Posts Tagged ‘Windows 10’

We’ve just updated Elcomsoft Phone Breaker to version 6.60, adding remote acquisition support for Microsoft Windows 10 phones and desktops. The new build can pull search and Web browsing history, call logs, and location history directly from the user’s Microsoft Account. In this article we’ll have a look at what exactly is available and can be extracted and where this information is stored. We will also list the steps required to extract and view the data.

(more…)

In other blog post, we discussed the updated Elcomsoft Phone Breaker that allows extracting search and browsing history, location data and call logs from users’ Microsoft Accounts. Now let’s talk about the origins of this data and how to enable its collection on different devices – even if they don’t run Microsoft Windows.

(more…)

As you may already know, we’ve released an update to Elcomsoft System Recovery, a tool allowing to reset or recover Windows and Microsoft Account passwords by booting from an external USB drive. The new build allows creating bootable USB drives for devices exclusively relying on UEFI bootloaders. Why was this change needed? Read below for an answer!

UEFI Boot Support

If you need access to Windows protected files (and files containing password hashes are always protected), you will either require administrative privileges or must boot a separate copy of Windows from a separate boot media. Elcomsoft System Recovery has always come with the ability to create such bootable media.

As computers evolved, industry moved to 64-bit computations. During the last decade, CPU manufacturers migrated completely to 64-bit architecture. Some years later, it became obvious that legacy BIOS was no longer relevant in the new age. BIOS was superseded with UEFI.

To maintain compatibility with legacy operating systems, most systems of that time period came with support for legacy boot mode (BIOS emulation, “compatibility mode”) enabled out of the box. As operating systems evolved, manufacturers started gradually phasing out legacy support. Today we have reached the point where many new devices (2013 and newer) come without any sort of BIOS emulation at all.

Elcomsoft System Recovery comes with a customized bootable Windows PE environment. By booting from this media, customers can gain access to existing Windows installations even if they don’t know the correct password. For a long time, Elcomsoft System Recovery was relying on legacy compatibility mode to boot. This is no longer an option. The increased share of devices shipping without BIOS emulation or legacy boot support required us to adapt.

(more…)

BitLocker is a popular full-disk encryption scheme employed in all versions of Windows (but not in every edition) since Windows Vista. BitLocker is used to protect stationary and removable volumes against outside attacks. Since Windows 8, BitLocker is activated by default on compatible devices if the administrative account logs in with Microsoft Account credentials. BitLocker protection is extremely robust, becoming a real roadblock for digital forensics.

Various forensic techniques exist allowing experts overcoming BitLocker protection. Capturing a memory dump of a computer while the encrypted volume is mounted is one of the most frequently used venues of attack. However, acquiring BitLocker-encrypted volumes may become significantly more difficult with the release of Windows 10 November Update. In this article, we’ll explore existing methods of recovering BitLocker volumes, look at what has changed with November Update, and review the remaining acquisition paths.
(more…)

 

The recent update to one of our oldest tools, Elcomsoft System Recovery, brought long-overdue compatibility with Windows systems that sign in with online authentication via Microsoft Account. While the tool can reset Microsoft Account passwords to allow instant logins to otherwise locked accounts, this is not the point. The point is that we have finally laid our hands on something that can help us break into a major online authentication service, the Microsoft Account.

For that to happen, Elcomsoft System Recovery can export the locally cached hash to the user’s Microsoft Account password for offline recovery. Running a GPU-assisted attack on the password (using Elcomsoft Distributed Password Recovery or similar tool) allows quickly enumerating the passwords with a combination of dictionary and brute-force attacks, in many cases resulting in the recovery of the original plain-text password. This isn’t exactly new, since the same thing could be done to local Windows accounts a decade ago. What DOES change though is the types and amounts of information can be accessed with the Microsoft Account password we’ve just recovered. This is one of those cases where a seemingly small change brings a plethora of new possibilities to digital forensics.

(more…)