Posts Tagged ‘WhatsApp’

For us, this year has been extremely replete with all sorts of developments in desktop, mobile and cloud forensics. We are proud with our achievements and want to share with you. Let’s have a quick look at what we’ve achieved in the year 2019.

Mobile Forensics: iOS File System Imaging

We started this year by updating Elcomsoft iOS Forensic Toolkit, and by a twist of a fate it became our most developed tool in 2019. The developments went through a number of iterations. The release of unc0ver and Electra jailbreaks enabled Elcomsoft iOS Forensic Toolkit to support physical acquisition for iOS 11.4 and 11.4.1 devices, allowing it to produce file system extraction via jailbreak.

In the meanwhile, we updated Elcomsoft Phone Viewer with support for file system images produced by GrayKey, a popular forensic solution for iOS physical extraction. Analysing GrayKey output with Elcomsoft Phone Viewer became faster and more convenient.

Later in February, Elcomsoft iOS Forensic Toolkit received a major update, adding support for physical acquisition of Apple devices running iOS 12. The tool became capable of extracting the content of the file system and decrypting passwords and authentication credentials stored in the iOS keychain. For the first time, iOS Forensic Toolkit made use of a rootless jailbreak with significantly smaller footprint compared to traditional jailbreaks.

Not long ago, Elcomsoft iOS Forensic Toolkit 5.20 was updated with file system extraction support for select Apple devices running all versions of iOS from iOS 12 to iOS 13.3. Making use of the new future-proof bootrom exploit built into the checkra1n jailbreak, EIFT is able to extract the full file system image, decrypt passwords and authentication credentials stored in the iOS keychain. And finally, the sensational version 5.21 raised a storm of headlines talking about iOS Forensic Toolkit as the ‘New Apple iOS 13.3 Security Threat’. Why? We made the tool support the extraction of iOS keychain from locked and disabled devices in the BPU-mode (Before-first-unlock). The extraction is available on Apple devices built with A7 through A11 generation SoC via the checkra1n jailbreak.

Mobile Forensics: Logical Acquisition

Later on, Elcomsoft Phone Viewer was further updated to recover and display Restrictions and Screen Time passwords when analysing iOS local backups. In addition, version 4.60 became capable of decrypting and displaying conversation histories in Signal, one of the world’s most secure messaging apps. Experts became able to decrypt and analyse Signal communication histories when analysing the results of iOS file system acquisition.

Desktop Forensics and Trainings

In 2019 we’ve also updated Advanced PDF Password Recovery with a new Device Manager, and added support for NVIDIA CUDA 10 and OpenCL graphic cards to Advanced Office Password Recovery. Advanced Intuit Password Recovery added support for Quicken and QuickBooks 2018-2019 covering the changes in data formats and encryption of newest Intuit applications. In addition, the tool enabled GPU acceleration on the latest generation of NVIDIA boards via CUDA 10.

We are proud to say that the many changes we implemented in Elcomsoft Distributed Password Recovery are based on the users’ feedback we received by email and in person, during and after the training sessions. We had several trainings this year in the UK, Northern Ireland and Canada. “Fantastic. Time well spent on the training and on software that will be very useful on cases in the future”, commented Computer Forensic Examiner.

Cloud Forensics

We learned how to extract and decrypt Apple Health data from the cloud – something that Apple won’t provide to the law enforcement when serving legal requests. Health data can serve as essential evidence during investigations. The updated Elcomsoft Phone Viewer can show Apple Health data extracted with Elcomsoft Phone Breaker or available in iOS local backups and file system images.

Very soon Elcomsoft Phone Breaker 9.20 expanded the list of supported data categories, adding iOS Screen Time and Voice Memos. Screen Time passwords and some additional information can be extracted from iCloud along with other synchronized data, while Voice Memos can be extracted from local and cloud backups and iCloud synchronized data.

Skype anyone? In December, Elcomsoft Phone Viewer and Elcomsoft Phone Breaker were updated to extract and display Skype conversation histories.

Desktop Forensics: Disk Encryption

Elcomsoft System Recovery received a major update with enhanced full-disk encryption support. The update made it easy to process full-disk encryption by simply booting from a flash drive. The tool automatically detects full-disk encryption, extracting and saving information required to brute-force passwords to encrypted volumes. In addition, the tool became capable of saving the system’s hibernation file to the flash drive for subsequent extraction of decryption keys for accessing encrypted volumes.

Cloud Forensics: iOS 13 & Authentication Tokens

Elcomsoft Phone Breaker 9.15 added the ability to download iCloud backups created with iPhone and iPad devices running iOS 13 and iPadOS. In addition, the tool became able to extract fully-featured iCloud authentication tokens from macOS computers.

Following this, Elcomsoft Phone Breaker 9.30 delivered a new iCloud downloading engine and low-level access to iCloud Drive data. Thanks to the new iCloud engine, the tool became capable of downloading backups produced by devices running all versions of iOS up to iOS 13.2. While advanced iCloud Drive structure analysis allows users to enable deep, low-level analysis of iCloud Drive secure containers.

Cloud Forensics: Google

Elcomsoft Cloud Explorer 2.20 boosted the number of data types available for acquisition, allowing experts to additionally download a bunch of new types of data. This includes data sources in the Visited tree, Web pages opened on Android devices, requests to Google Assistant in Voice search, Google Lens in Search history, Google Play Books and Google Play Movies & TV.

WhatsApp remains one of the most popular instant messengers. With more than 1.5 billion users and about half billion daily active users, WhatsApp sends over 100 billion messages per day. WhatsApp is secure thanks to end-to-end encryption to make intercepted messages impossible to decrypt. While this is great news to consumers and privacy advocates, it is also bad news for the law enforcement. Once an expert accepts to access the suspect’s WhatsApp communication history, they will struggle with the encryption and demand for a vendor-provided backdoor (WhatsApp: The Bad Guys’ Secret Weapon).

Are there any other options to access WhatsApp conversations? We know of at least two. The first option is capturing the message database directly from the device of either party. The other option is going through the cloud. WhatsApp does not have its own native cloud service such as Telegram. All it has is a messaging relay service, which does not store messages for any longer than required to pass them along. In other words, any message that passes through WhatsApp servers is immediately deleted once it’s delivered (and it would be of no use to forensic experts anyway due to end-to-end encryption). It is important to note that WhatsApp accounts cannot be used on more than one device.

Let’s review WhatApp recovery/decryption options for both Android and iOS, and see what is new in Elcomsoft eXplorer for WhatsApp (EXWA).

(more…)

Starting with version 2.40, Elcomsoft Extractor for WhatsApp supports physical and cloud acquisition of WhatsApp Business. The physical extraction method requires root access, while cloud acquisition requires authenticating into the user’s Google Drive account with proper authentication credential. In addition, a verification code received from WhatsApp as an SMS must be provided to decrypt the backup downloaded from Google Drive. In this guide, we’ll describe all the steps required to perform physical and cloud acquisition of WhatsApp Business. (more…)

With over 1.3 billion monthly users, WhatsApp is the most popular instant messaging tool worldwide, and Android is the most popular mobile operating system by far. This makes WhatsApp acquisition from Android devices essential for the law enforcement. Elcomsoft Explorer for WhatsApp 2.30 can now download and decrypt Android user’s encrypted WhatsApp communication histories stored in Google Drive. If you have access to the user’s trusted phone number or their physical SIM card (to receive a verification code from WhatsApp), you can now use Elcomsoft Explorer for WhatsApp to download, decrypt and display WhatsApp communication histories backed up into the user’s Google Account. Surprisingly, a cloud backup may, in certain cases, contain even more information than stored on the device itself. This particularly applies to attachments (photos and videos) sent and received by WhatsApp users and then deleted from the device.

WhatsApp Encryption

All recent versions of WhatsApp encrypt their backups with a cryptographic key unique per WhatsApp account. Without access to that cryptographic key, the only things Elcomsoft Explorer for WhatsApp could extract from the user’s Google Account are contacts and media files sent and received by the WhatsApp user. The main communication history is securely encrypted with AES-256. To make things even more complicated, the different builds of WhatsApp were using different encryption algorithms, making an all-in-one decryption tool a bit complicated to build. Elcomsoft Explorer for WhatsApp 2.30 solves all of these issues by automatically downloading and decrypting the backup from the user’s Google Account. The cryptographic key is generated automatically based on the authentication code received as a text message and delivered to the user’s trusted phone number.

(more…)

Facebook-owned WhatsApp is the most popular instant messaging tool worldwide. Due to its point-to-point encryption, WhatsApp is an extremely tough target to extract.

As we already wrote in yesterday’s article, WhatsApp decryption is essential for the law enforcement since due to its popularity and extremely tough security it is a common choice among the criminals. However, the need for WhatsApp decryption is not limited to law enforcement. Us mere mortals may need access to our own communications when re-installing WhatsApp, changing devices or extracting conversations occurred on a device we no longer possess. Since WhatsApp data is not always available in iOS system backups, using WhatsApp’ own stand-alone cloud backup system is the more reliable choice compared to pretty much everything else.

Elcomsoft Explorer for WhatsApp can now access iPhone users’ encrypted WhatsApp communication histories stored in Apple iCloud Drive. If you have access to the user’s SIM card with a verified phone number, you can now use Elcomsoft Explorer for WhatsApp to circumvent the encryption and gain access to iCloud-stored encrypted messages. In this article, we’ll tell you how it works, and provide a step-by-step guide to extracting and decrypting WhatsApp backups from iCloud Drive.

(more…)

WhatsApp is one of the most secure messengers with full end-to-end encryption. Messages exchanged between WhatsApp users are using an encrypted point-to-point communication protocol rendering man-in-the-middle attacks useless. WhatsApp communications are never stored or backed up on WhatsApp servers. All this makes government snooping on WhatsApp users increasingly difficult.

WhatsApp has more than a billion users. WhatsApp makes use of the Open Whisper Signal communication protocol to secure communications with end-to-end encryption. WhatsApp users rely on that security to freely exchange messages, discuss sensitive things and, with limited success, avoid religious and political oppression in certain countries. Today, some governments attempt to criminalize WhatsApp protection measures, ban end-to-end encryption and do everything in their power to undermining trust in secure communication tools. What is it all about, and how to find the right balance between public safety and security is the topic of this article.

(more…)

As you may already know, we’ve added Android support to our WhatsApp acquisition tool, Elcomsoft Explorer for WhatsApp. While the updated tool can now extract WhatsApp communication histories directly from Android smartphones with or without root access, how do you actually use it, and how does it work? In this blog post we’ll be looking into the technical detail and learn how to use the tool.

(more…)

We have recently released a brand new product, Elcomsoft Explorer for WhatsApp. Targeted at home users and forensic experts along, this Windows-based, iOS-centric tool offers a bunch of extraction options for WhatsApp databases. Why the new tool, and how is it different from other extraction options offered by Elsomsoft’s mobile forensic tools? Before we move on to that, let’s have a look at the current state of WhatsApp.

(more…)