ElcomSoft blog

«…Everything you wanted to know about password recovery, data decryption,
mobile & cloud forensics…»

iOS Forensic Toolkit 4.0 with Physical Keychain Extraction

June 20th, 2018 by Oleg Afonin

We have just released an update to iOS Forensic Toolkit. This is not just a small update. EIFT 4.0 is a milestone, marking the departure from supporting a large number of obsolete devices to focusing on current iOS devices (the iPhone 5s and newer) with and without a jailbreak. Featuring straightforward acquisition workflow, iOS Forensic Toolkit can extract more information from supported devices than ever before.

Feature wise, we are adding iOS keychain extraction via a newly discovered Secure Enclave bypass. With this new release, you’ll be able to extract and decrypt all keychain records (even those secured with the highest protection class, ThisDeviceOnly) from 64-bit iOS devices. The small print? You’ll need a compatible jailbreak. No jailbreak? We have you covered with logical acquisition and another brand new feature: the ability to extract crash logs.

Read the rest of this entry »

iOS 11.4.1 Second Beta Extends USB Restricted Mode with Manual Activation

June 14th, 2018 by Vladimir Katalov

Thinking Apple is done with USB Restricted Mode? Not yet. They have at least one more deus ex machina to shake up the forensic community.

More than a month ago, we made a report iOS 11.4 to Disable USB Port After 7 Days: What It Means for Mobile Forensics. The feature was not included into the final release of iOS 11.4, but returned in a much different shape in iOS 11.4.1 beta (iOS 11.4.1 Beta: USB Restricted Mode Has Arrived). The feature is also part of the first iOS 12 beta introduced a a few days later.

Finally, Apple has officially confirmed the existence of USB Restricted Mode, and the law enforcement community is not happy about it. (Cops Are Predictably Pissed About Apple’s Plan to Turn Off USB Data Access on iPhones). Some sources speculated about LE being able to break into the phones without the warrant.

If that was not enough, Apple added insult to injury. Do you remember the S.O.S. mode we described in New Security Measures in iOS 11 and Their Forensic Implications?

I’ve got good news for you. Or bad news, depending on who you are. In the second beta of 11.4.1 released just days ago, activating the SOS mode enables USB restrictions, too. This feature was not present in the first 11.4.1 beta (and it is not part of any other version of iOS including iOS 12 beta). In all other versions of iOS, the SOS mode just disables Touch/Face ID. The SOS feature in iOS 11.4.1 beta 2 makes your iPhone behave exactly like if you did not unlock it for more than an hour, effectively blocking all USB communications until you unlock the device (with a passcode, as Touch ID/Face ID would be also disabled).

How to Obtain iMessages from iCloud

June 14th, 2018 by Oleg Afonin

iOS 11.4 has finally brought a feature Apple promised almost a year ago: the iMessage sync via iCloud. This feature made its appearance in iOS 11 beta, but was stripped from the final release. It re-appeared and disappeared several times during the iOS 11 development cycle, and has finally made it into iOS 11.4. Let’s have a look at how iMessages are protected and how to download them from iCloud.

iMessages in iCloud

Even before iOS 11 Apple had Continuity (https://support.apple.com/en-us/HT204681), a convenient mechanism for accessing iMessages from multiple Apple devices registered with the same Apple ID. With Continuity, users can effectively send and receive iMessages on their Mac. Speaking of Mac computers, one could access iMessages by simply signing in to the same iCloud account in the Messages app. Without Continuity, one would only receive iMessages with no SMS; with Continuity, both iMessages and SMS messages would be delivered.

However, even with Continuity in place, iMessages were never stored in iCloud or synced with iCloud. Instead, the messages were only stored locally on enrolled devices. This led to a major problem, making it impossible for the user to keep iMessage conversations in sync between their iPhone, iPad and Mac devices. If the user deleted a message in the iPhone app, it would not be deleted on their Mac, and vice versa. Forensic experts knew about this, and made active use of this feature. Multiple cases are known where law enforcement experts were analyzing the user’s Mac in order to gain access to iMessages that were already wiped from their iPhone.

iCloud sync for iMessage introduced in iOS 11.4 takes care of this problem by changing the way iMessage sync is handled. Instead of using the flawed Continuity mechanism, iOS 11.4 now stores iMessages in iCloud. The messages are automatically synchronized across all enrolled devices on the user’s Apple ID. iCloud sync works similar to existing synchronizations such as iCloud Keychain, iCloud Photo Library or iCloud contacts. Read the rest of this entry »

iCloud and iMessage Security Concerns

June 14th, 2018 by Vladimir Katalov

We also trust these companies in ways that we do not understand yet. How many of you trust Apple? No voting… Just me 🙂 Damn! OK. May I ask you a very good question. Trusting to do what? Trusting when they say: “iMessages are end-to-end encrypted”? I mean, with all of that massive security engineering, to make sure it’s as good as it can be, so they genuinely believe they’ve done that. I do, generally, they’re great people. But… people believe themselves they can defend themselves against the Russians. If the Russians specifically targeted Apple, it’s only they can defend themselves.Ian Levy, director at the GCHQ on anniversary of the foundation of the FIPR event that was held on 29/04/2018).

This is probably just a co-incident, but “the Russians” are concerned about iCloud security, too.

Read the rest of this entry »

Protecting Your Data and Apple Account If They Know Your iPhone Passcode

June 12th, 2018 by Oleg Afonin

This publication is somewhat unusual. ElcomSoft does not need an introduction as a forensic vendor. We routinely publish information on how to break into the phone, gain access to information and extract as much evidence as theoretically possible using hacks (jailbreaks) or little known but legitimate workarounds. We teach and train forensic experts on how to extract and decrypt information, how to download information from iCloud with or without the password, how to bypass two-factor authentication and how their iPhone falls your complete victim if you know its passcode.

This time around we’ll be playing devil’s advocate. We’ll tell you how to defend your data and your Apple account if they have your iPhone and know your passcode.

iOS Devices Are Secure

We praised the iOS security model on multiple occasions. Speaking of the current pack of iOS versions (including iOS 11.4 release, 11.4.1 public beta and 12.0 first developer beta), we have full-disk encryption with decryption keys derived from the user’s passcode and protected by Secure Enclave. Thanks to the iOS keychain, we enjoy the additional layer of protection for our passwords and other sensitive information. If you protected your iPhone with a 6-digit passcode (which you really should, and which is the default since at least iOS 10), most of your information is securely encrypted until you first unlock your iPhone after it completes the boot sequence. Even if they take the memory chip off, they won’t get anything meaningful due to the encryption. Read the rest of this entry »

The iOS File System: TAR and Aggregated Locations Analysis

June 7th, 2018 by Oleg Afonin

Finally, TAR support is there! Using Elcomsoft iOS Forensic Toolkit to pull TAR images out of jailbroken iOS devices? You’ll no longer be left on your own with the resulting TAR file! Elcomsoft Phone Viewer 3.70 can now open the TAR images obtained with Elcomsoft iOS Forensic Toolkit or GrayKey and help you analyse evidence in that file. In addition, we added an aggregated view for location data extracted from multiple sources – such as the system logs or geotags found in media files.

What Are These TAR Files Anyway?

While TAR is just an uncompressed file archive used in UNIX-based operating systems, this speaks little of its importance for the mobile forensic specialist.

Since the introduction of the iPhone 5s, Apple’s first 64-bit iPhone, physical acquisition has never been the same. For all iPhone and iPad devices equipped with Apple’s 64-bit processors, physical acquisition is exclusively available via file system extraction because of full-disk encryption. Even with a jailbreak, you must run the tarball command on the device itself in order to bypass the encryption. Since the file system image is captured and packed by iOS, you’ll get exactly the same TAR file regardless of the tool performing physical acquisition. Whether you use iOS Forensic Toolkit or GrayKey, you’ll receive exactly the same TAR archive containing an image of the device’s file system. Read the rest of this entry »

Apple Probably Knows What You Did Last Summer

June 5th, 2018 by Vladimir Katalov

“Significant Locations” are an important part of the evidence logged on iPhones. Forensic experts doing the acquisition will try accessing Significant Locations. At the same time, many iPhone users are completely unaware of the existence of this feature. What are Significant Locations, where are they stored, and how to extract them, and what value do they serve in investigations?

Privacy Issues

iOS 11 and iOS 12 after it supposedly come with a slew of privacy enhancements. When it comes to Significant Locations, what we see is quite the opposite. There is an unresolved privacy issue instead.

Speaking strictly of “significant locations”, iOS 10 and older versions used to retain this data no longer than 45 days. Older records would be purged from the device. In iOS 11.4, the current release, location data is kept for at least 120 days (or 4 months). Apple does not provide ANY information about how or when it collects your location data; moreover, there is no official statement about how this data is being used. The only article that we were able to discover is “Location Services & Privacy“. Have a look at the following quote:

Significant Locations – Your iPhone will keep track of places you have recently been, as well as how often and when you visited them, in order to learn places that are significant to you. This data is transmitted end-to-end encrypted between your iCloud connected devices and will not be shared without your consent. It will be used to provide you with personalized services, such as predictive traffic routing, and to build better Photos Memories.

Read the rest of this entry »

iOS 11.4.1 Beta: USB Restricted Mode Has Arrived

June 2nd, 2018 by Oleg Afonin

As we wrote back in May, Apple is toying with the idea of restricting USB access to iOS devices that have not been unlocked for a certain period of time. At the time of publication, our article received a lot of controversial reports. When this mode did not make it into the final build of iOS 11.4, we enjoyed a flow of sarcastic comments from journalists and the makers of passcode cracking toolkits. Well, there we have it: Apple is back on track with iOS 11.4.1 beta including the new, improved and user-configurable USB Restricted Mode.

What’s It All About?

The USB Restricted Mode first made its appearance in iOS 11.3 beta. The idea behind this mode is well covered in our previous article iOS 11.4 to Disable USB Port After 7 Days: What It Means for Mobile Forensics. At the time of 11.3 beta, the feature had the following description:

“To improve security, for a locked iOS device to communicate with USB accessories you must connect an accessory via lightning connector to the device while unlocked – or enter your device passcode while connected – at least once a week.”

The idea behind USB Restricted Mode was pretty ingenious. The feature appeared to be directly targeting passcode cracking solutions such as those made by Cellerbrite and GrayShift. The device running iOS 11.3 beta would disable the USB data connection over the Lightning port one week after the device has been last unlocked. The feature was not user-configurable, but it could be disabled via corporate policies and device management solutions.

Apparently, the feature did not make it into the final release iOS 11.3. While we had reasons to believe it would be included with iOS 11.4, Apple skipped it in iOS 11.4, replacing it instead with a toned-down version that would require unlocking the iOS device after 24 hours in order for it to communicate with a USB accessory. While this toned-down feature would complicate the work of forensic experts by effectively disabling logical acquisition with lockdown records, it had zero effect on passcode cracking solutions such as those offered by Cellebrite and GrayShift.

The “proper” USB Restricted Mode, the one that would completely shut down all data communications between the iOS device and the computer, was still missing in iOS 11.4. Only to reappear – in a much refined form – in iOS 11.4.1 beta. Read the rest of this entry »

WhatsApp Business Acquisition Guide

May 29th, 2018 by Oleg Afonin

Starting with version 2.40, Elcomsoft Extractor for WhatsApp supports physical and cloud acquisition of WhatsApp Business. The physical extraction method requires root access, while cloud acquisition requires authenticating into the user’s Google Drive account with proper authentication credential. In addition, a verification code received from WhatsApp as an SMS must be provided to decrypt the backup downloaded from Google Drive. In this guide, we’ll describe all the steps required to perform physical and cloud acquisition of WhatsApp Business. Read the rest of this entry »

Demystifying Android Physical Acquisition

May 29th, 2018 by Oleg Afonin

Numerous vendors advertise many types of solutions for extracting evidence from Android devices. The companies claim to support tens of thousands of models, creating the impression that most (if not all) Android devices can be successfully acquired using one method or another.

On the other side of this coin is encryption. Each Google-certified Android device released with Android 6.0 or later must be fully encrypted by the time the user completes the initial setup. There is no user-accessible option to decrypt the device or to otherwise skip the encryption. While this Google’s policy initially caused concerns among the users and OEM’s, today the strategy paid out with the majority of Android handsets being already encrypted.

So how do the suppliers of forensic software overcome encryption, and can they actually extract anything from an encrypted Android smartphone locked with an unknown passcode? We did our own research. Bear with us to find out!

Many thanks to Oleg Davydov from Oxygen Forensics for his invaluable help and advise.

Read the rest of this entry »