Extracting and Decrypting iOS Keychain: Physical, Logical and Cloud Options Explored
August 5th, 2020 by Oleg Afonin
The keychain is one of the hallmarks of the Apple ecosystem. Containing a plethora of sensitive information, the keychain is one of the best guarded parts of the walled garden. At the same time, the keychain is relatively underexplored by the forensic community. The common knowledge has it that the keychain contains the users’ logins and passwords, and possibly some payment card information. The common knowledge is missing the point: the keychain contains literally thousands of records belonging to various apps and the system that are required to access lots of other sensitive information. Let’s talk about the keychain, its content and its protection, and the methods used to extract, decrypt and analyze the various bits and pieces.
Extracting Passwords from Tencent QQ Browser
July 7th, 2020 by Oleg Afonin
QQ Browser is one of China’s most popular Web browsers. With some 10% of the Chinese market and the numerous Chinese users abroad, QQ Browser is used by the millions. Like many of its competitors, QQ Browser offers the ability to store website passwords. The passwords are securely encrypted, and can be only accessed once the user signs into their Windows account. Learn what you need to do to extract passwords from Tencent QQ Browser.
Unlocking BitLocker Volumes by Booting from a USB Drive
June 30th, 2020 by Oleg Afonin
BitLocker is Windows default solution for encrypting disk volumes. A large number of organizations protect startup disks with BitLocker encryption. While adding the necessary layer of security, BitLocker also has the potential of locking administrative access to the encrypted volumes if the original Windows logon password is lost. We are offering a straightforward solution for reinstating access to BitLocker-protected Windows systems with the help of a bootable USB drive.
The Mysterious Apple DCSD Cable Demystified
June 19th, 2020 by James Duffy
A lot of people have asked me over the past couple of months – “What’s that cable on your desk, James?”. Today I’ll tell you all about it. Every accessory that connects to your iPhone via lightning is ‘flashed’ with an Accessory ID. The Accessory ID essentially identifies the device connected to the iPhone as a specific type. For example, a Lightning-To-Ethernet adapter will identify itself with it’s assigned Accessory ID so the iPhone knows how to treat the device and interact with it. It’s sort of like directing the iPhone to use a specific driver to interact with said device.
iOS, watchOS and tvOS Acquisition Methods Compared: Compatibility Notes
June 18th, 2020 by Vladimir Katalov
How can you obtain the highest amount of data from an iPhone, iPad, Apple TV or Apple Watch? This is not as simple as it may seem. Multiple overlapping extraction methods exist, and some of them are limited to specific versions of the OS. Let’s go through them and summarize their availability and benefits.
iOS Extraction Without a Jailbreak: Full iOS 10 Support
June 16th, 2020 by Oleg Afonin
Originally released in September 2016, iOS 10 was regularly updated for most devices until July 2017. The 64-bit iPhones capable of running iOS 10 range from the iPhone 5s to iPhone 7 and 7 Plus. While one is hardly likely to encounter an iOS 10 in the wild, forensic labs still process devices running the older version of the OS. In this update, we’ve brought support for jailbreak-free extraction back to the roots, adding support for the oldest version of iOS capable of running on the iPhone 7 generation of devices. Let’s see what it takes to extract an older iPhone without a jailbreak. In addition, we have expanded support for the Apple TV devices, now offering keychain decryption in addition to file system extraction for both Apple TV 4 (Apple TV HD) and Apple TV 4K running tvOS 13.4 through 13.4.5.
Jailbreaking Apple TV 4K
June 12th, 2020 by Vladimir Katalov
Is jailbreaking an Apple TV worth it? If you are working in the forensics, it definitely is. When connected to the user’s Apple account with full iCloud access, the Apple TV synchronizes a lot of data. That data may contain important evidence, and sometimes may even help access other iCloud data. I have some great news for the forensic crowd: the Apple TV does not have a passcode. And some bad news: jailbreaking is not as easy and straightforward as we’d like it to be. Let’s have a look at what can be done.
iCloud Extraction Streamlined
June 11th, 2020 by Vladimir Katalov
Apple iCloud contains massive amounts of data, which may become highly valuable evidence. The oldest and most frequently mentioned are iCloud backups, which ElcomSoft were the first to extract back in 2012. A lot has changed since then. Today, iCloud backups account for a very minor part of the evidence available in iCloud. Learn what types of data are stored in iCloud, how Apple protects the data with end-to-end encryption, and how to access that valuable evidence with the updated Elcomsoft Phone Breaker.
iCloud Backups, Synced Data and End-to-End Encryption
June 10th, 2020 by Oleg Afonin
Since iOS 5, Apple allows users to back up their phones and tablets automatically into their iCloud account. Initially, iCloud backups were similar in content to local (iTunes) backups without the password. However, the introduction of iCloud sync has changed the rules of the game. With more types of data synchronized through iCloud as opposed to being backed up, the content of iCloud backups gets slimmed down as synchronized information is excluded from cloud backups (but still present in local backups).
Demystifying iOS Data Security
June 10th, 2020 by James Duffy
It’s an honor to be given the opportunity to post on the ElcomSoft Blog, and I’d like to thank the ElcomSoft team for supporting my research. Recently I’ve been sent over a few questions from members of the community, such as “Why can’t we decrypt the data from a disabled iPhone over SSH if we know the passcode?” and “I tried to SCP a file from the device to the Mac, but getting permission errors”. Today I’m going to answer these questions in a Q&A format for you all so hopefully we can shed some light on how this works! The article is aimed to be accessible for everybody, including beginners and non-technical users. Without further ado…
Apple Two-Factor Authentication: SMS vs. Trusted Devices
June 8th, 2020 by Oleg Afonin
Multi-factor authentication is the new reality. A password alone is no longer considered sufficient. Phishing attacks, frequent leaks of password databases and the ubiquitous issue of reusing passwords make password protection unsafe. Adding “something that you have” to “something that you know” improves the security considerably, having the potential of cutting a chain attack early even in worst case scenarios. However, not all types of two-factor authentication are equally secure. Let’s talk about the most commonly used type of two-factor authentication: the one based on text messages (SMS) delivered to a trusted phone number.
