Posts Tagged ‘EPPB’

The popular unc0ver jailbreak has been updated to v4, and this is quite a big deal. The newest update advertises support for the latest A12 and A13 devices running iOS 13 through 13.3. The current version of iOS is 13.3.1. None of the older versions (including iOS 13.3) are signed, but still there are a lot of A12/A12X/A13 devices floating around. Until now, file system and keychain extraction was a big problem. The newest unc0ver jailbreak makes it possible.

The new build is based on an exploit that is quite reliable by itself. However, jailbreaking is more than just a single exploit; a lot of things (that are outside the scope of this article) have to be done. So the new version of a jailbreak is not a silver bullet, and may still fail on many devices; we have tested a few and received mixed results. Still, if the given device can be jailbroken with unc0ver, it means that we can pull all the data from it, down to the last bit.

ICYMI: iPhones and iPads based on A12/A12X/A13 SoC are not vulnerable to checkm8 exploit, and there is no room for BFU acquisition (if the passcode is not known). That means that jailbreaking them using iOS (not bootrom) exploits is the only way to get all the data, at least for now.

Installing the jailbreak

The jailbreak (curren version: 4.0.2) is available as an IPA file (iOS/iPadOS package). There are several methods of installing it, but they usually require signing the IPA using a third-party certificate, which is not very safe and requires approving the certificate on the device, which in turn means that you have allow the device make an Internet connection. This in turn means that the device can be remotely locked or wiped (and even if Find My is disabled, it may sync and modify the data. The only workaround is to set up the network so that that it can only access the Apple’s servers that take care of certificate approval, but this is not not as easy as it sounds.

The better and safer way is to sign the jailbreak IPA with a developer’s certificate using Cydia Impactor. You will need a developer’s account to do that. If you have one, create an Application-specific password first as Cydia Impactor does not natively support 2FA.

Once the IPA is installed, just run it and press [Jailbreak]. That simple.

Well, not quite. First, you have to press [Settings] in the top-right corner and enable the following options:

  • Re(Install) OpenSSH
  • SSH Only
  • Read-Only RootFS

What is it all about? Install OpenSSH (which is not installed by default); do not install Cydia (not only you won’t need it for the purpose of file system extraction, but removing Cydia after you’re done is a separate headache); do not remount the system partition, making the jailbreak rootless, safer, and with a minimum impact. I would not say “forensically sound”. But very close to that.

Note that the new build of unc0ver is not very reliable yet. If it fails, here is what the jailbreak developers recommend:

To everyone having reliability issues. You must follow those conditions carefully to have the best success:
– reboot
– airplane mode
– lock device
– wait 30 seconds (don’t do anything)
– jailbreak

A better exploitation method is required to avoid this. We’ll try our best.

Data acquisition

iOS Forensic Toolkit is all you need. First, do not miss some basic usage tips:

Ready to go? Extract the keychain and the file system first. Just note that with the keychain extraction, you may get error/warning messages like the following:

[+] memory_size: 3962028032
[-] no offsets for iPad8,1 17C54
[e] error reading kernel @0x0
[-] no kernel_call addresses for iPad8,1 17C54 [e] error reading kernel @0x0 Injecting to trust cache...
Actually injecting 1 keys
1 new hashes to inject
Successfully injected [1/1] to trust cache.
[e] error writing kernel @0x0

Just ignore them for now, we will take care on them later; they don’t seem to affect the keychain acquisition.

As for the file system, please note that if you forget to set the appropriate unc0ver options and install OpenSSH later from Cydia, acquisition will probably fail. The OpenSSH client installed alongside with the jailbreak works fine.

Anything else? Almost everything matters. Including whether you connect the iPhone directly or through a USB hub; the type of the cable (USB-A or USB-C to Lightning); and even the brand of the cable (original or not). Do not ask us why, ask Apple. To our experience, you get the best results when using an original Apple USB-A to Lightning cable connected directly (with no hubs); also, it works better on Macs. Yes, even that matters.

Data analysis

For “quick and dirty” analysis, use Elcomsoft Phone Viewer to browse the data acquired by iOS Forensic Toolkit. Do not underestimate this little tool; it does not parse all the data categories, but you will be surprised by the amount of data it can extract from media files (including deleted ones), locations, Apple Pay, Wallet etc. All the most-critical evidence is there.

Need more, including system databases, building the complete Timeline, defining social links between device contacts and extractions in Social Graph, getting comprehensive data analysis with facial recognition and image categorization, advanced data search and detailed reports? Get Oxygen Forensic Detective.

Did you extract the keychain? That’s a gold mine. Not just all the passwords and tokens (for dozens web sites, social networks, mail accounts and more), but also the encryption keys that will allow you to decrypt WhatsApp and Signal conversations. Use Elcomsoft Phone Breaker to browse it in a very convenient way (well, three ways); there you will be also able to export passwords to a wordlist, allowing you to break other files, documents and systems almost instantly.

We’ve just announced a major update to iOS Forensic Toolkit, now supporting the full range of devices that can be exploited with the unpatchable checkra1n jailbreak.  Why is the checkra1n jailbreak so important for the forensic community, and what new opportunities in acquiring Apple devices does it present to forensic experts? We’ll find out what types of data are available on both AFU (after first unlock) and BFU (before first unlock) devices, discuss the possibilities of acquiring locked iPhones, and provide instructions on installing the checkra1n jailbreak. (more…)

When it comes to mobile forensics, experts are analyzing the smartphone itself with possible access to cloud data. However, extending the search to the user’s desktop and laptop computers may (and possibly will) help accessing information stored both in the physical smartphone and in the cloud. In this article we’ll list all relevant artefacts that can shed light to smartphone data. The information applies to Apple iOS devices as well as smartphones running Google Android.

Mobile Artefacts on Desktops and Laptops

Due to the sheer capacity, computer storage may contain significantly more evidence than a smartphone. However, that would be a different kind of evidence compared to timestamped and geotagged usage data we’ve come to expect from modern smartphones.

How can the user’s PC or Mac help mobile forensic experts? There several types of evidence that can help us retrieve data from the phone or the cloud.

  1. iTunes backups. While this type of evidence is iPhone-specific (or, rather, Apple-specific), a local backup discovered on the user’s computer can become an invaluable source of evidence.
  2. Saved passwords. By instantly extracting passwords stored in the user’s Web browser (Chrome, Edge, IE or Safari), one can build a custom dictionary for breaking encryption. More importantly, one can use stored credentials for signing in to the user’s iCloud or Google Account and performing a cloud extraction.
  3. Email account. An email account can be used to reset a password to the user’s Apple or Google account (with subsequent cloud extraction using the new credentials).
  4. Authentication tokens. These can be used to access synchronized data in the user’s iCloud account (tokens must be used on the user’s computer; on macOS, transferable unrestricted tokens may be extracted). There are also tokens for Google Drive (can be used to access files in the user’s Google Drive account) and Google Account (can be used to extract a lot of data from the user’s Google Account). The computer itself is also an artefact as certain authentication tokens are “pinned” to a particular piece of hardware and cannot be transferred to another device. If the computer is a “trusted” device, it can be used for bypassing two-factor authentication.

(more…)

We’ve got a few forensic tools for getting data off the cloud, with Apple iCloud and Google Account being the biggest two. Every once in a while, the cloud owners (Google and Apple) make changes to their protocols or authentication mechanisms, or employ additional security measures to prevent third-party access to user accounts. Every time this happens, we try to push a hotfix as soon as possible, sometimes in just a day or two. In this article, we’ll try to address our customers’ major concerns, give detailed explanations on what’s going on with cloud access, and provide our predictions on what could happen in the future.

Update 19/05/2017: what we predicted has just happened. Apple has implemented additional checks just two days ago. This time, the extra checks do not occur during the authentication stage. Instead, the company started blocking pull requests for backup data originating from what appears to Apple as a desktop device (as opposed to being an actual iPhone or iPad). Once again we had to rush a hotfix to our customers, releasing an update just today. Whether or not our solution stands the test of time is hard to tell at this time. It seems this time it’s no longer a game but a war.

This whole Apple blocking third-party clients issue creates numerous problems to our customers who are either legitimate Apple users or law enforcement officials who must have access to critical evidence now as opposed to maybe getting it from Apple in one or two weeks. This time it’s not about security or privacy of Apple customers. After all, accounts protected with two-factor authentication are and have been safe. We’ve had similar experience with Adobe several years ago, and surprisingly, it turned out Adobe had reasons beyond privacy or security of its customers.

(more…)

We’ve just released the first major update to Elcomsoft Phone Viewer, our lightweight forensic tool for glancing over data extracted from mobile devices. Boosting version number to 2.0, we added quite a lot of things, making it a highly recommended update.

So what’s new in Phone Viewer 2.0? Improved compatibility with full support for iOS 9 backups (both local and iCloud). Support for media files (pictures and videos) with thumbnail gallery and built-in viewer. EXIF parsing and filtering with geolocation extraction and mapping. These things greatly enhance usage experience and add the ability to track subject’s coordinates on the map based on location data extracted from the images captured with their smartphone.

(more…)

With little news on physical acquisition of the newer iPhones, we made every effort to explore the alternatives. One of the alternatives to physical acquisition is over-the-air acquisition from Apple iCloud, allowing investigators accessing cloud backups stored in the cloud. While this is old news (we learned to download data from iCloud more than two years ago), this time we have something completely different: access to iCloud backups without a password! The latest release of Phone Password Breaker is all about password-free acquisition of iCloud backups.

Update 25.07.2019: things have changed! The most up to date information on this topic is now available at:

(more…)

This time, we are updating our bread-and-butter mobile forensic tool, Elcomsoft Phone Password Breaker, to version 3.0 (beta). This new version has many things that are new or have changed. Let’s see what’s new, and why. (more…)

It’s been a while since we updated Elcomsoft Phone Password Breaker, dedicating our efforts to physical acquisition of iOS devices instead. Well, now when the new iOS Forensic Toolkit is out, it is time to update our classic phone recovery tool.

The new version of Elcomsoft Phone Password Breaker is released! While you can read an official press-release to get an idea of what’s new and updated, you may as well keep reading this blog post to learn not only what is updated, but also why we did it.

Dedicated to iCloud Forensics

This new release is more or less completely dedicated to enhancing support for remote recovery of iOS devices via iCloud. Why do it this way?

Because iCloud analysis remains one of the most convenient ways to acquire iOS devices. You can read more about iCloud analysis in a previous post here. Let’s see what else is available.

(more…)

It’s been a while since we released the new version of Elcomsoft Phone Password Breaker that allows downloading backups from iCloud (read the press release). Many customers all over the world are already using this new feature intensively, but we still get many questions about its benefits, examples of cases when it can be used and how to use it properly. We also noticed many ironic comments in different forums (mostly from users without any experience in using iOS devices and so have no idea what iCloud backups actually are, I guess), saying that there is nothing really new or interesting there, because anyone with Apple ID and password can access the data stored in iCloud backup anyway.

Well, it seems some further explanation is needed. If you are already using EPPB (and this feature in particular) you will find some useful tips for future interaction with iCloud, or even if you don’t have an iOS device (you loser! just kidding :)) please go ahead and learn how iCloud can be helpful and dangerous at the same time. (more…)

Back in 2008, ElcomSoft started using consumer-grade video cards to accelerate password recovery. The abilities of today’s GPU’s to perform massively parallel computations helped us greatly increase the speed of recovering passwords. Users of GPU-accelerated ElcomSoft password recovery tools were able to see the result 10 to 200 times (depending on system configuration) sooner than the users of competing, non-accelerated products.

Today, ElcomSoft introduced support for a new class of acceleration hardware: Field Programmable Gate Arrays (FPGAs) used by Pico Computing in its hardware acceleration modules. Two products have received the update: Elcomsoft Phone Password Breaker and Elcomsoft Wireless Security Auditor, enabling accelerated recovery of Wi-Fi WPA/WPA2 passwords as well as passwords protecting Apple and Blackberry offline backups. In near future, Pico FPGA support will be added to Elcomsoft Distributed Password Recovery.

With FPGA support, ElcomSoft products now support a wide range of hardware acceleration platforms including Pico FPGA’s, OpenCL compliant AMD video cards, Tableau TACC, and NVIDIA CUDA compatible hardware including conventional and enterprise-grade solutions such as Tesla and Fermi.

Hardware Acceleration of Password Recovery
Today, no serious forensic user will use a product relying solely on computer’s CPU. Clusters of GPU-accelerated workstations are employed to crack a wide range of passwords from those protecting office documents and databases to passwords protecting Wi-Fi communications as well as information stored in Apple and BlackBerry smartphones. But can consumer-grade video cards be called the definite ‘best’ solution?

GPU Acceleration: The Other Side of the Coin
Granted, high-end gaming video cards provide the best bang for the buck when it comes to buying teraflops. There’s simply no competition here. A cluster of 4 AMD or NVIDIA video cards installed in a single chassis can provide a computational equivalent of 500 or even 1000 dual-core CPU’s at a small fraction of the price, size and power consumption of similarly powerful workstation equipped only with CPU’s.

However, GPU’s used in video cards, including enterprise-grade solutions such as NVIDIA Tesla, are not optimized for the very specific purpose of recovering passwords. They still do orders of magnitude better than CPU’s, but if one’s looking for a solution that prioritizes absolute performance over price/performance, there are alternatives.

 How Would You Like Your Eggs?
A single top of the line video card such as AMD Radeon 7970 consumes about 300 W at top load. It generates so much heat you can literally fry an egg on it! A cluster of four gaming video cards installed into a single PC will suck power and generate so much heat that cooling becomes a serious issue.

Accelerating Password Recovery with FPGAs
High-performance password cracking can be achieved with other devices. Field Programmable Gate Arrays (FPGAs) will fit the bill just perfectly. A single 4U chassis with a cluster of FPGA’s installed can offer a computational equivalent of over 2,000 dual-core processors.

The power consumption of FPGA-based units is dramatically less than that of consumer video cards. For example, units such as Pico E-101 draw measly 2.5 W. FPGA-based solutions don’t even approach the level of power consumption and heat generation of gaming video cards, running much cooler and comprising a much more stable system.

GPU vs. FPGA Acceleration: The Battle
Both GPU and FPGA acceleration approaches have their pros and contras. The GPU approach offers the best value, delivering optimal price/performance ratio to savvy consumers and occasional users. Heavy users will have to deal with increased power consumption and heat generation of GPU clusters.

FPGA’s definitely cost more per teraflop of performance. However, they are better optimized for applications such as password recovery (as opposed to 3D and video calculations), delivering significantly better performance – in absolute terms – compared to GPU-accelerated systems. FPGA-based systems generate much less heat than GPU clusters, and consume significantly less power. In addition, an FPGA-based system fits perfectly into a single 4U chassis, allowing forensic users building racks stuffed with FPGA-based systems. This is the very reason why many government, intelligence, military and law enforcement agencies are choosing FPGA-based systems.