Posts Tagged ‘ECX’

We’ve just announced a major update to iOS Forensic Toolkit, now supporting the full range of devices that can be exploited with the unpatchable checkra1n jailbreak.  Why is the checkra1n jailbreak so important for the forensic community, and what new opportunities in acquiring Apple devices does it present to forensic experts? We’ll find out what types of data are available on both AFU (after first unlock) and BFU (before first unlock) devices, discuss the possibilities of acquiring locked iPhones, and provide instructions on installing the checkra1n jailbreak. (more…)

When it comes to mobile forensics, experts are analyzing the smartphone itself with possible access to cloud data. However, extending the search to the user’s desktop and laptop computers may (and possibly will) help accessing information stored both in the physical smartphone and in the cloud. In this article we’ll list all relevant artefacts that can shed light to smartphone data. The information applies to Apple iOS devices as well as smartphones running Google Android.

Mobile Artefacts on Desktops and Laptops

Due to the sheer capacity, computer storage may contain significantly more evidence than a smartphone. However, that would be a different kind of evidence compared to timestamped and geotagged usage data we’ve come to expect from modern smartphones.

How can the user’s PC or Mac help mobile forensic experts? There several types of evidence that can help us retrieve data from the phone or the cloud.

  1. iTunes backups. While this type of evidence is iPhone-specific (or, rather, Apple-specific), a local backup discovered on the user’s computer can become an invaluable source of evidence.
  2. Saved passwords. By instantly extracting passwords stored in the user’s Web browser (Chrome, Edge, IE or Safari), one can build a custom dictionary for breaking encryption. More importantly, one can use stored credentials for signing in to the user’s iCloud or Google Account and performing a cloud extraction.
  3. Email account. An email account can be used to reset a password to the user’s Apple or Google account (with subsequent cloud extraction using the new credentials).
  4. Authentication tokens. These can be used to access synchronized data in the user’s iCloud account (tokens must be used on the user’s computer; on macOS, transferable unrestricted tokens may be extracted). There are also tokens for Google Drive (can be used to access files in the user’s Google Drive account) and Google Account (can be used to extract a lot of data from the user’s Google Account). The computer itself is also an artefact as certain authentication tokens are “pinned” to a particular piece of hardware and cannot be transferred to another device. If the computer is a “trusted” device, it can be used for bypassing two-factor authentication.

(more…)

Google has started its journey on convincing people to move away from SMS-based verification, and start receiving push messages via the Google Prompt instead of using six-digit codes. Why does Google want us away from SMS, and why using Google Prompt instead? Let’s try to find out.

SMS Are Insecure, Aren’t They?

In late July 2016, the US National Institute of Standards and Technology’s (NIST) released an updated set of guidelines that deprecated SMS as a way to deliver two factor authentication because of their many insecurities. A year later, NIST took it back, no longer recommending to “deprecate” SMS usage. Are we, or are we not at risk if we choose to have our two-factor authentication delivered over the (arguably) insecure SMS channel?

(more…)

In each major Android update, Google improves security on the one hand, and moves a few more things to the cloud on the other. The recently finalized and finally released Android 8.0 Oreo adds one important thing to all devices running the newest build of Google’s OS: the ability to back up SMS text messages into the user’s Google Account.

If you follow our blog, you may recall we’ve already talked about the issue a few months ago. Back in April, we were excited to introduce a new feature to Elcomsoft Cloud Explorer, enabling cloud acquisition of text messages from Google Account. Back then, the feature was limited strictly to Google Pixel and Pixel XL devices running Android 7 Nougat.

The release of Android 8.0 Oreo has finally brought the feature to all devices regardless of make and model, allowing any device to back up and restore SMS text message via the user’s Google Account.

We updated Elcomsoft Cloud Explorer accordingly, enabling support for cloud-based SMS extraction for devices running Android 8. There aren’t many of those yet aside of Google Pixel and Pixel XL devices, but many users of Nexus 5x and 6p have already received the update. More devices will follow. Let’s have a look at how this new feature works. Before we begin, let us first clear the confusion that arises between Android data sync and data backups. (more…)

There are three major mobile operating systems, and three major cloud services. Most Android users are deep into the Google’s ecosystem. iCloud is an essential part of iOS, while cloud services provided by Microsoft under the OneDrive umbrella are used not only by the few Windows Phone and Windows 10 Mobile customers but by users of other mobile and desktop platforms.

In this article, we’ll try to figure out what types of data are available for extraction and forensic analysis in the three major cloud platforms: Apple iCloud, Google Account and Microsoft Account.

Acquisition Tools

For the purpose of this article, we will use ElcomSoft-developed cloud extraction tools.

(more…)

As you may know, we have recently updated Elcomsoft Cloud Explorer, bumping the version number from 1.30 to 1.31. A very minor update? A bunch of unnamed bug fixes and performance improvements? Not really. Under the hood, the new release has major changes that will greatly affect usage experience. What exactly has changed and why, and what are the forensic implications of these changes? Bear with us to find out.

(more…)

Even before we released Elcomsoft Cloud Explorer, you’ve been able to download users’ location data from Google. What you would get then was a JSON file containing timestamped geolocation coordinates. While this is an industry-standard open data format, it provides little insight on which places the user actually visits. A full JSON journal filled with location data hardly provides anything more than timestamped geographic coordinates. Even if you pin those coordinates to a map, you’ll still have to scrutinize the history to find out which place the user has actually gone to.

Google has changed that by introducing several mapping services running on top of location history. With its multi-million user base and an extremely comprehensive set of POI, Google can easily make educated guesses on which place the user has actually visited. Google knows (or makes a very good guess) when you eat or drink, stay at a hotel, go shopping or do other activities based on your exact location and the time you spent there. This extra information is also stored in your Google account – at least if you use an Android handset and have Location History turned on.

Elcomsoft Cloud Explorer 1.30 can now process Google’s enhanced location data, which means we can now correctly identify, extract and process user’s routes and display places they visited (based on Google’s POI). This significantly improves readability of location data, providing a list of places (such as restaurants, landmarks or shops) instead of plain numbers representing geolocation coordinates. In this article, we’ll figure out how to obtain that data and how to analyze it. (more…)

Google is pushing Android to make it a truly secure mobile OS. Mandatory encryption and secure boot make physical acquisition of new Android devices a dead end.

While securing physical devices against all types of attacks, Google continues moving stuff into the cloud. Interestingly, these activities no longer coincide with Android releases; Google can add cloud features later in the production cycle by updating Google Services on the user’s Android device. One such updated added the ability to sync call logs between Android devices by uploading data into the user’s Google Drive account. We researched the protocol and added the ability to extract synced call logs to Elcomsoft Cloud Explorer 1.20. This cloud acquisition could be the only way to extract call logs since all Android devices since Android 6.0 are shipped with full-disk encryption out of the box.

(more…)

In today’s thoroughly connected world, everyone shares at least some of their personal information with, well, strangers. Voluntarily or not, people using personal computers or mobile devices have some of their information transmitted to, processed, stored and used by multiple online service providers.

Took a selfie shot? Your face (and possibly your friends’ faces) will be marked, and the photo will be uploaded to one or another cloud storage provider on your behalf. Used your phone to look up a place to eat? Your search will be remembered and used later on to push you suggestions next time when you’re around. Emails and messages that you write, persons you communicate with, your comprehensive location history and all the photos you shoot (accompanied with appropriate geotags) are carefully collected, processed and stored. Web sites you visit along with logins and passwords, your complete browsing history and pretty much everything you do with your phone can and probably will be recorded and used on you to “enhance your experience”.

Some service providers collect more information than others. Google appears to be the absolute champion in this regard. Being a major service provider penetrating into every area of our lives, Google collects, stores and processes overwhelming amounts of data.

(more…)