The majority of mobile devices today are encrypted throughout, making extractions difficult or even impossible for major platforms. Traditional attack vectors are becoming a thing of the past with encryption being moved into dedicated security chips, and encryption keys generated on first unlock based on the user’s screen lock passwords. Cloud forensics is a great alternative, often returning as much or even more data compared to what is stored on the device itself.
The challenges of device forensics
The past years introduced a number of challenges to mobile forensic experts. It’s been a while since device encryption killed chip-off analysis, but there are more challenges than that. A few years back, Apple introduced USB restrictions, making data preservation a challenge. The release of the A12 platform patched the very effective checkm8 acquisition and made device unlocks more difficult.
In the land of Android, Google has finalized the move from the less secure Full Disk Encryption (FDE) to the much more robust File-Based Encryption (FBE), which uses an encryption key derived from the user’s screen lock password, rendering EDL extractions nearly useless without the correct passcode. In many cases, experts could work around FDE; the newer FBE, however, is a real challenge.
With passcode unlocks becoming more difficult with each generation of mobile devices, device forensics becomes harder year over year.
The benefits of cloud forensics
Cloud forensics overcomes most of the challenges associated with analyzing physical devices, while adding a share of other challenges. Compared to analyzing a single device, cloud forensics offers the following benefits:
The challenges of cloud forensics
Just like device forensics, cloud forensics has challenges on its own. The obvious challenge is the password: you won’t be able to authenticate into a cloud account without proper credentials. The password, however, may be obtained from one of the many sources, such as:
Two-factor authentication has been a major part of the authentication process for a long time. In recent years, Apple has required two-factor authentication for all newly created Apple IDs (an exception is made for child accounts). In our experience, real-world use of two-factor authentication for Apple accounts has reached 90%. Overcoming the challenge of two-factor authentication may be as easy as pulling a trusted SIM card or as difficult as attempting to unlock a device or searching for a trusted FIDO U2F security key.
Then comes encryption. Zero-knowledge end-to-end encryption is commonly used by cloud services to protect essential bits and pieces of information, and the protected data becomes unextractable without additional steps. The “zero-knowledge” part means that the cloud service provider does not know and does not have access to the encrypted data, and is unable to provide it to law enforcement when serving government requests. Different cloud providers protect different bits and pieces, with Apple leading the way in most regards. Below is the list of data protected with end-to-end encryption by major cloud services.
For Apple ID/iCloud, end-to-end encryption protects the following (iOS 14 and 15):
More on end-to-end encryption in iCloud Backups, Synced Data and End-to-End Encryption.
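The two mechanisms described above, a key derived from the user’s screen lock passcode (Android FBE) and zero-knowledge end-to-end encryption (iCloud and others), share one property: whoever holds the ciphertext without the user secret holds nothing useful. The following is an added illustration, not Elcomsoft code and not any vendor’s real scheme. It models a hypothetical client that derives its data key from the passcode with scrypt, encrypts locally, and uploads only ciphertext plus public KDF parameters; a “provider” that stores the upload can hand over every field it has and still reveal no plaintext, and a wrong passcode fails the integrity check instead of producing garbage. The cipher is a toy HMAC-SHA256 keystream with an HMAC tag, chosen so the example runs on the standard library alone; it is a teaching construction, not a production cipher, and the scrypt work factor is a constructed value.

```python
"""Toy model of passcode-derived, client-side ("zero-knowledge") encryption.

Added example, not Elcomsoft code and not any vendor's real scheme. The
cipher (HMAC-SHA256 keystream + HMAC tag) is a toy chosen to stay within the
standard library; real systems use a hardware-backed keystore and AES-GCM or
similar.
"""
from __future__ import annotations

import hashlib
import hmac
import os

# scrypt work factor (constructed values; 128 * r * N = 16 MiB of memory)
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1


def derive_keys(passcode: str, salt: bytes) -> tuple[bytes, bytes]:
    """Stretch the screen-lock passcode into a 32-byte data key and a 32-byte MAC key.

    The salt is public; the passcode never leaves the client.
    """
    km = hashlib.scrypt(passcode.encode(), salt=salt,
                        n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=64)
    return km[:32], km[32:]


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy PRF-based keystream: HMAC(key, nonce || counter) blocks, truncated."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt_blob(passcode: str, plaintext: bytes) -> dict:
    """Client side. Returns exactly what would be uploaded: salt, nonce, ciphertext, tag."""
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = derive_keys(passcode, salt)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return {"salt": salt, "nonce": nonce, "ct": ct, "tag": tag}


def decrypt_blob(passcode: str, blob: dict) -> bytes | None:
    """Client side. Returns plaintext, or None when the passcode is wrong (tag mismatch)."""
    enc_key, mac_key = derive_keys(passcode, blob["salt"])
    expected = hmac.new(mac_key, blob["nonce"] + blob["ct"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, blob["tag"]):
        return None
    return bytes(a ^ b for a, b in zip(blob["ct"], _keystream(enc_key, blob["nonce"], len(blob["ct"]))))


def provider_view(blob: dict) -> set[str]:
    """Everything the provider could produce on request: the stored fields and nothing else."""
    return set(blob)


if __name__ == "__main__":
    # constructed sample data
    note = b"constructed sample: a note synced to the cloud"
    blob = encrypt_blob("123456", note)
    print("provider holds:", sorted(provider_view(blob)))   # no key, no passcode
    print("right passcode:", decrypt_blob("123456", blob))
    print("wrong passcode:", decrypt_blob("654321", blob))  # None
```

The point for the examiner is in `provider_view`: a government request, or a token-based download, yields salt, nonce, ciphertext and tag, and without the passcode (or a device on which the derived key already exists) the ciphertext does not decrypt. It also shows why wrong-passcode attempts are expensive by design: each guess costs a full scrypt derivation, which is the same reason FBE moved key derivation onto the screen lock secret.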
Authentication and encryption issues aside, there are other challenges to cloud forensics. The communication protocols are largely undisclosed and are constantly changing. Apple does everything it can to prevent third-party tools from accessing iCloud backups, going as far as requiring a valid Apple device hardware ID in order to release the data. Google makes constant changes to the various communication protocols and authentication methods, making it difficult to cope. Microsoft uses a complex synchronization protocol that is very difficult to grasp; it’s so difficult that even Microsoft’s own products (such as the iOS version of its Edge browser) may be unable to sync data they should be syncing.
Cloud forensics is the future. There are many challenges in cloud forensics, with more and more data being moved under the end-to-end encryption umbrella. At the same time, governments actively resist end-to-end encryption in the cloud, with the result that major parts of user data (such as photos) are stored without end-to-end encryption and remain conveniently scannable for controversial materials.
Learn what Google knows about you! Download information directly from the Google Account with or without a password. Elcomsoft Cloud Explorer enables over-the-air acquisition for a wide range of Google services including Contacts, Hangouts Messages, Google Keep, Chrome browsing history, search history and page transitions, Calendars, images, location and a lot more.
Elcomsoft Internet Password Breaker instantly reveals passwords to Web sites, identities, and mailboxes stored in a variety of applications. Supporting all popular Web browsers and all versions of Outlook Express, Microsoft Outlook, Windows Mail and Windows Live Mail, Elcomsoft Internet Password Breaker helps you retrieve the login and password information to a wide variety of resources.
Gain full access to information stored in FileVault 2 containers, iOS, Apple iCloud, Windows Phone and BlackBerry 10 devices! Download device backups from Apple iCloud, Microsoft OneDrive and BlackBerry 10 servers. Use Apple ID and password or extract binary authentication tokens from computers, hard drives and forensic disk images to download iCloud data without a password. Decrypt iOS backups with GPU-accelerated password recovery.