Passware, Inc. announced version 2 of its flagship encrypted electronic evidence discovery product, Passware Kit Forensic 2015. This new release acquires suspects' iPhone and iPad photos without the Apple ID or password, provided there is physical access to a computer with the iCloud application installed.
According to apple.com, "Your new photos appear automatically on the iOS devices, computers, and Apple TV you set up with My Photo Stream, no matter which iOS device or computer you use to take or import new photos." (Source: https://support.apple.com/kb/PH13693?viewlocale=en_US&locale=en_US). This also applies to shared photo streams, where photos and videos of trusted contacts are automatically synchronized with the Apple device.
An authentication token, which replaces Apple credentials and thus allows the iPhone/iPad photo stream to be downloaded, resides in the computer's memory and, on Windows, in the hibernation file. This token allows downloading of photos and videos from the owner's photo stream and, additionally, from the shared albums of the owner's trusted contacts.
Until now, the only solution for acquiring iCloud data without the Apple ID and password was extracting the iCloud token from the target hard disk, which further required the user's operating system password to decrypt the token. Passware has found a way to acquire the token from a live memory image and, more practically, from a Windows hibernation file. This makes a user password for the OS unnecessary. Moreover, if the target computer is shut down and live memory data is no longer available for acquisition, the hibernation file containing the token remains on disk until the next hibernation, even after power-off.
Each photo and video contains invaluable evidence, such as GPS coordinates, time taken, and device name. Thorough analysis of this data is performed in Oxygen Forensic Passware Analyst, which also provides detailed reports and graphs for computer forensic investigations. All versions of iOS are supported, including the latest, 8.2.
Cases Enabling Acquisition of iPhone and iPad Full Backups
Computer forensic examiners can now acquire full backups of a suspect's iPhone or iPad using Passware in unique cases, including:
- Apple ID and password are known. No physical access to the device or target computer is required. Full iCloud backup is downloaded with Apple credentials.
- Apple ID and password are unknown and the target computer is powered off. Local iTunes backup (PLIST file) is extracted from the hard disk image and, if necessary, its password is recovered.
- Apple ID and password are unknown and the target computer is running (locked, user logged off or sleep mode). Live memory acquisition is possible. iCloud Photo Stream data is downloaded with the token extracted from the memory image.
- Apple ID and password are unknown and the target computer (Windows OS) is powered off. Hibernation file extraction is possible. iCloud Photo Stream is downloaded with the token extracted from the hibernation file.
A graph of these unique cases where Passware acquires data from a suspect's iPhone or iPad is available here: http://www.lostpassword.com/f/downloads/press/2015-2-icloud.pdf.
Additional features of Passware Kit Forensic 2015 v.2 include:
- Hardware-accelerated password recovery for hidden TrueCrypt containers
- Automatic software updates
- Improved performance of Passware Kit Agent for Linux
- Decryption of FileVault 2 from Mac OS X Yosemite
- Extraction of passwords and credentials from KeePass databases
- Exporting results to CSV format for further analysis and forensic reports