ElcomSoft blog

«…Everything you wanted to know about password recovery, data decryption,
mobile & cloud forensics…»

Demystifying Android Physical Acquisition

May 29th, 2018 by Oleg Afonin

Numerous vendors advertise many types of solutions for extracting evidence from Android devices. The companies claim to support tens of thousands of models, creating the impression that most (if not all) Android devices can be successfully acquired using one method or another.

On the other side of this coin is encryption. Each Google-certified Android device released with Android 6.0 or later must be fully encrypted by the time the user completes the initial setup. There is no user-accessible option to decrypt the device or to otherwise skip the encryption. While this Google’s policy initially caused concerns among the users and OEM’s, today the strategy paid out with the majority of Android handsets being already encrypted.

So how do the suppliers of forensic software overcome encryption, and can they actually extract anything from an encrypted Android smartphone locked with an unknown passcode? We did our own research. Bear with us to find out!

Many thanks to Oleg Davydov from Oxygen Forensics for his invaluable help and advise.

Read the rest of this entry »

Apple Strikes Back: the iPhone Cracking Challenge

May 11th, 2018 by Vladimir Katalov

We live in the era of mobile devices with full-disk encryption, dedicated security co-processors and multiple layers of security designed to prevent device exploitation. The recent generations of Apple mobile devices running iOS 10 and 11 are especially secure, effectively resisting experts’ efforts to extract evidence. Yet, several solutions are known to counter Apple’s security measures even in iOS 11 and even for the last-generation devices. It is not surprising that Apple comes up with counter measures to restrict the effectiveness and usability of such methods, particularly by disabling USB data connection in iOS 11.4 after prolonged inactivity periods (well, in fact it is still in question whether this feature will be available in new iOS version or not; it seems it is not ready yet, and may be delayed till iOS 12).

Today, we’ll discuss the main challenges of iOS forensics, look at some of the most interesting solutions available to law enforcement, and share our experience gaining access to some of the most securely protected evidence stored in Apple iOS devices. Read the rest of this entry »

iOS 11.4 to Disable USB Port After 7 Days: What It Means for Mobile Forensics

May 8th, 2018 by Oleg Afonin

UPDATE June 2, 2018: USB Restricted Mode did not make it into iOS 11.4. However, in iOS 11.4.1 Beta USB Restricted Mode Has Arrived

A new iOS update is about to roll out in the next few weeks or even days. Reading Apple documentation and researching developer betas, we discovered a major new security feature that is about to be released with iOS 11.4. The update will disable the Lightning port after 7 days since the device has been last unlocked. What is the meaning of this security measure, what reasons are behind, and what can be done about it? Let’s have a closer look.

USB Restricted Mode in iOS 11.4

In the iOS 11.4 Beta, Apple introduced a new called USB Restricted Mode. In fact, the feature made its first appearance in the iOS 11.3 Beta, but was later removed from the final release. This is how it works:

“To improve security, for a locked iOS device to communicate with USB accessories you must connect an accessory via lightning connector to the device while unlocked – or enter your device passcode while connected – at least once a week.”

The functionality of USB Restricted Mode is actually very simple. Once the iPhone or iPad is updated to the latest version of iOS supporting the feature, the device will disable the USB data connection over the Lightning port one week after the device has been last unlocked. Read the rest of this entry »

Legal and Technical Implications of Chinese iCloud Operations

April 10th, 2018 by Vladimir Katalov

On February 28, 2018, Apple has officially moved its Chinese iCloud operations and encryption keys to China. The reaction to this move from the media was overwhelmingly negative. The Verge, The Guardian, Reuters, Wired, and CNN among other Western media outlets expressed their concerns about the Chinese government potentially violating the human rights of its citizens. Politics aside, we will review Apple policies governing the Chinese accounts, and look into the technical implementation of Chinese iCloud operations. Let us see if the fears are substantiated.

The Fear of China

Even if the change only affects iCloud accounts registered in mainland China, there is no lack of publications bashing apple for complying with Chinese laws. Below are just a few stories from the top of the news feed.

Journalists express their concerns regarding the potential violation of Chinese users human rights. “In the past, if Chinese authorities wanted to access [Chinese] Apple’s user data, they had to go through an international legal process and comply with U.S. laws on user rights, according to Ronald Deibert, director of the University of Toronto’s Citizen Lab, which studies the intersection of digital policy and human rights. “They will no longer have to do so if iCloud and cryptographic keys are located in China’s jurisdiction,” he told CNNMoney.” [CNN]

Read the rest of this entry »

Demystifying Advanced Logical Acquisition

April 3rd, 2018 by Vladimir Katalov

We were attending the DFRWS EU forum in beautiful Florence, and held a workshop on iOS forensics. During the workshop, an attendee tweeted a photo of the first slide of our workshop, and the first response was from… one of our competitors. He said “Looking forward to the “Accessing a locked device” slide”. You can follow our conversation on Twitter, it is worth reading.

No, we cannot break the iPhone passcode. Still, sometimes we can get the data out of a locked device. The most important point is: we never keep our methods secret. We always provide full disclosure about what we do, how our software works, what the limitations are, and what exactly you can expect if you use this and that tool. Speaking of Apple iCloud, we even reveal technical information about Apple’s network and authentication protocols, data storage formats and encryption. If we cannot do something, we steer our customers to other companies (including competitors) who could help. Such companies include Oxygen Forensics (the provider of one of the best mobile forensic products) and Passware (the developer of excellent password cracking tools and our direct competitor).

Let’s start with “Logical acquisition”. We posted about it more than once, but it never hurts to go over it again. By “Logical acquisition”, vendors usually mean nothing more than making an iTunes-style backup of the phone, full stop.

Then, there is that “advanced logical” advertised by some forensic companies. There’s that “method 2” acquisition technique and things with similarly cryptic names. What is that all about?

I am not the one to tell you how other software works (not because I don’t know, but because I don’t feel it would be ethical), but I’ll share information on how we do it with our software: the methods we use, the limitations, and the expected outcome.

Read the rest of this entry »

Google Services Blocked on Uncertified Devices

April 3rd, 2018 by Oleg Afonin

After testing waters for more than a year, Google has finally pulled the plug and began blocking access to Google Play services on uncertified devices. Why Google took this step, who is affected, and what it means for the end users? Let’s try to find out.

Google Play Services Certification

In March 2017, Google rolled out a Google Play Services update that had a very minor addition. At the very bottom of its settings page, the Services would now display device certification status.

This is how it looks on an uncertified device:

What is this all about?

Read the rest of this entry »

What’s Broken in iOS for iPhone X

March 28th, 2018 by Oleg Afonin

Apple’s latest and greatest iPhone, the iPhone X, received mixed reviews and sells slower than expected. While the high price of the new iPhone is a major factor influencing the slow sales, some of the negative points come from the device usability. The combination of design language, hardware and software interactions make using the new iPhone less than intuitive in many situations. In this article, we collected the list of utterly strange design decisions affecting the daily use of the iPhone X.

The Return of Slide to Unlock

In iOS 10, Apple has finally rid of the infamous “slide to unlock” prompt, replacing it with the prompt to that asks iPhone users (as well as users of Touch ID equipped iPads) to press the home button to gain access to the home screen. This means that, by default, users could no longer simply rest their finger on the home button to unlock their device with their fingerprint.

A workaround was discovered quickly. Apparently, it was possible to alter the “Rest Finger to Open” option in General > Accessibility > Home Button to make iPhones capable of “raise-to-wake” unlock without pressing down on the home button.

This option is still present in iOS 11, and still works on all devices equipped with Touch ID – but not Face ID. The iPhone X is the only device in Apple’s stable that cannot be automatically unlocked when picked up. Users must still reach for the very bottom of the device’s screen and… yes: swipe up to unlock. This feels like a huge step back to pre-iOS 10 days, and annoys many users.

Read the rest of this entry »

iPhone X Eye Strain: How to Stop OLED Flickering in Just Three Clicks

March 5th, 2018 by Oleg Afonin

The iPhone X uses a new (for Apple) display technology. For the first time ever, Apple went with an OLED display instead of the IPS panels used in all other iPhones. While OLED displays have numerous benefits such as the true blacks and wide color gamut, the majority of OLED displays (particularly those made by Samsung) tend to flicker. The flickering is particularly visible at low brightness levels, causing eyestrain and headaches to sensitive users. Very few users have the slightest idea of what’s going on, attributing these health issues to oversaturated colors, the oh-so-harmful blue light and anything but OLED flickering.

So let us have a look at what OLED flickering is and how to get rid of it on the iPhone X for much better low-light readability.

Read the rest of this entry »

Breaking into iOS 11

February 20th, 2018 by Oleg Afonin

In the world of mobile forensics, physical acquisition is still the way to go. Providing significantly more information compared to logical extraction, physical acquisition can return sandboxed app data (even for apps that disabled backups), downloaded mail, Web browser cache, chat histories, comprehensive location history, system logs and much more.

In order to extract all of that from an i-device, you’ll need the extraction tool (iOS Forensic Toolkit) and a working jailbreak. With Apple constantly tightening security of its mobile ecosystem, jailbreaking becomes increasingly more difficult. Without a bug hunter at Google’s Project Zero, who released the “tfp0” proof-of-concept iOS exploit, making a working iOS 11 jailbreak would take the community much longer, or would not be possible.

The vulnerability exploited in tfp0 was present in all versions of iOS 10 on all 32-bit and 64-bit devices. It was also present in early versions of iOS 11. The last vulnerable version was iOS 11.2.1. Based on the tfp0 exploit, various teams have released their own versions of jailbreaks.

Read the rest of this entry »

ElcomSoft on Facebook
ElcomSoft on Flickr
ElcomSoft on Twitter