Happy Friday everyone. After my post last week, I was in touch with several vendors about what was occurring, my thoughts and how they intended to fix the problem when it comes to accessing the backup file data. Since then, two vendors (Cellebrite and Elcomsoft) reached out with an updated solution. I tested these tools over the last two days and want to share my results. I used Cellebrite Physical Analyzer v 5.3.5.10 (soon to be released), Elcomsoft v6.10 and iTunes 12.5.1 as well as the previous iTunes version to be thorough.

What changed since the last blog?

First, if an iOS10 backup file was encrypted with iTunes, you do not need to assume you cannot get into that data. (This was the case in my previous blog. Even if the password was known, the tools were choking on the data).  If you can crack the password, Cellebrite’s UFED Physical Analyzer will properly decrypt this data. I bet you are now wondering how I cracked the encrypted iOS 10 backup files? I used  Elcomsoft Phone Breaker v 6.10.

Cracking an encrypted iOS10 backup file

I set three different passwords to test. The first was 0000 and Elcomsoft laughed at this and provided the password before I could even sit back in my chair to watch. I then updated iTunes and changed my password to “hank” – this password didn’t even take a full second to crack.

Maybe their claims are true that they will crack a passcode the fastest due to a vulnerability they found in the hashing of the passcode.

http://thenextweb.com/insider/2016/09/23/researchers-say-ios-10-backups-can-cracked-2500-times-faster

I then set a more difficult password “Heather1” and backed up my data using iTunes. Elcomsoft is saying that there is 87 years remaining for a brute force attack, so I am not going to wait. What should you do here? Try a dictionary attack! It’s much more effective with passwords such as “Heather1” when compared to Brute Force. When I changed to dictionary attack, this password was crack in less than 1 second! As a side note, I relied on the English dictionary and did not create anything custom for this test.

So, we have the password, what about the encrypted databases?

I was able to successfully parse all of the iOS10 backup files that I created over the last two days, containing various backup passwords, as well as the ones that were created for my previous blog post. As long as Physical Analyzer had the password, the data was decrypted and parsed. Make sure you are using Physical Analyzer v5.3.5.10 or later (assuming you have tested and validated the latest versions).

When attempting an Advanced Logical in Physical Analyzer, the option to encrypt the backup is provided if the backup has not been encrypted via iTunes by the user. You should select this option. If not, you will not get the data protected by the keychain. I selected to Encrypt my backup as shown below.

As stated in my last post, this was not an option with iOS10. Cellebrite has fixed this issue and all of the data will be parsed and decrypted. Additionally, if you are prompted for the users iTunes backup file password (the one you cracked with Elcomsoft), Physical Analyzer will parse the data when the password is correctly entered whether you selected an Advanced Logical Extraction or to add an iTunes backup file into the tool for analysis.

To be thorough, I tested the following in physical analyzer:

It seems like I am asked this question at least twice a month via email. This week, I was asked 4 times. Instead of telling people the same thing over and over, I figured I would write a blog and refer the next person to it. Having said that, if you have positive experiences to add, please do so in the comments. Remember, we all needed to get our start somewhere. The biggest mistake we can make is not helping those who want to do what we do every single day!

I am often asked, “how did you get into this field and how did you get where you are today?” My response, “I was in the right place at the right time.” I graduated with a BS in Forensic and Investigative Science from WVU and could not get a job in Bloodstain Pattern Analysis, as I had planned. Remember, this was 2002, before CSI! Yes, I am older than 24… hard to believe. 😉 I applied and interviewed with several Government agencies and Police Departments. Nobody would hire a grad with no experience and the Forensic degree was a new thing. I was one of the first 4 with this degree in the United States. This makes me feel old…

So how did I get from here (I actually did this in college):   

To this?????              

This is where the Air Force helped me. I joined the Air National Guard to pay my tuition so I could get my degree. On my way to a drill weekend, flying in the back of a C-130, I met an IT guy from ManTech. He told me he could put me in touch with someone hiring an evidence technician. And the rest was history. Well, not really – they didn’t want to hire me because I didn’t understand digital evidence as my experience was in physical evidence. However, I made them see that it is really the same. How we handle it is the same. They took a chance and my career in Digital Forensics began. I was lucky to have a great boss who was willing to teach me how the tools worked and no just press buttons. Without him (nickname: Lancer), I have no idea where I would be today. I showed the interest and he took the time to teach me.

So, how can you meet your Lancer, you ask? You need to meet people to introduce you to opportunities. You need to network! Emailing someone on LinkedIn is not fully networking.  You need to get out there and go to conferences where these people thrive. Don’t be afraid to introduce yourself and ask for help. There is always someone who will help you. If you get turned away, you haven’t found your Lancer. Keep looking and don’t give up.

When I am approached for help, I ask a few things?

1. What is your background?
2. What do you want to do? Most people don’t know, so I point them to webcasts and blogs to see what sparks their interest (see below).
3. Can you get a clearance?
4. Are you willing to move?

You need to take the initiative to show your interest. By this, I mean take any training you can. Not all training is cheap and the courses I teach are expensive, but are worth the money. If you cannot pay for training, take free training, watch free webcasts, read forensic blogs and books and practice on your own. This will give show you are trying, show you are passionate about the field and give you some cool stories to share at your interviews.

Your best bet is to pay and attend a forensic conference to meet people who are in the field. My favorite is the SANS DFIR Summit, for the sole reason that examiners present – not vendors. So you are getting a glimpse of different careers, the tools and methods they use and how they fill the gaps that the tools cannot meet. It’s amazing and it’s the best networking experience of the year. But, it’s not free! Can’t afford it, ask a speaker to sponsor you as their guest! Again – back to that networking thing. You have to jump out of your shell and ask! Other conferences that may be helpful (and there are so many) EnFuse, HTCIA, BlackHat, DEFCON, Mobile Forensics World, Paraben and others. Before attending one, I recommend you look at the agenda, the speakers and determine if this is what you want to spend your time and money attending. Each offers something different and all have a target audience.

Take forensic training. It’s that simple. Learn the trade. Some courses are free and some cost a good chunk of change! Again, take what you can and remember it’s better to start somewhere vs. never getting started. Here is a list you can refer to: http://www.forensicswiki.org/wiki/Training_Courses_and_Providers

Shameless plug: I author and teach for the SANS Institute. I recommend FOR585 Advanced Smartphone Forensics. Why? Because it’s fun, cutting edge, vendor neutral and it’s my baby. 🙂 Plus, who doesn’t have a phone? May as well learn how to forensicate it.

Books to read (just Google them – you can buy them in several placed):

These are the books that helped me get into this field and still help me during my investigations:

File System Forensic Analysis – Brian Carrier

Handbook of Digital Forensics and Investigations – Eoghan Casey

Harlan Carvey’s books on Windows and Registry Forensics

Practical Mobile Forensics 2nd Edition – Mahalik and Tamma (again shameless plug…)

These books are necessarily something you would read cover to cover, but they are great reference material. Will show you how to examine your own computer and phones and will get you some hands on experience! Most suggest free and commercial tools, so you can access what we use on a daily basis. There are several others out there, but these are general enough and have helped me.

Blogs:

This is a great place to start because it’s free and you can hop around as you wish. Clearly you are here on my blog, but others I recommend are:

Cheeky4n6monkey –Learning about digital forensics

Az4n6blog – Another Forensics Blog

Mac4n6blog – Mac Forensics (iOS too)

SANS – DFIR Blog

Gillware – Murphy’s Laws of Digital Forensics

https://www.gillware.com/forensics/blog

Webcasts:

The SANS institute sponsors and hosts webcasts, where professionals give you a glimpse of topics they care about, courses they teach and developments in forensics. Check it out! It’s free and you can refer back to archives and get tons of free training. https://www.sans.org/webcasts/

If you have done all of these things and you are ready to break into forensics, let’s talk. I hope to meet you at a SANS event or conference soon. Good luck and never let anyone tell you it’s to hard to get into. It’s not always what you know, but who you know and how hard you are willing to work!

This offer is only good through the New Year! Enjoy Practical Mobile Forensics for $5. A great guide to get your mobile forensic practices in place. Stay tuned for the second edition this summer!

http://bit.ly/1YlSBfa

Back by request, here is another coupon code offering 50% off the eBook of Practical Mobile Forensics. This code is only valid until October 2nd and is for the eBook directly from our publisher’s site.

To order, click the link below and enter the Discount code prior to checkout.

Unique link: http://bit.ly/1Qvf018

Discount code: PMF50

We hope this book helps you get the most bang for your buck in mobile forensics. We aimed to include as many open source solutions as possible to conduct mobile device forensics.

Happy Reading!

All,

I know that training is expensive. Here is a way to attend FOR585 for half the price! Next up:

Tysons Corner, VA

Prague (Cindy Murphy)

Ft. Lauderdale

Hey everyone,

Figured I would do a quick blog to see what your greatest issues are when dealing with the smartphones in your investigations:

– Locked devices? If so, which ones?

-Encryption (device level or application level)?

-Parsing the plethora of 3rd party apps found on devices?

Let me know your thoughts. Looking into my next research area and thought I would question the community first to see what is needed.

Have a great afternoon!

Good morning everyone! I try to keep the calendar on this website updated with links to register for events where I will be teaching and speaking. I am still determining my conferences for the year, but here are my planned SANS FOR585 Advanced Smartphone Forensics Courses for 2015 (so far…let’s be honest, they always end up adding more).  The entire schedule can be viewed here. Keep in mind not all courses are posted. If you want to do FOR585 on your own, look into OnDemand.

Heather Mahalik will be teaching the following courses:

March 9-14 – Reston, VA – FOR585 Advanced Smartphone Forensics (New labs being released!!!)

May 5 – 10 – San Diego, CA (Who doesn’t want to go to sunny San Diego?)

June 15-20 – SANSFIRE Baltimore, MD (Right at the baseball stadium!)

August 11 – Sept 17 – vLive (online, in your house, in your jammies training)

September 14-19 – NS 2015 Las Vegas, NV (What happens in Vegas stays in Vegas..but not what you learn in FOR585!)

November 3-8 – Ft. Lauderdale (Again, it will be freezing in most places, warm up with me!)

Cindy Murphy will be teaching the following courses:

April 11 – 18 – SANS 2015 Orlando, Fl (Bring your family to Disney!)

May 11 – 16 Amsterdam, Netherlands (Taking FOR585 overseas!)

Boston and Prague – dates to be announced!

I hope to see you in a course in 2015. We are working on a certification and you can help by attending the course. Once you have taken the course, you can take the cert when it’s released.  There are a lot of smartphone courses out there and I believe that trying to replicate FOR585 is the best form of flattery. However, the real thing is the best! Come to the class and see for yourself.

Good morning everyone! I know it’s that crazy time of year with the Holidays right around the corner, but some of us are still working… unfortunate, right? Cindy Murphy, my co-author of FOR585 and good friend, took the time to write up her testing and research on the IP-BOX.  You can get your own IP-BOX from Teel Technology.  Check out their site: http://www.teeltech.com/

IP Box documentation 12-2014

In summary, the IP-BOX can be used to defeat simple 4 digit PINS on iOS devices.  This includes devices running iOS1 – iOS8.  While newer iOS device require additional steps, the good news is that this magical black box may work at bypassing that lock!

If this issue is of interest to you, I would sign up for the SANS FOR585 Advanced Smartphone Forensics course where we discuss the IP-BOX and other methods for dealing with locked smartphones.  Until then, please enjoy the paper that Detective Cindy Murphy tool the time to write.

IP Box documentation-rev1 by Cindy Murphy.

Happy Holidays!

Due to the vast amount of responses we got for our Smartphone Forensic Challenge, the winner was just determined.  The rules states that the winner must answer 4 of the 6 questions correctly, and the lucky winner answered all 6 questions correctly.  Congratulations Shawna Denson, you are the lucky winner!!!!

Thank you to everyone who submitted. FOR585 Advanced Smartphone Forensics is currently being held onDemand, at Network Security 2014 (Las Vegas), and  DFIRCON East (Ft. Lauderdale).  Cindy Murphy and I hope to see you in the classroom soon!

Stay tuned for Webcasts featuring cutting edge material on iOS8, Windows Phone Forensics and more!

http://www.sans.org/course/advanced-smartphone-mobile-device-forensics

The answers for the Challenge are listed below.

1. What third-party applications have been granted access to device camera photos?

Facebook and DropBox

2. What third-party applications have been granted access to the device address book?

Waze

3. Which websites that were visited had requested the iPhone’s geolocation information for optimal browsing and were granted access?

Simply Hired and StubHub

4. What permissions does the application MysteryApp.apk NOT have on the device?
5.    Record audio
6.    Read contacts
7.    Send sms
8.    Record video
9.    Mount  & unmount files

5. What is the SHA1 digest value associated with the classes.dex file for the MysteryApp.apk application?

Either answer is acceptable:

SHA1 (value within file) = DDpyDrYdc24hVh6aqWBmpHcfD3A=

SHA 1 (value of entire file)= 0c3a720eb61d736e21561e9aa96066a4771f0f70

3.  What foreign language word(s) are found within the MysteryApp.apk application?

未接来电 – Missed Calls