In this article, I would like to lift the veil of mystery a little from a discipline called forensics. Forensics collects and analyzes digital evidence. Naturally, we will look at it through the prism of the Apple universe, or rather in relation to the iPhone. We will start with an interview with representatives of the company that made a name for itself with software in this field, Elcomsoft.

To begin with, I will tell you how I came to write a piece on this topic.

Few Russian-speaking members of the IT community are unfamiliar with the now-defunct Computerra magazine. I will not spend much time singing its praises, since one article would not be enough for that, all the more so because we will be talking about perhaps the most notorious of the magazine's columnists, Sergei Mikhailovich Golubitsky. It was his note on the website of the late publication (he still writes there regularly) that became the starting point of this article. I encourage you to read it to understand what is going on.

Since I clearly fall into the category that Sergei Mikhailovich affectionately calls "goblins", I should perhaps emphasize that I respect his work and in many ways consider him my teacher and inspiration. But with regard to the note mentioned above, I will nevertheless take the position of disagreement.

I don't know whether intentionally or out of ignorance, but the note greatly exaggerates Apple's security problems. With his characteristic biting sarcasm, the author ridicules "Apple's attempts to enter the corporate market", alluding to the many holes found in its security and, most recently, oh horror, a freshly discovered huge security hole that Elcomsoft's product called Phone Password Breaker helps to exploit. At the same time, supposedly in the manner typical of large corporations, Apple completely ignores users' problems, which the title of the note labels with the biting word "arrogance". The note is supplemented with stories about Elcomsoft's other successes (they really are the foremost experts in recovering passwords from anything) and a discussion of how easily anyone can dig into your data.

In this depiction of the horrors of leaky iCloud, I was puzzled by the minimum requirement, which consists only ... of knowing the iCloud login and password. Of course, this is a huge and critical gap in the security system, one that affects 99% of online services and allows anyone who knows the username and password to find out all of the user's data. Frightened by the horror of the prospects that opened up, I decided to turn to the source: Elcomsoft, whose representatives were extremely kind and not only told us everything about Phone Password Breaker, but also let us try it out with our own hands, which we took advantage of.

But we will start, of course, with an interview.

Please tell us about Phone Password Breaker: who needs this program and what can be done with it?

Elcomsoft Phone Password Breaker allows law enforcement experts to access password-protected backups for smartphones and portable devices based on the RIM platform and Apple iOS. The utility supports all BlackBerry smartphones and all portable devices on the Apple iOS platform, including iPhone, iPad and iPod Touch of all generations and versions, including iPhone 4S and iOS 4.x and iOS 5.x.

The program provides the ability to restore access to backup copies of Apple and BlackBerry devices, which may contain address books, call logs, SMS archives, calendars, to-do lists, photos, voice mail and e-mail account settings, third-party applications, a history of visited web pages and the contents of these pages stored in the cache.

In addition, the program can use hardware acceleration of password cracking on AMD and NVIDIA video cards, which increases the decryption speed by 20-40 times compared to algorithms that use only the computer's central processor. The brute-force technology for graphics cards was developed and patented by ElcomSoft in the USA. At the moment, many software companies use this technology, as it allows you to get the computing power of a supercomputer at the price of a home graphics card.

The new version of EPPB is also capable of remotely retrieving information from the Apple iCloud online storage given the user's login (Apple ID) and password. Access to the device itself is not required.

Does EPPB brute-force passwords? Or are there some "holes" that allow you to do without it?

For backups created on a computer (offline), the program uses password brute force, involving various professional tricks such as rearranging or replacing characters, the so-called mask attacks, dictionary attacks, and combined or hybrid attacks, when several dictionaries are used at once. A complete list of attacks is available. Unfortunately (or fortunately, for some - ed. note), encryption of offline backups in iOS is quite strong, so only graphics acceleration of the brute force and the strength of the password itself can affect how quickly the password is recovered; that is, the simpler the password, the faster it is found.

As for the new iCloud access feature: do I understand correctly that everything is not as scary as they say on the Internet? After all, almost any online service will give access if the username and password are known (the same Gmail is just as insecure), and PPB simply simplifies access, or is there something deeper?

Everything is neither as simple nor as scary as it seems at first glance. Of course, you can access anything if you have the username and password, but in the case of iCloud the data comes encrypted. In addition, the only "official" way to use your Apple ID and password to download an iCloud backup is to restore a device (new or after a firmware restore) from iCloud. Simply logging in to icloud.com and downloading a backup will not work; Apple does not provide such an option.

And although there is encryption in iCloud, the encryption key comes along with the backup, which greatly simplifies the entire decryption process. In other words, the backup encryption settings that you can set in iTunes apply only to traditional offline backups and do not apply to iCloud backups. Data is sent to the cloud in virtually unencrypted form, regardless of the encryption settings (although the transmission channel is securely protected). When we discovered this security hole while examining online backups, it certainly surprised us, since Apple always cares about the safety of its users, but there are obviously technical reasons for it.

Our program can download backups from iCloud online storage, decrypt them and convert them to the usual iTunes format, although you can also use specialized software for data analysis, since there are plenty of such tools on the market now.

Are there ways to protect yourself from Phone Password Breaker? Or at least complicate the task of hacking?

In this case, the only good protection is a strong Apple ID password, one that cannot be quickly guessed by examining some information about the user. In principle, all the requirements of a password security policy are relevant here. In addition, you need to handle the password very carefully so as not to leave fraudsters the opportunity to find it, say, on a stolen iPhone not protected by a strong passcode, or, for example, on a computer left with open access, because the credentials may simply be saved in the web browser through which you visited the iCloud page. There can be many ways for data to leak, which is why it is always better to limit physical access to all the devices you use, which in the case of remote data storage in the cloud is a little more complicated. When using iCloud, you need to clearly understand that your Apple ID password is the only barrier between attackers and all your data stored online. Alternatively, you can simply not store data in iCloud at all, but only locally on your computer.

Are there versions of your software for OS X?

Unfortunately, we do not have a version of Elcomsoft Phone Password Breaker for OS X; the program works only under Windows. But Elcomsoft iOS Forensic Toolkit works on both PC and Mac; moreover, the program was originally written for the Mac, which is not typical for us.

What other Elcomsoft programs might be of interest to users of the Apple ecosystem?

We also have a wonderful product, Elcomsoft iOS Forensic Toolkit (EIFT), specially designed for forensic investigations of iPhone, iPad and iPod Touch devices based on Apple iOS. iOS Forensic Toolkit allows you to recover the device passcode (if it is a 4-digit passcode, the search takes no more than half an hour) and take an exact image of the file system and, in general, of all the data on the device. The product ensures the integrity and immutability of the data under investigation. Using iOS Forensic Toolkit, specialists can access the decrypted image of the device's file system and decrypt codes, passwords and other protected information.

Such is this interesting and informative story. Before drawing conclusions, I will demonstrate what this very Phone Password Breaker looks like at work. Since the program is available only for Windows, I would like to separately thank Parallels: in version 7 of Parallels Desktop, Elcomsoft Phone Password Breaker works quite well (although, of course, if you are going to collect data at a professional level, you should definitely take care of installing Windows).

Besides recovering passwords for backups of iOS devices, the program also works with BlackBerry (and very well), and although this is beyond the scope of our article, I cannot help but note this fact. Another important feature of Elcomsoft Phone Password Breaker is the ability to decrypt the Keychain stored in a password-protected backup (it is encrypted separately from the backup itself, but I won't go into details now).

By the way, Phone Password Breaker can be useful not only for law enforcement officers or intruders. The fact is that if you choose the option to protect the backup with a password and then carelessly forget this password, you will not be able to turn off this option without knowing the password, which will make all backups useless. And making another "passwordless" copy will no longer work either. In this case, Apple recommends doing a full reset of the device and setting it up again from scratch. If your data is dear to you, you can try using PPB as an alternative solution to the problem.

Elcomsoft Phone Password Breaker is installed, like most programs for Windows, with a simple wizard (during the installation I experienced a powerful attack of nostalgia; I haven't done this for a long time).

The program interface is very simple. Select the backup file, configure the types of attack you are interested in (described in more detail on the Elcomsoft website) and start the search. If you are lucky, cracking the password won't take long, especially if the password is a dictionary word, some variation on one, or simply short.

I was more interested in trying to restore from an iCloud copy. To do this, you need to enter the username and password of the account (of course, I used my own).

A few seconds of waiting, and we see all the devices that have backed up to iCloud. Select the checkboxes you need.

After that, for the user's convenience, PPB will offer to restore "understandable" file names and sort the information into folders. Naturally, it is better to accept this offer if you are going to sift through the "loot" yourself. If you use additional software for analysis, the backup should be left as is.

Immediately after that, the process of downloading your data from iCloud will start. It took me about 10 minutes for two devices.

The result will be files saved in the specified folder, extracted from the backup copy of your device, including even very critical ones.

There are no problems with SMS, logins, passwords, and a lot of other valuable data.

Of course, data analysis with the help of specialized software is much easier and more convenient, but for "domestic purposes" such a manual review will be more than enough.

Initially, I was a little put off by the need to use Windows, but thanks to Parallels this problem is nicely masked.

So that is how it all works; what conclusions can be drawn? The main conclusion is that there is no sensational security hole in iCloud, and there is no need to buy into the methods of yellow journalism. If your iCloud username and password are not compromised, there will be no access to your data in the cloud, and guessing the password for your iCloud account remotely is an unrealistic task. If you want to protect yourself, use a complex password for iCloud, and do not "expose" it on untrusted networks (on public Wi-Fi hotspots I highly recommend using a VPN). Better still, do not trust the Internet with important data at all; store it only locally and with a good password (if it is long enough, cracking it will not be a trivial task, even for a tool as powerful as PPB). Better still, just don't do anything that might draw the attention of forensic experts to you, because the "elusive Joe" principle from the joke works just fine in this case.

In conclusion, I want to say that forensics is an interesting and extensive topic, so if this article is of interest to readers, we will try to cover it in more depth and talk about its various aspects, show the software used, and maybe even talk with experts in this field.

P.S. If, for one reason or another, the topic of forensics interests you in practice, I can recommend a good (and in fact the only) free textbook in Russian by Nikolai Nikolaevich Fedotov, which will be equally useful for both lawyers and IT specialists.

Elcomsoft Phone Breaker is a universal tool for extracting data from backups and from the iCloud cloud storage of mobile devices running any iOS version. The tool allows law enforcement experts to access password-protected backups or download data from iCloud. The utility supports all portable devices on the Apple iOS platform, including iPhone, iPad and iPod Touch of all generations.

The utility allows you to recover passwords for backup copies of Apple devices using advanced attacks and hardware acceleration on AMD and NVIDIA video cards. Backups may contain address books, call logs, SMS message archives, calendars, to-do lists, photos, voice mail and e-mail account settings, third-party applications, a history of web pages visited and the contents of these pages stored in the cache.

Extracting data from the "cloud" iCloud

iOS device users have several options for backing up the contents of their devices. You can back up your information and store it locally on your computer using Apple iTunes. An alternative is to automatically back up data in Apple's iCloud cloud storage. Introduced in June 2011, iCloud allows users to store their device data on remote servers and use it across multiple devices. In addition, iCloud can be used to sync email, contacts, events, bookmarks, photos, and other information.

iCloud backups are incremental. If the device is set up to use iCloud, the device automatically creates a backup every time it connects to a wireless network and a power source.

With Elcomsoft Phone Breaker, you can extract data directly from the "cloud", even without the device itself on hand. All that is required to access iCloud online archives is the user's Apple ID and password, or a binary authentication token retrieved from the user's computer. Data can be accessed without the user's consent, making Elcomsoft Phone Breaker an ideal solution for law enforcement and intelligence organizations.

Both backup copies of iOS devices and other files stored in iCloud or iCloud Drive are retrieved from the "cloud" storage:

  • iWork documents (Pages, Numbers, Keynote) - if saving to the cloud is configured
  • documents of third-party applications (game saves, password databases, copies of WhatsApp correspondence, etc.)
  • some system files, including user dictionaries
  • iCloud Keychain
  • SMS and iMessage messages including attachments


iCloud Keychain

Using Elcomsoft Phone Breaker, it is possible to remotely retrieve saved passwords, credit card data and other protected information from iCloud Keychain, Apple's cloud service for storing and synchronizing passwords. Elcomsoft Phone Breaker is the only product on the market that provides access to iCloud Keychain.

Health data, messages and attachments from iCloud

The latest versions of iOS sync the user's health data (Apple Health), SMS messages and iMessages with the iCloud "cloud" service. Elcomsoft Phone Breaker allows you to retrieve synchronized Apple Health data, messages and attachments from the cloud, including media files and documents. To access this data, in addition to the login, password and second authentication factor, you will need to specify the passcode or PIN of one of the registered devices.

Selective Access

Downloading a large amount of data for the first time can take several hours. Subsequent updates are much faster because an incremental update storage system is used. If download speed is more important than data completeness, Elcomsoft Phone Breaker can quickly get the information you need and skip less important data that takes the longest to download (such as music or videos). Messages, attachments, phone settings, call logs, address books, notes and attachments, calendar, email account settings, photos, videos and more can be pre-selected and downloaded in minutes, providing near-real-time access to important information.

Access to synchronized data

Starting with iOS 9, iPhone automatically syncs certain types of data to the cloud. Data goes to iCloud independently of the main backups, and can be retrieved even when iCloud backups are disabled. Unlike backups that are created once a day, this data is synchronized with the user's account automatically and gets into the "cloud" with minimal delay.

Elcomsoft Phone Breaker retrieves synchronized call logs as well as other information: contacts, calendars, notes and attachments (including deleted ones) and the history of user actions in the Safari browser (including deleted entries). The full list of retrieved synced data includes:

  • Safari browser (history, bookmarks, open tabs)
  • Calendars, notes, contacts, recordings from the Voice Recorder app
  • iCloud Keychain and Screen Time passwords
  • Detailed call history
  • Apple Maps (Routes, Searches, Marked Places)
  • Wi-Fi (access point information, MAC addresses, date and device added from)
  • Wallet (except for payment cards)
  • Information about the user (address, phone numbers, name) and their devices (including serial numbers and OS version)
  • iBooks (Documents and PDFs added by the user)

Accessing deleted photos from iCloud Photo Library

Newer versions of iOS and Mac OS X have added the ability to store photos separately from backups, in iCloud Photo Library. iCloud Photo Library uses a new API to access files, and the photos themselves are no longer stored in "cloud" device backups.

Elcomsoft Phone Breaker retrieves files from iCloud Photo Library, including photos that have been deleted by the user. With Elcomsoft Phone Breaker, you can retrieve photos that have been deleted within the last 30 days. Selective access by user albums is available.

Decrypting FileVault 2 Volumes

New versions of Mac OS X use a built-in data encryption mechanism, the FileVault 2 cryptocontainer. Elcomsoft Phone Breaker extracts the escrowed encryption keys for encrypted volumes from an Apple ID account and decrypts FileVault 2 volumes without a brute-force attack.

Available to users of the Forensic edition. APFS volumes are currently not supported.

Two-factor authentication

Lately, Apple has been constantly working to improve the security of its mobile platform. An increasing number of Apple mobile device users protect access to their information with two-factor authentication. Now, to access data in the "cloud" from a new device, you need to go through an additional authentication step: obtain an access code on a trusted device or enter a special recovery key.

Elcomsoft Phone Breaker supports all relevant two-factor authentication methods, which allows experts to work with "cloud" data protected in this way. To extract data from an account that uses two-factor authentication, the examiner will need to use an authorized device to obtain a one-time access code, or enter the special key.

When working with two-factor authentication in Elcomsoft Phone Breaker, a one-time passcode or special key will only need to be entered once. Subsequent requests, both in the current session and in subsequent sessions, will be processed without additional checks.

Available to users of the Professional and Forensic editions.

Extract information from iCloud without login and password

The ability to access data in iCloud without using a login and password is a unique feature of Elcomsoft Phone Breaker. If the user's account password is unknown, a special authentication token extracted from the user's computer can be used to access the "cloud" data. Using a binary token requires neither a login with a password nor second-factor authentication.

Authentication tokens are generated by iTunes and stored on the hard drive of the computer that accesses iCloud. With an authentication token, it is possible to access data in iCloud without even knowing the user's login and password. You can retrieve an authentication token either directly from the user's computer or from a hard drive or its binary image, which is especially important when using the product in forensic laboratories and in conditions where only a hard disk, or an image of it extracted from the computer under investigation, is available. To extract tokens, Elcomsoft Phone Breaker has integrated functionality for searching for and extracting authentication tokens from a computer's hard drive or its image.

The set of data available through an authentication token depends on many factors: the version of iOS and of the iCloud panel on the user's computer, the presence or absence of two-factor authentication on the account, and others.

Extract files from iCloud

In addition to backups, files such as user documents and spreadsheets, application data, WhatsApp backups, Passbook data, and more can be retrieved from the iCloud cloud. While some types of data (mostly documents) can be retrieved using the iCloud app for Windows/macOS, the bulk of the data can only be accessed using Elcomsoft Phone Breaker. An important point: the user is not notified by e-mail when files are downloaded from the "cloud". Both classic iCloud and new iCloud Drive accounts are supported.

Available to users of the Forensic edition.

Windows Phone 8 & Windows 10 Mobile: Retrieving Data from Cloud Storage

Backups of data from devices running Windows Phone 8/8.1 and Windows 10 Mobile are created and stored exclusively in the cloud, for which Microsoft allocates space in its own OneDrive cloud storage.

Elcomsoft Phone Breaker provides the ability to remotely access data in the Microsoft cloud service, which holds backup copies of data from devices running Windows Phone 8. Extracting data from the Microsoft service significantly expands the possibilities available to forensic investigators when examining mobile devices. To gain access, you must specify the username and password of the user's Microsoft Account.

Extract data from Apple iPhone, iPad and iPod Touch backups

Historically, Elcomsoft Phone Breaker was developed as a product for extracting user data from password-protected backups of iOS devices. Elcomsoft Phone Breaker is the first program of its kind on the market to access protected backups of iPhone, iPod and iPad, and the only utility capable of reading and decrypting the contents of the system storage (keychain) containing encryption keys and passwords for email accounts, websites and third-party applications. These operations are possible if the password is known or recovered.

To decrypt the data stored in the backup, you must recover the original plaintext password. To make password cracking as fast as possible, ElcomSoft's programmers developed a number of technologies that distinguish the product from its competitors.

Program features

Hardware acceleration

To greatly increase the speed of the search, the product uses a company-developed technology for acceleration on graphics cards. Hardware-accelerated password brute force on AMD and NVIDIA gaming graphics cards increases the decryption speed by 20-40 times compared to algorithms that have only the central processor's computing resources. Brute-force technology on graphics cards provides the computing power of a supercomputer at the price of an average graphics card.

Elcomsoft Phone Breaker is able to simultaneously use an unlimited number of video cards installed in the computer, even if the devices belong to different generations, use different architectures and are made by different manufacturers. Thanks to this feature, Elcomsoft Phone Breaker users do not have to get rid of old devices when upgrading the system. If, instead of replacing the video card, you simply add a new adapter to the computer, Elcomsoft Phone Breaker can use the computing resources of all devices installed in the system to achieve the highest password brute-force speed.

"Smart" attacks

The use of "smart" attacks and dictionary attacks allows a password to be recovered much faster. Elcomsoft Phone Breaker supports powerful dictionary attacks using various dictionary mutations and combinations. According to many studies, most users create meaningful passwords from commonly used words that are easier for them to remember. Elcomsoft Phone Breaker can quickly recover such passwords and their variations in any language. The product supports many dictionary mutations and combinations, trying hundreds of variants of each dictionary word so as not to miss a chance to guess the right password as early as possible.

Extracting and decrypting stored passwords

On Apple iPhone devices, passwords for email accounts, websites and various applications are stored in the system storage (keychain) in encrypted form, and the hardware encryption keys are unique to each specific device. Prior to the release of iOS 4, data in the keychain was always encrypted using the unique device keys only, but with the release of Apple iOS 4 it became possible to create backups in which the contents of the keychain are encrypted with a master key that depends on the user's password. Elcomsoft Phone Breaker allows you to instantly read (and decrypt) all data in such a keychain, including passwords, if the master password is known or has been recovered using the attacks mentioned above.
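The password-dependent key derivation described above, together with the dictionary mutations that the "smart" attacks section and the interview's brute-force discussion refer to, as an added example (my code, not Elcomsoft's): it reads the KDF parameters from the keybag in a backup's Manifest.plist, derives the password-dependent key, and checks whether a candidate backup password is a trivial mutation of a dictionary word. The keybag TLV layout and the PBKDF2 scheme are the public format of encrypted iTunes backups; the keybag bytes, manifests, mutation rules and iteration counts in the block are constructed for the example.

```python
"""Inspect an encrypted iTunes backup keybag and test backup-password strength.

BackupKeyBag (in Manifest.plist) is a run of TLV records: 4-byte ASCII tag,
4-byte big-endian length, value. The key-encryption key (KEK) that unwraps the
class keys is PBKDF2-HMAC-SHA1(password, SALT, ITER); backups made by iOS 10.2+
first pass the password through PBKDF2-HMAC-SHA256(password, DPSL, DPIC).
The sample keybag below is constructed, with small iteration counts."""
import hashlib
import plistlib
import struct


def _tlv(tag: str, value: bytes) -> bytes:
    return tag.encode("ascii") + struct.pack(">I", len(value)) + value


def _u32(n: int) -> bytes:
    return struct.pack(">I", n)


# Constructed keybag: header fields, then one class-key record with dummy contents.
SAMPLE_KEYBAG = b"".join([
    _tlv("VERS", _u32(4)),
    _tlv("TYPE", _u32(1)),          # 1 = backup keybag
    _tlv("UUID", b"\x11" * 16),
    _tlv("HMCK", b"\x22" * 40),
    _tlv("WRAP", _u32(1)),
    _tlv("SALT", b"\x33" * 20),
    _tlv("ITER", _u32(10_000)),     # iOS 4-9 backups: 10,000 SHA-1 rounds
    _tlv("DPIC", _u32(100_000)),    # real iOS 10.2+ backups use 10,000,000; reduced here
    _tlv("DPSL", b"\x44" * 20),
    _tlv("UUID", b"\x55" * 16),     # first class-key record starts here
    _tlv("CLAS", _u32(1)),
    _tlv("WRAP", _u32(2)),
    _tlv("KTYP", _u32(0)),
    _tlv("WPKY", b"\x66" * 40),
])
# Constructed Manifest.plist files: a password-protected backup and a plain one.
SAMPLE_MANIFEST = plistlib.dumps({"IsEncrypted": True, "BackupKeyBag": SAMPLE_KEYBAG})
PLAIN_MANIFEST = plistlib.dumps({"IsEncrypted": False})


def parse_keybag(blob: bytes) -> dict:
    """Return the KDF parameters from the keybag header (stops at the first class record)."""
    fields, off = {}, 0
    while off + 8 <= len(blob):
        tag = blob[off:off + 4].decode("ascii")
        (length,) = struct.unpack(">I", blob[off + 4:off + 8])
        value = blob[off + 8:off + 8 + length]
        off += 8 + length
        if tag == "CLAS":
            break
        if tag in ("VERS", "TYPE", "WRAP", "ITER", "DPIC"):
            fields[tag] = struct.unpack(">I", value)[0]
        elif tag in ("SALT", "DPSL"):
            fields[tag] = value
    return fields


def pbkdf2_rounds(kb: dict) -> int:
    """Total PBKDF2 iterations per password guess: the knob that slows a GPU attack."""
    return kb.get("ITER", 0) + kb.get("DPIC", 0)


def inspect_manifest(plist_bytes: bytes) -> dict:
    """Report whether a backup is password-protected and how expensive each guess is."""
    manifest = plistlib.loads(plist_bytes)
    report = {"encrypted": bool(manifest.get("IsEncrypted", False))}
    if report["encrypted"]:
        kb = parse_keybag(manifest["BackupKeyBag"])
        report.update(kb)
        report["double_kdf"] = "DPSL" in kb and "DPIC" in kb
        report["pbkdf2_rounds"] = pbkdf2_rounds(kb)
    return report


def derive_kek(password: str, kb: dict) -> bytes:
    """Derive the 32-byte KEK; the AES key-unwrap of the class keys is omitted here."""
    key = password.encode("utf-8")
    if "DPSL" in kb and "DPIC" in kb:      # iOS 10.2+: extra SHA-256 pass first
        key = hashlib.pbkdf2_hmac("sha256", key, kb["DPSL"], kb["DPIC"], 32)
    return hashlib.pbkdf2_hmac("sha1", key, kb["SALT"], kb["ITER"], 32)


# Constructed, deliberately small set of the cheap variants a dictionary attack tries.
LEET = str.maketrans({"a": "4", "e": "3", "i": "1", "o": "0", "s": "5"})
SUFFIXES = ("", "1", "123", "!", "2012")


def mutations(word: str):
    """Yield case, leet and suffix variants of one dictionary word."""
    bases = {word.lower(), word.capitalize(), word.upper()}
    bases |= {b.translate(LEET) for b in bases}
    for base in bases:
        for suffix in SUFFIXES:
            yield base + suffix


def is_dictionary_derived(password: str, words) -> bool:
    """True if the password is a trivial variant of a dictionary word: reject it for backups."""
    return any(password == m for w in words for m in mutations(w))


def mutated_keyspace(words) -> int:
    """Number of candidates a mutation attack needs to cover this dictionary."""
    return sum(len(set(mutations(w))) for w in words)


def seconds_to_exhaust(candidates: int, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate at a given (KDF-dependent) guess rate."""
    return candidates / guesses_per_second
```

Run `inspect_manifest` over a real Manifest.plist to confirm a backup is actually password-protected and whether it uses the slower iOS 10.2+ derivation; `is_dictionary_derived` is the policy check to apply to the backup password before relying on it.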

Compatibility

Edition columns: Home (Win) | Pro (Win/Mac) | Forensic (Win/Mac)
Support for all iOS versions from 3 to iOS 13.x and iPadOS
Support for all iPhone models
iPod touch and iPad support
Support for all BlackBerry devices (except PlayBook)
Recover passwords for device backups in iTunes ✓/- ✓/-
Number of processors supported 2 32/- 32/-
Number of supported graphics adapters 1 8/- 8/-
Extract and decrypt data in iOS Keychain -
Extract and decrypt data in iCloud Keychain - -
Decrypt iTunes backups (with known password) -
Password recovery for BlackBerry 6/7 backups - ✓/- ✓/-
BlackBerry 6/7 backup decryption (with known password) -
BlackBerry Password Keeper password recovery (up to BB 10) - ✓/- ✓/-
Password recovery for BlackBerry Wallet - ✓/- ✓/-
Password recovery on a Blackberry device - ✓/- ✓/-
Decryption of SD memory card for Blackberry 6/7 -
Extract and decrypt iCloud Password Bundle (iCloud Keychain) - -
Retrieve Messages, Attachments, Apple Health app data - -
Download iCloud backup with Apple ID and password -
Uploading an iCloud backup for iOS 11.2+ with two-factor authentication active - -
Retrieve synced data from iCloud with Apple ID and password - -
iCloud Access with Tokens (Authentication Tokens) - -
Support for iCloud accounts with two-factor authentication - -
Download more data from iCloud (Drive) - -
Extracting data from the Windows Phone cloud (login and password required) -
Blackberry 10 backup data decryption (requires BB ID and password) - -
Extract FileVault Recovery Key from iCloud and Decrypt Drive - -

The ability to recover passwords (for iOS and BlackBerry backups and for BlackBerry devices) is only available in the Windows version.

Elcomsoft Phone Breaker runs on computers with Windows 7, Windows 8/8.1/10 and Windows Server 2008/2012/2016/2019, 32-bit and 64-bit. It supports password-protected backups from the original Apple iPhone up to the latest models inclusive, iPad of all generations (including Pro and iPad Mini) and iPod Touch of all generations.

Please note that Elcomsoft Phone Breaker CANNOT unlock an iPhone in any way, bypass Activation Lock, modify the iPhone, or remove/change the PIN code of SIM cards. The program is intended only for recovering passwords for backups and for accessing data and backups in iCloud. For detailed information, please refer to the Help Guide or FAQ for Phone Password Breaker (in English).

    When downloading iOS 11.2 and newer backups from iCloud accounts with two-factor authentication, the account may be temporarily locked out, requiring a password reset.

    If the option to encrypt the memory card with a password is enabled (before BlackBerry 10)

    Several hundred thousand passwords per second, depending on the power of the computer

    When using hardware acceleration with NVIDIA or AMD video cards, we recommend installing the latest driver versions for these cards. For configurations with several video cards, we recommend Windows 7 as the operating system.

It is desirable to encrypt the data on a laptop, even a home one; at the very least, the user needs a strong authentication mechanism with a strong password. Until recently, I, like many others, believed that few people are interested in my home computer. Yes, I need a strong password at work, but what do I have to hide at home? And from whom? However, I had to change my mind. What happened? It's simple. I received the latest version of Elcomsoft Phone Password Breaker. With the help of this software you can copy the contents of your iPhone backups to any computer without knowing the password or the Apple ID. The only consolation is that all this can be done only with the EPPB Forensic edition. Let's look at the program's features in more detail.

Hacking iCloud: a password is no longer needed!

I have already talked about downloading iPhone (iPad) data from iCloud (in an article published in Windows IT Pro/RE #2 2014). That article discussed how a researcher can access "cloud" backups. This time, however, we will look at accessing iCloud data without any password. I note that this feature is intended primarily for law enforcement, since copying data from iCloud without a password requires a binary authentication token, which must be obtained from the suspect's computer. To date, EPPB is the only product that can do this. However, it is worth emphasizing that in order to use this method of extracting data, you need physical access to the suspect's computer, which must also have the iCloud Control Panel installed.

What is the iCloud Control Panel

To create an iCloud account you need an iPhone, iPad or iPod touch with iOS 5 or later, or a Mac with OS X Lion 10.7.5 or later. Access to email, contacts and calendars requires Microsoft Outlook 2007 or later, or an up-to-date browser. To sync bookmarks with Firefox or Google Chrome, the iCloud Bookmarks extension is needed.

The iCloud Control Panel (shown in Figure 1) is an integral part of iTunes, but on a Windows computer it requires a separate installation. On a computer running Mac OS this program is already installed.

Getting an iCloud authentication token

To obtain an authentication token, you need the suspect's computer (Windows or Mac OS) with the iCloud Control Panel installed and signed in to the suspect's account, as well as the EPPB Forensic program.

Most users open the iCloud Control Panel to sync contacts, passwords (iCloud Keychain) and other data, and remain signed in to the "cloud". In other words, the examiner has a high chance of obtaining an authentication token from such a computer. Next, use the command-line tool supplied with Elcomsoft Phone Password Breaker to find and extract the authentication tokens. Note that you can extract the tokens of all users of the examined system, including domain users (if you have their user names and passwords to log into the system). After extracting the authentication tokens, save them to a USB flash drive, then run Elcomsoft Phone Password Breaker on your own computer and enable iCloud data collection. When you do this, instead of entering an iCloud user name and password, enter the authentication token. That's it! You no longer need a user name and password to authenticate.

The tool used to extract authentication tokens is ATEX (Authentication Token Extractor): atex.exe (for Windows) or atex.dmg (for Mac OS X). The file can be launched from any folder; in particular, I recommend running it from a USB stick. As a result, you will receive a text file containing the authentication token.

In the Windows Command Prompt window, the following options are available:

>atex.exe
  -h    // Shows help message
  -l    // Shows system users with iCloud tokens
  -t    // Gets the auth token for the specified user

To retrieve the token of the cloud-connected user on Windows, run atex.exe without parameters. You will get results like those in Figure 2.

To get a list of users who have authentication tokens on this computer, run ATEX with the "-l" parameter. If you want to get the token of another Windows user, you need to know his user name and password:

>atex.exe -t name password

You need administrator rights to get another user's token on this computer.

Mac OS X

On Mac OS X, ATEX is distributed as a .dmg file containing the executable 'atex' (a Mac program with no extension). To extract the executable, double-click the DMG file to mount it (on Mac OS X). You can copy the executable to a USB flash drive, or run atex from any folder on the Mac.

Using ATEX on a Mac is similar to using it on Windows; the differences are quite subtle. On Windows, if you want to retrieve another user's token, you pass the password on the command line. On a Mac, the system asks for the password interactively. Also, on a Mac you put the "-u" switch in front of the user name. The final difference is the output format: on Windows you get a plain text file, on a Mac you get a .plist (XML) file.

The correct way to run ATEX on a Mac is as follows: open Terminal, change the current folder ('cd') to the one where 'atex' is saved, and then start atex.

Using an authentication token

So we have an authentication token. How do we use it? Launch EPPB Forensic Edition (Figure 4).

From the menu, select Tools, Apple, Download backup from iCloud. In the Token field, enter the previously obtained token (Figure 5). The rest of the process is no different from downloading a backup with an Apple ID and password. However, the following must be taken into account:

  1. It is impossible to recover the password from a token.
  2. If the password is removed from the iCloud Control Panel, EPPB will not be able to recover it.
  3. A new token is created each time the user signs in to the iCloud Control Panel with their user name and password. However, previous authentication tokens can still be used to access the iCloud backup.
  4. If the user opens the iCloud Control Panel on a different computer (with the same Apple ID), the tokens will differ, but either one will work with EPPB.
  5. At the same time, tokens have a finite "lifetime". I do not know the exact period as of today.
  6. If the user changes the password, the old tokens will no longer work.
  7. You can use ATEX from a USB flash drive without installation. The tokens will be saved to the same flash drive.
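To make the seven points above concrete from the service side, here is an added example (not Apple's or Elcomsoft's code) of a generic bearer-token scheme that has exactly those properties: a token contains no password, each sign-in on each device yields a distinct token that stays valid alongside the others, tokens expire, and a password change retires every token issued before it. `TokenService`, `demo` and the credentials inside are names and values assumed for the illustration.

```python
import hashlib
import hmac
import os

# Added illustration of the token behaviour listed above. It models a generic
# bearer-token scheme and is NOT Apple's or Elcomsoft's implementation.


class TokenService:
    """Issues long-lived authentication tokens that stand in for a password.

    Every token carries the account, the device it was issued to, the account's
    password generation and an expiry time, all bound by an HMAC under a server
    key so that a client cannot alter or forge them.
    """

    def __init__(self, lifetime_seconds=30 * 86400):
        self.server_key = os.urandom(32)   # constructed server-side MAC key
        self.accounts = {}                 # account -> {"salt", "verifier", "generation"}
        self.lifetime = lifetime_seconds

    @staticmethod
    def _verifier(password, salt):
        # Slow, salted hash: the server stores only this, never the password.
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

    def create_account(self, account, password):
        salt = os.urandom(16)
        self.accounts[account] = {"salt": salt,
                                  "verifier": self._verifier(password, salt),
                                  "generation": 1}

    def _check_password(self, account, password):
        acct = self.accounts[account]
        return hmac.compare_digest(acct["verifier"], self._verifier(password, acct["salt"]))

    def sign_in(self, account, password, device, now):
        """Password sign-in from a device: returns a fresh token for that device."""
        if not self._check_password(account, password):
            raise PermissionError("bad password")
        gen = self.accounts[account]["generation"]
        payload = f"{account}|{device}|{gen}|{int(now) + self.lifetime}|{os.urandom(8).hex()}"
        tag = hmac.new(self.server_key, payload.encode(), hashlib.sha256).hexdigest()
        return f"{payload}|{tag}"

    def change_password(self, account, new_password):
        """Bumping the generation retires every token issued before the change."""
        acct = self.accounts[account]
        acct["salt"] = os.urandom(16)
        acct["verifier"] = self._verifier(new_password, acct["salt"])
        acct["generation"] += 1

    def validate(self, token, now):
        """True if the token is authentic, unexpired and from the current generation."""
        payload, _, tag = token.rpartition("|")
        expected = hmac.new(self.server_key, payload.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(tag, expected):
            return False
        account, _device, gen, expiry, _nonce = payload.split("|")
        acct = self.accounts.get(account)
        return acct is not None and int(gen) == acct["generation"] and int(now) < int(expiry)


def demo():
    """Walk through the listed token properties; returns the observations as a dict."""
    svc = TokenService(lifetime_seconds=3600)
    svc.create_account("user@example.com", "correct horse")   # constructed credentials
    t0 = 1_000_000
    pc_token = svc.sign_in("user@example.com", "correct horse", "home-pc", t0)
    laptop_token = svc.sign_in("user@example.com", "correct horse", "laptop", t0)
    pc_token_2 = svc.sign_in("user@example.com", "correct horse", "home-pc", t0 + 10)
    tampered = pc_token[:-1] + ("0" if pc_token[-1] != "0" else "1")
    obs = {
        "password_absent_from_token": "correct horse" not in pc_token,                   # item 1
        "old_token_survives_new_sign_in": svc.validate(pc_token, t0 + 20),              # item 3
        "per_device_tokens_differ": pc_token != laptop_token,                            # item 4
        "both_device_tokens_work": svc.validate(laptop_token, t0 + 20)
                                   and svc.validate(pc_token_2, t0 + 20),                # item 4
        "expired_token_rejected": not svc.validate(pc_token, t0 + 3600),                 # item 5
        "tampered_token_rejected": not svc.validate(tampered, t0 + 20),
    }
    svc.change_password("user@example.com", "battery staple")
    obs["old_tokens_dead_after_password_change"] = not any(                              # item 6
        svc.validate(t, t0 + 20) for t in (pc_token, laptop_token, pc_token_2))
    obs["new_sign_in_works_after_change"] = svc.validate(
        svc.sign_in("user@example.com", "battery staple", "home-pc", t0 + 30), t0 + 40)
    return obs


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The design point for a defender is item 6: because the generation counter is part of the signed payload, a password change is the one user action that invalidates every stored token at once, which is why it is the right response when a computer that held a signed-in iCloud Control Panel is lost or suspected compromised.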

In conclusion, I want to say that, on the one hand, I am proud of Russian developers; on the other hand, I understand that this program opens another Pandora's box. Why? Because it is yet another way to steal information from mobile phones. And since our management is used to the idea that a fashionable smartphone is an Apple smartphone, additional risks arise. For example, do you always trust the service center? Are you always able to supervise an employee who is doing something on your computer? Launching the utility takes a few seconds, and the backups can then be analyzed at home.

A smartphone stores not just a lot of information about you, but a great deal. And the most interesting part, in my opinion, is the passwords for mail, Skype and much more. What can you do? The advice is standard: encrypt your hard drive, set a strong account password, change it in good time, and remember to lock your computer. Yes, the same applies to the tablet! After all, there is no difference. In short, learn to protect your privacy, at least a little.

Genre: Password Recovery
Developer: Elcomsoft Co. Ltd.
Developer site: http://www.elcomsoft.com

Interface language: English
Platform: Windows 98, XP, XP x64, 2003, Vista, Vista x64, 2008, 7, 7 x64
System requirements:
About 6 MB of free space on hard disk
Modern CPU with SSE2 instruction set support
manifest.plist file from an iPhone/iPod/iPad backup created by iTunes (or the complete backup to read keychain data)
One or more supported NVIDIA or ATI cards, or Tableau TACC1441 (recommended for hardware acceleration)
Description: Elcomsoft Phone Password Breaker allows law enforcement experts to access password-protected backups of smartphones and portable devices based on the RIM BlackBerry and Apple iOS platforms. The utility supports all BlackBerry smartphones and all portable devices based on Apple iOS, including iPhone, iPad and iPod Touch of all generations and versions, including the iPhone 4 and iOS 4.1.

Access password-protected backups on Apple and BlackBerry devices

The utility lets you recover passwords for backups of Apple and BlackBerry devices. Backups may include address books, call logs, SMS archives, calendars, to-do lists, photos, voicemail and email account settings, third-party applications, web browsing history and the contents of visited pages stored in the cache.

Acceleration with graphics cards

To multiply the speed of password brute-forcing for backups of Apple devices, the utility uses the company's graphics-card acceleration technology. Elcomsoft Phone Password Breaker is the first software of its kind on the market to access protected iPhone/iPod backups, and the only utility capable of reading and decrypting the system storage (keychain) containing encryption keys and passwords for email accounts, websites and third-party applications. These operations are possible if the password is known or recovered.

Hardware acceleration

Elcomsoft Phone Password Breaker uses ATI and NVIDIA graphics cards to speed up password brute-forcing. A dictionary attack recovers a password much faster than a plain brute-force attack. With password cracking on graphics cards, you get the computing power of a supercomputer for the price of a "home" graphics card.
Elcomsoft Phone Password Breaker is the first software on the market that uses the processing power of graphics adapters to recover passwords for iPhone, iPad and iPod backups. With ordinary "home" graphics cards from ATI and NVIDIA installed, you get the processing power of a supercomputer: the speed of password brute-forcing increases tenfold compared to brute-forcing on the central processor. Currently, up to 8 ATI and NVIDIA graphics adapters are supported, including the NVIDIA GeForce 8, 9, 100, 200, 400 and GTX 580 series and the ATI RADEON 4800, 5000 and HD 6970 series.

Powerful attacks

Elcomsoft Phone Password Breaker supports powerful dictionary attacks using various dictionary mutations and combinations. According to many studies, most users build meaningful passwords from commonly used words that are easier for them to remember. Elcomsoft Phone Password Breaker can quickly recover such passwords and their variations in any language. It supports many dictionary mutations and combinations, trying hundreds of variants of each dictionary word so that the right password is not missed and is found as soon as possible.
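The "mutations and combinations" described above are the same transformations a defender can test a proposed password against before it is ever used. The following is an added example, not Elcomsoft's code: a small checker that undoes the common mutations (case changes, leet substitutions, digits and symbols appended or prepended, two words joined) and reports whether the result collapses to a dictionary word. `DICTIONARY` is a constructed sample word list; `LEET_REVERSE`, `normalize`, `candidate_stems` and `weakness` are names assumed here.

```python
import re

# Constructed sample dictionary; a real check would load a large word list.
DICTIONARY = {"password", "summer", "welcome", "dragon", "correct", "horse",
              "admin", "iphone", "apple", "backup"}

# Reverse map of the usual character substitutions ("leet"): 'P4ssw0rd' -> 'password'.
LEET_REVERSE = {"4": "a", "@": "a", "3": "e", "1": "i", "!": "i", "0": "o",
                "5": "s", "$": "s", "7": "t"}


def normalize(candidate):
    """Lowercase the candidate and undo leet substitutions."""
    return "".join(LEET_REVERSE.get(ch, ch) for ch in candidate.lower())


def candidate_stems(password, max_affix=6):
    """Yield (stem, note) pairs: the password with up to max_affix non-letter characters
    stripped from the end and/or the start, e.g. 'Summer2014!' -> ('Summer', "suffix '2014!'")."""
    seen = set()
    for tail in range(max_affix + 1):
        suffix = password[len(password) - tail:] if tail else ""
        if any(c.isalpha() for c in suffix):
            break                      # stop once we would be eating letters
        core = password[:len(password) - tail] if tail else password
        for head in range(max_affix + 1):
            prefix = core[:head]
            if any(c.isalpha() for c in prefix):
                break
            stem = core[head:]
            if len(stem) < 3 or stem in seen:
                continue
            seen.add(stem)
            notes = [f"prefix '{prefix}'"] if prefix else []
            if suffix:
                notes.append(f"suffix '{suffix}'")
            yield stem, ", ".join(notes) or "no affix"


def weakness(password):
    """Return a description of the dictionary-mutation rule that reproduces the password,
    or None if none of the modelled rules do. (Pure keyboard walks and digit-only
    passwords are outside this model and need separate rules.)"""
    for stem, affix in candidate_stems(password):
        word = normalize(stem)
        leet = "leet-substituted " if word != stem.lower() else ""
        if word in DICTIONARY:
            return f"{leet}dictionary word '{word}' ({affix})"
        # Two dictionary words joined, each at least three letters long.
        for i in range(3, len(word) - 2):
            if word[:i] in DICTIONARY and word[i:] in DICTIONARY:
                return f"{leet}two dictionary words '{word[:i]}'+'{word[i:]}' ({affix})"
    return None


if __name__ == "__main__":
    for pw in ("P4ssw0rd123!", "Summer2014", "correcthorse", "xK7#q2Lm9vR"):
        print(f"{pw!r}: {weakness(pw) or 'no modelled rule matches'}")
```

Used as a pre-check in an enrolment flow, the function rejects exactly the class of passwords that a mutation-driven dictionary attack finds first; a password that survives it still needs length and true randomness, which a regex cannot measure.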

Extracting and decrypting stored passwords

In Apple iPhone devices, passwords for email accounts, websites and various applications are stored encrypted in the system storage (keychain), and the hardware encryption keys are unique to each specific device. Before iOS 4, data in the keychain was always encrypted only with the unique device keys; with Apple iOS 4 it became possible to create backups in which the keychain contents are encrypted with a master key that depends on the user's password. Elcomsoft Phone Password Breaker can instantly read (and decrypt) all data from such a keychain, including passwords, if the master password is known or recovered using the attacks described above.
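The sentence above describes a key hierarchy: the keychain items are encrypted under a random master key, and only the master key is wrapped under a key derived from the user's password. The following added example (a teaching model, not Apple's backup format and not Elcomsoft's code) shows that hierarchy end to end with the Python standard library: PBKDF2 turns the password into wrapping material, a wrong password fails the integrity check instead of yielding garbage, and changing the backup password re-wraps the master key without touching any item. `ITERATIONS`, `wrap_master_key`, `unwrap_master_key`, `encrypt_item`, `decrypt_item` and `change_backup_password` are names assumed here; HMAC-SHA256 in counter mode stands in for AES because the standard library has no AES.

```python
import hashlib
import hmac
import os

# Added illustration of password-dependent key wrapping. It is a teaching model,
# not Apple's backup keychain format and not Elcomsoft's code.

ITERATIONS = 200_000   # work factor paid per password guess (constructed value)


def derive_wrapping_keys(password, salt, iterations=ITERATIONS):
    """PBKDF2 turns the password into 64 bytes: 32 to wrap the master key, 32 to MAC it."""
    material = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations, dklen=64)
    return material[:32], material[32:]


def wrap_master_key(master_key, password):
    """Protect a 32-byte master key under the password. Returns salt || wrapped || tag."""
    if len(master_key) != 32:
        raise ValueError("master key must be 32 bytes")
    salt = os.urandom(16)
    xor_key, mac_key = derive_wrapping_keys(password, salt)
    wrapped = bytes(m ^ k for m, k in zip(master_key, xor_key))   # one-time pad with a fresh salt
    tag = hmac.new(mac_key, salt + wrapped, hashlib.sha256).digest()
    return salt + wrapped + tag


def unwrap_master_key(blob, password):
    """Recover the master key, or return None if the password is wrong (MAC mismatch)."""
    salt, wrapped, tag = blob[:16], blob[16:48], blob[48:]
    xor_key, mac_key = derive_wrapping_keys(password, salt)
    expected = hmac.new(mac_key, salt + wrapped, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(w ^ k for w, k in zip(wrapped, xor_key))


def keystream(master_key, nonce, length):
    """HMAC-SHA256 in counter mode; a stand-in for AES-CTR using only the stdlib."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(master_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt_item(master_key, plaintext):
    """Encrypt one keychain item under the master key (confidentiality only, for the demo)."""
    nonce = os.urandom(16)
    return nonce + bytes(p ^ k for p, k in zip(plaintext, keystream(master_key, nonce, len(plaintext))))


def decrypt_item(master_key, ciphertext):
    nonce, body = ciphertext[:16], ciphertext[16:]
    return bytes(c ^ k for c, k in zip(body, keystream(master_key, nonce, len(body))))


def change_backup_password(blob, old_password, new_password):
    """Only the wrapping changes; every item encrypted under the master key stays as it is."""
    master = unwrap_master_key(blob, old_password)
    if master is None:
        raise PermissionError("old password does not unlock the master key")
    return wrap_master_key(master, new_password)


if __name__ == "__main__":
    master = os.urandom(32)
    blob = wrap_master_key(master, "correct horse battery staple")     # constructed password
    item = encrypt_item(master, b"mail account password: hunter2")      # constructed item
    print("wrong password unlocks:", unwrap_master_key(blob, "hunter2") is not None)
    print("decrypted:", decrypt_item(unwrap_master_key(blob, "correct horse battery staple"), item))
```

Two things follow for a defender. Every guess against the backup costs one full PBKDF2 derivation, so the iteration count and the password's entropy together set the attacker's cost, which is why the GPU acceleration the page describes matters. And because only the wrap depends on the password, the data itself is no weaker than the random master key; the password is the only part a user controls.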

Offline work

Elcomsoft Phone Password Breaker does not use Apple iTunes or BlackBerry Desktop Software, so there is no need to install them. All password-guessing operations are performed offline.

Program features

- Access information stored in password-protected iPhone, iPad and iPod Touch backups
- Access information stored in password-protected backups of BlackBerry smartphones
- Recovering passwords for backup copies of any BlackBerry smartphones
- Reading and decrypting data in the system storage (keychain): passwords for email accounts, passwords for Wi-Fi networks and passwords for websites and third-party applications
- Acceleration with multiple low-cost ATI or NVIDIA graphics adapters installed in the system*
- Hardware acceleration using Tableau TACC1441
- Dictionary attacks using various dictionary mutations and combinations
- The program works completely offline and does not require the installation of Apple iTunes or BlackBerry Desktop Software
- Recovering backup passwords for original and 'modified' iPhones, iPhone 3G, iPhone 3GS, iPhone 4, iPad and iPod Touch (up to and including 4th generation)
- Compatible with all versions of iTunes (including 10.0), iOS (3 and 4, including 4.1) and BlackBerry Desktop Software
- Decryption of iPhone backups with a known password
- Using AES-NI instructions to speed up BlackBerry backup password brute-forcing
- Support for AMD Radeon HD 6970 and NVIDIA GTX 580

The first program on the market to access protected iPhone, iPod, iPad and BlackBerry backups (in short, remote hacking) and the only utility capable of reading and decrypting the contents of the system storage (keychain) containing encryption keys and passwords for email accounts, websites and third-party applications. These operations are possible if the password is known or recovered.

Elcomsoft Phone Password Breaker lets you recover passwords for backups and access password-protected backups of smartphones and portable devices based on the RIM BlackBerry and Apple iOS platforms. The utility supports all BlackBerry smartphones and all portable devices on the Apple iOS platform, including iPhone, iPad and iPod Touch of all generations and versions, including the iPhone 5 and iOS 6.
The utility lets you recover passwords for backups of Apple and BlackBerry devices. Backups may include address books, call logs, SMS archives, calendars, to-do lists, photos, voicemail and email account settings, third-party applications, web browsing history and the contents of visited pages stored in the cache.
To multiply the speed of password brute-forcing for backups of Apple devices, the utility uses the company's graphics-card acceleration technology.

Program features
- Access information stored in password-protected iPhone, iPad and iPod Touch backups
- Access information stored in password-protected backups of BlackBerry smartphones
- Recover backup passwords for original and 'modified' iPhones, iPhone 3G, iPhone 3GS, iPhone 4, iPad and iPod Touch
- Recovering passwords for backup copies of any BlackBerry smartphones
- Reading and decrypting data in the system storage (keychain): passwords for email accounts, passwords for Wi-Fi networks and passwords for websites and third-party applications
- Acceleration with multiple low-cost ATI or NVIDIA graphics cards installed in the system
- Hardware acceleration using Tableau TACC1441
- Dictionary attacks using various dictionary mutations and combinations
- The program works completely offline and does not require the installation of Apple iTunes or BlackBerry Desktop Software
- Recovering backup passwords for original and 'modified' iPhones, iPhone 3G, iPhone 3GS, iPhone 4, iPhone 5, iPad and iPod Touch
- Compatible with all versions of iTunes (including 11.0), iOS (including 6) and BlackBerry Desktop Software
- Decrypt iPhone backups with a known password
- Using AES-NI instructions to speed up password brute-forcing for BlackBerry backups
- Support for AMD Radeon HD 6970 and NVIDIA GTX 580

EPPB allows access to a user's iPhone and iPad cloud data from a Windows PC without the user's knowledge.
In the latest versions of the application, it became possible to access backup copies of personal data stored on Apple servers via the iCloud cloud service. To gain access, the Apple ID and the corresponding password must be known. Access to the device itself is not required, and the data goes directly to the "researcher's" computer, the developer's press service reports.
If you have the mobile phone itself or a PC synchronized with it, EPPB is able to extract passwords both from the device and from iTunes. When the same ID is used to register multiple devices, information can be retrieved from all registered devices.

"There are a number of technological limitations," commented Dmitry Sklyarov, lead developer at ElcomSoft. "... the Apple ID and the user's password, which in itself is quite a lot. In addition, a number of conditions must be met. The user must have enabled synchronization with the iCloud service on the device, and synchronization itself must take place from time to time. The positive side is that there is no need to confiscate the user's phone or computer; moreover, he will not even notice that he is being monitored."
Backups contain information about received and made calls, emails, notes, text messages, as well as photos and videos, browser bookmarks, account information and data from various installed applications.

Synchronization of mobile device data with iCloud storage takes place every time the device is within range of its home Wi-Fi network, the company explained. This makes it possible not only to receive all user data at once, but also to track changes (new calls, emails, notes, photos, etc.) with minimal delay.
EPPB does not use Apple iTunes or BlackBerry Desktop Software in its work, so there is no need to install these programs. All password-guessing operations are performed offline.

Elcomsoft Phone Password Breaker enables forensic access to password-protected backups for smartphones and portable devices based on RIM BlackBerry and Apple iOS platforms. The password recovery tool supports all BlackBerry smartphones as well as Apple devices running iOS, including iPhone, iPad and iPod Touch devices of all generations released to date, including the iPhone 5 and iOS 6.

The new tool recovers the original plain-text passwords protecting encrypted backups for Apple and BlackBerry devices. The backups contain address books, call logs, SMS archives, calendars and other organizer data, camera snapshots, voice mail and email account settings, applications, Web browsing history and cache.
Features and Benefits
- Gain access to information stored in password-protected iPhone, iPad and iPod Touch backups
- iPhone and BlackBerry backup decryption using a known password
- Recover passwords to BlackBerry Password Keeper and Wallet applications
- Recover BlackBerry device password***
- Read and decrypt keychain data (email account passwords, Wi-Fi passwords, and passwords you enter into websites and some other applications)
- Save time with cost-efficient GPU acceleration when one or several AMD or NVIDIA video cards are installed*
- Hardware acceleration on Tableau TACC1441 hardware
- Perform advanced dictionary attacks with highly customizable permutations
- Perform offline attacks without Apple iTunes or BlackBerry Desktop Software installed
- Recover passwords to backups for original and 'jailbroken' iPhone (all models up to iPhone 5), iPad (all generations incl. iPad Mini), and iPod Touch (all generations) devices
- Recover passwords to all BlackBerry smartphones released to date
- Compatible with all versions of iTunes (incl. 11) and iOS (up to 4/5/6, incl. the latest 6.1.3) and BlackBerry Desktop Software
- Using AES-NI instructions to speed up BlackBerry backups' password recovery
- AMD Radeon HD 7000 series and NVIDIA GTX 600 series support

Interface: English

Supported operating systems: Windows 2000, 7, Server 2003/2008, Vista, XP