Vladimir Katalov

Paper Title

Modern smartphone forensics: Apple iCloud (backups, FindMyPhone, document storage); encrypted BlackBerry backups (BB 10 and Olympia Service); Windows Phone 8 (yet another cloud for backups)

Abstract

Apple iCloud Backups: iCloud suggests backing up your iOS device to Apple servers (well, in fact Amazon or Microsoft ones), but there is only one way to access backup data by design - just restoring the backup directly onto devices, and thus, only via Wi-Fi connection. We can show you can download everything onto your PC (provided we have Apple ID and password), or just selected data you want.

The other Apple iCloud service: FindMyPhone, designed to help you track your own iDevices geographically and should be available strictly to the user under his/her own Apple account, however there is a way to get geo-location data having neither Apple device tethered to that account readily available nor access to iCloud website. If location services are switched on, geo-location of the device can be detected by sending a push request, which, in its order, is initiated by sending a request to iCloud (having the Apple ID and password, of course). You can also get the device model, name and battery level.

Apple iCloud storage: apart from backup iCloud can store iTunes contents, photo stream, contacts, iWork documents, application files and more, which can be accessed either from any device signed up to the account or from icloud.com web site. However, not all information can be accessed from the site (i.e. no chance for 3rd party application data at all). But we made it possible to access and download *all* information stored there, by sending specific requests to iCloud.

BlackBerry: device backups created with BlackBerry Desktop Software were easy enough to parse and analyse. Password protection was there, but also relatively easy to crack (though in version 6, password verification has been seriously improved, i.e. slowed down). For BB 10 devices, the new software is used: BlackBerry Link. Now there is no device password, but backup is encrypted using BlackBerry ID (and its password), as well as device-specific data, and moreover - some specific data that should be obtained from BlackBerry servers (Olympia Service). By design, it is not possible to restore BB backup to the other device (but only to the same one). But now we know how to decrypt backups made with BlackBerry Link - having, of course, the ID and password, as well as access to the named service. Note: BlackBerry themselves can do that, too, regardless the backup security settings you have ;)

Windows Phone 8: oh well, yet another cloud to analyse. Not all the data from the device is stored there, but still: list of apps installed, call history, accounts you have set up, IE favourites, media files (photos and videos), all settings and some other data. Again, by design, you can only restore from backup to the appropriate device (and obviously, only by Wi-Fi). Not quite convenient for forensics. However, there is a way to pull all of this information by fooling Microsoft servers about the same way we did that for Apple iCloud.

Speaker Bio

Vladimir Katalov is CEO, co-founder and co-owner of ElcomSoft Co.Ltd. Born in 1969 he grew up in Moscow, Russia. He studied Applied Mathematics at Moscows Engineering-Physics Institute (State University); from 1987 to 1989 he was a sergeant in the Soviet Army. Vladimir works at ElcomSoft up until now from the very beginning (1990). In 1997, he created the first program the password recovery software line has started from: Advanced ZIP Password Recovery. Now he coordinates the software development process inside the company and constantly calls in question the appearing security tools and services.

Vladimir manages all technical researches and product developments in the company. He regularly presents on various events and also regularly runs security and computer forensics trainings both for foreign and inner (Russian) computer investigative committees and other law enforcement organizations.

Vladimir regularly visits various IT security- related events, conferences and trainings all over the world. He has shared his expertise through dozens of conference sessions. Here is an incomplete list of the events: TechnoSecurity, BlackHat, CEIC, Infosecurity (Europe, Russia, Japan), IT Security Area (it-sa), European Police Congress, e-Crime, Troopers, EuroForensics, FT-Day, China Computer Forensic Conference, CanSecWest, CrimeLab, Forensics Europe Expo, Interpolitex...