Posts Tagged ‘Elcomsoft iOS Forensic Toolkit’

Elcomsoft Phone Breaker 8, New Apple Devices and iOS 11

Thursday, September 14th, 2017

With all attention now being on new iPhone devices, it is easy to forget about the new version of iOS. While new iPhone models were mostly secret until announcement, everyone could test iOS 11 for months before the official release.

Out previous article touches the issue of iOS 11 forensic implications. In this article we’ll cover what you can and what you cannot do with an iOS 11 device as a forensic expert. We’ll talk about which acquisition methods still works and which don’t, what you can and cannot extract compared to iOS 10, and what you need to know in order to make the job don’t.

(more…)

iOS 11: jailbreaking, backups, keychain, iCloud – what’s the deal?

Thursday, September 14th, 2017

iOS 11 is finally here. We already covered some of the issues related to iOS 11 forensics, but that was only part of the story.

Should we expect a jailbreak? Is there still hope for physical acquisition? If not, is logical acquisition affected? Are there any notable changes in iCloud? What would be easier to do: logical or iCloud acquisition, and what are the prerequisites for either method? What do you begin with? How to make sure the suspect does not alter their iCloud storage or wipe their device in the process? Can we actually get more information from the cloud than from the device itself, even with physical, and why?

Spoiler: the short answer to the last question is “yes”. The long answer is a bit complicated. Keep reading.

(more…)

iOS 10 Physical Acquisition with Yalu Jailbreak

Monday, January 30th, 2017

Just a few days ago we updated iOS Forensic Toolkit with iOS 10 support. At that time, no jailbreak was available for iOS 10.2. As a consequence, physical acquisition was impossible.

A working jailbreak materialized much sooner than we could’ve hoped. Luca Todesco released a working Yalu102 jailbreak, allowing enthusiasts to mod their devices and enabling forensic experts perform physical acquisition of select iOS devices.

(more…)

How Can I Break Into a Locked iOS 10 iPhone?

Thursday, January 26th, 2017

Each iteration of iOS is getting more secure. With no jailbreak available for the current version of iOS, what acquisition methods are available for the iPhone 7, 7 Plus and other devices updating to iOS 10? How does the recent update of Elcomsoft iOS Forensic Toolkit help extracting a locked iOS 10 iPhone? Read along to find out!

iOS 10: The Most Secure iOS

When iOS 8 was released, we told you that physical acquisition is dead. Then hackers developed a jailbreak, and we came up with an imaging solution. Then it was iOS 9 that nobody could break for a while. The same thing happened: it was jailbroken, and we made a physical acquisition tool for it. Now it’s time for iOS 10.2 and no jailbreak (again). While eventually it might get a jailbreak, in the meanwhile there is no physical acquisition tool for iOS 10 devices. Considering that iPhone 7 and 7 Plus were released with iOS 10 onboard, your acquisition options for these devices are somewhat limited.

Plan “B”

With no jailbreak available for iOS 10, what are your options? If you have the latest Elcomsoft iOS Forensic Toolkit, use “plan B” instead!

(more…)

iOS Logical Acquisition: The Last Hope For Passcode-Locked Devices?

Thursday, August 11th, 2016

For many months, a working jailbreak was not available for current versions of iOS. In the end of July, Pangu released public jailbreak for iOS 9.2-9.3.3. A few days ago, Apple patched the exploit and started seeding iOS 9.3.4. This was the shortest-living jailbreak in history.

With iOS getting more secure with each generation, the chance of successfully jailbreaking a device running a recent version of iOS are becoming slim. While this may not be the end of all for mobile forensic experts, we felt we need to address the issue in our physical acquisition toolkit.

(more…)

Dealing with a Locked iPhone

Friday, April 15th, 2016

So you’ve got an iPhone, and it’s locked, and you don’t know the passcode. This situation is so common, and the market has so many solutions and “solutions” that we felt a short walkthrough is necessary.

What exactly can be done to the device depends on the following factors:

Hardware Generation

iphone2

From the point of view of mobile forensics, there are three distinct generations:

  1. iPhone 4 and older (acquisition is trivial)
  2. iPhone 4S, 5 and 5C (32-bit devices, no Secure Enclave, jailbreak required, must be able to unlock the device)
  3. iPhone 5S, 6/6S, 6/6S Plus and newer (64-bit devices, Secure Enclave, jailbreak required, passcode must be known and removed in Settings)

(more…)

Physical Acquisition for 64-bit Devices, iOS 9 Support

Wednesday, November 18th, 2015

Big news! iOS Forensic Toolkit receives its first major update. And it’s a big one. Not only does version 2.0 bring support for iOS 9 handys. We also expanded acquisition support for jailbroken devices, enabling limited data extraction from jailbroken devices locked with an unknown passcode.

Last but not least. For the first time ever, we’ve added physical acquisition support for 64-bit devices! We’ve done what was long considered to be impossible. Intrigued? Read along to find out! Can’t wait to see what can be done to 64-bit iDevices? Skip right to that section!

New in EIFT 2.0

  • iOS 9: Full physical acquisition support of jailbroken 32-bit devices running iOS 9
  • 64-bit: Physical acquisition for jailbroken 64-bit devices running any version of iOS
  • Locked: Limited acquisition support for jailbroken 32-bit and 64-bit iOS devices that are locked with an unknown passcode and cannot be unlocked

It’s probably a bit too much for a modest one-digit version bump… we should’ve named this version 3.0! (more…)

Extracting Data from Locked iPhones

Friday, November 13th, 2015

With hardware-backed full-disk encryption and additional protection of sensitive user data located in the keychain, Apple iOS is the most secure mobile operating system out there. Acquisition approaches that are traditional for Android and Windows Phone devices (namely, JTAG, ISP and chip-off) are completely meaningless for iOS devices running even years-old generations of the system. Bypassing screen lock password (passcode) has also been long considered to be useless due to the fact user data stored in the keychain is additionally encrypted with a secure key based on the passcode.

While we can’t do much with the former, our recent research shows that the latter is not entirely true. Bypassing the passcode does reveal quite a bit of information that can be useful for an investigation. And this is not just a theoretical research. We are building this functionality into a ready-to-use commercial tool, iOS Forensic Toolkit, to allow extracting data from locked iDevices – providing they have a jailbreak installed. The tool will allow pull available information from devices locked with an unknown passcode. That includes devices that were powered on (or rebooted) and never unlocked. Naturally, a pre-installed jailbreak is required in order to access the data.

(more…)

Supporting Apple iCloud Drive and Decrypting Keychains from iCloud

Thursday, March 12th, 2015

As you may already know from our official announcement, we’ve recently updated Elcomsoft Phone Breaker to support Apple accounts upgraded to iCloud Drive and decrypting keychains from iCloud. Considering that one can access files stored in iCloud Drive without any third-party tools, is the update really worth the buzz? Read along to find out!

Before getting to the updated technology, let’s have a look at what Apple iCloud Drive is, and how it’s different from “classic” iCloud. (more…)

Meet all new Learning iOS Forensics practical guide

Wednesday, March 11th, 2015

Learning iOS Forensics

Nowadays, computer data is everywhere around and it’s growing at amazing speeds from hour to hour. It’s really fast, easy and convenient to stay active online day and night. No matter how easy it may be for the user, for computer crime investigators, on the contrary, it is the toughest challenge to collect and decrypt digital evidence. Even more important for them is to be able to evaluate a particular situation and understand what exactly they can collect, where it may be stored, how quickly and effectively they can get hands on it leaving the data intact and authentic in order to keep it still useful and trustworthy in court.

The crime scene has also moved or better to say spread from computers to mobile devices that can not only “carry” but also produce, process and transfer valuable information among other mobile devices or even into the cloud. This introduces another big challenge, which is tracing a connection between various electronic devices, collecting necessary information from them and gathering evidence into one case.

A successful completion of the investigation requires a well thought-out and structured incident response scenario and a whole arsenal of tools, techniques and methods at hand that could be implemented quickly and effectively.

In the book by Mattia Epifani and Pasquale Stirparo you will find answers and guidelines to most of your questions in the field of mobile forensics in a very consistent and explicit manner. It also collects and exemplifies all useful tools on the market, including our key mobile forensics instruments Elcomsoft iOS Forensic Toolkit, Elcomsoft Phone Breaker and Elcomsoft Phone Viewer. We highly recommend Learning iOS Forensics guide with heavy emphasis on its practical side.