Obtaining Critical Real-Time Evidence From The Cloud

Vladimir Katalov presents his research at DFRWS EU 2018.

Vladimir: Thank you for coming. Special thanks to all competitors from Cellebrite [chuckles] for being there. [You probably won’t learn anything here.] Anyway, I’m working for ElcomSoft. The company is based in Moscow, Russia, and we provide software, mostly for enforcement, for doing things like desktop, mobile, and cloud [acquisition]. Here are some of our customers. [You may guess…] but in total, there are over 300,000 of them.

Is there anybody here who attended our workshop on Wednesday? Yeah? Here we’ll be speaking about something absolutely different. There, in the workshop, we were talking about physical acquisition of the iPhone, and now I will talk about cloud acquisition only. Unfortunately, I don’t have much time. I was thinking that I would have about an hour; I will have only 20 minutes, so I will have to be fast.

There is quite a lot of information on the smartphone; that’s probably the most available source now for all the data, including private data, business data, a lot of [passwords], documents, mails, and everything else. And we have to find a way to get that effectively and fast.


There are several methods of acquiring the data from smartphones. There are some that work at the lowest level, through JTAG or chip-off, where you just read the memory from the device. That method, unfortunately, doesn’t work for most modern devices, because all the data is encrypted there, or there is simply no debug port, or there is full-disk encryption.

There is the physical method, which is probably the most effective and is implemented in many packages as well. It doesn’t always work either, unfortunately, also because of the encryption. And the encryption is based on the passcode, and it’s not so easy to break the passcode, especially on iPhones. There are only two companies that claim they can do that. And also, there are some limitations on speed, of course.

There is logical acquisition, which is usually just creating a backup of the device, and not all the data is there and available via logical acquisition. And there is cloud acquisition, which is absolutely different from any of the methods mentioned before. In most cases, it doesn’t allow you to get everything, but sometimes the reverse is also true: we can get more than is available on the phone itself.

What are the issues? There are three major mobile platforms, from Apple, Google, and Microsoft. There are also quite a lot of vendor-specific clouds, especially in China. There are also a lot of third-party cloud services, used just as document storage. And one of the major problems is that in order to get there and download the data from the cloud, you need the proper credentials: a password or an authentication token.

But there are also a lot of profits and benefits from that approach. You don’t need to have physical access to the device. It can be performed silently. And also, it allows you to get real-time data on the suspect. But the main profit is that it is almost [pull out] from independent … for example, for Google, there are tens of thousands of devices, and the cloud works for all of them.

It is really important to understand that the cloud is not just something [huge] … there are several methods of keeping the data in the cloud. Devices may create backups, either full or partial backups. Devices also sync some information between the cloud and across all the devices, or the cloud can be used just as document storage and file storage.

As I said, there are three major ecosystems. Apple iOS and Apple iCloud allow creating complete device backups; there is nothing comparable to them on the other platforms. There are also synchronization mechanisms that sync data between the device and the cloud. Speaking of Google, backups from Android devices are also being created in the cloud, but they don’t contain [real] available information. And Google mostly uses the sync approach. Windows Phone and the Windows Mobile platform, I would say, are dead. But the Microsoft cloud is still there, and now it’s being used for syncing information between the desktop and the Microsoft cloud services.

So, what is inside, what can we get from the cloud? Basically, almost everything that is also stored on the device, especially internet activity, call logs, SMS messages, internet browsing history, pictures and videos, and location history as well.

Full device backups are not always available, and you know that most people, for security and privacy reasons, disable cloud backups and create only local ones. Also, cloud backups don’t always contain the information from particular applications. Backups are usually created not so frequently; it may be once a day, or it may be more rarely. There is no [standard] method to get the information from the cloud. The vendors don’t provide that, so you’ll have to use third-party software. And the data is stored on different third-party services, usually with slow access, and it takes a lot of time to download everything from there.

With synchronized information, the situation is much more interesting. Actually, you get less than from the device, but that information is being synced almost in real time. We can get search and browsing history, we can get passwords and [07:30] complete data from most browsers, like Chrome, Edge, and Apple Safari. We can get mail, contacts, SMS messages, but all three platforms work differently when it comes to syncing the data.

I would say that the most data is available at Google, from [08:00] devices, but Apple is actually moving forward and keeps more and more data in the cloud, and starting with iOS 11.3, which is going to be available in two or three weeks or so, it will also be able to keep messages in the cloud. Also, at Apple, and also at Microsoft, there are recovery keys for encrypted drives. It’s extremely hard to break the password on BitLocker or FileVault, but if you get access to the cloud storage, there are very good chances of finding the recovery key there. Also, at Apple iCloud, we can get the iCloud keychain.

Cloud acquisition really helps in the situations already mentioned, when the device has a passcode set, and that passcode is strong and can be cracked in a reasonable time. It also helps with encryption, and also if the device is broken or wiped or locked, and in other situations like that, but the cloud may still contain the data you’re most interested in.

Let’s compare the three major services, from Apple, Google, and Microsoft. Here is some information about the backups. Apple backups are complete; Microsoft’s are almost complete, I would say. And for different features, it depends on the version of iOS or Android installed. For example, Google started to keep SMS messages in the cloud only starting with Android version 8.0.

For internet activity, we have Safari at Apple, Chrome at Google, and Edge at Microsoft. However, the Chrome browser can of course be used on the Microsoft platform and on the Apple platform as well. We also have location data. At Apple we can only get it if we have the credentials, and only the current and last location; it doesn’t have location history, unless you use Apple Maps. There we can get some information directly from Apple Maps services. There is some other interesting information, like at Apple, the health data. It is more strongly encrypted. There is wallet data, with boarding passes, tickets, discount cards, and so on. And with Microsoft we have, for example, Skype conversations and Cortana data.

Speaking of passwords, which are probably the most valuable information available in the cloud, Apple, by means of the iCloud keychain, keeps almost everything. It’s a fun fact that in the official documentation, they say that the iCloud keychain keeps only passwords, but not tokens. That’s not actually true. There are quite a lot of tokens saved in the cloud keychain, and they can be used for accessing some social networks and some other data.

Now let’s go to Amazon. It’s probably not really popular in other countries, except the US, but in the United States, [11:55] are just cloud. Now, with the help of Alexa, more and more households are installing Amazon devices. There is quite a lot of data there. If you use Alexa, all your voice commands are stored at Amazon services, and if the voice is recognized, we can get the plaintext records from there. And if not, we can get the recordings in the form of MP3 files.

Some other vendors have their own clouds too, including Samsung and Xiaomi. There are some Chinese services as well, and the WeChat and QQ clouds have more users than all the other vendors, like Apple and Microsoft and Google, together. There are also some cloud services from Huawei.

And there are … many other applications have their own … , but anyway, services where the data is stored somewhere remotely. For example, it’s not possible to intercept and decrypt the WhatsApp and Telegram applications, and Telegram data is really hard to get even from the iPhone, because it’s not included in the backup and [13:26] only this physical. But if you have the proper credentials, you can get the Telegram conversations directly from their services.

Let’s start with Apple iCloud. I don’t have much time, but I will try. It’s now up to 2TB of storage and includes complete device backups. It can also be used to store media files [by a] cloud photo library. There is the iCloud keychain, and there is also document storage there.

Acquisition of Apple iCloud data is not really easy. The protocols, of course, are kept secret; there is no way to … there are no libraries, no APIs, and so on. All the data in the cloud is encrypted, but the encryption keys are also available together with the data. But the data itself is stored on different third-party services, now mostly Google. And the encryption keys are usually stored on Apple’s own servers, except for China.

Apple is doing its best to block access to iCloud by third-party software. They change protocols from time to time, and change the authentication. And once they detect that the data is being downloaded, not during the normal restore process but by third-party software, they prevent us from doing that. We are always in something like a cat-and-mouse game.

Also, two-factor authentication effectively protects the data in the cloud, and it is not enough to have just the login and password. You also need to have the second factor, which could be an actual device, a trusted device, or just the phone number to receive an SMS. As for syncing, it’s actually easy to get the synchronized data, and the data there, as I said, is synchronized in almost real time.

What are the advantages of getting the synced data? Most people, even those who disable iCloud backups, still keep synchronizing the other data, and now there is more and more data stored in [the] cloud by means of sync, and you probably haven’t noticed that there is no option in the iPhone settings to disable syncing the call log; there is no such option there. But still, all the call logs are synced to the cloud until you disable iCloud completely.

The iCloud photo library is also an excellent store of information, and not only about the media itself. Most of the pictures taken with the smartphone camera contain EXIF data. And there, there is also location data, with the exact GPS latitude and longitude. And if you manage to get into the iCloud keychain, you can get much more: you can get passwords to the other services the person used, and access to credit cards and everything else. You also have the data in the cloud. There’s Wi-Fi access point information with MAC addresses, [valid] data, maps, and everything about the internet activity in Safari.

What we were not able to get yet, but soon will, is Apple Health data, which may also be critical, for example, to see the heart rate of the suspect at a particular time. The data on Apple home devices, created with HomeKit support, Apple Mail, and starting with iOS 11.3 also iMessage and SMS. By the way, storing the messages in the cloud will be available only if the account has two-factor authentication enabled. We just cannot get the [seeded] data. It’s like write-only.

Okay, we’ll have to skip.

How to deal with two-factor authentication if you don’t have the second factor. The alternative approach to obtaining the data from the cloud [18:33] enable this using the authentication tokens. They’re always available in the device itself, if we manage to perform a logical or physical acquisition, and in most cases, they’re also available on the computer, Mac or Windows PC, that is connected to the same cloud account. And if you manage to get the token, that actually … it has more value than the login and password themselves, because there is nothing else we need. There is no need for the second factor anymore.

Also, there is quite a lot of data on iCloud Drive, and that’s not just file and document storage. Many applications are using iCloud Drive intensively. And there is, for example, 1Password data, and some other password managers; there are backups created by WhatsApp, and some other applications as well.

The iCloud keychain is probably the hardest to get. It uses additional encryption, and it’s not even enough to have the login and password and the second factor. The iCloud keychain can be accessed only by trusted devices. If you don’t have a trusted device, the only way to access it is to provide the passcode or the login password of one of the other trusted devices. That way, we were able to create something like a virtual device in the circle of trust [the official name at Apple]. And once we’re there, we can extract all the iCloud keychain data.

The iCloud keychain is somewhat different from the normal keychain in the backup created by iTunes, and it usually contains less information, but still, as I said, there are some encryption keys and tokens there that can be used to access social network data.

Host: [20:50] over the time.

Vladimir: Sorry?

Host: You are over time. It’s 25 minutes…

Vladimir: Okay. [chuckles] I also have some information about Google acquisition, and we are also able to extract more from Google than is available from Google Takeout, because some data is not included there. And it really helps in a hard situation when you cannot break into the Android smartphone.

Okay, I will skip that. Okay, here is an example of data that can be obtained from the Google Dashboard. That information is available online, but you won’t be able to get it with Google Takeout, and there is quite a lot of it.

I will share the slides, no problem.

There is Chrome syncing with internet history and searches. There are Android device backups. And actually, now our target was to download from Google everything that is available there, and I would say that we are at 99% or so.

And finally, that’s the last thing, [chuckles] I promise, about Microsoft. The Microsoft platform is dead. I would say that the Microsoft cloud is being used by many desktops, and there is Edge browsing history and search history in being … location history as well. Some Cortana data. Passwords in Edge are extremely hard to get, because of the additional encryption. And we can get the Skype conversations; they are stored there for not more than 30 days. And the other thing is the BitLocker recovery key.

Okay. I will only say that the most important question is how to get into the cloud if you don’t have the password. There are several methods, from a court order and social engineering, to extracting the tokens from the computer, and you [probably noticed the last item], which is still being used in some countries.

Okay, that’s it.

Host: Thank you so much.

Vladimir: Thank you very much.


End of transcript
