The past two years introduced a number of challenges forensic experts have never faced before. In 2018, Apple made it more difficult for the police to safely transport a seized iPhone to the lab by locking the USB port with USB restricted mode, making data preservation a challenge. The release of the A12 platform, also in 2018, made it difficult to unlock iOS devices protected with an unknown password, while this year’s release of iOS 13 rendered unlock boxes useless on iPhones based on the two most recent platforms.
On desktop and especially laptop computers, the widespread use of SSD drives made it impossible to access deleted data due to trim and garbage collection mechanisms. The users’ vastly increased reliance on cloud services and mass migration off the forensically transparent SMS platform towards the use of end-to-end encrypted messaging apps made communications more difficult to intercept and analyze.
The sheer amount of data is greater than ever, making users rely more on external (attached) storage rather than on internal hard drives alone. Many attached storage devices use secure encryption, some of them without even prompting the user. Extracting data from such devices becomes a challenge, while analyzing the huge amounts of information now requires significantly more time and effort.
The number of online accounts used by an average consumer grows steadily year over year. While password reuse and the use of cloud services to store and synchronize passwords make experts’ jobs easier, the spread of secure, encrypted password management services is turning into a new challenge.
Knowing the everyday challenges of desktop and mobile forensics, we can now peek into the future.
We can see several major trends in desktop forensics. The first and most important challenge is the increasing use of data encryption. Since Windows 8, thin and light devices could be automatically protected with BitLocker Device Encryption, Microsoft’s implementation of full-disk encryption. BitLocker Device Encryption was activated automatically on all devices meeting certain specifications (such as the presence of a TPM 2.0 module and support for Connected Standby) once the user signed in to their computer with Microsoft Account credentials (as opposed to using local credentials).
Using local credentials became increasingly difficult, to the point that setting up a Windows 10 computer without a Microsoft account is almost impossible (a workaround exists, but even experienced users have to google for it). This in turn means that even more laptops are encrypted.
There is also light at the end of the tunnel. BitLocker recovery keys are stored in the user’s Microsoft account, and experts can easily request those keys from Microsoft or obtain them by signing in with the user’s Microsoft Account credentials. We have a comprehensive how-to about instantly extracting BitLocker and FileVault 2 keys from a variety of sources.
The second major challenge is the use of solid-state media in place of magnetic hard drives. SSD drives destroy evidence almost instantly after a file is deleted or the disk is (quick) formatted. Once the data is marked as deleted, the SSD controller returns zeroes to SATA read commands regardless of whether or not the data is still physically present in the NAND cells. It is not possible to access deleted data or to stop the SSD drive from destroying deleted data in the background by ordinary means (no, write-blocking SATA devices won’t help a bit). We suggested a possible way to work around the issue in Life after Trim.
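A practical check that follows from the paragraph above: before imaging, an examiner wants to know which drives in a workstation advertise TRIM/discard, because on those the controller may purge freed blocks on its own schedule. The script below is an added example written for this post, not code from the original article or its author. It parses the JSON that `lsblk --discard --json` prints on Linux; the assumptions are mine: that lsblk's JSON uses the lowercase column names (`name`, `disc-gran`, `disc-max`) and that a non-zero discard granularity means the device honours TRIM. The sample JSON is constructed by hand so the script runs without a real drive.

```python
"""Flag TRIM-capable block devices from `lsblk --discard --json` output.

Added example, not from the original post. Assumptions (mine): lsblk's JSON
keys are the lowercase column names, and a non-zero "disc-gran" value means
the device advertises discard/TRIM.
"""
import json
import re
import subprocess

# Constructed sample in the shape of `lsblk -D -J` output (not captured from a real system).
SAMPLE_LSBLK_JSON = """
{
   "blockdevices": [
      {"name": "sda", "disc-aln": 0, "disc-gran": "512B", "disc-max": "2G", "disc-zero": false,
       "children": [
          {"name": "sda1", "disc-aln": 0, "disc-gran": "512B", "disc-max": "2G", "disc-zero": false}
       ]
      },
      {"name": "sdb", "disc-aln": 0, "disc-gran": "0B", "disc-max": "0B", "disc-zero": false},
      {"name": "nvme0n1", "disc-aln": 0, "disc-gran": "512B", "disc-max": "2T", "disc-zero": false}
   ]
}
"""

# Matches lsblk's human-readable sizes: "0B", "512B", "2G", "2.5T".
_SIZE_RE = re.compile(r"^(\d+(?:\.\d+)?)([KMGTP]?)B?$", re.IGNORECASE)
_UNITS = {"": 1, "K": 1024, "M": 1024 ** 2, "G": 1024 ** 3, "T": 1024 ** 4, "P": 1024 ** 5}


def parse_size(value) -> int:
    """Turn an lsblk size ("512B", "2G") or a plain number into bytes."""
    if isinstance(value, (int, float)):
        return int(value)
    m = _SIZE_RE.match(str(value).strip())
    if not m:
        raise ValueError(f"unrecognised size: {value!r}")
    return int(float(m.group(1)) * _UNITS[m.group(2).upper()])


def trim_capable_devices(lsblk_json: str) -> list:
    """Names of top-level devices whose discard granularity is non-zero.

    Such a device will honour TRIM, so blocks freed by the filesystem may be
    garbage-collected by the controller regardless of any write blocker.
    """
    doc = json.loads(lsblk_json)
    return [dev["name"] for dev in doc.get("blockdevices", [])
            if parse_size(dev.get("disc-gran", 0)) > 0]


def live_lsblk_json() -> str:
    """Query the examiner's own Linux workstation (requires lsblk from util-linux)."""
    return subprocess.run(["lsblk", "--discard", "--json"], check=True,
                          capture_output=True, text=True).stdout


if __name__ == "__main__":
    for name in trim_capable_devices(SAMPLE_LSBLK_JSON):
        print(f"{name}: advertises TRIM; deleted data may be purged by the controller")
```

Swap `SAMPLE_LSBLK_JSON` for `live_lsblk_json()` to run it against real hardware; partitions inherit the parent's discard settings, so only top-level devices are reported.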
Speaking of encryption, today’s products make attacks significantly more difficult by employing literally millions of hash iterations to verify passwords (you can read about these “hash iterations” in our introduction to password hacking). As an example, Microsoft doubled the number of SHA-1 hash iterations from 50,000 in Office 2007 to 100,000 in Office 2010, while newer versions of Microsoft Office still use 100,000 cycles but employ the significantly slower SHA-512 instead. In layman’s terms, this means we could try about 1000 passwords per second when breaking Office 2007 documents on a single 4-core Intel i7 CPU. On the same CPU, we could try about 500 passwords per second for Office 2010 documents, but only about 50 passwords per second for Office 2013. More on that in Evolution of Microsoft Office encryption.
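To make the cost scaling in the paragraph above concrete, here is an added example (written for this post, not code from the original article or from Microsoft) that models iterated password hashing and estimates how many verifications per second a single core manages for each profile. The loop shape follows the publicly documented ECMA-376 scheme (H0 = H(salt || password), Hn = H(uint32le(n-1) || Hn-1), password as UTF-16LE); the iteration counts and hash functions are the ones quoted above, and the mapping of the three profiles to those values is my assumption. The block-key derivation that real documents apply after the loop is left out, so this is a cost model, not a document decryptor.

```python
"""Cost model for iterated password hashing in the style of ECMA-376.

Added example, not from the original post. The loop shape follows the public
ECMA-376 description; the profile table is my reading of the figures quoted
in the post. Only the iteration loop is modelled.
"""
import hashlib
import os
import struct
import time

# Profiles quoted in the post: (hash algorithm, spin count). Mapping assumed.
PROFILES = {
    "Office 2007": ("sha1", 50_000),
    "Office 2010": ("sha1", 100_000),
    "Office 2013": ("sha512", 100_000),
}


def iterated_hash(password: str, salt: bytes, algo: str, iterations: int) -> bytes:
    """H0 = H(salt || pw), then Hn = H(little-endian counter || Hn-1)."""
    h = hashlib.new(algo, salt + password.encode("utf-16-le")).digest()
    for i in range(iterations):
        h = hashlib.new(algo, struct.pack("<I", i) + h).digest()
    return h


def verifier_cost_seconds(algo: str, iterations: int, sample: int = 2_000) -> float:
    """Estimate the cost of one full verification by timing a shorter sample.

    The per-iteration cost is constant, so the sample scales linearly.
    """
    salt = os.urandom(16)  # random salt: we only care about timing here
    t0 = time.perf_counter()
    iterated_hash("benchmark", salt, algo, sample)
    elapsed = time.perf_counter() - t0
    return elapsed * iterations / sample


def guesses_per_second(algo: str, iterations: int) -> float:
    """Single-core verification rate implied by the cost model."""
    return 1.0 / verifier_cost_seconds(algo, iterations)


if __name__ == "__main__":
    for name, (algo, iters) in PROFILES.items():
        rate = guesses_per_second(algo, iters)
        print(f"{name}: {algo} x {iters:,} iterations -> ~{rate:,.0f} guesses/s on one core")
```

Doubling the spin count halves the rate; swapping SHA-1 for SHA-512 costs roughly another factor of several, which is the effect the post describes. Multiply the single-core figure by the number of cores to compare with the CPU numbers quoted above.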
We expect the complexity of encryption to rise, making attacks even slower. Brute-force attacks will become infeasible even with the use of GPU acceleration. Distributed and cloud-based attacks will become the new norm, while targeting the human factor will be the only practical way of accessing many types of data (1 and 2).
The New T2 Macs
This year’s and some of last year’s Apple Macs and MacBooks are equipped with a new security chip, the T2. The T2 security chip protects the computer by combining SDE encryption with FileVault 2 encryption and by effectively blocking the ability to boot from external media. The effect of these security measures is that forensic experts cannot even capture an image of a FileVault 2 partition, let alone decrypt the data. The correct password is absolutely required to start the Mac or MacBook, to unlock the encrypted storage device and to decrypt the FileVault 2 partition. Overcoming these security measures will become a major challenge in macOS forensics.
The use of Microsoft Account
Microsoft continues pushing Windows users towards the use of a Microsoft Account as their Windows sign-in option. In recent Windows 10 builds, setting up a new system without a Microsoft Account becomes difficult even for seasoned experts, while ordinary users may never realize the local option even exists.
The use of the Microsoft Account offers users immediate benefits such as the ability to save and restore their files, pictures, and even desktop icons through OneDrive; immediate Skype sign-in; and much lesser-known features such as the automatic deposit of BitLocker Recovery Keys into the same user account.
It is important to understand that an offline, hardware-accelerated attack is possible on the user’s Windows logon password regardless of whether the password belongs to a local account or a Microsoft Account. Once the password is recovered, experts may continue the extraction by signing in to the user’s Microsoft Account and obtaining the BitLocker escrow keys, OneDrive data, Skype chat histories and saved passwords.
Attached Storage Encryption
The massive influx of silent and affordable SSD drives waved goodbye to big and noisy built-in hard drives. However, the amount of hoarded information continues to grow. More and more of that data ends up being stored on external storage devices, many of which advertise secure AES-256 encryption.
We are just beginning our research into encryption in some of the most popular attached storage devices. Attached Storage Forensics: Forensic Analysis of Synology NAS Devices is the first in a series of articles dedicated to the protection of data stored on external devices. Spoiler: circumventing the AES-256 encryption used in many of these devices does not require brute-forcing the 256-bit encryption key or attacking the user’s password. Next in line: Thecus NAS forensics and the analysis of WD external storage. Stay tuned.
Steganography is about concealing encrypted messages in innocent-looking content. Steganography is designed to allow plausible deniability. Without having the correct encryption key, it won’t be possible to tell if a given picture embeds an encrypted message.
Today, steganography is nearly forgotten and almost never used in real life. We expect this trend to continue in future years.
Challenges in Mobile Forensics
The main challenge in mobile forensics remains encryption. Encryption in Android devices, even though it appeared back in Android 6, only recently started being a problem for extractions. Many mid-range Android smartphones and all pre-2019 Samsung phones used Full Disk Encryption (FDE), the less secure encryption scheme that protects data with “default_password” as the seed for the encryption key. This year, almost all new smartphones come with the more secure File-Based Encryption (FBE), a newer encryption scheme that encrypts files with a key based on the user’s screen lock passcode. In many cases, experts could work around FDE; however, the newer FBE encryption is a real challenge, still underexplored.
Phones released with FDE cannot be updated to use FBE, but that generation of devices will essentially die off. The new encryption scheme used in newer devices will prevail, and it will make acquisitions significantly more difficult and time-consuming.
In Apple’s land, per-file encryption based on the user’s screen lock passcode has been used since iOS 8 on all devices starting with the iPhone 5s. The encryption was and remains secure, and while it remains a challenge, it does not present a new challenge.
Unlocking Apple smartphones will become increasingly difficult. The bootloader-level vulnerability discovered in A5 through A11 devices is no longer present in the iPhone Xs/Xr and iPhone 11 generations, while iOS 13 closed many security vulnerabilities discovered in iOS 12. We expect older devices (up to and including the iPhone 8/iPhone X generation) to remain easily unlockable, while the new generation will be more difficult (and slower) to unlock. The now-default 6-digit passcodes are particularly slow to brute-force, often making BFU (Before First Unlock) attacks infeasible.
While Apple employs secure biometrics to unlock its devices, numerous Android copycats use “me-too” imitations of Apple’s Face ID. Such imitations are generally insecure, and can be fooled with a printed image or, at worst, a 3D model of the user’s face. It is the sheer number and diversity of Android devices that guards them against dedicated security research, the kind of research that resulted in the unpatchable checkm8 exploit for many Apple devices.
Full-disk and file-based encryption effectively prevent straightforward extractions, making experts seek dedicated forensic tools for imaging devices. Before First Unlock and After First Unlock extractions will continue to return vastly different amounts of evidence, with AFU extractions slowly fading out as vulnerable models approach the end of their lifecycle.
Yet, alternatives to physical extraction will continue to develop. With significantly more information stored in the cloud today compared to just two years ago, forensic experts can expect to get ahold of that data – and more.
In classic desktop forensics, capturing an image of the hard drive and calculating its checksum would satisfy the verification requirement. This no longer works in mobile forensics. Most extraction methods are not forensically sound. The results are not repeatable, and calculating the checksum only makes sense to validate the integrity of a given dump or archive. Repeating the extraction will produce a different image and a different checksum. Many vendors are secretive about the techniques they use to extract smartphones; their testimony may be the only validation available in court.
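The distinction drawn above, that a checksum validates one particular dump but says nothing about repeatability, is easy to demonstrate. The following is an added example written for this post (not code from the original article or from any vendor's tool): it records a hash for a dump together with who produced it and how, verifies a dump in hand against that record, and compares two extractions of the same device. The two "dumps" are constructed byte strings that differ by a single byte, standing in for two runs of a non-repeatable extraction.

```python
"""Integrity records for extraction dumps.

Added example, not from the original post. Sample dumps are constructed in
memory; no device or vendor tool is involved.
"""
import datetime
import hashlib

# Constructed stand-ins for two extractions of the same device: identical
# except for one byte, the way a volatile timestamp or log entry would differ.
DUMP_A = b"\x00" * 1024 + b"partition-table" + b"\xAA" * 2048 + b"run-01"
DUMP_B = b"\x00" * 1024 + b"partition-table" + b"\xAA" * 2048 + b"run-02"


def sha256_stream(chunks) -> str:
    """Hash an iterable of byte chunks so large images need not fit in memory."""
    h = hashlib.sha256()
    for chunk in chunks:
        h.update(chunk)
    return h.hexdigest()


def sha256_file(path: str, block: int = 1 << 20) -> str:
    """Hash a dump on disk, one megabyte at a time."""
    with open(path, "rb") as f:
        return sha256_stream(iter(lambda: f.read(block), b""))


def acquisition_record(label: str, data: bytes, tool: str, operator: str) -> dict:
    """Chain-of-custody entry: what was hashed, with what, by whom, and when."""
    return {
        "label": label,
        "sha256": sha256_stream([data]),
        "size": len(data),
        "tool": tool,
        "operator": operator,
        "timestamp_utc": datetime.datetime.now(datetime.timezone.utc).isoformat(),
    }


def verify_against_record(record: dict, data: bytes) -> bool:
    """True only if the dump in hand is byte-for-byte the dump that was recorded."""
    return record["size"] == len(data) and record["sha256"] == sha256_stream([data])


def compare_extractions(rec_a: dict, rec_b: dict) -> dict:
    """Say whether two extractions are identical; a mismatch is expected for
    most mobile methods and is not, by itself, a sign of tampering."""
    identical = rec_a["sha256"] == rec_b["sha256"] and rec_a["size"] == rec_b["size"]
    return {
        "identical": identical,
        "same_tool": rec_a["tool"] == rec_b["tool"],
        "size_delta": rec_b["size"] - rec_a["size"],
    }


if __name__ == "__main__":
    first = acquisition_record("run-01", DUMP_A, "hypothetical-extractor 1.0", "examiner")
    second = acquisition_record("run-02", DUMP_B, "hypothetical-extractor 1.0", "examiner")
    print("dump A matches its record:", verify_against_record(first, DUMP_A))
    print("dump B matches A's record:", verify_against_record(first, DUMP_B))
    print("two runs compared:", compare_extractions(first, second))
```

The record, not the bare checksum, is what belongs in the case file: the hash proves the archive is the one that was analysed, and the tool and operator fields are what a second examiner needs to attempt the same steps.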
Cloud Extractions and Vendor Counter-Forensics
While more and more users’ data ends up in the cloud, companies continue to secure their cloud services against straightforward acquisition attempts.
Starting with Android 9, Google began to encrypt Android backups with the user’s device passcode. At this time, no other data is being encrypted, not even health (Google Fit) data or passwords. We’ll keep watching Google cloud services.
Apple continues its efforts to counter forensic access to parts of its cloud services. iCloud backups, while not encrypted with user credentials, are becoming increasingly difficult to obtain due to the use of device credentials as a required prerequisite for accessing the data. The user’s passwords (iCloud Keychain), Health data, and even messages are securely encrypted with the user’s screen lock passcode or system password. None of that information is given to law enforcement when Apple serves a government request, and none of that data is provided to users pulling their data via Apple Privacy Requests.
We’ll continue to develop cloud extraction tools to obtain as much data as technically possible.
While two-factor authentication is not exactly new, manufacturers keep pushing users to enable the feature while making it very difficult or impossible to disable it.
At the same time, two-factor authentication has its ugly side. In the Apple ecosystem, users whose accounts are protected with two-factor authentication can do things such as disabling the Find My protection or resetting the Apple ID/iCloud password without providing their original Apple ID password.
Deleted Data Analysis
Deleted data analysis is dead. For many years, it has been impossible to recover files deleted from an Apple iPhone because of the way Apple handles the encryption keys. The abundance of trimming SSD drives makes access to deleted data impossible just moments after the file is gone. Manufacturers keep trying to find a way to gain access to trimmed data on some SSD models. The SSD factory access mode is one of the newest SSD analysis methods that helps experts gain access to the hidden parts of the SSD drive.
Does hi-tech forensics stand a chance with more data, more apps, more devices and increasingly strong encryption? We believe it does. More data is great for big data analysis, while strong encryption is countered by smarter attacks.
In hi-tech forensics, there is no ‘silver bullet’. No single tool and no set of tools can take care of every step of an investigation. Even if one has access to every forensic tool ever made, the end result may be poor due to the lack of proper methodology, silly mistakes, a faulty workflow, or simply because something small but very important was overlooked, from the wrong time zone to some hidden file metadata.
All of the above is worth an additional presentation with in-depth explanation, practical examples, the common mistakes and things to consider before, during and after the investigation. It is the expert who needs to have the deepest understanding of how things work, from the very basics of math to cryptography and to the very specific features of multiple software packages and forensic tools. The expert must carefully record their every step, and ensure their steps can be followed by someone else and that the end result is repeatable. In an ideal world, the end result should be the same even if different tools are used. This, while not a 100% guarantee, is much better than nothing.