Forensic Blogs

An aggregator for digital forensics blogs

by

Elcomsoft Tool Evaluation Blog 2

First evaluations!

Our Elcomsoft Tool Evaluation team started out the next sprint by setting off to evaluate the tools relating to phones, computers, and office products. To catch up on the beginning of our process, read our first blog post here. The new tools we evaluated included Advanced Office Password Recovery, Advanced WordPerfect Office Password Recovery, Elcomsoft Phone Viewer, Elcomsoft eXplorer for WhatsApp, and Elcomsoft Password Digger.

We used the following scoring system to evaluate the tools:

1- Beginner: user can navigate the program without any prior knowledge

3- Novice: user requires basic knowledge of the program and how it works

5- Intermediate: user needs some previous experience working with the program

8- Advanced: user must have a lot of experience working with the program

13- Superior: user must be an expert on the program and capable of  teaching others how to use it

Advanced Office Password Recovery

Advanced Office Password Recovery proved to be an extremely useful tool. The program opens with an interface that is simple and easy to understand. This interface includes a log window so the user can see what is processing as they are using the tool. There’s also a help tab with an instruction manual that’s found right inside the program for new users. Another advantage is that it accepts different document file types so the user doesn’t have to worry about any conversions.

The interface of Advanced Office Password Recovery

When the user wants to start an attack, they will have many different options ranging from a bruteforce attack to combination and hybrid attacks (these can all be read about in the manual). This gives the user many different options depending on the type of encryption they are dealing with. When the user selects the type of attack they want, a window will pop-up allowing them to enter specifications for the encryption that can allow the tool to work faster, e.g. password size, character parameters.

AOPR takes a good amount of time to decipher the password based on size and the type of attack. As the process is running, the tool will let the user know the passwords that are being tried and how many passwords are being tried per second. This is nice for the user so they can see how efficient the program is working and make sure they entered the right parameters so the tool can find the right password. In order to test the tool’s capabilities, we tested a range of different passwords that varied in complexity from six characters with only English characters, twelve characters that included numbers, and eighteen characters that included numbers and symbols.

Overall, this tool earns a 3 because only limited experience required in order to operate most of the processes. The part that requires the most knowledge is deciding which attack to use for a specific password. Although the password apprehension process might take a long time, it is functional and can recover any password, no matter the complexity.

Elcomsoft Phone Viewer

After using the Elcomsoft Phone Viewer, we would rate it a score of 3, or novice. The program gives multiple options to access backup information from an iPhone, BlackBerry, and Microsoft account data. The need for basic understanding comes in when trying to figure out which backup works best with the tool. The process we are using for the tool is an iTunes backup. We downloaded iTunes onto the desktop and synced the phone to the computer. Once complete, we clicked on iTunes backup and chose the iPhone 8 device. Then we allowed access to all information from the iPhone. After typing in the encrypted passcode, it took only twenty-seven seconds to download the iTunes backup and get access to the main interface of the tool. The time can vary due to the size of the backup.

The interface of Elcomsoft Phone Viewer

The main interface is very user-friendly. With only some knowledge on these devices, our team had an easy time evaluating this tool. It shows the iPhone user, the type of phone, iOS version, Serial Number, GUID, IMEI, Unique Identifier, and last backup date. The Elcomsoft Phone Viewer gives us access to the applications, calendar, calls, contacts, locations, media, messages, notes, notifications, Wallet, Web and Wi-Fi. Within each category, it goes into depth with information that can be filtered to find more exact information. For example, in applications, the user can search for a specific app without looking through the list. This allows the tool to be efficient in finding the information the user wants.  This tool also has a help option that explains the tool in great detail that is understandable for anyone with limited knowledge.

Advanced WordPerfect Office Password Recovery

Advanced WordPerfect Office Password Recovery is an extremely simple yet useful tool. When first opened, the tool presents an interface with only four options that include: open file, help contents, about, and quit. For convenience, there is an instruction manual under the help contents section if the user needs. In order to recover a password, all the user has to do is open a WordPerfect file and the tool will do the rest. There were multiple documents tested with passwords varying in complexity and the tool was still able to decipher the passwords in a matter of seconds. The complexity of the passwords included six characters with only English characters, twelve characters that included numbers, and eighteen characters that included numbers and symbols.

The interface of Advanced WordPerfect Office Password Recovery

Not only does the tool output the password of the document but it also shows the equivalent in hexadecimal which is a nice addition. The status window only shows what is absolutely necessary and doesn’t overstimulate the user with too many statistics. Our only objection with the program is that it only accepts WordPerfect files and it doesn’t convert other documents for the user. However, his really isn’t an issue with the tool as its purpose is only to decipher WordPerfect files.

We would rank this tool a 1. The tool does everything as promised and is extremely simple and user-friendly. It works very fast and efficiently and can be navigated without any knowledge of the tool or password recovery in general.

Elcomsoft eXplorer for WhatsApp

After using the Elcomsoft eXplorer for WhatsApp, we would rank this tool a 3, or novice. The tool gives multiple ways to access the WhatsApp account for Apple and Android users. Depending on the device, the user needs some knowledge of the device and the best way to download the accounts. For the Elcomsoft eXplorer for WhatsApp, we used the iTunes backup. We have found this to be the most useful way to access the information for the tools involving Apple. In the tool, we clicked on the Apple icon and pressed the option to load the iTunes/iCloud backup. We clicked on the iPhone 8 device and entered the password for the encrypted backup. It took about thirty-two seconds to download, but it can vary due to the size of the download.

The interface of Elcomsoft eXplorer for WhatsApp

The main interface is very user-friendly and the main purpose of the tool is easily conveyed. Our team found our way around the tool with the basic knowledge we learned from the videos on Elcomsoft’s website. The built-in viewer gives great information that is easy to follow. It shows the account’s phone number and when the account was created. It also includes information about the device, product type, full user name, client version, and the size of the information used on the account. The tool gives access to WhatsApp calls, contacts, media, and messages and we could easily search for information with the filtering application. If there are questions, there is a help button with clear instructions that are easy to follow.

Advanced Office Password Breaker

We found Advanced Office Password Breaker to be an efficient and useful tool would recommend it to certain users. Upon opening the tool, the user will be greeted with a simplistic design. This includes a way to select the encrypted file the user wishes to crack, an area allowing the user to choose where the info about the process can be saved after it is completed, and a box that tells the user the remaining time left. In order to be able to understand the entirety of the interface as well as all the features of the application, a user will have to read through the available manual l and spend some time getting to know it  better.

The interface of Advanced Office Password Breaker

Documents with different passwords were tested in this tool. These passwords ranged in complexity from six lowercase characters all the way to eighteen characters with uppercase characters, numbers, and symbols. The tool was able to break into all the documents regardless of the password. It should be noted that the longer and more complex the password, the longer the tests took. On the upside of this, the program does notify the user the estimated time remaining which is a nice feature.

After this program had been put through its tests, we decided to give it a score of 5. The tool is very useful and by all means accomplishes all the features it promises in the description. However, it does require a fair amount of experience to use to its full capabilities. This can be achieved by reading through the manual or by trial and error testing in the program. Whatever the case, this program will need a user who knows  what they are doing to operate the tool as well as understand everything on the interface.

Elcomsoft Password Digger

After using the Elcomsoft Password Digger, we would rate this a 3, or novice. Our team had a basic understanding of the tool and learned more as we used it. In order to extract the passwords from Mac OS X, we had to gain access to the user keychain file of the computer. In order to test this tool, we had access to a Mac computer and download the keychain file onto a USB. Along with access to the file, we needed the password to the computer. Next, we extracted the user keychain file. It had twenty user keychains, no decryption results, and processed twenty passcodes. We exported the passwords to an XML file. Our team decided where we would save the document and then pressed new task. The XMl file opened in Internet Explorer and accessed the passwords.

Keychain extraction of the encrypted XML file with important information blocked off

The Password Digger’s main interface is very straight forward. The tool meets all the requirements and provides information on how to use the tool if needed. Elcomsoft Password Digger was able to extract, decrypt, and export the content of the keychains. The file created can be used to build a custom dictionary attack with the user’s real passwords to improve password recovery attacks. Also, the tool was able to export full keychain data into an encrypted XML file.

Elcomsoft Phone Breaker

One obstacle that our team came across was using the Elcomsoft Phone Breaker. Unfortunately, we could not rate this tool since we could not evaluate its use. The issue we ran into was the iCloud backups had been temporarily disabled. The tool is able to sign in to the iCloud account, but cannot download the information into the tool. Elcomsoft explains that:

“Apple is instantly improving access and download protocols for backups. Our research and develop teams do their best to fix this problem as soon as possible. Please ensure that you have the latest version of Elcomsoft Phone Breaker and feel free to contact our support team if you have any questions.”

The interface of Elcomsoft Phone Breaker

With the access that we do have to the tool, the interface is easy to understand. There are two tabs that show up; the Password Recovery Wizard and Tools. The tool is designed to break passwords and decrypt iOS backups, decrypt iCloud Keychain and Messages with media files and documents from iCloud, obtain synchronized data from Apple and Microsoft accounts, and download iCloud backups and synced data with or without Apple ID passwords. Testing the iCloud backup is where our issue occurred. When working properly, this tool is great when used with Elcomsoft’s other password recovery tools.  

Conclusion

Our team learned a lot about Elcomsoft’s tools from our evaluation. Each tool has its own unique functions that can help users in many ways. So far, these tools are user-friendly and meet the requirements set forth by Elcomsoft. Our team had a basic understanding of how to use these tools, which made evaluating them much easier. For the future, our team will continue to evaluate the Advanced Archive Password Recovery, Advanced PDF Password Recovery, Distributed Password Recovery, Elcomsoft Cloud eXplorer, Elcomsoft Internet Password Breaker, Proactive System Password Recovery, and Elcomsoft System Recovery. We will continue to produce comprehensive results for the LCDI and Elcomsoft.

 

Be sure to check us out on Twitter @ChampForensics, Instagram @ChampForensics, and Facebook @ChamplainLCDI to keep up to date with our evaluations!

The post Elcomsoft Tool Evaluation Blog 2 appeared first on The Leahy Center for Digital Investigation.

by

Elcomsoft Tool Evaluation Blog 1

Welcome to Our Blog

Welcome to the blog of the Elcomsoft Tool Evaluation Team! This semester, the LCDI has the honor of exploring and investigating the different tools Elcomsoft has to offer. Established in 1990, Elcomsoft is headquartered in Moscow, Russia and they focus on creating forensic toolkits for law enforcement, businesses, and individual users alike. These tools are vital in retrieving the contents of damaged or misplaced files. Elcomsoft’s tools are always under development so they stay up to date with modern technology.

The tools our team get to work with are all part of the Password Recovery Bundle. This comes with twenty-eight different tools which we’ll test over the course of the semester. These tools can recover passwords from programs ranging from Microsoft Office all the way to Facebook and Blackberrys. In other words, the main focus of the computer security programs are on password and system recovery software. The company offers a range of mobile and computer forensics tools, corporate security solutions, and tools for IT security audits.

Why Evaluate Elcomsoft?

Above all, we at the LCDI pride ourselves on creating credible evaluations and educational resources surrounding digital investigations. Our hope for this project is to provide an accurate and definitive assessment for the Elcomsoft tools we test that anyone can use. In terms of the field of digital forensics, it’s important investigators fully understand the capabilities and limitations of the tools they use. For instance, it can be difficult to look through a bunch of information and not know what’s important to look at. Knowing how effective a tool can be makes it easier for the user to implement said tool for practical use. This project will help to show if the tool can be user friendly depending on the level of knowledge someone may have.

Our Evaluation Process

Office tools we will be looking at: Advanced Lotus Password Recovery, Advanced Office Password Breaker, Advanced Office Password Recovery, Advanced WordPerfect Office Password

Phone tools we will be looking at: Elcomsoft Phone Breaker, Phone Viewer, Password Digger, eXplorer for WhatsApp

So far, our team has spent two weeks researching the different tools we have access to. Each tool has benefits and features that make it unique. Fortunately for us, we were able to find videos on the Elcomsoft website that show how the tools operate. With all this information, our team can start testing and evaluating the tools.

In order to stay organized, we created a spreadsheet with all the tools listed and split them up into categories. This will make it easier for each of us to work on specific tools. Before we start evaluating, there will be a list of what the tool should be able to do. Once testing is completed, we’ll write an evaluation of how well the device performed the tasks and it’s user-friendliness. After that, we’ll give scores based on the above specified criteria on a scale of 1-10 (10 being the most functional/user friendly and 1 being the least functional/user friendly). Readers can see our evaluations and decide for themselves if they should search for other options.

Conclusion

Ultimately, our goal is to examine tools from Elcomsoft, a renowned software company specializing in utility applications for businesses and users as well as Windows productivity. We’ll test the tools and score them based on two criteria: functionality and user-friendliness. We’ll test a couple of tools and report on them in our next blog. This will include our scores and evaluations for the tools we’ve tested as well as any updates. We are eager to get started on this process and  produce comprehensive results for the LCDI and Elcomsoft. Be sure to check us out on Twitter @ChampForensics, Instagram @ChampForensics, and Facebook @ChamplainLCDI to keep up to date with our progress!

The post Elcomsoft Tool Evaluation Blog 1 appeared first on The Leahy Center for Digital Investigation.

by

Mobile App Forensics Final Update

Introduction

During this semester, the Mobile Forensics team analyzed social media apps such as Snapchat, Telegram, and LinkedIn. 

Snapchat

As for a conclusion on our Snapchat analysis, we couldn’t find much outside of prior research within the community. A big concern we had was how much data would remain on a device  twenty-four hours after it was generated. An immediate pull from the device yielded evidence of what stories the user viewed and also a log of messages exchanged with other users (but not the content of the message). This log showed who sent and received the message and the timestamp of the event. The text of messages was only viewable if either user had saved the message. Some pictures were also recovered that had the contents of stories that were viewed. This could provide some information on the interests of a user, but nothing incriminating. An interesting artifact found on the device that could not be decoded was location data found in  /data/data/com.snapchat.android/cache. We could not parse these files and believe they may related to ArcGIS.

We aquired Snapchat after a few days to see what information would still be available. Logs of conversations were not deleted and remained on the device. However, there were still no contents of the conversation again with the exception of any messages that either user saved. It appears Snapchat does not store data from the user directly on the phone, it may simply be processed and erased while in memory. There was little evidence of user activity.

Telegram

When testing Telegram we did two pulls of the tablets. We first did a pull with all three of the members and then a pull with just two members on the different operating systems. When we did the first pull, the data between the group was very easy to analyze, but the solo data was very confusing, so we did the second pull. When we tested Telegram, we were interested in the secret chats the most to see if we could find any information about them. Telegram advertises that the messages are encrypted and we were interested to see if we could verify this. The only chats that were encrypted were messages in a secret chat. This is definitely a note for a forensic investigator. When we did the pull, we could see each message in the chat log as well as any pictures and images. The one thing we could not find was any videos or voice messages that did not get saved.

LinkedIn

While analyzing LinkedIn, we once again didn’t find all the data we were looking for. We had hoped to be able to find the user’s whole work profile but that was not the case. We were able to pull and reconstruct all their chat messages, a summary of their profile, and users they connected with, but we couldn’t find any search history, viewed articles, or viewed jobs. Even when looking in the chat, we didn’t find images or voice messages in the same location as the other chats. We had some temporary files for images, but we weren’t able to confirm what the images were. They could have been images from the chat logs or they could have been images from an articles or profile.

Versions

Readers of previous blog posts may note that we were comparing differences in Android operating system versions. There has been little to no evidence found that the version of the OS has an impact on our examined applications. The only major change we found was occasionally an app on Android 6 would generate a few extra folders, but they were always empty. However, it is important to note the biggest changes would be found with differing application versions.

 

Different operating systems don’t affect the data we pulled because OS updates focus more on new features and security fixes rather than how app data is stored on the device. If we looked into different versions of the application then there would be differences in the pulls. The updates of the apps will have bug fixes as well as security fixes that make the app more secure. If we could test an older version of one of the apps to the most current update then we would find different data.

 

This is clear in the below screenshots:

Snapchat on Android 6

Snapchat on Android 7

As you can see the files may be slightly different. Any files that were not common between the two extractions were empty.

Conclusion

Our work this semester has been a good test of our examined applications to ensure that they work as advertised. One may believe that mainstream applications are secure because of their size and amount of users. Previous reports, which can be found here and here, have shown that Snapchat has been less secure in the past, and we have seen clear improvements in the amount of data that is stored on the device. With Telegram, the application works as it should and doesn’t store data on the phone to be viewed later on. However, this was only the case when using “secure messaging” and is not on by default. With LinkedIn there was little data we were able to recover from the phone. That by no means infers that LinkedIn is not storing your personal data. This simply means that that data is not stored on the device.

 

There has been a lot of hands on with tools such as ADB and Cellebrite to find efficient ways to examine these phones, and one should always question the applications they use every day with their private information. We are glad to have formed a plan of analysis for these apps, and look forward to seeing what research will be performed on the apps we use every day. As always, stay up to date with the LCDI on our social media.  Follow us on Twitter @ChampForensics, Instagram @ChampForensics, and Facebook @ChamplainLCDI.

The post Mobile App Forensics Final Update appeared first on The Leahy Center for Digital Investigation.