Posts Tagged ‘Mobile forensics’

What can possibly go wrong with that iPhone? I’ll have a look (oh, it’s locked!), then switch it off, eject the SIM card and pass it on to the expert. Well, you’ve just made three of the five most common mistakes, making subsequent unlock and extraction attempts significantly more difficult. Learn about the most common mistakes and their consequences.

Power off

The first and probably the most important step (or at least one of the most important) is data preservation: making sure that the device content does not change, that the device will not discharge, and that it will not be remotely locked or wiped. We gave an introduction to the process in our The Art of iPhone Acquisition article, but do you know what many forensic “experts” (sorry for the quotes) do first, instead of turning airplane mode on or placing the device into a Faraday bag?

They turn it off.

Granted, a powered-off device won’t make an accidental connection or self-discharge rapidly. However, by powering the device off you switch it from the forensic-friendly AFU* mode into the locked-down BFU* mode. As a result, several things happen.

  • The encryption keys are wiped from the device RAM (no instant AFU extraction possible)
  • Passcode recovery attack falls to BFU speeds (much slower than AFU attacks)
  • Biometric authentication becomes impossible
  • Lockdown records become useless; logical acquisition impossible
  • Extremely limited BFU extraction

AFU: After First Unlock; the condition in which the device has been unlocked with a passcode at least once after being powered on or rebooted.

BFU: Before First Unlock; the condition in which the device has been rebooted or powered on and has not been unlocked since.

Ejecting SIM card

What’s the next most common mistake in mobile forensics? It’s removing the SIM card, usually just to make sure that the device does not make an accidental connection to a mobile network. I would not say it is fatal, but here is what happens, at least when the device is running iOS 11, 12 or 13:

  • The phone locks immediately
  • Biometric unlock disabled (until unlocked with the passcode)
  • USB restricted mode activated

More on biometric authentication: Passcode vs. Biometrics: Forensic Implications of Touch ID and Face ID in iOS 12; on USB restricted mode: USB Restricted Mode Inside Out (updates: iOS 12 Enhances USB Restricted Mode and USB Restricted Mode in iOS 13: Apple vs. GrayKey, Round Two).

I believe no further explanation is needed. In short, you may completely lose an opportunity to unlock or further analyze the device.

“Don’t hold it that way”

Steve Jobs was never wrong. If you hold a modern iPhone equipped with Face ID, you’re likely to waste one or more of the attempts you have to unlock the device by pointing it towards the suspect. Why? This YouTube clip shows what happened during the iPhone X announcement.

As for iPhones with Touch ID, make sure you never touch the fingerprint sensor. Otherwise you’ll just lose one of the five biometric unlock attempts.

Resetting backup password

In most cases (unless the device can be jailbroken or is vulnerable to the checkm8 exploit), an iTunes backup is the main source of data. iPhone backups, however, are really special (see The Most Unusual Things about iPhone Backups for details).

If the backup is password-protected, it could be a problem. Starting with iOS 10.1, brute-force password recovery is virtually impossible (though we can try, and have the software for that). However, as you know, iOS 11 Makes Logical Acquisition Trivial, Allows Resetting iTunes Backup Password.

The problem is that all passwords in the Apple ecosystem are connected to each other (Four and a Half Apple Passwords). And if you reset the backup password (as FTI Consulting did recently when investigating the hack of Jeff Bezos’ phone, see the report), then the iPhone passcode is also reset. And that has bad, really bad consequences. First, you are going to lose the saved Wi-Fi passwords, Apple Pay transaction history, downloaded Exchange mail and some other data. Second (and this is critical), you lose all the things you could do with the passcode. Like what things? See iOS 11 Horror Story: the Rise and Fall of iOS Security and Protecting Your Data and Apple Account If They Know Your iPhone Passcode. This includes (but is not limited to) access to end-to-end encrypted data in iCloud, including the iCloud keychain, synced messages, Health data etc.

iOS logical acquisition

In fact, logical acquisition is not as simple as it sounds. Just create an iTunes-style backup and that’s it, right? Not quite. Several things can go wrong.

Creating a backup with iTunes. This is acceptable in general; all forensic packages create exactly the same backups as iTunes. In fact, backups are made by the service running on the iPhone itself, and not by desktop software. However, if you forget to disable iTunes sync in advance (before connecting the iPhone to the computer), the content on the device may change.

Making a passwordless backup. A backup without a password is easier to analyze, right? Yes, it is, but the devil is in the details. Backups without a password contain less data than password-protected backups. You will not get the keychain, Health data, Safari browsing history and call logs (at least).

Missing something. Well, actually a lot. Proper logical acquisition is not limited to backups; in fact, backups are just the beginning. You can also obtain media files (and not just the files but also metadata, sometimes even for deleted files), app shared data (including but not limited to media players, office packages and even some password managers), and crash and diagnostic logs (the ultimate source of data that can really help build the timeline). All of that regardless of whether or not the user has a backup password. This, by the way, can also be done for Apple Watch and Apple TV devices, thanks to Elcomsoft iOS Forensic Toolkit.
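A triage script for the backup pitfalls above, added here as an example (not Elcomsoft’s code): it parses a backup’s Manifest.plist and reports whether the backup was made with a password, which artefacts the post says a passwordless backup will lack, and how the iOS version affects password recovery or reset as described above. The Manifest.plist samples are constructed, but the key names (IsEncrypted, Lockdown, ProductVersion, UniqueDeviceID) are those of real iTunes backups.

```python
import plistlib
from typing import Any, Dict, List, Tuple

# Artefacts the post says a backup made without a password will lack.
ONLY_IN_ENCRYPTED_BACKUPS: List[str] = [
    "keychain", "Health data", "Safari browsing history", "call logs",
]

def parse_manifest(data: bytes) -> Dict[str, Any]:
    """Parse Manifest.plist (XML or binary) found in the root of an iTunes-style backup."""
    return plistlib.loads(data)

def version_tuple(version: str) -> Tuple[int, ...]:
    """'12.1.4' -> (12, 1, 4) so versions compare numerically rather than as strings."""
    return tuple(int(p) for p in version.split(".") if p.isdigit())

def triage_backup(manifest: Dict[str, Any]) -> Dict[str, Any]:
    """Summarise what an examiner can expect from this backup, following the post's rules."""
    lockdown = manifest.get("Lockdown", {})
    encrypted = bool(manifest.get("IsEncrypted", False))
    ios = str(lockdown.get("ProductVersion", "0"))
    v = version_tuple(ios)
    return {
        "device": lockdown.get("DeviceName", "unknown"),
        "udid": lockdown.get("UniqueDeviceID", "unknown"),
        "ios_version": ios,
        "encrypted": encrypted,
        # A passwordless backup omits these; a password-protected one includes them.
        "missing_artifacts": [] if encrypted else list(ONLY_IN_ENCRYPTED_BACKUPS),
        # From iOS 10.1 on, the post calls brute-forcing the backup password virtually impossible.
        "password_recovery_practical": encrypted and v < (10, 1),
        # iOS 11+ lets the backup password be reset on the device (at the cost the post describes).
        "password_reset_on_device": encrypted and v >= (11,),
    }

# Constructed sample Manifest.plist files (not from real backups); keys mirror the real file.
def _sample(encrypted: str, ios: str) -> bytes:
    return f"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>IsEncrypted</key><{encrypted}/>
  <key>Version</key><string>10.0</string>
  <key>Lockdown</key><dict>
    <key>DeviceName</key><string>Sample iPhone</string>
    <key>ProductVersion</key><string>{ios}</string>
    <key>UniqueDeviceID</key><string>0000000000000000000000000000000000000000</string>
  </dict>
</dict></plist>""".encode()

SAMPLE_PASSWORDLESS = _sample("false", "12.1.4")
SAMPLE_ENCRYPTED = _sample("true", "13.3")

if __name__ == "__main__":
    for blob in (SAMPLE_PASSWORDLESS, SAMPLE_ENCRYPTED):
        print(triage_backup(parse_manifest(blob)))
```

Point parse_manifest at the bytes of a real backup’s Manifest.plist to triage it the same way.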

Conclusion

I just listed the most common mistakes made by law enforcement and forensic experts. We’ve seen many more of those, albeit less frequently. Strictly following the correct workflow, documenting your every step, ensuring that your steps are repeatable and results verifiable, cross-matching the results and proper reporting are essential. Just using a “tool” is not nearly enough, even if it’s the best tool on the market. The environment is always changing, and you either keep up or fall behind. Taking a training course is one of the better ways to keep up with the ever-changing mobile forensic and computer forensic environment.

Challenges in Computer and Mobile Forensics: What to Expect in 2020

The past two years introduced a number of challenges forensic experts have never faced before. In 2018, Apple made it more difficult for the police to safely transport a seized iPhone to the lab by locking the USB port with USB restricted mode, making data preservation a challenge. The release of the A12 platform, also in 2018, made it difficult to unlock iOS devices protected with an unknown password, while this year’s release of iOS 13 rendered unlock boxes useless on iPhones based on the two most recent platforms.

On desktop and especially laptop computers, the widespread use of SSD drives made it impossible to access deleted data due to trim and garbage collection mechanisms. The users’ vastly increased reliance on cloud services and mass migration off the forensically transparent SMS platform towards the use of end-to-end encrypted messaging apps made communications more difficult to intercept and analyze.

The sheer amount of data is greater than ever, making users rely more on external (attached) storage rather than internal hard drives alone. Many attached storage devices use secure encryption, some of them without even prompting the user. Extracting data from such devices becomes a challenge, while analyzing the huge amounts of information now requires significantly more time and effort.

The number of online accounts used by an average consumer grows steadily year over year. While password reuse and the use of cloud services to store and synchronize passwords makes experts’ jobs easier, the spread of secure, encrypted password management services is turning into a new challenge.

Knowing everyday challenges in desktop and mobile forensics, we can now peek into the future. (more…)

When it comes to mobile forensics, experts analyze the smartphone itself, with possible access to cloud data. However, extending the search to the user’s desktop and laptop computers may (and quite possibly will) help access information stored both on the physical smartphone and in the cloud. In this article we’ll list all relevant artefacts that can shed light on smartphone data. The information applies to Apple iOS devices as well as smartphones running Google Android.

Mobile Artefacts on Desktops and Laptops

Due to the sheer capacity, computer storage may contain significantly more evidence than a smartphone. However, that would be a different kind of evidence compared to timestamped and geotagged usage data we’ve come to expect from modern smartphones.

How can the user’s PC or Mac help mobile forensic experts? There are several types of evidence that can help us retrieve data from the phone or the cloud.

  1. iTunes backups. While this type of evidence is iPhone-specific (or, rather, Apple-specific), a local backup discovered on the user’s computer can become an invaluable source of evidence.
  2. Saved passwords. By instantly extracting passwords stored in the user’s Web browser (Chrome, Edge, IE or Safari), one can build a custom dictionary for breaking encryption. More importantly, one can use stored credentials for signing in to the user’s iCloud or Google Account and performing a cloud extraction.
  3. Email account. An email account can be used to reset a password to the user’s Apple or Google account (with subsequent cloud extraction using the new credentials).
  4. Authentication tokens. These can be used to access synchronized data in the user’s iCloud account (tokens must be used on the user’s computer; on macOS, transferable unrestricted tokens may be extracted). There are also tokens for Google Drive (can be used to access files in the user’s Google Drive account) and Google Account (can be used to extract a lot of data from the user’s Google Account). The computer itself is also an artefact as certain authentication tokens are “pinned” to a particular piece of hardware and cannot be transferred to another device. If the computer is a “trusted” device, it can be used for bypassing two-factor authentication.

(more…)

If you are working in the area of digital forensics, you might have wondered about one particular thing in the marketing of many forensic solutions. While most manufacturers are claiming that their tools are easy to use and to learn, those very same manufacturers offer training courses with prices often exceeding the cost of the actual tools. Are these trainings necessary at all if the tools are as easy to use as the marketing claims?

We believe so. A “digital” investigation is not something you can “fire and forget” by connecting a phone to a PC, running your favorite tool and pushing the button. When dealing with encrypted media, the most straightforward approach, brute-forcing your way in, is not always the best.

(more…)

We live in the era of mobile devices with full-disk encryption, dedicated security co-processors and multiple layers of security designed to prevent device exploitation. The recent generations of Apple mobile devices running iOS 10 and 11 are especially secure, effectively resisting experts’ efforts to extract evidence. Yet, several solutions are known to counter Apple’s security measures even in iOS 11 and even for the last-generation devices. It is not surprising that Apple comes up with countermeasures to restrict the effectiveness and usability of such methods, particularly by disabling the USB data connection in iOS 11.4 after prolonged inactivity periods (well, in fact it is still in question whether this feature will be available in the new iOS version or not; it seems it is not ready yet, and may be delayed till iOS 12).

Today, we’ll discuss the main challenges of iOS forensics, look at some of the most interesting solutions available to law enforcement, and share our experience gaining access to some of the most securely protected evidence stored in Apple iOS devices. (more…)

We were attending the DFRWS EU forum in beautiful Florence, and held a workshop on iOS forensics. During the workshop, an attendee tweeted a photo of the first slide of our workshop, and the first response was from… one of our competitors. He said “Looking forward to the “Accessing a locked device” slide”. You can follow our conversation on Twitter, it is worth reading.

No, we cannot break the iPhone passcode. Still, sometimes we can get the data out of a locked device. The most important point is: we never keep our methods secret. We always provide full disclosure about what we do, how our software works, what the limitations are, and what exactly you can expect if you use this and that tool. Speaking of Apple iCloud, we even reveal technical information about Apple’s network and authentication protocols, data storage formats and encryption. If we cannot do something, we steer our customers to other companies (including competitors) who could help. Such companies include Oxygen Forensics (the provider of one of the best mobile forensic products) and Passware (the developer of excellent password cracking tools and our direct competitor).

Let’s start with “Logical acquisition”. We posted about it more than once, but it never hurts to go over it again. By “Logical acquisition”, vendors usually mean nothing more than making an iTunes-style backup of the phone, full stop.

Then, there is that “advanced logical” advertised by some forensic companies. There’s that “method 2” acquisition technique and things with similarly cryptic names. What is that all about?

I am not the one to tell you how other software works (not because I don’t know, but because I don’t feel it would be ethical), but I’ll share information on how we do it with our software: the methods we use, the limitations, and the expected outcome.

(more…)

Software updates remain a sore point for the 86 per cent of consumers who use Android-based smartphones. Apple and Microsoft both have significantly different update policies, which mostly allow the companies to deliver updates directly to their customers. There is much more to these updates than just the Android (or Windows) version. With numerous versions, sub-versions and carrier-modified versions of the phone’s software, experts may struggle when attempting physical extraction. Let us have a look at the differences between the three mobile operating systems, their update policies and the challenges they present to the forensic examiner.

Apple: Full Control over Software Updates

Apple has a tight grip over its mobile operating system, iOS. In fact, it has an even tighter grip than most people think.

On the outside, the company makes iOS updates available to all supported models and all devices at the same time. With a very long support window of over 4 years, even devices released back in 2014 are eligible to receive the latest iOS build.

There is also a flip side to this story. Not only does the company solely control the design, release and distribution of software updates, it also has full control over which versions of the system a given device is allowed to install. Unlike Android devices, which can install a signed OTA package (or, in some cases, flash a full image) of any version of the software (with exceptions, e.g. rollback protection), iPhone and iPad devices can only install iOS updates (or full packages) that are cryptographically signed by Apple for that particular device. Before an iOS update (or full package, including downgrade packages) can be installed onto an iPhone or iPad, the package must get approval from an Apple server in the form of a cryptographic signature. That signature is generated in real time, and is only valid for a particular device. (more…)
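A model of the per-device signing described above, added here as an example (neither Apple’s actual protocol nor Elcomsoft’s code): a server that only signs versions still in its signed set, so a downgrade package gets no signature, and a device that accepts a signature only for its own ECID and for the nonce it generated for this attempt, which also stops a previously issued signature from being replayed (the nonce goes slightly beyond the post, which mentions only the real-time, per-device signature). HMAC with a server-side key stands in for Apple’s public-key signature; the signed-version set, key, ECIDs and package bytes are made up.

```python
import hashlib
import hmac
import os
from typing import Optional

# Signing-server side, a stand-in for Apple's server. Versions drop out of this set when
# Apple stops signing them, so a downgrade package can no longer obtain a signature.
CURRENTLY_SIGNED = {"13.3"}
SERVER_KEY = b"hypothetical-signing-key"  # HMAC key standing in for Apple's private key

def _message(version: str, package: bytes, ecid: int, nonce: bytes) -> bytes:
    """What the signature covers: version, package digest, the device's ECID and its nonce."""
    return version.encode() + hashlib.sha256(package).digest() + ecid.to_bytes(8, "big") + nonce

def sign_package(version: str, package: bytes, ecid: int, nonce: bytes) -> Optional[bytes]:
    """Issue a signature for one package on one device, or refuse if the version is unsigned."""
    if version not in CURRENTLY_SIGNED:
        return None
    return hmac.new(SERVER_KEY, _message(version, package, ecid, nonce), hashlib.sha256).digest()

class Device:
    """Device side: generates a fresh nonce per attempt and verifies the returned signature."""
    def __init__(self, ecid: int) -> None:
        self.ecid, self.nonce = ecid, b""

    def begin_update(self) -> bytes:
        self.nonce = os.urandom(16)  # a signature issued for an older nonce will not verify
        return self.nonce

    def verify(self, version: str, package: bytes, signature: Optional[bytes]) -> bool:
        if signature is None or not self.nonce:
            return False
        # A real device holds only Apple's public key; recomputing the HMAC is the model's shortcut.
        expected = hmac.new(SERVER_KEY, _message(version, package, self.ecid, self.nonce),
                            hashlib.sha256).digest()
        return hmac.compare_digest(expected, signature)

def attempt_install(device: Device, version: str, package: bytes) -> bool:
    """Full exchange: device picks a nonce, server signs for that device, device verifies."""
    nonce = device.begin_update()
    return device.verify(version, package, sign_package(version, package, device.ecid, nonce))

PACKAGE = b"constructed iOS package contents"  # constructed sample payload

def demo() -> dict:
    a, b = Device(ecid=0x1111), Device(ecid=0x2222)
    sig_a = sign_package("13.3", PACKAGE, a.ecid, a.begin_update())
    b.nonce = a.nonce  # same nonce on another device: the ECID still differs
    results = {
        "right_device": a.verify("13.3", PACKAGE, sig_a),
        "other_device": b.verify("13.3", PACKAGE, sig_a),
        "unsigned_version": attempt_install(a, "12.4", PACKAGE),  # 12.4 is no longer signed
    }
    results["replayed_later"] = a.verify("13.3", PACKAGE, sig_a)  # nonce changed above
    return results
```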

According to Jim Baker, FBI General Counsel, the bureau can access information on most smartphones they are dealing with, even if encryption is enabled. In this article, we tried to find out which devices they can and cannot unlock, and why.

The FBI Can Unlock 87% of Mobile Devices

According to Jim Baker, the agency can unlock some 87% of mobile devices and get access to the data. So which devices, exactly, can they unlock and which can they not? Before we start crunching the numbers, please have a look at the following infographic:

(more…)

Fingerprint Unlock Security: Google Android and Microsoft Hello

Using one’s fingerprint to unlock a mobile device with a touch is fast and convenient. But does it provide sufficient security? More importantly, does biometric unlock provide a level of security comparable to that of the more traditional PIN or passcode? As we found in the first article, Apple has managed to develop a comprehensive fingerprint unlock system that provides just enough security while offering a much greater convenience compared to traditional unlock methods. What’s up with that in the other camp?

Google Android 4.x through 5.1.1: No Fingerprint API

There is no lack of Android smartphones (but no tablets) that come with integrated fingerprint scanners. Samsung Galaxy S5, S6, S7, Motorola Moto Z, SONY Xperia Z5, LG G5, Huawei Ascend Mate 7 and newer flagships, Meizu Pro 5 and a plethora of other devices are using fingerprint scanners without proper support on the native API level.

(more…)

This is the second part of the Elcomsoft Phone Password Breaker Enhances iCloud Forensics and Speeds Up Investigations article.

Extracting the content of an iPhone is only half the job. Recovering meaningful information from raw data is yet another matter. The good news is there are plenty of powerful tools providing iOS analytics. The bad news? You’re about to spend a lot of time analyzing the files and documenting the findings. Depending on the purpose of your investigation, your budget and your level of expertise using forensic tools, you may want to use one tool or the other. Let’s see what’s available.

(more…)