Posts Tagged ‘Elcomsoft Cloud Explorer’

Cloud acquisition is one of the most common ways to obtain valuable evidence. When it comes to Google, the Google Account analysis may return significantly more data compared to the extraction of a physical Android device. However, there is one feature that is often overlooked: the ability to extract data stored in the user’s Google Account without the login and password. Let’s talk about Google authentication tokens and what they bring for the mobile forensics.

We have updated Elcomsoft Cloud Explorer, our Google Account extraction tool, with Google Dashboard support. The Google Dashboard service is little known among computer forensic specialists since Dashboard data cannot be downloaded from Google or obtained by serving a legal request. Yet, Dashboard aggregates massive amounts of data collected and stored in the user’s Google Account, offering an essential overview of the user’s activities. In this article, we’ll demonstrate how to obtain Dashboard data directly from the user’s Google account.

Geolocation data can provide a wealth of evidence to various government agencies. Law enforcement agencies use location data to help place suspects near a crime scene in a given time frame. However, the use of location is not limited to criminal or civil investigations. Emergency response services use geolocation to locate persons, taxi and delivery services use location to improve service. There are many more examples where location evidence is vital. Recently, governments have started using (or are considering using) geolocation data to help identify and isolate infected citizens. Where does the location evidence come from and how one can extract it?

We have updated Elcomsoft Cloud Explorer, our Google Account extraction tool, with Google Fit support. Google Fit is a relatively little known Google service aimed at tracking the user’s health and physical activities. In line with pretty much every other Google service, Google Fit synchronizes massive amounts of data with the user’s Google Account, storing activity-related information collected by all of the user’s devices in a single place. When extracting these data, we discovered massive amounts of location points stored alongside with information related to the user’s physical activities. Learn what is stored in Google Fit and how to extract it from the cloud!

We’ve just announced a major update to iOS Forensic Toolkit, now supporting the full range of devices that can be exploited with the unpatchable checkra1n jailbreak.  Why is the checkra1n jailbreak so important for the forensic community, and what new opportunities in acquiring Apple devices does it present to forensic experts? We’ll find out what types of data are available on both AFU (after first unlock) and BFU (before first unlock) devices, discuss the possibilities of acquiring locked iPhones, and provide instructions on installing the checkra1n jailbreak. (more…)

When it comes to mobile forensics, experts are analyzing the smartphone itself with possible access to cloud data. However, extending the search to the user’s desktop and laptop computers may (and possibly will) help accessing information stored both in the physical smartphone and in the cloud. In this article we’ll list all relevant artefacts that can shed light to smartphone data. The information applies to Apple iOS devices as well as smartphones running Google Android.

Cloud acquisition is arguably the future of mobile forensics. Even today, cloud services by Apple and Google often contain more information than any single device – mostly due to the fact that cloud data is collected from multiple sources.

Google has started its journey on convincing people to move away from SMS-based verification, and start receiving push messages via the Google Prompt instead of using six-digit codes. Why does Google want us away from SMS, and why using Google Prompt instead? Let’s try to find out.

As you may know, we have recently updated Elcomsoft Cloud Explorer, bumping the version number from 1.30 to 1.31. A very minor update? A bunch of unnamed bug fixes and performance improvements? Not really. Under the hood, the new release has major changes that will greatly affect usage experience. What exactly has changed and why, and what are the forensic implications of these changes? Bear with us to find out.

Even before we released Elcomsoft Cloud Explorer, you’ve been able to download users’ location data from Google. What you would get then was a JSON file containing timestamped geolocation coordinates. While this is an industry-standard open data format, it provides little insight on which places the user actually visits. A full JSON journal filled with location data hardly provides anything more than timestamped geographic coordinates. Even if you pin those coordinates to a map, you’ll still have to scrutinize the history to find out which place the user has actually gone to.