Posts Tagged ‘Windows 10 Mobile’

Software updates remain a sore point for the 86 per cent of consumers who are using Android-based smartphones. Both Apple and Microsoft have significantly different update policies, mostly allowing the companies to deliver updates directly to their customers. There is much more to these updates than just the Android (or Windows) version. With numerous versions, subversions and carrier-modified versions of the phone’s software, experts may struggle when attempting physical extraction. Let us have a look at the differences between the three mobile operating systems, their update policies and the challenges they present to the forensic examiner.

Apple: Full Control over Software Updates

Apple has a tight grip over its mobile operating system, the iOS. In fact, it has an even tighter grip than most people think.

On the outside, the company makes iOS updates available to all supported models and all devices at the same time. With a very long support window of over 4 years, even devices released back in 2014 are eligible to receive the latest iOS build.

There is also a flip side to this story. Not only does the company solely control the design, release and distribution of software updates, but it also has full control over what versions of the system a given device is allowed to install. Unlike Android devices that can install a signed OTA package (or, in some cases, flash a full image) of any version of software (with exceptions, e.g. rollback protection), iPhone and iPad devices can only install iOS updates (or full packages) that are cryptographically signed by Apple for that particular device. Before an iOS update (or full package, including downgrade packages) can be installed onto an iPhone or iPad device, the package must be approved by an Apple server, which issues a cryptographic signature. That signature is generated in real time, and is only valid for a particular device. (more…)

We’ve just updated Elcomsoft Phone Breaker to version 6.60, adding remote acquisition support for Microsoft Windows 10 phones and desktops. The new build can pull search and Web browsing history, call logs, and location history directly from the user’s Microsoft Account. In this article we’ll have a look at what exactly is available and can be extracted and where this information is stored. We will also list the steps required to extract and view the data.

(more…)

In another blog post, we discussed the updated Elcomsoft Phone Breaker that allows extracting search and browsing history, location data and call logs from users’ Microsoft Accounts. Now let’s talk about the origins of this data and how to enable its collection on different devices – even if they don’t run Microsoft Windows.

(more…)

Smartphones are frequent theft targets. Manufacturers try to combat smartphone theft by implementing several security measures. The first security measure is the “remote kill switch”, a feature allowing legitimate owners to block, disable or erase a smartphone in case it is stolen. Since Aug 12, 2014, the “kill switch” has been mandatory in California in all new smartphones manufactured after July 1, 2015. Other jurisdictions followed, passing legislation with “kill switch” requirements to combat smartphone theft.

Long before the legislation, the “remote kill switch” was used by companies to allow remotely erasing the phone’s content. Apple’s Find My iPhone, Microsoft’s Find My Phone, BlackBerry Protect and Android Device Manager allowed locating, ringing, blocking or erasing the phone remotely. However, the “kill switch” was originally designed only to protect the phone owner’s data, and could not help discourage theft. The criminal would simply erase the phone by performing a factory reset, and resell the device. IMEI blacklisting aside, a simple factory reset would result in a clean, usable device, continuing to provide an incentive for criminals.

It took manufacturers much longer to implement true anti-theft protection in their core OS. In its current state, anti-theft protection is a combination of the familiar remote kill switch and factory reset protection.

Factory reset protection is a security method designed to make sure your smartphone becomes useless if the thief wipes it. If someone wipes and factory resets your device without providing your authentication credentials, a smartphone equipped with factory reset protection would cease to initialize, display a prominent message asking to enter the previous owner’s account credentials, and block further initialization attempts.

In theory, this sounds great. The implementation of the “kill switch” helped reduce smartphone theft by as much as 40 per cent. But is smartphone protection as secure as we think? Let’s find out.

(more…)

The recent update to one of our oldest tools, Elcomsoft System Recovery, brought long-overdue compatibility with Windows systems that sign in with online authentication via Microsoft Account. While the tool can reset Microsoft Account passwords to allow instant logins to otherwise locked accounts, this is not the point. The point is that we have finally laid our hands on something that can help us break into a major online authentication service, the Microsoft Account.

For that to happen, Elcomsoft System Recovery can export the locally cached hash of the user’s Microsoft Account password for offline recovery. Running a GPU-assisted attack on the password (using Elcomsoft Distributed Password Recovery or a similar tool) allows quickly enumerating the passwords with a combination of dictionary and brute-force attacks, in many cases resulting in the recovery of the original plain-text password. This isn’t exactly new, since the same thing could be done to local Windows accounts a decade ago. What DOES change though is the types and amounts of information that can be accessed with the Microsoft Account password we’ve just recovered. This is one of those cases where a seemingly small change brings a plethora of new possibilities to digital forensics.

(more…)