepaid line and that line has expired).

It’s particularly interesting if you have a child under the age of 13 registered in your Family Sharing, and the child loses their only iOS device (at that age, they are likely to have just one) and their phone number (at that age, they are likely to use prepaid service). So let us explore what happens to your Apple Account if you lose access to your secondary authentication factor, and compare the process of regaining control over your account in Apple and Google ecosystems. (more…)

Full-disk encryption presents an immediate challenge to forensic experts. When acquiring computers with encrypted system volumes, the investigation cannot go forward without breaking the encryption first. Traditionally, experts would remove the hard drive(s), make disk images and work from there. We are offering a faster and easier way to access information required to break full-disk system encryption by booting from a flash drive and obtaining encryption metadata required to brute-force the original plain-text passwords to encrypted volumes. For non-system volumes, experts can quickly pull the system’s hibernation file to extract on-the-fly encryption keys later on with Elcomsoft Forensic Disk Decryptor.

What’s It All About?

It’s about an alternative forensic workflow for accessing evidence stored on computers protected with full-disk encryption. Once the system partition is encrypted, there is nothing one can do about it but break the encryption. Elcomsoft System Recovery helps launch password recovery attacks sooner compared to the traditional acquisition workflow, and offers a chance of mounting the encrypted volumes in a matter of minutes by extracting the system’s hibernation file that may contain on-the-fly encryption keys protecting the encrypted volumes.

This new workflow is especially handy when analyzing ultrabooks, laptops and 2-in-1 Windows tablet devices such as the Microsoft Surface range featuring non-removable, soldered storage or non-standard media. With just a few clicks (literally), experts can extract all information required to launch the attack on encrypted volumes.

Elcomsoft System Recovery offers unprecedented safety and compatibility. The use of a licensed Windows PE environment ensures full hardware compatibility and boot support for systems protected with Secure Startup. The tool mounts the user’s disks and storage media in strict read-only mode to ensure forensically sound extraction. (more…)

iOS 12 Rootless Jailbreak

February 22nd, 2019 by Oleg Afonin

The new generation of jailbreaks has arrived. Available for iOS 11 and iOS 12 (up to and including iOS 12.1.2), rootless jailbreaks offer significantly more forensically sound extraction compared to traditional jailbreaks. Learn how rootless jailbreaks are different to classic jailbreaks, why they are better for forensic extractions and what traces they leave behind.

Privilege Escalation

If you are follow our blog, you might have already seen articles on iOS jailbreaking. In case you didn’t, here are a few recent ones to get you started:

In addition, we published an article on technical and legal implications of iOS file system acquisition that’s totally worth reading.

Starting with the iPhone 5s, Apple’s first iOS device featuring a 64-bit SoC and Secure Enclave to protect device data, the term “physical acquisition” has changed its meaning. In earlier (32-bit) devices, physical acquisition used to mean creating a bit-precise image of the user’s encrypted data partition. By extracting the encryption key, the tool performing physical acquisition was able to decrypt the content of the data partition.

Secure Enclave locked us out. For 64-bit iOS devices, physical acquisition means file system imaging, a higher-level process compared to acquiring the data partition. In addition, iOS keychain can be obtained and extracted during the acquisition process.

Low-level access to the file system requires elevated privileges. Depending on which tool or service you use, privilege escalation can be performed by directly exploiting a vulnerability in iOS to bypass system’s security measures. This is what tools such as GrayKey and services such as Cellebrite do. If you go this route, you have no control over which exploit is used. You won’t know exactly which data is being altered on the device during the extraction, and what kind of traces are left behind post extraction.

In iOS Forensic Toolkit, we rely on public jailbreaks to circumvent iOS security measures. The use of public jailbreaks as opposed to closed-source exploits has its benefits and drawbacks. The obvious benefit is the lower cost of the entire solution and the fact you can choose the jailbreak to use. On the other hand, classic jailbreaks were leaving far too many traces, making them a bit overkill for the purpose of file system imaging. A classic jailbreak has to disable signature checks to allow running unsigned code. A classic jailbreak would include Cydia, a third-party app store that requires additional layers of development to work on jailbroken devices. In other words, classic jailbreaks such as Electra, Meridian or unc0ver carry too many extras that aren’t needed or wanted in the forensic world. (more…)

The two recent jailbreaks, unc0ver and Electra, have finally enabled file system extraction for Apple devices running iOS 11.4 and 11.4.1. At this time, all versions of iOS 11 can be jailbroken regardless of hardware. Let’s talk about forensic consequences of today’s release: keychain and file system extraction.

(more…)

Today’s smartphones and wearable devices collect overwhelming amounts of data about the user’s health. Health information including the user’s daily activities, workouts, medical conditions, body measurements and many other types of information is undoubtedly one of the most sensitive types of data. Yet, smartphone users are lenient to trust this highly sensitive information to other parties. In this research, we’ll figure out how Apple and Google as two major mobile OS manufacturers collect, store, process and secure health data. We’ll analyze Apple Health and Google Fit, research what information they store in the cloud, learn how to extract the data. We’ll also analyze how both companies secure health information and how much of that data is available to third parties.

Apple Health: the All-in-One Health App

The Apple Health app made its appearance in 2014 with the release of iOS 8. Since then, Apple Health is pre-installed on all iPhones.

Apple Health keeps working in background, collecting information about the user’s activities using the phone’s low-energy sensors.

In addition to low-energy sensors built into modern iPhone devices, Apple offers a range of companion devices that can collect additional information about the user’s health and activities. This information may include heart rate measurements, frequent and precise samples of location information (GPS), as well as specific data (fall detection, ECG). (more…)