Posts Tagged ‘ECX’

We have updated Elcomsoft Cloud Explorer, our Google Account extraction tool, with Google Fit support. Google Fit is a relatively little known Google service aimed at tracking the user’s health and physical activities. In line with pretty much every other Google service, Google Fit synchronizes massive amounts of data with the user’s Google Account, storing activity-related information collected by all of the user’s devices in a single place. When extracting these data, we discovered massive amounts of location points stored alongside with information related to the user’s physical activities. Learn what is stored in Google Fit and how to extract it from the cloud!

What’s it all about

Google Fit extraction is about the massive amounts of data related to the user’s health and physical activities stored in the Google’s cloud. The detailed, high-frequency location data collected by Google’s fitness app accompanied with information about the user’s physical condition can be truly invaluable during an investigation.

Google Fit is not the only type of information collected by Google. The search giant collects massive amounts of information. The types of data range from many years worth of the user’s location history to all of the user’s password saved in the Chrome browser or used with Android apps. Google Photos, Gmail, contacts and calendars, search requests and Web history, voice snippets, call logs and text messages and a lot more can make for some invaluable evidence. While Google readily returns most of that data when serving legal requests, Elcomsoft Cloud Explorer offers a much easier and near-instant extraction solution that requires far less paperwork. Considering the number of fully encrypted Android smartphones that may or may not be physically unlocked, Elcomsoft Cloud Explorer becomes truly irreplaceable, discovering more evidence than ever by revealing the hidden data one would never imagine existed, browsing deep inside into the user’s online activities going many years back. Elcomsoft Cloud Explorer does what Google itself does not do, offering a single point for downloading, discovering and analyzing evidence collected by Google.

How Google Fit collects information

Google Fit is both an app and a service. The Google Fit app is available for Android and iOS platforms; it can be used on both Android phones and Apple iPhones. The Google Fit service processes and stores information collected from all supported devices where it’s installed in the user’s Google Account.

While many users associate Google Fit with WearOS smartwatches, in reality the app does not require a smartwatch or a fitness tracker. A connected activity tracking device can provide information such as the number of steps walked, the number of stairs climbed, the user’s hear rate or periodic location points obtained from the tracker’s GPS sensor. When used without a compatible fitness tracker, the Google Fit app can source activity data from a smart combination of the phone’s built-in low-energy sensors, frequently obtained location points and a lot of artificial intelligence.

Google Fit data extracted from the user’s Google Account returns massive amounts of precise location points, allowing to pinpoint the user’s location with ultimate precision and granularity. Access to comprehensive location history and other critical real-time evidence can be vital for investigating crime.

Obtaining Google Account credentials

In order to sign in to the user’s Google Account, one requires the full set of Google credentials. The login and password can be often extracted from the user’s computer (with Elcomsoft Internet Password Breaker), from the cloud (with Elcomsoft Phone Breaker) or iOS keychain (with Elcomsoft iOS Forensic Toolkit).

In addition, some data from the Google Account (Google Fit being a notable exception) can be accessed with a token. The token is literally a cookie in Chrome, and can be extracted from the user’s computer. Elcomsoft Cloud Explorer includes a utility that automatically locates and extracts the authentication token from the Chrome browser installed on the user’s Mac or Windows PC. Using the extracted token, Elcomsoft Cloud Explorer authenticates into the user’s Google Account and displays the list of categories available for extraction.

Accessing Google Fit data

In order to extract Google Fit data from the user’s Google Account, you will need Elcomsoft Cloud Explorer 2.30 or newer.

  1. Launch Elcomsoft Cloud Explorer and create a new snapshot. Authenticate with the user’s login and password (Google Account). If required, pass two-factor authentication.
  2. Select the “Google Fit” check box.
  3. The data will be downloaded in several seconds to several minutes.
  4. After the processing, you can access Google Fit data from the main window.

Analyzing Google Fit data

You will be able to sort or group activities. The “Sessions” tab displays activity sessions detected by the Google Fit app. Activity sessions may include sleeping, walking, jogging and other types of activities.

Note that the sessions are detected automatically by the various apps and devices. Have a look at the “Package name” tab to discover which package has detected which session.

“Steps” can be either raw data from the connected smartwatch or fitness tracker, or information generated by the Google Fit app based on a combination of the smartphone’s step counter, the user’s height, and a lot of location data. If no external smartwatch or activity tracker is connected, the Google Fit app uses artificial intelligence to calculate the number of steps based on the abovementioned data. The app only polls the smartphone’s built-in step sensor at large intervals, relying more on location data than on the step counter.

Walking and running activities are automatically detected by the app based on the user’s heart rate, step count and location data.

One of the most interesting reports is “Locations”. By design, Google Fit collects massive amounts or location data. The test account reports 13,788 location points in 9 month. Considering that our test device was used on few rare occasions, the number of location reports is truly excessive. Clicking on a location point opens Google Maps.

Conclusion

Google Fit data may contain detailed information about the user’s location and physical conditions including the number of steps, types of activity, heart rate, elevation, and a lot more. Additional information provided by compatible health tracking devices may include blood pressure, elevation, precise step count, and additional location data collected from the GPS sensor built into the smartwatch or tracker. Analyzing the massive amounts of Google Fit data can become invaluable help when searching for evidence and investigating crime. The detailed, high-frequency location data collected by Google’s fitness app accompanied with information about the user’s physical condition can shed light on the user’s activities in a given timeframe.

We’ve just announced a major update to iOS Forensic Toolkit, now supporting the full range of devices that can be exploited with the unpatchable checkra1n jailbreak.  Why is the checkra1n jailbreak so important for the forensic community, and what new opportunities in acquiring Apple devices does it present to forensic experts? We’ll find out what types of data are available on both AFU (after first unlock) and BFU (before first unlock) devices, discuss the possibilities of acquiring locked iPhones, and provide instructions on installing the checkra1n jailbreak. (more…)

When it comes to mobile forensics, experts are analyzing the smartphone itself with possible access to cloud data. However, extending the search to the user’s desktop and laptop computers may (and possibly will) help accessing information stored both in the physical smartphone and in the cloud. In this article we’ll list all relevant artefacts that can shed light to smartphone data. The information applies to Apple iOS devices as well as smartphones running Google Android.

Mobile Artefacts on Desktops and Laptops

Due to the sheer capacity, computer storage may contain significantly more evidence than a smartphone. However, that would be a different kind of evidence compared to timestamped and geotagged usage data we’ve come to expect from modern smartphones.

How can the user’s PC or Mac help mobile forensic experts? There several types of evidence that can help us retrieve data from the phone or the cloud.

  1. iTunes backups. While this type of evidence is iPhone-specific (or, rather, Apple-specific), a local backup discovered on the user’s computer can become an invaluable source of evidence.
  2. Saved passwords. By instantly extracting passwords stored in the user’s Web browser (Chrome, Edge, IE or Safari), one can build a custom dictionary for breaking encryption. More importantly, one can use stored credentials for signing in to the user’s iCloud or Google Account and performing a cloud extraction.
  3. Email account. An email account can be used to reset a password to the user’s Apple or Google account (with subsequent cloud extraction using the new credentials).
  4. Authentication tokens. These can be used to access synchronized data in the user’s iCloud account (tokens must be used on the user’s computer; on macOS, transferable unrestricted tokens may be extracted). There are also tokens for Google Drive (can be used to access files in the user’s Google Drive account) and Google Account (can be used to extract a lot of data from the user’s Google Account). The computer itself is also an artefact as certain authentication tokens are “pinned” to a particular piece of hardware and cannot be transferred to another device. If the computer is a “trusted” device, it can be used for bypassing two-factor authentication.

(more…)

Google has started its journey on convincing people to move away from SMS-based verification, and start receiving push messages via the Google Prompt instead of using six-digit codes. Why does Google want us away from SMS, and why using Google Prompt instead? Let’s try to find out.

SMS Are Insecure, Aren’t They?

In late July 2016, the US National Institute of Standards and Technology’s (NIST) released an updated set of guidelines that deprecated SMS as a way to deliver two factor authentication because of their many insecurities. A year later, NIST took it back, no longer recommending to “deprecate” SMS usage. Are we, or are we not at risk if we choose to have our two-factor authentication delivered over the (arguably) insecure SMS channel?

(more…)

In each major Android update, Google improves security on the one hand, and moves a few more things to the cloud on the other. The recently finalized and finally released Android 8.0 Oreo adds one important thing to all devices running the newest build of Google’s OS: the ability to back up SMS text messages into the user’s Google Account.

If you follow our blog, you may recall we’ve already talked about the issue a few months ago. Back in April, we were excited to introduce a new feature to Elcomsoft Cloud Explorer, enabling cloud acquisition of text messages from Google Account. Back then, the feature was limited strictly to Google Pixel and Pixel XL devices running Android 7 Nougat.

The release of Android 8.0 Oreo has finally brought the feature to all devices regardless of make and model, allowing any device to back up and restore SMS text message via the user’s Google Account.

We updated Elcomsoft Cloud Explorer accordingly, enabling support for cloud-based SMS extraction for devices running Android 8. There aren’t many of those yet aside of Google Pixel and Pixel XL devices, but many users of Nexus 5x and 6p have already received the update. More devices will follow. Let’s have a look at how this new feature works. Before we begin, let us first clear the confusion that arises between Android data sync and data backups. (more…)

There are three major mobile operating systems, and three major cloud services. Most Android users are deep into the Google’s ecosystem. iCloud is an essential part of iOS, while cloud services provided by Microsoft under the OneDrive umbrella are used not only by the few Windows Phone and Windows 10 Mobile customers but by users of other mobile and desktop platforms.

In this article, we’ll try to figure out what types of data are available for extraction and forensic analysis in the three major cloud platforms: Apple iCloud, Google Account and Microsoft Account.

Acquisition Tools

For the purpose of this article, we will use ElcomSoft-developed cloud extraction tools.

(more…)

As you may know, we have recently updated Elcomsoft Cloud Explorer, bumping the version number from 1.30 to 1.31. A very minor update? A bunch of unnamed bug fixes and performance improvements? Not really. Under the hood, the new release has major changes that will greatly affect usage experience. What exactly has changed and why, and what are the forensic implications of these changes? Bear with us to find out.

(more…)

Even before we released Elcomsoft Cloud Explorer, you’ve been able to download users’ location data from Google. What you would get then was a JSON file containing timestamped geolocation coordinates. While this is an industry-standard open data format, it provides little insight on which places the user actually visits. A full JSON journal filled with location data hardly provides anything more than timestamped geographic coordinates. Even if you pin those coordinates to a map, you’ll still have to scrutinize the history to find out which place the user has actually gone to.

Google has changed that by introducing several mapping services running on top of location history. With its multi-million user base and an extremely comprehensive set of POI, Google can easily make educated guesses on which place the user has actually visited. Google knows (or makes a very good guess) when you eat or drink, stay at a hotel, go shopping or do other activities based on your exact location and the time you spent there. This extra information is also stored in your Google account – at least if you use an Android handset and have Location History turned on.

Elcomsoft Cloud Explorer 1.30 can now process Google’s enhanced location data, which means we can now correctly identify, extract and process user’s routes and display places they visited (based on Google’s POI). This significantly improves readability of location data, providing a list of places (such as restaurants, landmarks or shops) instead of plain numbers representing geolocation coordinates. In this article, we’ll figure out how to obtain that data and how to analyze it. (more…)

Google is pushing Android to make it a truly secure mobile OS. Mandatory encryption and secure boot make physical acquisition of new Android devices a dead end.

While securing physical devices against all types of attacks, Google continues moving stuff into the cloud. Interestingly, these activities no longer coincide with Android releases; Google can add cloud features later in the production cycle by updating Google Services on the user’s Android device. One such updated added the ability to sync call logs between Android devices by uploading data into the user’s Google Drive account. We researched the protocol and added the ability to extract synced call logs to Elcomsoft Cloud Explorer 1.20. This cloud acquisition could be the only way to extract call logs since all Android devices since Android 6.0 are shipped with full-disk encryption out of the box.

(more…)

In today’s thoroughly connected world, everyone shares at least some of their personal information with, well, strangers. Voluntarily or not, people using personal computers or mobile devices have some of their information transmitted to, processed, stored and used by multiple online service providers.

Took a selfie shot? Your face (and possibly your friends’ faces) will be marked, and the photo will be uploaded to one or another cloud storage provider on your behalf. Used your phone to look up a place to eat? Your search will be remembered and used later on to push you suggestions next time when you’re around. Emails and messages that you write, persons you communicate with, your comprehensive location history and all the photos you shoot (accompanied with appropriate geotags) are carefully collected, processed and stored. Web sites you visit along with logins and passwords, your complete browsing history and pretty much everything you do with your phone can and probably will be recorded and used on you to “enhance your experience”.

Some service providers collect more information than others. Google appears to be the absolute champion in this regard. Being a major service provider penetrating into every area of our lives, Google collects, stores and processes overwhelming amounts of data.

(more…)