Posts Tagged ‘Microsoft Account’

We’ve just updated Elcomsoft Phone Breaker to version 6.60, adding remote acquisition support for Microsoft Windows 10 phones and desktops. The new build can pull search and Web browsing history, call logs, and location history directly from the user’s Microsoft Account. In this article we’ll have a look at what exactly is available and can be extracted and where this information is stored. We will also list the steps required to extract and view the data.


Smartphones are frequent theft targets. Manufacturers try to combat smartphone theft by implementing several security measures. The first security measure is the “remote kill switch”, a feature allowing legitimate owners to block, disable or erase a smartphone in case it is stolen. Since Aug 12, 2014, the “kill switch” has been mandatory in California in all new smartphones manufactured after July 1, 2015. Other jurisdictions followed, passing legislation with “kill switch” requirements to combat smartphone theft.

Long before the legislation, the “remote kill switch” was used by companies to allow remotely erasing the phone’s content. Apple’s Find My iPhone, Microsoft’s Find My Phone, BlackBerry Protect and Android Device Manager allowed locating, ringing, blocking or erasing the phone remotely. However, the “kill switch” was originally designed only to protect the phone owner’s data, and could not help discourage theft. The criminal would simply erase the phone by performing a factory reset and resell the device. IMEI blacklisting aside, a simple factory reset would result in a clean, usable device, continuing to provide an incentive for criminals.

It took manufacturers much longer to implement true anti-theft protection in their core OS. Today, anti-theft protection is a combination of the familiar remote kill switch and factory reset protection.

Factory reset protection is a security method designed to make sure your smartphone becomes useless if a thief wipes it. If someone wipes and factory resets your device without providing your authentication credentials, a smartphone equipped with factory reset protection would cease to initialize, display a prominent message asking to enter the previous owner’s account credentials, and block further initialization attempts.

In theory, this sounds great. The implementation of the “kill switch” helped reduce smartphone theft by as much as 40 per cent. But is smartphone protection as secure as we think? Let’s find out.


BitLocker is a popular full-disk encryption scheme employed in all versions of Windows (but not in every edition) since Windows Vista. BitLocker is used to protect stationary and removable volumes against outside attacks. Since Windows 8, BitLocker has been activated by default on compatible devices if the administrative account logs in with Microsoft Account credentials. BitLocker protection is extremely robust, becoming a real roadblock for digital forensics.

Various forensic techniques exist that allow experts to overcome BitLocker protection. Capturing a memory dump of a computer while the encrypted volume is mounted is one of the most frequently used avenues of attack. However, acquiring BitLocker-encrypted volumes may become significantly more difficult with the release of Windows 10 November Update. In this article, we’ll explore existing methods of recovering BitLocker volumes, look at what has changed with November Update, and review the remaining acquisition paths.

The recent update to one of our oldest tools, Elcomsoft System Recovery, brought long-overdue compatibility with Windows systems that sign in with online authentication via Microsoft Account. While the tool can reset Microsoft Account passwords to allow instant logins to otherwise locked accounts, this is not the point. The point is that we have finally laid our hands on something that can help us break into a major online authentication service, the Microsoft Account.

For that to happen, Elcomsoft System Recovery can export the locally cached hash of the user’s Microsoft Account password for offline recovery. Running a GPU-assisted attack on the password (using Elcomsoft Distributed Password Recovery or a similar tool) allows quickly enumerating the passwords with a combination of dictionary and brute-force attacks, in many cases resulting in the recovery of the original plain-text password. This isn’t exactly new, since the same thing could be done to local Windows accounts a decade ago. What DOES change, though, is the types and amounts of information that can be accessed with the Microsoft Account password we’ve just recovered. This is one of those cases where a seemingly small change brings a plethora of new possibilities to digital forensics.
