July 23, 2014

New Version of ElcomSoft iOS Forensic Toolkit Released: Supports iOS Keychain Decryption

(LiveHacking.Com) – ElcomSoft has released a major update of its iOS Forensic Toolkit, an all-in-one toolkit for iOS acquisition on both Windows and Mac.

ElcomSoft iOS Forensic Toolkit performs physical acquisition of encrypted information stored on iOS-based devices. The toolkit gives investigators access to protected file system dumps extracted from iPhone and iPad devices even if the data has been encrypted by iOS 4.

According to the ElcomSoft blog, the decryption capability is unique and allows investigators to obtain a fully usable image of the device’s file system with the contents of each and every file decrypted and available for analysis.

New Features at a Glance:

  • The ability to decrypt contents of the device keychain
  • The ability to perform logical acquisition of the device
  • Logging of all operations performed within Toolkit
  • Support for iPhone 3G
  • Support for iOS 3.x on compatible devices
  • Support for iOS 4.3.4 (iOS 4.2.9 for iPhone 4 CDMA)

The new version of iOS Forensic Toolkit can extract and decrypt keychain data from iOS devices running iOS 3.x and 4.x. The keychain is system-wide storage in which users’ sensitive information is kept in protected form.

Another new feature in this version is the audit trail capability. The toolkit creates a unique log file that keeps track of the activities performed and helps investigators maintain the integrity of their investigation.

More technical information is available at ElcomSoft Blog.

ElcomSoft Breaks iOS 4 Encryption – Offers New Forensic Service

ElcomSoft have succeeded in decrypting the iPhone’s encrypted file system under iOS 4 and are making it available exclusively to law enforcement, forensic and intelligence agencies.

This is a major feat: since the launch of the iPhone 3GS, Apple has included hardware encryption in all of its devices (including the iPhone 4 and iPad). iOS 4 enabled this hardware-based encryption to encrypt all stored user data using AES-256. This encryption was thought to be strong enough to resist even the best-equipped adversaries, including forensic analysts and law enforcement agencies.

ElcomSoft have found a way to decrypt bit-to-bit images of iOS 4 devices. Decrypted images are perfectly usable and can be analyzed with forensic tools. However, decryption is only possible when the actual device is available, because it relies on obtaining the keys that are stored on the device.

Analysis
What is interesting (and worrying) is what ElcomSoft found stored inside the iPhone. According to them “iPhone devices store or cache humungous amounts of information about how, when, and where the device has been used. The amount of sensitive information collected and stored in Apple smartphones is beyond what had previously been imaginable. Pictures, emails and text messages included deleted ones, calls placed and received are just a few things to mention. A comprehensive history of user’s locations complete with geographic coordinates and timestamps. Google maps and routes ever accessed. Web browsing history and browser cache, screen shots of applications being used, usernames, Web site passwords and the password to iPhone backups made with iTunes software, and just about everything typed on the iPhone is being cached by the device.”