ElcomSoft blog

«…Everything you wanted to know about password recovery, data decryption,
mobile & cloud forensics…»

Training in Vienna
July 10th, 2018 by Oleg Afonin

Did you know we have forensic trainings? We’ve partnered with T3K Forensics to feature a 3-day training on iOS forensics. This fall in beautiful Vienna, 17.-19.10.2018, we’ll train a group of law enforcement and forensic specialists on every aspect of iOS acquisition and analysis. We’ll talk about the acquisition workflow and have participants perform logical, physical and cloud extraction of iOS devices. Expect live demonstrations and fully guided hands-on experience jailbreaking and extracting iOS devices, pulling data from locked iPhones and accessing the cloud for even more evidence.

In this training:

  • Mobile acquisition workflow
  • Seizing, storing and transporting wireless capable mobile devices
  • Acquisition methods that don’t work
  • Full-disk encryption, passcode and biometrics
  • Acquisition methods: logical, physical and cloud
  • Logical acquisition: extracting encrypted and unencrypted backups; shared files; photos and videos; crash logs
  • Logical acquisition of locked devices: locating, extracting and using lockdown records
  • Physical acquisition: jailbreaking, imaging the file system, extracting passwords and decrypting the keychain
  • Cloud acquisition: synced data; backups; messages; iCloud Keychain (Safari passwords)

Read the rest of this entry »

Tags: ,
Posted in Elcom-News, General | Comments Off on Training in Vienna

Using iOS 11.2-11.3.1 Electra Jailbreak for iPhone Physical Acquisition
July 10th, 2018 by Oleg Afonin

It’s been fast. iOS 11.3.1 and all earlier versions of the system down to iOS 11.2 have been successfully jailbroken. In addition, the jailbreak is compatible with iOS 11.4 beta 1 through 3. We normally wouldn’t post about each new jailbreak release; however, this time things are slightly different. The new Electra jailbreak uses two different exploits and presents two very different installation routines depending on whether or not you have a developer account with Apple. Considering how much more stable the developer-account exploit is compared to the routine available to the general public, this time it pays to be an Apple developer.

We tested the Electra jailbreak and can confirm that iOS Forensic Toolkit 4.0 is fully compatible. File system imaging and keychain extraction work; no OpenSSH installation required as Electra includes an SSH client listening on port 22.

Why Jailbreak?

For the general consumer, jailbreak is one open security vulnerability calling for trouble. Apple warns users against jailbreaking their devices, and there is much truth in their words.

Forensic experts use jailbreaks for much different reasons compared to enthusiast users. A wide-open security vulnerability is exactly what they want to expose the device’s file system, circumvent iOS sandbox protection and access protected data. Jailbreaking extract the largest set of data from the device. During jailbreaking, many software restrictions imposed by iOS are removed through the use of software exploits.

In addition to sandboxed app data (which includes conversation histories and downloaded mail), experts can also extract and decrypt the keychain, a system-wide storage for online passwords, authentication tokens and encryption keys. Unlike keychain items obtained from a password-protected local backup, physical extraction of a jailbroken device gains access to keychain items secured with the highest protection class ThisDeviceOnly (this is how).

The New Electra Jailbreak

Jailbreaking iOS versions past 11.1.2 (for which a Google-discovered vulnerability was published along with a proof-of-concept tool) was particularly challenging but not impossible. At this time, a team of jailbreakers discovered not one but two different vulnerabilities, releasing two versions of Electra jailbreak. Why the two versions?

Read the rest of this entry »

Tags: , , , , ,
Posted in General, Security, Software | Comments Off on Using iOS 11.2-11.3.1 Electra Jailbreak for iPhone Physical Acquisition

This $39 Device Can Defeat iOS USB Restricted Mode
July 9th, 2018 by Oleg Afonin

The most spoken thing about iOS 11.4.1 is undoubtedly USB Restricted Mode. This highly controversial feature is apparently built in response to threats created by passcode cracking solutions such as those made by Cellerbrite and Grayshift. On unmanaged devices, the new default behavior is to disable data connectivity of the Lightning connector after one hour since the device was last unlocked, or one hour since the device has been disconnected from a trusted USB accessory. In addition, users can quickly disable the USB port manually by following the S.O.S. mode routine.

Once USB Restricted Mode is engaged on a device, no data communications occur over the Lightning port. A connected computer or accessory will not detect a “smart” device. If anything, an iPhone in USB Restricted Mode acts as a dumb battery pack: in can be charged, but cannot be identified as a smart device. This effectively blocks forensic tools from being able to crack passcodes if the iPhone spent more than one hour locked. Since law enforcement needs time (more than one hour) to transport the seized device to a lab, and then more time to obtain an extraction warrant, USB Restricted Mode seems well designed to block this scenario. Or is it?

We performed several tests, and can now confirm that USB Restricted Mode is maintained through reboots, and persists software restores via Recovery mode. In other words, we have found no obvious way to break USB Restricted Mode once it is already engaged. However, we discovered a workaround, which happens to work exactly as we suggested back in May (this article; scroll down to the “Mitigation” chapter).

Read the rest of this entry »

Tags: , , ,
Posted in Did you know that...?, Hardware, Security | Comments Off on This $39 Device Can Defeat iOS USB Restricted Mode

Apple Warns Users against Jailbreaking iOS Devices: True or False?
July 2nd, 2018 by Oleg Afonin

Apple has an article on their official Web site, warning users against jailbreaking iOS devices. The article “Unauthorized modification of iOS can cause security vulnerabilities, instability, shortened battery life, and other issues” is available at https://support.apple.com/en-us/HT201954. How much truth is in that article, and is jailbreaking as dangerous as Apple claims? We’ll comment the article based on our extensive experience in jailbreaking more than a hundred devices running every version of iOS imaginable.

Security Vulnerabilities

Apple introduces the concept of jailbreaking by stating the following: “iOS is designed to be reliable and secure from the moment you turn on your device. Built-in security features protect against malware and viruses and help to secure access to personal information and corporate data. Unauthorized modifications to iOS (also known as “jailbreaking”) bypass security features and can cause numerous issues to the hacked iPhone, iPad, or iPod touch” (HT201954). According to Apple, jailbreaking introduces security vulnerabilities by “…eliminating security layers designed to protect your personal information and your iOS device.

True. Jailbreaking is a process that is specifically designed to circumvent security layers designed to protect information on iOS devices. In fact, this is exactly why we need a jailbreak for tools such as Elcomsoft iOS Forensic Toolkit to operate. Without a jailbreak, we would not be able to access the file system, extract sandboxed app data or decrypt the keychain (including items secured with the highest protection class). Installing a jailbreak, on the other hand, allows us doing all of that – and more. Read the rest of this entry »

Tags: ,
Posted in Security, Tips & Tricks | Comments Off on Apple Warns Users against Jailbreaking iOS Devices: True or False?

Breaking Deeper Into iPhone Secrets
June 20th, 2018 by Vladimir Katalov

iPhone protection becomes tougher with each iteration. The passcode is extremely hard to break, and it’s just the first layer of defense. Even if the device is unlocked or if you know the passcode, it is not that easy and sometimes impossible to access all the data stored on the device. This includes, for example, conversations in Signal, one of the most secure messengers. Apple did a very good job as a privacy and security advocate.

This is why we brought our attention to cloud acquisition. We pioneered iCloud backup extraction several years ago, and we are working hard to acquire more data from the cloud: from the standard categories available at www.icloud.com (such as contacts, notes, calendars, photos and more) to hidden records as call logs, Apple Maps places and routes, third-party application data stored on iCloud drive (not accessible by any other means), iCloud keychain (the real gem!), and recently Messages (with iOS 11.4, they can be synced too).

Cloud acquisition is not as easy as it sounds. First, you need the user’s credentials – Apple ID and password at very least, and often the second authentication factor. Additionally, for some categories (such as the keychain and messages), you’ll also need the passcode of one of the ‘trusted’ devices. But even having all of those, you will still face the undocumented iCloud protocols, encryption (usually based on well-known standard algorithms, but sometimes with custom modifications), different data storage formats, code obfuscation and hundreds of other issues. We learned how to fool Two-Factor Authentication and extract and the authentication tokens from desktops. We are playing “cat and mouse” with Apple while they are trying to lock iCloud accounts when detecting that our software is being used to access the data. We have to monitor Apple’s changes and updates almost 24/7, installing every single beta version of iOS.

iCloud acquisition gives fantastic results. In most cases, you do not need the device itself (it may be lost or forgotten, or thousands miles away). You can obtain deleted data that is not stored on any physical device anymore. You can obtain tons of valuable evidence from all the devices connected to the account.

But as always, there are some “buts”. Sorry for the long intro, and let’s proceed to what we have done about iPhone physical acquisition.

Read the rest of this entry »

Tags: , , , ,
Posted in Did you know that...?, Elcom-News, Software, Tips & Tricks | Comments Off on Breaking Deeper Into iPhone Secrets

iOS Forensic Toolkit 4.0 with Physical Keychain Extraction
June 20th, 2018 by Oleg Afonin

We have just released an update to iOS Forensic Toolkit. This is not just a small update. EIFT 4.0 is a milestone, marking the departure from supporting a large number of obsolete devices to focusing on current iOS devices (the iPhone 5s and newer) with and without a jailbreak. Featuring straightforward acquisition workflow, iOS Forensic Toolkit can extract more information from supported devices than ever before.

Feature wise, we are adding iOS keychain extraction via a newly discovered Secure Enclave bypass. With this new release, you’ll be able to extract and decrypt all keychain records (even those secured with the highest protection class, ThisDeviceOnly) from 64-bit iOS devices. The small print? You’ll need a compatible jailbreak. No jailbreak? We have you covered with logical acquisition and another brand new feature: the ability to extract crash logs.

Read the rest of this entry »

Tags: , , , , ,
Posted in Elcom-News, Software | Comments Off on iOS Forensic Toolkit 4.0 with Physical Keychain Extraction

iOS 11.4.1 Second Beta Extends USB Restricted Mode with Manual Activation
June 14th, 2018 by Vladimir Katalov

Thinking Apple is done with USB Restricted Mode? Not yet. They have at least one more deus ex machina to shake up the forensic community.

More than a month ago, we made a report iOS 11.4 to Disable USB Port After 7 Days: What It Means for Mobile Forensics. The feature was not included into the final release of iOS 11.4, but returned in a much different shape in iOS 11.4.1 beta (iOS 11.4.1 Beta: USB Restricted Mode Has Arrived). The feature is also part of the first iOS 12 beta introduced a a few days later.

Finally, Apple has officially confirmed the existence of USB Restricted Mode, and the law enforcement community is not happy about it. (Cops Are Predictably Pissed About Apple’s Plan to Turn Off USB Data Access on iPhones). Some sources speculated about LE being able to break into the phones without the warrant.

If that was not enough, Apple added insult to injury. Do you remember the S.O.S. mode we described in New Security Measures in iOS 11 and Their Forensic Implications?

I’ve got good news for you. Or bad news, depending on who you are. In the second beta of 11.4.1 released just days ago, activating the SOS mode enables USB restrictions, too. This feature was not present in the first 11.4.1 beta (and it is not part of any other version of iOS including iOS 12 beta). In all other versions of iOS, the SOS mode just disables Touch/Face ID. The SOS feature in iOS 11.4.1 beta 2 makes your iPhone behave exactly like if you did not unlock it for more than an hour, effectively blocking all USB communications until you unlock the device (with a passcode, as Touch ID/Face ID would be also disabled).

Posted in Did you know that...?, Security | Comments Off on iOS 11.4.1 Second Beta Extends USB Restricted Mode with Manual Activation

How to Obtain iMessages from iCloud
June 14th, 2018 by Oleg Afonin

iOS 11.4 has finally brought a feature Apple promised almost a year ago: the iMessage sync via iCloud. This feature made its appearance in iOS 11 beta, but was stripped from the final release. It re-appeared and disappeared several times during the iOS 11 development cycle, and has finally made it into iOS 11.4. Let’s have a look at how iMessages are protected and how to download them from iCloud.

iMessages in iCloud

Even before iOS 11 Apple had Continuity (https://support.apple.com/en-us/HT204681), a convenient mechanism for accessing iMessages from multiple Apple devices registered with the same Apple ID. With Continuity, users can effectively send and receive iMessages on their Mac. Speaking of Mac computers, one could access iMessages by simply signing in to the same iCloud account in the Messages app. Without Continuity, one would only receive iMessages with no SMS; with Continuity, both iMessages and SMS messages would be delivered.

However, even with Continuity in place, iMessages were never stored in iCloud or synced with iCloud. Instead, the messages were only stored locally on enrolled devices. This led to a major problem, making it impossible for the user to keep iMessage conversations in sync between their iPhone, iPad and Mac devices. If the user deleted a message in the iPhone app, it would not be deleted on their Mac, and vice versa. Forensic experts knew about this, and made active use of this feature. Multiple cases are known where law enforcement experts were analyzing the user’s Mac in order to gain access to iMessages that were already wiped from their iPhone.

iCloud sync for iMessage introduced in iOS 11.4 takes care of this problem by changing the way iMessage sync is handled. Instead of using the flawed Continuity mechanism, iOS 11.4 now stores iMessages in iCloud. The messages are automatically synchronized across all enrolled devices on the user’s Apple ID. iCloud sync works similar to existing synchronizations such as iCloud Keychain, iCloud Photo Library or iCloud contacts. Read the rest of this entry »

Tags: , , , ,
Posted in Elcom-News, Software | Comments Off on How to Obtain iMessages from iCloud

iCloud and iMessage Security Concerns
June 14th, 2018 by Vladimir Katalov

We also trust these companies in ways that we do not understand yet. How many of you trust Apple? No voting… Just me 🙂 Damn! OK. May I ask you a very good question. Trusting to do what? Trusting when they say: “iMessages are end-to-end encrypted”? I mean, with all of that massive security engineering, to make sure it’s as good as it can be, so they genuinely believe they’ve done that. I do, generally, they’re great people. But… people believe themselves they can defend themselves against the Russians. If the Russians specifically targeted Apple, it’s only they can defend themselves.Ian Levy, director at the GCHQ on anniversary of the foundation of the FIPR event that was held on 29/04/2018).

This is probably just a co-incident, but “the Russians” are concerned about iCloud security, too.

Read the rest of this entry »

Tags: , , , , , , ,
Posted in Did you know that...?, Industry News, Security, Tips & Tricks | Comments Off on iCloud and iMessage Security Concerns

Protecting Your Data and Apple Account If They Know Your iPhone Passcode
June 12th, 2018 by Oleg Afonin

This publication is somewhat unusual. ElcomSoft does not need an introduction as a forensic vendor. We routinely publish information on how to break into the phone, gain access to information and extract as much evidence as theoretically possible using hacks (jailbreaks) or little known but legitimate workarounds. We teach and train forensic experts on how to extract and decrypt information, how to download information from iCloud with or without the password, how to bypass two-factor authentication and how their iPhone falls your complete victim if you know its passcode.

This time around we’ll be playing devil’s advocate. We’ll tell you how to defend your data and your Apple account if they have your iPhone and know your passcode.

iOS Devices Are Secure

We praised the iOS security model on multiple occasions. Speaking of the current pack of iOS versions (including iOS 11.4 release, 11.4.1 public beta and 12.0 first developer beta), we have full-disk encryption with decryption keys derived from the user’s passcode and protected by Secure Enclave. Thanks to the iOS keychain, we enjoy the additional layer of protection for our passwords and other sensitive information. If you protected your iPhone with a 6-digit passcode (which you really should, and which is the default since at least iOS 10), most of your information is securely encrypted until you first unlock your iPhone after it completes the boot sequence. Even if they take the memory chip off, they won’t get anything meaningful due to the encryption. Read the rest of this entry »

Tags: , , , , , ,
Posted in Did you know that...?, Security | Comments Off on Protecting Your Data and Apple Account If They Know Your iPhone Passcode

« Older Entries
Newer Entries »