ElcomSoft blog

«…Everything you wanted to know about password recovery, data decryption,
mobile & cloud forensics…»

Posts Tagged ‘Elcomsoft Phone Viewer’

The iOS File System: TAR and Aggregated Locations Analysis

Thursday, June 7th, 2018

Finally, TAR support is there! Using Elcomsoft iOS Forensic Toolkit to pull TAR images out of jailbroken iOS devices? You’ll no longer be left on your own with the resulting TAR file! Elcomsoft Phone Viewer 3.70 can now open the TAR images obtained with Elcomsoft iOS Forensic Toolkit or GrayKey and help you analyse evidence in that file. In addition, we added an aggregated view for location data extracted from multiple sources – such as the system logs or geotags found in media files.

What Are These TAR Files Anyway?

While TAR is just an uncompressed file archive used in UNIX-based operating systems, this speaks little of its importance for the mobile forensic specialist.

Since the introduction of the iPhone 5s, Apple’s first 64-bit iPhone, physical acquisition has never been the same. For all iPhone and iPad devices equipped with Apple’s 64-bit processors, physical acquisition is exclusively available via file system extraction because of full-disk encryption. Even with a jailbreak, you must run the tarball command on the device itself in order to bypass the encryption. Since the file system image is captured and packed by iOS, you’ll get exactly the same TAR file regardless of the tool performing physical acquisition. Whether you use iOS Forensic Toolkit or GrayKey, you’ll receive exactly the same TAR archive containing an image of the device’s file system. (more…)

Apple iCloud Keeps More Real-Time Data Than You Can Imagine

Thursday, February 8th, 2018

Apple has a wonderfully integrated ecosystem. Apple computers, tablets and phones conveniently synchronize information such as passwords, Web browsing history, contacts and call logs across all of the user’s devices. This synchronization mechanism uses iCloud to sync and store information. The syncing mechanism works independently from iOS system backups that are also stored in iCloud (or iCloud Drive). As opposed to daily iCloud backups, synchronized data is updated and propagated across devices in almost real time. Extracting this information can be invaluable for investigations as it provides access to the most up to date information about the user, their activities and whereabouts.

What exactly is synced through iCloud? The screen shot above lists all options available in iOS 11. As you can see, the following types of data are (or can be) synced across Apple devices:

  • Photos (iCloud Photo Library)
  • Mail (iCloud mail only)
  • Contacts, Calendars and Reminders
  • Safari (browsing history, bookmarks and tabs open on other devices)
  • Game Center (profiles, achievements and game progress)
  • Siri (requests, settings)
  • Keychain (iCloud Keychain stores passwords and forms from Safari, iOS system, Apple and some third-party apps, but not Google Chrome)
  • iCloud backups (up to last 3 copies per device, created daily while charging)
  • iBooks, Pages, Numbers and Keynote (e-books, PDF files, documents)
  • Maps (user’s search history, routes and places)
  • Wallet
  • Wi-Fi

(more…)

Meet iOS 11.3: Apple to Make It Harder for Law Enforcement to Extract iPhone Data

Thursday, January 25th, 2018

Forget battery issues. Yes, Apple issued an apology for slowing down the iPhone and promised to add better battery management in future versions of iOS, but that’s not the point in iOS 11.3. Neither are ARKit improvements or AirPlay 2 support. There is something much more important, and it is gong to affect everyone.

Apple iOS is (and always was) the most secure mobile OS. FBI forensic expert called Apple “evil genius” because of that. Full disk encryption (since iOS 4), very reliable factory reset protection, Secure Enclave, convenient two-factor authentication are just a few things to mention. Starting with iOS 8, Apple itself cannot break into the locked iPhone. While in theory they are technically capable of creating (and signing, as they hold the keys) a special firmware image to boot the device, its encryption is not based on a hardware-specific key alone (as was the case for iOS 7 and older, and still the case for most Androids). Instead, the encryption key is also based on the user’s passcode, which is now 6 digits by default. Cracking of the passcode is not possible at all, thanks to Secure Enclave. Still, in come cases, Apple may help law enforcement personnel, and they at least provide some trainings to FBI and local police.

(more…)

iOS 11 Horror Story: the Rise and Fall of iOS Security

Wednesday, November 29th, 2017

We loved what Apple used to do about security. During the past years, the company managed to build a complete, multi-layer system to secure its hardware and software ecosystem and protect its customers against common threats. Granted, the system was not without its flaws (most notably, the obligatory use of a trusted phone number – think SS7 vulnerability – for the purpose of two-factor authentication), but overall it was still the most secure mobile ecosystem on the market.

Not anymore. The release of iOS 11, which we praised in the past for the new S.O.S. mode and the requirement to enter a passcode in order to establish trust with a new computer, also made a number of other changes under the hood that we have recently discovered. Each and every one of these changes was aimed at making the user’s life easier (as in “more convenience”), and each came with a small trade off in security. Combined together, these seemingly small changes made devastating synergy, effectively stripping each and every protection layer off the previously secure system. Today, only one thing is protecting your data, your iOS device and all other Apple devices you have registered on your Apple account.

The passcode. This is all that’s left of iOS security in iOS 11. If the attacker has your iPhone and your passcode is compromised, you lose your data; your passwords to third-party online accounts; your Apple ID password (and obviously the second authentication factor is not a problem). Finally, you lose access to all other Apple devices that are registered with your Apple ID; they can be wiped or locked remotely. All that, and more, just because of one passcode and stripped-down security in iOS 11.

(more…)

Obtaining Detailed Information about iOS Installed Apps

Tuesday, October 3rd, 2017

Accessing the list of apps installed on an iOS device can give valuable insight into which apps the user had, which social networks they use, and which messaging tools they communicate with. While manually reviewing the apps by examining the device itself is possible by scrolling a potentially long list, we offer a better option. Elcomsoft Phone Viewer can not just display the list of apps installed on a given device, but provide information about the app’s version, date and time of acquisition (first download for free apps and date and time of purchase for paid apps), as well as the Apple ID that was used to acquire the app. While some of that data is part of iOS system backups, data on app’s acquisition time must be obtained separately by making a request to Apple servers. Elcomsoft Phone Viewer automates such requests, seamlessly displaying the most comprehensive information about the apps obtained from multiple sources.

In this how-to guide, we’ll cover the steps required to access the list of apps installed on an iOS device. (more…)

Accessing iOS Saved Wi-Fi Networks and Hotspot Passwords

Thursday, September 28th, 2017

In this how-to guide, we’ll cover the steps required to access the list of saved wireless networks along with their passwords.

Step 1: Make a password-protected backup

In order to extract the list of Wi-Fi networks from an iOS device, you must first create a password-protected local backup of the iOS device (iPhone, iPad or iPod Touch). While we recommend using Elcomsoft iOS Forensic Toolkit for making the backup (use the “B – Backup” option in the main menu), Apple iTunes can be also used to make the backup. Make sure to configure a backup password if one is not enabled; otherwise you will be unable to access Wi-Fi passwords. (more…)

Extracting Unread Notifications from iOS Backups

Thursday, March 2nd, 2017

In the world of no jailbreak, acquisition opportunities are limited. Experts are struggling to access more information from those sources that are still available. Every little bit counts. In Elcomsoft Phone Viewer 3.0, we’ve added what might appear like a small bit: the ability to view undismissed iOS notifications. Unexciting? Hardly. Read along to discover how extracting notifications from iOS backups can make all the difference in an investigation! (more…)

Extracting Calls, Contacts, Calendars and Web Browsing Activities from iOS Devices in Real Time

Wednesday, December 21st, 2016

Cloud acquisition has been available for several years. iPhones and iPads running recent versions of iOS can store snapshots of their data in the cloud. Cloud backups are created automatically on a daily basis provided that the device is charging while connected to a known Wi-Fi network. While iCloud backups are great for investigations, there is one thing that might be missing, and that’s up-to-date information about user activities that occurred after the moment the backup was created. In this article, we’ll discuss an alternative cloud acquisition option available for iOS devices and compare it to the more traditional acquisition of iCloud backups.

(more…)

Acquisition of a Locked iPhone with a Lockdown Record

Monday, November 28th, 2016

The previous article was about the theory. In this part we’ll go directly to practice. If you possess a turned on and locked iOS device and have no means of unlocking it with either Touch ID or passcode, you may still be able to obtain a backup via the process called logical acquisition. While logical acquisition may return somewhat less information compared to the more advanced physical acquisition, it must be noted that physical acquisition may not be available at all on a given device.

Important: Starting with iOS 8, obtaining a backup is only possible if the iOS device was unlocked with a passcode at least once after booting. For this reason, if you find an iPhone that is turned on, albeit locked, do not turn it off. Instead, isolate it from wireless networks by placing it into a Faraday bag, and do not allow it to power off or completely discharge by connecting it to a charger (a portable power pack inside a Faraday bag works great until you transfer the device to a lab). This will give you time to searching user’s computers for a lockdown record.

(more…)

iOS Call Syncing: How It Works

Thursday, November 17th, 2016

In our previous article, we figured that iPhone call logs are synced with iCloud. We performed multiple additional tests to try to understand exactly how it works, and are trying to guess why. (more…)