Dear friends,

It really takes willpower to control our excitement about the surprises we prepared for you these pre-holiday days.  We arranged three ultra-appealing bundles and we can’t hide them any loger, so here they are:

1. EPPB + EBBE = take two at the price of one!
2. EPPB + EBBE + EIFT = get EBBE & EPPB for free!
3. EPRB Forensic = special NY 2012 price! (twice less!!)

 Check out more info on our website:

http://www.elcomsoft.com/happy-new-year-2012.html

Experience Elcomsoft Password Recovery Bundle which breaks all barriers, twice cheaper throughout December 2011. There is no substitute. 

Don’t rush, take your time… till December 31.

When developing the iOS 5 compatible version of iOS Forensic Toolkit, we found the freshened encryption to be only tweaked up a bit, with the exception of keychain encryption. The encryption algorithm protecting keychain items such as Web site and email passwords has been changed completely. In addition, escrow keybag now becomes useless to a forensic specialist. Without knowing the original device passcode, escrow keys remain inaccessible even if they are physically available.

What does enhanced security mean for the user? With iOS 5, they are getting a bit more security. Their keychain items such as Web site, email and certain application passwords will remain secure even if their phone falls into the hands of a forensic specialist. That, of course, will only last till the moment investigators obtain the original device passcode, which is only a matter of time if a tool such as iOS Forensic Toolkit is used to recover one.

What does this mean for the forensics? Bad news first: without knowing or recovering the original device passcode, some of the keychain items will not be decryptable. These items include Web site passwords stored in Safari browser, email passwords, and some application passwords.

Now the good news: iOS Forensic Toolkit can still recover the original plain-text device passcode, and it is still possible to obtain escrow keys from any iTunes equipped computer the iOS device in question has been ever synced or connected to. Once the passcode is recovered, iOS Forensic Toolkit will decrypt everything from the keychain. If there’s no time to recover the passcode or escrow keys, the Toolkit will still do its best and decrypt some of the keychain items.

Faster Operation

Besides adding support for the latest iOS 5, Elcomsoft iOS Forensic Toolkit becomes 2 to 2.5 times faster to acquire iOS devices. When it required 40 to 60 minutes before, the new version will take only 20 minutes. For example, the updated iOS Forensic Toolkit can acquire a 16-Gb iPhone 4 in about 20 minutes, or a 32-Gb version in 40 minutes.

Today we are releasing a new version of Phone Password Breaker, this time adding the ability to recover security passwords protecting BlackBerry handsets. Yes, that is the very password used to lock and unlock the device. And yes, no one has done that before (well, at least not publicly).

Before you get too excited, there is a catch. The new feature requires Media Card encryption to be switched on and set to either “Security Password” or “Device Password” mode. If this condition is met, EPPB will be able to run password recovery against device security password. What is also important and rather exciting is that you don’t need the BlackBerry device itself. All that is needed is a media card that was used in that device. Actually, we only need one specific file from that media card, so yes, the recovery can be off-loaded and the password can be recovered offline.

So how does this feature work? It’s pretty straightforward: launch Elcomsoft Phone Password Breaker, click Open and specify that you want to recover a BlackBerry security password. After that, you’ll need to navigate to the info.mkf file from the encrypted media card. It is located in BlackBerry/system directory on the media card, and is marked as hidden. Once you open the file (and only if the file comes from the card encrypted using the “Security Password” or “Device Password” option) you will be able to start the recovery as usual. The good news is that recovery rate is amazingly fast by today’s standards: it tries several million passwords per second on a modern multi-core CPU equipped with AES-NI instructions. With Intel i7-970, I am getting 1.8 million passwords per second in wordlist mode, and about 5.9 million passwords per second in bruteforce mode. Compare that to iPhone passcode recovery rate of less than six passcodes per second for iPhone 4, and try to think hard about BlackBerry having better security.

Among other changes in this version is preliminary support for iOS 5 backups. As Apple readies its newest and most advanced mobile OS yet, we have updated EPPB to make it compatible with backups produced by the latest beta of iOS 5. All the usual features (password recovery, backup decryption, and Keychain explorer) are available for iOS 5 backups.

Speaking of iOS backup decryption, we added another option demanded by our customers. EPPB can now recover original file names when decrypting a backup. That means you will get a directory structure and meaningful file names, making it easier to explore and analyze backup contents.

I really hope you will enjoy the new features.

RIM BlackBerry smartphones have been deemed the most secure smartphones on the market for a long, long time. They indeed are quite secure devices, especially when it comes to extracting information from the device you have physical access to (i.e. mobile phone forensics). It is unfortunate, however, that a great deal of that acclaimed security is achieved by “security through obscurity”, i.e. by not disclosing in-depth technical information on security mechanisms and/or their implementation. The idea is to make it more difficult for third parties to analyze. Some of us here at Elcomsoft are BlackBerry owners ourselves, and we are not quite comfortable with unsubstantiated statements about our devices’ security and blurry “technical” documentation provided by RIM. So we dig.

Our first two targets are the apps providing secure storage of sensitive data: BlackBerry Password Keeper and BlackBerry Wallet. These applications are provided by RIM for free; Password Keeper is even included with each installation of BlackBerry OS. The two apps are the recommended way to store login credentials and other sensitive data such as credit card numbers. The data stored in those two apps could also be a wealth of information for investigators. According to RIM, all data is securely encrypted with AES-256. The encryption key is derived from user-specified master password, which can be different from device password. Password Keeper and Wallet master passwords can also be different.

Another notable fact is that Password Keeper and Wallet databases are included in the backup produced by BlackBerry Desktop Software. This means that, as a mobile forensics investigator, you can access those databases (containing encrypted data at this point) by either connecting suspects’ handset and running Desktop Software (if there is no password protection on the device) or by looking for stored device backups on suspects’ computer(s). And even if the backup you’ve been able to get a hold of is encrypted, our Elcomsoft Phone Password Breaker can recover the password for it .

Once you’ve got the (unencrypted) backup, Password Keeper and Wallet databases are accessible. The problem is that their data are still encrypted. And this is exactly what today’s EPPB release is about: recovering master passwords for Password Keeper and Wallet databases. Now you can load a BlackBerry device backup into EPPB and run password recovery against Password Keeper and Wallet databases. And what’s really good about this is that password recovery rate is great – hundreds of thousands and up to several millions passwords per second on modern CPU, depending on BlackBerry OS version. To the best of our knowledge, there were no tools capable of doing this until now, so we're proud to be the world’s first again, offering our customers unique functionality that’s not available in other vendors’ products.

So, you were able to discover the master password, what's next? Right now you have two options:

• Use BlackBerry Simulator, restore the backup to it, and use the recovered master password(s) to enter Password Keeper and/or Wallet. Access stored data as usual.
• Use Elcomsoft BlackBerry Backup Explorer, which can now show Password Keeper and Wallet data (as of version 9.61 being released today).

The third option to view Password Keeper and Wallet data within EPPB itself will be probably added with the next update. Speaking of updates, I'd like to tell you that this BlackBerry-related addition is really small compared to what's in the queue. If things go well, we hope to release "the next big thing" within 1-1.5 months from now. You're going to love it, I promise .

P.S. For those technically inclined out there, here’s a brief summary:

BlackBerry Password Keeper database format and protection is the same for OS 5, OS 6, and OS7. Per-item encryption key is derived by computing 3 (three) iterations of PBKDF2-SHA1 with master password and per-item salt.

Wallet database format and protection differs between OS 5 and OS 6/7.

For Wallet in OS 5, per-item encryption key is derived by computing 3 (three) iterations of PBKDF2-SHA1 with SHA-256 hash of master password and per-item salt.

For Wallet in OS 6 and OS 7, per-item encryption key is derived by computing a random number of iterations (between 50 and 100) of PBKDF2-SHA1 with SHA-512 hash of master password and per-item salt.

Encryption in all above formats is AES-256 in ECB (!) mode, SHA-1 hash of the data is appended before encrypting; data is padded as per PKCS #5.

In my opinion, should RIM have opted to be more open about their security mechanisms, someone (maybe even someone from their own team) could possibly point out that the level of protection against password recovery attacks is not sufficient for 2011.

At Black Hat Andrey made his presentation about iOS encryption and as you may guess it was not the only one talk about iOS on the conference, as the topic is quite popular now.

Later guys visited our partners’ booths and were interviewed by Ira_Victor from the CyberJungle in a not-so-easily-found quiet corner, which resulted in one article and one podcast. 

After Black Hat we moved to DefCon where the most pleasant thing was meeting a professional of social engineering and security expert Kevin Mitnick. Kevin showed real interest in our iOS Forensic Toolkit, so we gladly shared our achievements and demonstrated how it works.

We also got his new book Ghost in the Wires signed by the author. I’ve almost finished the book. It’s really exciting to learn how it all started for an insatiable phone addict like Kevin

After all meetings a business trip of the two turned into sessions of sightseeing and relaxing outdoors visiting Utah, Arizona, and other States and flying…a helicopter.

In its next part about iTunes Backups Kiel touches upon Elcomsoft Phone Password Breaker which virtually crunches backup passwords at speed of 35000 passwords per second (with AMD Radeon HD 5970) using both brute force and dictionary attacks, here are some benchmarks.

It seems the paper does not miss out on any nuance about iOS 4 and provides practical advice to either avoid or prevent from the depressing outcomes, such as loss of data. Closer to the end of the paper you will also find several sagacious tips for using the devices within organizations, including passcode management, a so called “first line of defense” which according Kiel’s view “can be matched to existing password policies”, however he inclines to use passwords instead of 4 digit passcodes.

And in conclusion the author discovers that smartphone and tablet security measurements resemble the ones of laptops, because they all belong to mobile devices.  Find out more details in the source itself: http://www.sans.org/reading_room/whitepapers/pda/security-implications-ios_33724
 

At Techno Security it seemed like we were the only newcomers (maybe partly due to this fact we were so warmly welcomed), as practically everybody knew each other (even visitors) and the whole situation resembled an alumni party in a very positive and friendly atmosphere.

We had a literally overloaded lecture-room during Andrey’s talk, people were even standing along the walls. Actually, at first I was really happy with this fact. Our talk was about locating disk decryption keys in memory which was announced and printed in event agenda. It’s something new for our company, but it’s no breakthrough in the industry, and so we didn’t expect too many people to come. However, against all my expectations, during the speech listeners were taking notes, typing something in their laptops, and looking angrily at me when I was trying to take some pictures producing though very little noise, – I gave up quite soon.

Interestingly, after Andrey’s speech most visitors that came up to the booth had questions about our new iPhone toolkit or sometimes about Elcomsoft Blackberry Backup Extractor and very few had a disk decryption or key mining related questions. I suppose some of listeners were probably hoping Andrey would touch upon iPhone toolkit as well. I’m so sorry we had to choose the topic of our speech so in advance that we couldn’t fix it later. But we did our best to answer all your questions and demo the software at our booth, if you still have any, feel free to ask right here!

You can find more pictures in our facebook.

UPDATE: Here is Andrey's presentation 'Faster Password Recovery with Modern GPUs' in PDF and video format.

The Onion News Network has a news webcast about Facebook program and its use in acquiring information during federal investigations and how greatly this project can save federal expenses:

CIA's 'Facebook' Program Dramatically Cut Agency's Costs

Joking aside, although Facebook was not presupposed to carry out any federal mission like this, the fact is that Feds can very well use Facebook to gather more details of people they are looking for. The question is: how can they do this (if, of course, that’s not the ‘special project’ itself)? One of possible ways to get necessary data would be to set an account and make friends with the suspect, however there are some hidden rocks in it. First, the suspect might not like to make friends with “camouflaged” feds; second, even if you managed to get friends, your access to suspects’ details can be restricted.  Obviously, this is not an easy way to chase a criminal, on the other hand it provides an opportunity to establish and initiate personal contact with the suspect if that’s required.

What else can be done? Well, getting access to suspects’ computer is not a bad idea and most probably this would be point number one. There are many ways to seize and arrest suspects’ computers and as soon as it is accessible computer specialists start scrutinizing its content in search of any evidence. Here all ElcomSoft password recovery tools come into action and now also Facebook Password Extractor designed exclusively for Facebook accounts. 

The new utility gets Facebook account passwords saved in Web browsers on the local computer.  Pleasant thing is that ElcomSoft decided to help saving federal costs as well and made the software free of charge: “This is our duty!”, says unnamed ElcomSoft representative. The main Facebook Passwords Extractor features:

• The utility is absolutely free
• Easy exploitation – you simply start the program and it takes over the rest of work
• Supports all popular Web browsers and their versions: Internet Explorer till v. 9, Mozilla Firefox till v. 4, Opera till v. 11.10, Google Chrome till v. 11, Apple Safari till v. 5
• Works almost instantly
• Finds unlimited (i.e. all) number of logins and passwords stored in Web browsers on local computer.
• Does not matter how long and complex the passwords are and what languages they're in

N.B. Passwords stored in Mozilla Firefox and Opera protected with master password, cannot be recovered with this tool. For the first one (Firefox), however, we do have the solution: Elcomsoft Distributed Password Recovery. Let us know if you're interested in Opera master password recovery, too!

Working with it is quite simple. Right after you start Facebook Password Extractor, it searches Web browsers installed in the system and analyses data stored in every of the installed browsers, local databases, and cache. This allows finding all account information (login – password) that has ever been saved in Web browsers as autocomplete and/or authentication data. All found passwords to Facebook accounts are being decrypted and displayed in convenient form.

There is one “problem” with Facebook Password Extractor, though. It works with Facebook only  . If you need to reveal passwords to other social networks, get the Elcomsoft Internet Password Breaker instead. It is not free, but you always get what you paid for – not just [saved] passwords to social networks, but also the contents of ‘autocomplete’ fields (an extremely good source of information, including passwords), Windows Live Mail credentials and more.

When it comes to obtaining the contents of iPhone’s file system, mobile forensic specialists usually mention the following three opportunities:

1. One can 'mount' the device, mapping it as a drive letter and copy data file after file. In this mode, I/O requests are served by the file system driver on the device that’s supposed to ‘know’ the encryption keys for all files. Essentially, this means that analyst receives file data that is already decrypted during the transfer. The ‘mounting’ in this case is achieved by using undocumented interfaces provided by Apple iTunes, which makes the researcher rely on something that’s a) undocumented, and b) involuntarily provided by the manufacturer. The amount of data available depends on whether the device is booted into a so-called "jailbroken" state or not. Devices that are not booted into a "jailbroken" state allow access to significantly less information. In "jailbroken" state, all information stored on the device may be available.

It is worth mentioning that booting a device into a "jailbroken" state does not necessarily require a permanent "jailbreak" modification of the device, and can be performed without modifying data stored on the device, i.e. without violating read-only principle so important in computer forensics.

While relatively simple, the file-based approach has numerous limitations that make it less than ideal for forensic purposes. Since the transfer is done file-by file, the case quickly becomes difficult to manage. Typical file system contains tens of thousands of files so it might be quite a challenge to even store them in forensically sound way (i.e. making sure that no files are added, deleted, or modified after acquisition is complete). Another problem is that some files may be locked by running processes, may require additional privileges, symbolic links may interfere with the host system, etc.

2. The second option would be to decrypt file system as a part of acquisition process so that its result is a decrypted file system.

3. Finally, one can do a physical acquisition of the encrypted file system and decrypt the data off-line. This would require an additional step of extracting required keys off the device.

The last two options are indeed very similar. In both cases, I/O requests are served by storage driver (as opposed to file system driver in the first case), effectively bypassing proprietary file system drivers and avoiding all types of file locks and access permission problems. Both methods require the device to be in "jailbroken" state.

Although those last two acquisition approaches are similar and first one might seem more attractive on the first sight, we decided to go with the last one. In our eyes, there are numerous important benefits to doing the physical acquisition in a ‘raw’ way.

1. We believe that physical acquisition should be as close to the original device data as possible. The first method (mounting the device) relies on the file system driver to deliver decrypted file data. If we wanted to implement similar on-the-fly decryption during the physical acquisition process, the resulting image won’t be a bit-to-bit physical copy at all. Instead, we can do those actions off-line, and produce a decrypted image out of a precise bit copy.

2. Some device secrets such as the passcode or escrow keys might not be known at acquisition time. Without knowing those secrets, some files can not be decrypted. Off-line processing allows capturing and storing the original encrypted image while postponing the decryption to a later moment. An analyst can return to the original image if more secrets become available (e.g. escrow keys are discovered on suspects’ desktop computer) without having to re-acquire data from the physical device.

3. Analysts may have a backlog of cases. Re-doing the acquisition with a new tool might not be what they’re looking for. With off-line approach, one can obtain the keys from the device, which takes much less time than re-imaging it.

4. Forensics often already have a favorite (or the only approved) tool to do device imaging. For those who don’t, ElcomSoft can provide a basic one that just works. As long as the tool is capable of producing raw (dd-style) images, the analysts can continue using it.

5. Finally, the tools are not bug-free. The acquisition must be as simple and as straightforward as possible. Having to re-acquire the contents of a 64 Gb iPad because of a glitch in the imaging tool could be extremely frustrating and time-consuming. By performing the decryption as a separate process, one can reduce the risk of this happening.

The Toolkit

Elcomsoft Phone Password Breaker is available to general public. We will also provide eligible parties with additional acquisition Toolkit to use on devices running iOS 4.x. We’ll also provide detailed instructions. The Toolkit will allow the following:

• Extract hardware-dependent keys, file system keys and escrow keys from the device;
• Recover the passcode (subject to passcode length and complexity);
• Obtain bit-to-bit copy of device storage.

After obtaining an image of the device storage area accompanied by device-specific keys, analysts will be able to run Elcomsoft Phone Password Breaker to decrypt the acquired image and then analyze the decrypted image with the forensic tool of their choice.

iPhone User Data: What’s Inside

Let’s make it very clear: no privacy purist should ever use an iPhone (or any other smartphone, probably). iPhone devices store or cache humungous amounts of information about how, when, and where the device has been used. The amount of sensitive information collected and stored in Apple smartphones is beyond what had previously been imaginable. Pictures, emails and text messages included deleted ones, calls placed and received are just a few things to mention. A comprehensive history of user’s locations complete with geographic coordinates and timestamps. Google maps and routes ever accessed. Web browsing history and browser cache, screen shots of applications being used, usernames, Web site passwords and the password to iPhone backups made with iTunes software, and just about everything typed on the iPhone is being cached by the device.

It’s Not About iPhone Backups Any More

Some, but not all, of that information makes its way into iPhone backups produced with Apple iTunes. Protected iPhone backups can be broken into with Elcomsoft Phone Password Breaker; once decrypted, information stored in these backups can be viewed by many commercial products. However, the amount of information that these backups contain is reasonably limited. Analyzing actual iPhone device could provide forensic access to much more data.

Adequate Protection

The amount and nature of information accumulated by iPhone devices called for adequate protection. Starting with iPhone 3GS, Apple was including a hardware encryption chip in all subsequent devices. With iOS 4, the company introduced a feature called Data Protection that enabled hardware-based encryption of all user data stored in iPhone 3GS and subsequent models (iPhone 4, all models of iPad, and latest generations of iPod Touch). Using industry-standard AES-256 encryption, the protection was considered to be adequate against even the best equipped adversaries, including forensic analysts and law enforcement agencies.

Implementation of iPhone File System Encryption

If you’re not interested in technical detail on how Apple iOS 4 protects user data in iPhone devices, you can skip this chapter. Reading it will, however, help you understand and appreciate what was done by ElcomSoft researchers. iPhone, iPod Touch and iPad (referred hereafter as iOS devices) are quite popular with all types of users. Due to their popularity and considering the amount of information about the history of user’s behavior, iOS devices are common subjects to forensic analysis. The most comprehensive technique for iOS forensics is physical acquisition that allows to obtain a bit-to-bit snapshot of iOS devices’ file system. In a way, this is similar to making an image of a disk or dumping a CD or DVD into an ISO file.

The technique worked great until the release of iOS 4. Before that, file system images obtained from iPhone and other iOS devices were perfectly readable with all user data being readily accessible. On iOS 4.x, however, those file system images obtained from the devices were pretty much useless for forensic analysis because the contents of each file were securely encrypted. File system seemed to be intact, though, and it was still possible to get list of files and some of their attributes.

To make things even more complicated for a security researcher, every file is encrypted with its own unique encryption key tied to particular iOS device. Furthermore, certain files are protected with encryption keys tied to both the device and the user’s passcode, meaning that those files can be only decrypted when the device is unlocked by the user. Most notable examples are e-mail files maintained by built-in Mail app.

Breaking the Encryption

Explaining what we did to break this encryption is not exactly easy. In a word, we found a way to decrypt bit-to-bit images of iOS 4 devices. Decrypted images are perfectly usable, and can be analyzed with forensic tools such as Guidance EnCase or AccessData FTK (or any other tool which supports raw drive images and HFS+ file system). Decryption is not possible without having access to the actual device because we need to obtain the encryption keys that are stored in (or computed by) the device and are not dumped or stored during typical physical acquisition. In particular, those keys include:

• Keys computed from the unique device key (UID), which is believed to be embedded in the hardware and is not extractable (so-called keys 0×835 and 0x89B);
• User passcode key which is derived from users’ passcode using the unique device key (UID);
• Escrow key(s) which are derived from escrow pairing records using the unique device key (UID);
• Effaceable storage area which stores number of encryption keys.

Once we've got those keys, we're good to go. File decryption is instant and is only subject to the availability of corresponding content protection key. Some files can be encrypted with keys tied to user’s passcode and to decrypt those you will need the correct passcode or the escrow keys (see below). ElcomSoft provides a tool to brute-force the passcode. The vast majority of files, however, can be decrypted without knowing the passcode.

By default (with “Simple passcode” option enabled), passcodes consists of only four digits, meaning that only 10,000 possibilities exist. Having to enter their passcode pretty often most users keep their passcodes to the default length of only four digits for the sake of usability.

Ten thousand combinations do not sound like much. On a PC, breaking a passcode of this length would only take a few moments. Unfortunately, passcodes can only be bruteforced on the device itself. With iPhone 4, the maximum time of breaking a 4-digit passcode is therefore about 40 minutes, while taking about 20 minutes on average. iPhone 3GS is slower, and it takes a bit longer to break a passcode there. In fact, phones running iPhoneOS 3.x can be broken without knowing the passcode by simply removing it; with iOS 4.x, a valid passcode is required to gain full access.

It is possible to overcome the requirement of having the correct passcode by using escrow keys. Escrow keys are created and stored by the iTunes when you first plug an iOS device to the computer. Having a set of escrow keys collected from a computer to which an iOS device was once connected gives the same powers as knowing the passcode (except that you can’t deduce the passcode itself).

The last thing standing is the keychain. The keychain is a system-wide storage area for application secrets such as user account details, usernames and passwords. While Elcomsoft Phone Password Breaker already has the ability to display the contents of the keychain area, it could only read the keychain from iOS backups. As it turns out, not all data from the system keychain is exported into the backup. For example, the backup password itself is present in the system keychain but is never exported to the backup. Application developers utilizing Keychain can choose whether records stored by their application should go to the backup or not. That said, the complete Keychain including items not included wit the backup can be read and decrypted using the same set of keys obtained from the device.

Another World’s First

So far, ElcomSoft is the first company to offer a complete, all-in-one commercial solution for performing physical acquisition analysis of iOS 4.x devices. ElcomSoft did another “World’s first” here.

What This Means for You

By breaking the protection system of Apple iPhone 3GS and later devices running iOS 4, ElcomSoft opens the possibility of an extremely comprehensive forensic analysis of affected iOS devices. While this is a big achievement in cryptographic terms, iPhone backups produced with Apple iTunes software already contained a lot of sensitive information, including keychains. ElcomSoft makes forensic analysis easier, faster (the extraction of file system encryption keys is nearly instant as opposed to lengthy dictionary or brute force attacks which are required to obtain a password to an iPhone backup) and more comprehensive.

The toolkit we're offering includes updated Elcomsoft Phone Password Breaker which was fitted with new function to decrypt iOS 4.x file system images, as well as an optional tools to obtain filesystem images of the iOS 4.x devices, extract keys required for image decryption, and brute-force passcode.

To make sure those tools do not fall into the wrong hands, we decided to offer them only to established law enforcement, forensic and intelligence agencies as well as select government organizations.

Affected Apple Devices

All Apple devices starting with iPhone 3GS and running iOS 4 are affected, including iPhone, iPod and iPad devices.

Next part: Extracting the File System from iPhone/iPad/iPod Touch Devices