It’s Hashed, Not Encrypted

September 9th, 2020 by Oleg Afonin

How many times have you seen the phrase: “Your password is securely encrypted”? More often than not, taking it at face value makes little sense. Encryption means the data (such as the password) can be decrypted if you have the right key. Most passwords, however, cannot be decrypted since they weren’t encrypted in the first place. Instead, one might be able to recover them by running a lengthy attack. Let’s talk about the differences between encryption and hashing and discuss why some passwords are so much tougher to break.

Unlocking BitLocker Volumes by Booting from a USB Drive

June 30th, 2020 by Oleg Afonin

BitLocker is Windows’ default solution for encrypting disk volumes. A large number of organizations protect startup disks with BitLocker encryption. While adding the necessary layer of security, BitLocker also has the potential of locking administrative access to the encrypted volumes if the original Windows logon password is lost. We are offering a straightforward solution for reinstating access to BitLocker-protected Windows systems with the help of a bootable USB drive.

The Mysterious Apple DCSD Cable Demystified

June 19th, 2020 by James Duffy

A lot of people have asked me over the past couple of months – “What’s that cable on your desk, James?”. Today I’ll tell you all about it. Every accessory that connects to your iPhone via Lightning is ‘flashed’ with an Accessory ID. The Accessory ID essentially identifies the device connected to the iPhone as a specific type. For example, a Lightning-To-Ethernet adapter will identify itself with its assigned Accessory ID so the iPhone knows how to treat the device and interact with it. It’s sort of like directing the iPhone to use a specific driver to interact with said device.

iOS, watchOS and tvOS Acquisition Methods Compared: Compatibility Notes

June 18th, 2020 by Vladimir Katalov

How can you obtain the highest amount of data from an iPhone, iPad, Apple TV or Apple Watch? This is not as simple as it may seem. Multiple overlapping extraction methods exist, and some of them are limited to specific versions of the OS. Let’s go through them and summarize their availability and benefits.

iOS Extraction Without a Jailbreak: Full iOS 10 Support

June 16th, 2020 by Oleg Afonin

Originally released in September 2016, iOS 10 was regularly updated for most devices until July 2017. The 64-bit iPhones capable of running iOS 10 range from the iPhone 5s to iPhone 7 and 7 Plus. While one is hardly likely to encounter an iOS 10 device in the wild, forensic labs still process devices running the older version of the OS. In this update, we’ve brought support for jailbreak-free extraction back to the roots, adding support for the oldest version of iOS capable of running on the iPhone 7 generation of devices. Let’s see what it takes to extract an older iPhone without a jailbreak. In addition, we have expanded support for the Apple TV devices, now offering keychain decryption in addition to file system extraction for both Apple TV 4 (Apple TV HD) and Apple TV 4K running tvOS 13.4 through 13.4.5.

Jailbreaking Apple TV 4K

June 12th, 2020 by Vladimir Katalov

Is jailbreaking an Apple TV worth it? If you are working in forensics, it definitely is. When connected to the user’s Apple account with full iCloud access, the Apple TV synchronizes a lot of data. That data may contain important evidence, and sometimes may even help access other iCloud data. I have some great news for the forensic crowd: the Apple TV does not have a passcode. And some bad news: jailbreaking is not as easy and straightforward as we’d like it to be. Let’s have a look at what can be done.

iCloud Extraction Streamlined

June 11th, 2020 by Vladimir Katalov

Apple iCloud contains massive amounts of data, which may become highly valuable evidence. The oldest and most frequently mentioned are iCloud backups, which ElcomSoft were the first to extract back in 2012. A lot has changed since then. Today, iCloud backups account for a very minor part of the evidence available in iCloud. Learn what types of data are stored in iCloud, how Apple protects the data with end-to-end encryption, and how to access that valuable evidence with the updated Elcomsoft Phone Breaker.

iCloud Backups, Synced Data and End-to-End Encryption

June 10th, 2020 by Oleg Afonin

Since iOS 5, Apple allows users to back up their phones and tablets automatically into their iCloud account. Initially, iCloud backups were similar in content to local (iTunes) backups without the password. However, the introduction of iCloud sync has changed the rules of the game. With more types of data synchronized through iCloud as opposed to being backed up, the content of iCloud backups gets slimmed down as synchronized information is excluded from cloud backups (but still present in local backups).

Demystifying iOS Data Security

June 10th, 2020 by James Duffy

It’s an honor to be given the opportunity to post on the ElcomSoft Blog, and I’d like to thank the ElcomSoft team for supporting my research. Recently I’ve been sent over a few questions from members of the community, such as “Why can’t we decrypt the data from a disabled iPhone over SSH if we know the passcode?” and “I tried to SCP a file from the device to the Mac, but getting permission errors”. Today I’m going to answer these questions in a Q&A format for you all so hopefully we can shed some light on how this works! The article is aimed to be accessible for everybody, including beginners and non-technical users. Without further ado…

Apple Two-Factor Authentication: SMS vs. Trusted Devices

June 8th, 2020 by Oleg Afonin

Multi-factor authentication is the new reality. A password alone is no longer considered sufficient. Phishing attacks, frequent leaks of password databases and the ubiquitous issue of reusing passwords make password protection unsafe. Adding “something that you have” to “something that you know” improves the security considerably, having the potential of cutting a chain attack early even in worst case scenarios. However, not all types of two-factor authentication are equally secure. Let’s talk about the most commonly used type of two-factor authentication: the one based on text messages (SMS) delivered to a trusted phone number.

Researching Confide Messenger Encryption

June 8th, 2020 by Ivan Ponurovskiy

iPhone users have access to literally hundreds of instant messaging apps. These apps range all the way from the built-in iMessage app to the highly secure Signal messenger, with all stops in between. Many of the messaging apps are marketed as ‘secure’ or ‘protected’ messengers, touting end-to-end encryption and zero retention policies. We routinely verify such claims by analyzing the security of various instant messaging apps. It turned out that the degree of protection can vary greatly, having little to do with the developers’ claims. Today we’ll check out Confide, a tool advertising an unprecedented level of security.
