Windows Hello: No TPM No Security

August 4th, 2022 by Oleg Afonin

While Windows 11 requires a Trusted Platform Module (TPM), older versions of Windows can do without while still using PIN-based Windows Hello sign-in. We prove that all-digit PINs are a serious security risk on systems without a TPM, and can be broken in a matter of minutes.

Read the rest of this entry »

Logical Acquisition: Not as Simple as It Sounds

June 23rd, 2022 by Vladimir Katalov

Speaking of mobile devices, especially Apple’s, “logical acquisition” is probably the most misused term. Are you sure you know what it is and how to properly use it, especially if you are working in mobile forensics? Let us shed some light on it.

Read the rest of this entry »

checkm8 Extraction: the iPads, iPods, and TVs

June 21st, 2022 by Oleg Afonin

The ninth beta of iOS Forensic Toolkit 8.0 for Mac introduces forensically sound, checkm8-based extraction of sixteen iPad, iPod Touch and Apple TV models. The low-level extraction solution is now available for all iPad and all iPod Touch models susceptible to the checkm8 exploit.

Read the rest of this entry »

Filling the Gaps: iOS 14 Full File System Extracted

June 9th, 2022 by Oleg Afonin

iOS Forensic Toolkit 7.40 brings gapless low-level extraction support for several iOS versions up to and including iOS 15.1 (15.1.1 on some devices), adding compatibility with previously unsupported versions of iOS 14.

Read the rest of this entry »

Live System Analysis: Extracting BitLocker Keys

May 20th, 2022 by Oleg Afonin

Live system analysis is the easiest and often the only way to access encrypted data stored on BitLocker-protected disks. In this article we’ll discuss the available options for extracting BitLocker keys from authenticated sessions during live system analysis.

Read the rest of this entry »

Breaking Passwords on Alder Lake CPUs

May 18th, 2022 by Oleg Afonin

In Alder Lake, Intel introduced hybrid architecture. Large, hyperthreading-enabled Performance cores are complemented with smaller, single-thread Efficiency cores. The host OS is responsible for assigning threads to one core or another. We discovered that Windows 10 scheduler is not doing a perfect job when it comes to password recovery, which requires a careful approach to thread scheduling.

Read the rest of this entry »

checkm8: Unlocking and Imaging the iPhone 4s

May 12th, 2022 by Elcomsoft R&D

The seventh beta of iOS Forensic Toolkit 8.0 for Mac introduces passcode unlock and forensically sound checkm8 extraction of iPhone 4s, iPad 2 and 3. The new solution employs a Raspberry Pi Pico board to apply the exploit. Learn how to configure and use the Pico microcontroller for extracting an iPhone 4s!

Read the rest of this entry »

Identifying the iPhone Model

May 5th, 2022 by Oleg Afonin

A pre-requisite to successful forensic analysis is accurate information about the device being investigated. Knowing the exact model number of the device helps identify the SoC used and the range of available iOS versions, which in turn pre-determines the available acquisition methods. Identifying the iPhone model may not be as obvious as it may seem. In this article, we’ll go through several methods for finding the iPhone model.

Read the rest of this entry »

Agent-Based Low-Level iOS File System Extraction

April 29th, 2022 by Oleg Afonin

While we continue working on the major update to iOS Forensic Toolkit with forensically sound checkm8 extraction, we keep updating the current release branch. iOS Forensic Toolkit 7.30 brings low-level file system extraction support for iOS 15.1, expanding the ability to perform full file system extraction on iOS devices ranging from the iPhone 8 through iPhone 13 Pro Max.

Read the rest of this entry »

iOS Low-Level Acquisition: How to Sideload the Extraction Agent

April 26th, 2022 by Oleg Afonin

Regular or disposable Apple IDs can now be used to extract data from compatible iOS devices if you have a Mac. The use of a non-developer Apple ID carries certain risks and restrictions. In particular, one must “verify” the extraction agent on the target iPhone, which requires an active Internet connection. Learn how to verify the extraction agent signed with a regular or disposable Apple ID without the risk of receiving an accidental remote lock or remote erase command.

Read the rest of this entry »

Preventing BitLocker Lockout and Recovering Access to Encrypted System Drive

April 19th, 2022 by Oleg Afonin

Encrypting a Windows system drive with BitLocker provides effective protection against unauthorized access, especially when paired with TPM. A hardware upgrade, firmware update or even a change in the computer’s UEFI BIOS may effectively lock you out, making your data inaccessible and the Windows system unbootable. How to prevent being locked out and how to restore access to the data if you are prompted to unlock the drive? Read along to find out.

Read the rest of this entry »