On Apple iCloud security and ‘deleted’ notes

May 19th, 2017 by Vladimir Katalov

Apple, it’s not funny anymore.

Apple iCloud is a fantastic service. For me, it works far better than Google services, especially when it comes to cloud backups. I use it daily when working with my iPhone, iPad, Mac and MacBook at home. In the office, I still have to use the good old Windows PC, and I hate it. I use iCloud backups to keep my data safe (secured with two-factor authentication), and it really helped me on at least two occasions when I had my iPhone lost or broken far away from home. I use iCloud Photo Library to get my photos synced across devices. I actively use iCloud Drive when working with documents. I use iCloud syncing, including the keychain, to store my passwords and credit card data and have them all handy. I should say that I cannot work effectively without iCloud.

But we have a lot of security and privacy concerns. We completely understand that it is not possible to pick all three from the “security, privacy, usability” trio, but please give at al least two.

Read the rest of this entry »

ElcomSoft vs. The Cloud: a Game of Cat and Mouse

May 12th, 2017 by Oleg Afonin

We’ve got a few forensic tools for getting data off the cloud, with Apple iCloud and Google Account being the biggest two. Every once in a while, the cloud owners (Google and Apple) make changes to their protocols or authentication mechanisms, or employ additional security measures to prevent third-party access to user accounts. Every time this happens, we try to push a hotfix as soon as possible, sometimes in just a day or two. In this article, we’ll try to address our customers’ major concerns, give detailed explanations on what’s going on with cloud access, and provide our predictions on what could happen in the future.

Update 19/05/2017: what we predicted has just happened. Apple has implemented additional checks just two days ago. This time, the extra checks do not occur during the authentication stage. Instead, the company started blocking pull requests for backup data originating from what appears to Apple as a desktop device (as opposed to being an actual iPhone or iPad). Once again we had to rush a hotfix to our customers, releasing an update just today. Whether or not our solution stands the test of time is hard to tell at this time. It seems this time it’s no longer a game but a war.

This whole Apple blocking third-party clients issue creates numerous problems to our customers who are either legitimate Apple users or law enforcement officials who must have access to critical evidence now as opposed to maybe getting it from Apple in one or two weeks. This time it’s not about security or privacy of Apple customers. After all, accounts protected with two-factor authentication are and have been safe. We’ve had similar experience with Adobe several years ago, and surprisingly, it turned out Adobe had reasons beyond privacy or security of its customers.

Read the rest of this entry »

Extracting Text Messages from Google Accounts

April 26th, 2017 by Oleg Afonin

Elcomsoft Cloud Explorer 1.30 can now pull SMS (text) messages straight off the cloud, and offers enhanced location processing with support for Routes and Places. In this article, we’ll have a close look at the new features and get detailed instructions on how to use them. The first article will discuss the text messages, while enhanced location data will be covered in the one that follows.

Text Messages: Part of Android Backups (sort of)

Before we begin extracting text messages, let us check where they come from. As you may know, Android 6.0 has finally brought automated data backups. While Android backups are not nearly as complete or as comprehensive as iOS backups, they still manage to save the most important things such as device settings, the list of installed apps and app data into the cloud. Being a Google OS, Android makes use of the user’s Google Account to store backups. Unlike Apple, Google does not count the space taken by these backups towards your Google Drive allotment. At the same time, Google allows for a very limited data set to be saved into the cloud, so you can forget about multi-gigabyte backups you have probably seen in iOS.

Read the rest of this entry »

Routes and Places: Obtaining Enhanced Location Data from Google Accounts

April 26th, 2017 by Oleg Afonin

Even before we released Elcomsoft Cloud Explorer, you’ve been able to download users’ location data from Google. What you would get then was a JSON file containing timestamped geolocation coordinates. While this is an industry-standard open data format, it provides little insight on which places the user actually visits. A full JSON journal filled with location data hardly provides anything more than timestamped geographic coordinates. Even if you pin those coordinates to a map, you’ll still have to scrutinize the history to find out which place the user has actually gone to.

Google has changed that by introducing several mapping services running on top of location history. With its multi-million user base and an extremely comprehensive set of POI, Google can easily make educated guesses on which place the user has actually visited. Google knows (or makes a very good guess) when you eat or drink, stay at a hotel, go shopping or do other activities based on your exact location and the time you spent there. This extra information is also stored in your Google account – at least if you use an Android handset and have Location History turned on.

Elcomsoft Cloud Explorer 1.30 can now process Google’s enhanced location data, which means we can now correctly identify, extract and process user’s routes and display places they visited (based on Google’s POI). This significantly improves readability of location data, providing a list of places (such as restaurants, landmarks or shops) instead of plain numbers representing geolocation coordinates. In this article, we’ll figure out how to obtain that data and how to analyze it. Read the rest of this entry »

How Long Does It Take to Crack Your Password?

April 4th, 2017 by Oleg Afonin

We hear the “how long will it take to break…” question all the time. The answer is always the same: “it depends”. In this article we’ll try to give a detailed explanation and a definite answer for as many possible combinations as possible.

Do you need that password?

First thing first: are you sure you absolutely need o know that password? In many cases, protection can be removed without cracking the original password. This, for example, applies to legacy Quicken and QuickBooks documents, Microsoft Office documents saved in Microsoft Office 97-2000 or newer versions of Office in the Office 97-2003 format with default encryption settings, Microsoft SQL Server databases and certain types of Windows passwords (with few exceptions). Read the rest of this entry »

Extracting Unread Notifications from iOS Backups

March 2nd, 2017 by Oleg Afonin

In the world of no jailbreak, acquisition opportunities are limited. Experts are struggling to access more information from those sources that are still available. Every little bit counts. In Elcomsoft Phone Viewer 3.0, we’ve added what might appear like a small bit: the ability to view undismissed iOS notifications. Unexciting? Hardly. Read along to discover how extracting notifications from iOS backups can make all the difference in an investigation! Read the rest of this entry »

How to Break 70% of Passwords in Minutes

February 14th, 2017 by Oleg Afonin

According to surveys, the average English-speaking consumer maintains around 27 online accounts. Memorizing 27 unique, cryptographically secure passwords is nearly impossible for a person one could reasonably call “average”. As a result, the average person tends to reuse passwords, which means that a single password (or its simple variations) can be used to protect multiple online accounts and services. The same passwords are very likely to be chosen to protect access to offline resources such as encrypted archives and documents. In fact, several independent researches published between 2012 and 2016 suggest that between 59 and 61 per cent of consumers reuse passwords.

Considering how consistent the numbers are between multiple researches carried out over the course of four years, we can safely assume that around 60% of consumers reuse their passwords. How can this data help us break passwords, and how did we arrive to the value of 70% in the title? Read along to find out! Read the rest of this entry »

ElcomSoft Extracts Deleted Safari Browsing History from iCloud

February 9th, 2017 by Vladimir Katalov

Your browsing history represents your habits. You are what you read, and your browsing history reflects that. Your Google searches, visits to news sites, activities in blogs and forums, shopping, banking, communications in social networks and other Web-based activities can picture your daily activities. It could be that the browsing history is the most intimate part of what they call “online privacy”. You wouldn’t want your browsing history become public, would you?

“When I die, delete my browsing history”. This is what many of us want. However, if you’re an iPhone user, this is not going to work. Apple may hide your browsing history but still keep your records in the cloud, and someone (maybe using ElcomSoft tools) could eventually download your browsing history. How could this happen? Read along to find out!

Read the rest of this entry »

How to Break 30 Per Cent of Passwords in Seconds

February 6th, 2017 by Oleg Afonin

This article opens a new series dedicated to breaking passwords. It’s no secret that simply getting a good password recovery tool is not enough to successfully break a given password. Brute-force attacks are inefficient for modern formats (e.g. encrypted Office 2013 documents), while using general dictionaries can still be too much for speedy attacks and too little to actually work. In this article, we’ll discuss the first of the two relatively unknown vectors of attack that can potentially break 30 to 70 per cent of real-world passwords in a matter of minutes. The second method will be described in the follow-up article. Read the rest of this entry »

Extracting WhatsApp Conversations from Android Smartphones

February 2nd, 2017 by Oleg Afonin

As you may already know, we’ve added Android support to our WhatsApp acquisition tool, Elcomsoft Explorer for WhatsApp. While the updated tool can now extract WhatsApp communication histories directly from Android smartphones with or without root access, how do you actually use it, and how does it work? In this blog post we’ll be looking into the technical detail and learn how to use the tool.

Read the rest of this entry »

RSS for posts
RSS for comments
Subscribe
ElcomSoft on Facebook
ElcomSoft on Flickr
ElcomSoft on Twitter