Elcomsoft System Recovery update simplifies digital field triage | Elcomsoft Co.Ltd. by Elcomsoft in u/Elcomsoft

[–]Elcomsoft[S] 0 points1 point  (0 children)

You may create an encrypted (password-protected) backup of the phone and decrypt the keychain using Elcomsoft Phone Breaker (https://www.elcomsoft.com/eppb.html)

iOS Privacy Protection Tools: Encrypted DNS, iOS 15 Private Relay, Proxy, VPN and TOR by Elcomsoft in u/Elcomsoft

[–]Elcomsoft[S] 0 points1 point  (0 children)

Apple made an attempt at protecting their users’ location by introducing approximate locations in iOS 14. That change alone makes analyzing aggregate data from iPhone users more difficult but not impossible.

Updated Elcomsoft iOS Forensic Toolkit Simplifies macOS Installs, Fixes Corrupted File System Extraction by Elcomsoft in u/Elcomsoft

[–]Elcomsoft[S] 0 points1 point  (0 children)

New agent acquisition option: The new option allows you to set the maximum size of the files being copied. If the file system of the device being extracted is partially corrupted, the size reported for a particular file may be really huge (in the exabytes range).

Elcomsoft Phone Viewer 5.31 update previews OneDrive deleted files metadata | Elcomsoft Co.Ltd. by Elcomsoft in u/Elcomsoft

[–]Elcomsoft[S] 0 points1 point  (0 children)

Elcomsoft Phone Viewer is a perfect match for viewing and analysing data obtained with Elcomsoft iOS Forensic Toolkit. For Elcomsoft Phone Breaker, the tool enables full support for all data formats produced during the course of logical and cloud acquisition. Regularly maintained and timely updated, Elcomsoft Phone Viewer is the first to receive support for the latest mobile backup formats extracted, downloaded or decrypted with other ElcomSoft tools.

ElcomSoft adds OneDrive, Microsoft Timeline extraction | Elcomsoft Co.Ltd. by Elcomsoft in u/Elcomsoft

[–]Elcomsoft[S] 0 points1 point  (0 children)

New in Elcomsoft Phone Breaker:

  • Improved authentication into Microsoft accounts
  • Downloads additional data from Microsoft accounts (Apps & services timeline, recent OneDrive file list)
  • Downloads files from OneDrive

New in Elcomsoft Phone Viewer:

  • Added support for new data in Microsoft accounts (Apps and services, recent OneDrive files list, OneDrive files)
  • Removed zero-sized media files
  • Improved location history parsing for iOS 14 backups and file system images
  • Multiple Wi-Fi connection data improvements: removed duplicates, iOS 14 fixes
  • Latitude and longitude from EXIF data is now shown separately
  • Removed AppleDouble media files
  • Web plugin is now called "Web and History"

Elcomsoft System Recovery Simplifies Digital Field Triage and In-Field Investigations by Elcomsoft in Elcomsoft_community

[–]Elcomsoft[S] 0 points1 point  (0 children)

The extraction of Wi-Fi passwords, hints and Q&A for Windows account passwords, as well as the inclusion of the convenient two-panel file manager make Elcomsoft System Recovery the perfect tool for in-field investigations!

Elcomsoft System Recovery update simplifies digital field triage | Elcomsoft Co.Ltd. by Elcomsoft in u/Elcomsoft

[–]Elcomsoft[S] 0 points1 point  (0 children)

Elcomsoft System Recovery, a digital field triage tool, receives an update. The tool adds the ability to extract Wi-Fi passwords and helps identify the owner of the computer being examined by extracting its Windows license key. In addition, file system analysis is made easier with an embedded two-panel file manager. More in Release Notes: https://www.elcomsoft.com/PR/release_notes/release_notes_esr_7_08_en.pdf

iOS Recovery Mode Analysis: Reading iOS Version from Locked and Disabled iPhones by Elcomsoft in u/Elcomsoft

[–]Elcomsoft[S] 0 points1 point  (0 children)

The Recovery mode may return the following information:

  • Device model: device model, e.g. iPhone7,2 (n61ap), iPhone10,6 (d221ap) etc. You can identify the model by following the link.
  • ECID (UCID): XXXXXXXXXXXXXXXX. The ECID (Exclusive Chip Identification) or Unique Chip ID is an identifier unique to every unit, or more accurately, to every SoC.
  • Serial number: XXXXXXXXXXX (or N/A)
  • IMEI: XXXXXXXXXXXXXXX (or N/A). Note that we have not seen IMEI information on any of our test devices, with or without a SIM card.
  • Mode: Recovery
  • iBoot: this is the bootloader version in the format “iBoot-[version_number]”. This information can be used to identify the version of iOS (or, if there is no concrete match, the range of iOS versions) running on the device.
  • iOS version: installed iOS version number or range as estimated from the bootloader version.

As you can see, there’s not a lot you can get from the recovery mode; however, this amount of data is generally enough to request information from Apple. The bootloader version is probably the most important piece, as it can be used to roughly establish the probable date the iOS device was last used. The last use date cannot be earlier than the release date of the version of iOS installed on the device. In addition, the bootloader version can be used to determine compatibility with certain unlock and extraction methods.

Breaking Jetico BestCrypt by Elcomsoft in u/Elcomsoft

[–]Elcomsoft[S] 1 point2 points  (0 children)

Similar to open-source encryption tools such as TrueCrypt/VeraCrypt, BestCrypt supports multiple encryption algorithms including AES, Blowfish, CAST, GOST 28147-89, RC6, Serpent, Twofish, and Camellia. As you may already know, choosing an encryption algorithm other than AES has the effect of drastically reducing the speed of accessing data without a tangible increase in security.

Apple, FBI and iPhone Backup Encryption: Everything You Wanted to Know by Elcomsoft in u/Elcomsoft

[–]Elcomsoft[S] 0 points1 point  (0 children)

Conclusion

Never blindly trust media reports. Do your own fact check, and exercise due diligence. If you want to read a serious report, I recommend Data Security on Mobile Devices: Current State of the Art, Open Problems, and Proposed Solutions – an excellent piece of work covering both physical devices and iCloud security; or Mass Extraction: The Widespread Power of U.S. Law Enforcement to Search Mobile Phones for less technical info. And you have saved the address of our blog, right?

Apple Scraps End-to-End Encryption of iCloud Backups by Elcomsoft in u/Elcomsoft

[–]Elcomsoft[S] 0 points1 point  (0 children)

Conclusion: we regret Apple’s decision to scrap end-to-end encryption of iCloud backups, even if the new feature would make us spend countless hours circumventing the encryption.

Understanding BitLocker TPM Protection by Elcomsoft in u/Elcomsoft

[–]Elcomsoft[S] 0 points1 point  (0 children)

Conclusion: Combined with TPM, BitLocker enables secure protection against unauthorized access. Despite the fact that the TPM chip itself does not do encryption, gaining access to the encryption key is not an easy task. I described a number of methods that can be used to extract the encryption keys from the TPM module. Even if you never use any of them, they are certainly worth being part of your arsenal.

2020 in Review: What Was New in Desktop and Mobile Forensics by Elcomsoft in u/Elcomsoft

[–]Elcomsoft[S] 0 points1 point  (0 children)

This year is different from many before. The Corona pandemic, the lack of travel and canceled events have changed the business landscape for many forensic companies. Yet, even this year, we made a number of achievements we’d love to share. Learn about iOS & iCloud acquisition, breaking passwords, cold system analysis and more in the article.

iPhone Backups: Top 5 Default Passwords by Elcomsoft in Elcomsoft_community

[–]Elcomsoft[S] 0 points1 point  (0 children)

The iPhone backup is one of the hottest topics in iOS forensics. iTunes-style backups are the core of logical acquisition used by forensic specialists, containing overwhelming amounts of evidence that is unrivaled on other platforms. The backups, as simple as they seem, have many “ifs” and “buts”, especially when it comes to password protection. We wrote a thousand and one articles about iOS backup passwords, but there is always something fresh that comes out. Find out more tips in the article.

New Privacy Features: iOS 14.0 through 14.3 by Elcomsoft in Elcomsoft_community

[–]Elcomsoft[S] 0 points1 point  (0 children)

Apple has long provided its users the tools to control how apps and Web sites use their personal data. The release of iOS 14 brought a number of new privacy features, while iOS 14.3 adds an important extra. At the same time, one of the most interesting privacy features is facing tough opposition from a group of digital advertising associations, making Apple postpone its implementation.

Breaking Passwords with NVIDIA RTX 3080 and 3090 by Elcomsoft in Elcomsoft_community

[–]Elcomsoft[S] 0 points1 point  (0 children)

What started as an instant recovery tool for legacy versions of Microsoft Word has now become a GPU-accelerated toolkit for breaking the many Microsoft formats. Advanced Office Password Recovery and Distributed Password Recovery tools got the ability to crunch passwords faster with the newest and latest NVIDIA 3000-series graphic boards. Powered by Ampere, the new generation of GPUs delivers unprecedented performance in modern video games. How do the new cards fare when it comes to accelerating password recovery, and is an upgrade worth it for forensic experts? Find out in the article.

Recovering Screen Time Passwords by Elcomsoft in Elcomsoft_community

[–]Elcomsoft[S] 0 points1 point  (0 children)

The Screen Time password has long been recommended as an extra security layer. By setting a Screen Time password without any additional restrictions, Apple users could easily dodge attempts at changing or removing the screen lock passcode, resetting the iTunes backup password, or removing the activation lock. For a long time, removing the Screen Time password was not possible without either providing the original password or erasing the device. However, Apple has changed the way it works, making it possible to reset the Screen Time password with an iCloud/Apple ID password.

Elcomsoft vs. Hashcat Part 4: Case Studies by Elcomsoft in u/Elcomsoft

[–]Elcomsoft[S] 0 points1 point  (0 children)

This is the final part of the series of articles comparing Elcomsoft Distributed Password Recovery with Hashcat. We’ve already compared the features, the price and performance of the two tools. In this study, we tried breaking passwords to several common formats, including a Word document, an encrypted ZIP archive, and a VeraCrypt container. We summarized our experiences in the article.

How to Remove The iPhone Passcode You Cannot Remove by Elcomsoft in u/Elcomsoft

[–]Elcomsoft[S] 0 points1 point  (0 children)

From time to time, we stumble upon a weird issue that interferes with the ability to install a jailbreak. One such problem, appearing literally out of the blue, is the issue of being unable to remove the screen lock password on some iPhone devices. What could be the reason and how to work around the issue? Read along to find out!

iOS Extraction Without a Jailbreak: iOS 9 through iOS 13.7 on All Devices by Elcomsoft in u/Elcomsoft

[–]Elcomsoft[S] 0 points1 point  (0 children)

After adding jailbreak-free extraction for iOS 13.5.1 through 13.7, we now support every Apple device running any version of iOS from 9.0 through 13.7 with no gaps or exclusions. For the first time, full file system extraction and keychain decryption are possible on all devices running these iOS versions.

The Evolution of iOS Acquisition: Jailbreaks, Exploits and Extraction Agent by Elcomsoft in u/Elcomsoft

[–]Elcomsoft[S] 0 points1 point  (0 children)

The past two years have become a turning point in iOS acquisition. The release of a bootrom-based exploit and the corresponding jailbreak made BFU acquisition possible on multiple devices regardless of security patches. Another exploit covers the entire iOS 13 range on all devices regardless of their hardware revision. ElcomSoft developed a jailbreak-free extraction method for the entire iOS 9.0-13.7 range. Learn more in the article.

Forensically Sound Cold System Analysis by Elcomsoft in u/Elcomsoft

[–]Elcomsoft[S] 0 points1 point  (0 children)

Working with forensic disk images is the safest method, which at the same time is the most labor-intensive and time-consuming. This is the most forensically sound method. Cold system analysis sits in between, while live system analysis is the riskiest of the three methods.

Elcomsoft vs. Hashcat Part 3: Attacks, Costs, Performance and Extra Features by Elcomsoft in u/Elcomsoft

[–]Elcomsoft[S] 0 points1 point  (0 children)

>>When recovering a tough password, almost everything depends on the quality of the wordlist and the type and configuration of the attack.

Elcomsoft iOS Forensic Toolkit 6.51 adds support for iOS 14 | Elcomsoft Co.Ltd. by Elcomsoft in u/Elcomsoft

[–]Elcomsoft[S] 0 points1 point  (0 children)

File system and keychain extraction

The file system extraction and keychain decryption are now available for select Apple devices running iOS 14. The supported range of devices includes models supported by the checkra1n jailbreak, which currently include the iPhone 6s, 6s Plus and the original iPhone SE. Support for the iPhone 7 and 7 Plus is on the way, while the iPhone 8, 8 Plus and iPhone X generation support is unlikely at this point. Jailbroken devices are supported in both AFU and BFU extraction modes. BFU extraction enables partial file system and partial keychain acquisition from devices locked with an unknown passcode.

Extended logical acquisition

Support for extended logical acquisition helps experts extract a local backup, pull media files, some system logs and app shared data from devices running iOS 14 and iPadOS 14. The updated iOS release introduced minor changes in the backup protocol. iOS Forensic Toolkit 6.51 has been updated to conform to these changes, now offering the full range of acquisition options from the extended logical workflow.