Bypass or Recovery of Passcodes: Bypasses or recovers pattern, password, or PIN locks. Extracts data from locked or encrypted mobile devices.
Decryption of Application's Data: Recovers open passwords and decrypts Signal Messenger and 1Password data. Support for additional applications is coming soon.
Accounts and Passwords Extraction: Extracts iOS Keychain data and passwords from 1Password manager. Creates a decrypted copy of Keychain for further analysis.
Fast Recovery: Accelerates the recovery of unlock codes for supported devices with NVIDIA and AMD GPUs.
Advanced Extraction Methods: Performs a forensically sound full file-system extraction. Extracts encryption keys from hardware-backed Keystore.
Runs on Windows and macOS: Acquires mobile devices on both Windows PCs and Macs.
View currently supported devices here: Passware Mobile Supported Devices
Historically, forensic laboratories would more often than not use an air-gapped network to protect data and the integrity of their investigations. Although some of our customers are moving away from this model (in many cases to better leverage services such as Azure and AWS), a large proportion still rely on the ‘air-gap’ as their primary security defence.
Although a properly implemented air-gap can be effective, it would be a mistake to place over-reliance on it and neglect basic security best practice such as patching, privilege management and effective tooling.
Researchers from cyber-security firm ESET recently discovered a never-before-seen malware framework named ‘Ramsey’ that is designed to specifically target data stored within air-gapped networks.
Ramsey is designed to spread via removable media and, on infection, collects .doc, .pdf and .zip files and stores them within an encrypted container ready for exfiltration [3]. ESET go on to say that the exact mechanism for exfiltration is currently unknown; however, articles on the subject have reported cases where an exfiltration has been successful [1].
Perhaps what is most concerning is that ESET speculate that distribution may be occurring via spear phishing [2], presumably specifically targeting individuals with access to air-gapped networks.
The above reinforces the fact that an air-gap alone is not a guarantee of security. If you would like some further guidance on effective cyber security tooling for forensic and air-gapped networks, contact us at info@avatu.co.uk
You can read full details of what is known about this malware on the blog post here: https://www.welivesecurity.com/2020/05/13/ramsay-cyberespionage-toolkit-airgapped-networks/
[3] https://www.welivesecurity.com/2020/05/13/ramsay-cyberespionage-toolkit-airgapped-networks/
Remote Forensic Investigation is nothing new. I remember first using EnCase Enterprise Edition (now EnCase Endpoint Investigator) in 2008, and at that time it wasn’t new technology. Since then, the range and capabilities of technologies that allow an investigator to acquire data remotely across a network have broadened, but nevertheless, many organisations still do not utilise remote forensic technology in their investigation workflows.
In the world we are currently living and working in, there can’t be many organisations who could hand on heart swear that they could get physical access to all of their endpoints at short notice. There has for some time been a gradual shift to remote working, but for obvious reasons this has now been accelerated beyond anyone’s expectations. We have reached a point where now anyone who can work remotely must do so; and experts are speculating that once the current global health crisis is over, many organisations will not go back to how they were. If this mass remote working experiment is successful, then businesses will begin to question why they need large expensive city centre offices, and why they limit the talent pool to only those living within commutable distance.
For investigation and cyber incident response departments this presents a challenge. No longer will it be possible to physically unplug a machine because the user opened a dodgy email attachment, and neither will it be possible to take possession of a laptop because the user leaked confidential information. Remote forensics will become the ‘norm’ rather than a specialised capability reserved for specific cases.
At Avatu we are hearing from companies who already have something in place but are interested in expanding their use of remote forensic technologies. We are also speaking to companies who have no remote capability at all and are looking to deploy something quickly. We thought, therefore, that it might be useful to share some high-level information, advice and warnings about operating a remote forensic capability; the remainder of this article is dedicated to this.
If you need help with this, or you would like a more in depth discussion around tooling options, please don’t hesitate to contact me at rob.savage@avatu.co.uk
There are many benefits of deploying and using remote forensic technologies; some are more obvious than others. I have highlighted some of the more common ones below:
With proper planning, procedures and permissions, an investigator is able to respond to requirements and start to collect data in minutes rather than hours/days. This is particularly important when responding to cyber security incidents.
Depending on the nature of the investigation it may be appropriate to leave the endpoints in the possession of the subject. In these cases, a remote forensic capability will allow you to acquire data without disrupting their work by taking possession of the device.
Many remote forensic tools have functionality that enable covert acquisitions/searches of endpoints. If you can navigate through the HR/Privacy complications, this can be very useful.
This is the obvious benefit, and probably the most relevant in the current environment. Remote forensic tools allow investigators to access, search and collect data from endpoints connected to the network.
There are many things to consider when deploying or utilising a remote forensic capability. I’ve highlighted a few challenges that I’ve personally encountered in the past, but by no means is this list exhaustive.
Before any work can be done, agents need to be deployed to endpoints. This can be done as a company-wide roll-out, either as part of gold builds, group policy, or manually. Alternatively, many organisations opt to deploy agents to machines only as and when they are needed. Either way, it is likely that some planning and engagement with IT will be needed here.
This is an absolute minefield and well beyond my expertise and the scope of this post to go into in detail, but it’s worth keeping in mind, at the very least, the following:
Depending on how much data you are looking to acquire, bandwidth might be a consideration. Remember that most home broadband connections have a significantly slower upload than download speed; a quick check of my own home broadband shows an upload speed of less than a quarter of the download speed. So, if you are to acquire a full forensic image or a large chunk of data from a subject based at home, then you may be waiting a while.
In a cyber incident response scenario we need to balance the risk of leaving the device connected to company systems while we collect. In an ideal world we would isolate the device and then collect. Some tools allow this, but not all.
Especially when undertaking large collections in a covert scenario this can be an issue. If a user is active on their device, creating and changing data and logging on and off, then creating a ‘snapshot’ collection can be challenging. Some technologies provide the capability to make a local snapshot onto the device itself, which can then be collected gradually in segments over time.
The following are some things that I’ve found it useful to keep in mind when considering remote forensics:
The very first thing to get right is to choose the right technology for your use case. Understand what it is you are looking to achieve and then build a set of requirements from it.
There are multiple technologies in the market that offer a remote forensic capability. Some are collection only; some are collection and analysis combined. Some are aimed at Cyber Incident Response use cases; some are aimed at E-Discovery and Investigation. Some allow you to triage and search the endpoint prior to collecting; some just allow you to collect based on file attributes alone.
Take the time to understand what options are available and when choosing a technology, ensure that you choose one that not only meets your requirements, and is suitable for your technical environment, but also fits your processes.
Unless the investigation dictates a full acquisition, be as targeted as possible. This will help mitigate some of the privacy risks and also minimise the volume of data that you are uploading over the subject's internet connection. Plan and document the parameters of your collection, such as any keywords, date ranges, file type, file names and location filters used.
This can be used to identify sources of information and plan collections. If for example a user’s documents folder is replicated onto say OneDrive and email is O365, then there might not be a need to collect data from the endpoint at all.
If I’m only interested in email and we are using Office365, it is much easier to collect direct from O365 rather than attempting to collect the locally stored OST/PST file.
If your technology allows, do as much triage/searching on the endpoint itself as possible. If you only collect responsive documents, not only does it reduce the amount of data being collected, it also minimises any collateral intrusion.
Make sure that the investigation process is well documented and that authorisation is sought and documented at the correct level. This is a sensitive area and so comprehensive audit trails of decisions should be kept.
As above it is vital that any work done is properly documented and contemporaneous notes taken. You may find that you are having to account for exactly what was collected and why at a later date and accurate notes will be important for this.
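The three points above (collect only against documented parameters, triage on the endpoint so only responsive files leave it, and keep contemporaneous notes of exactly what was taken and why) can be illustrated with a small script. The following is an added example written for this article, not code from Avatu or from any of the remote forensic products mentioned; the function names (`CollectionParameters`, `collect`, `run_demo`) and the sample files it builds in a temporary directory are constructed for illustration, and the keyword triage is a plain-text search standing in for the document parsing a real tool would do.

```python
"""Targeted, documented file collection (added example; hypothetical helper names)."""
import hashlib
import json
import os
import tempfile
from dataclasses import dataclass, asdict
from datetime import datetime, timezone
from pathlib import Path
from typing import Optional, Tuple


@dataclass
class CollectionParameters:
    """The filters an investigator decides on and records before collecting."""
    root: str                                      # location filter: where to look
    extensions: Tuple[str, ...] = (".docx", ".pdf")  # file-type filter
    modified_after: Optional[str] = None           # ISO date (UTC midnight), inclusive
    modified_before: Optional[str] = None          # ISO date (UTC midnight), exclusive
    keywords: Tuple[str, ...] = ()                 # case-insensitive content triage
    name_contains: Optional[str] = None            # file-name filter
    max_size_bytes: int = 50 * 1024 * 1024         # skip huge files over slow home uplinks


def _to_ts(iso: Optional[str]) -> Optional[float]:
    """ISO date string -> POSIX timestamp at UTC midnight (None passes through)."""
    if iso is None:
        return None
    return datetime.fromisoformat(iso).replace(tzinfo=timezone.utc).timestamp()


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large items do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def _matches(path: Path, p: CollectionParameters, after, before) -> bool:
    """Apply every documented filter; a file must pass all of them."""
    if path.suffix.lower() not in p.extensions:
        return False
    if p.name_contains and p.name_contains.lower() not in path.name.lower():
        return False
    st = path.stat()
    if st.st_size > p.max_size_bytes:
        return False
    if after is not None and st.st_mtime < after:
        return False
    if before is not None and st.st_mtime >= before:
        return False
    if p.keywords:
        # Endpoint-side triage: plain-text search (a stand-in for real document parsing).
        text = path.read_bytes().decode("utf-8", errors="ignore").lower()
        if not any(k.lower() in text for k in p.keywords):
            return False
    return True


def collect(params: CollectionParameters, case_id: str, examiner: str) -> dict:
    """Walk params.root and return a manifest: who, when, which parameters, which files."""
    after, before = _to_ts(params.modified_after), _to_ts(params.modified_before)
    root = Path(params.root)
    items = []
    for path in sorted(root.rglob("*")):
        if path.is_file() and _matches(path, params, after, before):
            st = path.stat()
            items.append({
                "path": str(path.relative_to(root)),
                "size": st.st_size,
                "mtime_utc": datetime.fromtimestamp(st.st_mtime, timezone.utc).isoformat(),
                "sha256": sha256_file(path),
            })
    return {"case_id": case_id, "examiner": examiner,
            "collected_at_utc": datetime.now(timezone.utc).isoformat(),
            "parameters": asdict(params), "items": items}


def write_manifest(manifest: dict, out_path: str) -> str:
    """Persist the manifest; return its own SHA-256 so the record can be verified later."""
    Path(out_path).write_text(json.dumps(manifest, indent=2, sort_keys=True))
    return sha256_file(Path(out_path))


def build_sample_tree(base: str) -> None:
    """Constructed sample files (not real case data) with fixed modification times."""
    samples = {
        "Documents/contract.docx": (b"Project Falcon contract, signed", "2020-03-10"),
        "Documents/notes.txt": (b"Project Falcon meeting notes", "2020-03-11"),
        "Documents/old.pdf": (b"Project Falcon archive", "2019-01-05"),
        "Downloads/holiday.pdf": (b"photos from holiday", "2020-03-12"),
    }
    for rel, (content, day) in samples.items():
        p = Path(base) / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(content)
        ts = _to_ts(day) + 3600  # one hour into that day
        os.utime(p, (ts, ts))


def run_demo(keywords: Tuple[str, ...] = ("falcon",)) -> dict:
    """Build the sample tree in a temp dir, collect against documented parameters."""
    with tempfile.TemporaryDirectory() as base:
        build_sample_tree(base)
        params = CollectionParameters(root=base, modified_after="2020-01-01",
                                      modified_before="2020-04-01", keywords=keywords)
        manifest = collect(params, case_id="CASE-EXAMPLE-001", examiner="examiner@example")
        manifest["manifest_sha256"] = write_manifest(manifest, os.path.join(base, "manifest.json"))
        return manifest


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

With the keyword filter set, only `Documents/contract.docx` is selected: `notes.txt` fails the file-type filter, `old.pdf` falls outside the date range, and `holiday.pdf` contains no responsive keyword. Dropping the keyword filter widens the take to `holiday.pdf` as well, which is exactly the collateral intrusion that endpoint-side triage avoids. The manifest records the parameters alongside the per-file hashes, so the "what was collected and why" question can be answered from the record rather than from memory.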
Ensure that Company IT Policies make it clear that data held on company devices is subject to investigations and that the company deploys and makes use of technology that allows it to collect data from devices.
Remote Forensic Investigations can be challenging, especially if policies are not in place that facilitate their use. However, as we all learn to adapt to new ways of working, it is likely that the importance of having a remote capability will increase.
There are a number of reasons why organisations have previously resisted adoption of remote forensic technology. It may be because there exists a perception that it would be prohibitively expensive, or that deploying agents onto endpoints would be technically difficult; but in many cases (and I count myself in this category) there is something reassuring about taking physical possession of a target device and knowing that I have the data because it is safely locked away.
It is unlikely however that this is a luxury that we will be able to rely on forever.
If you need help with this, or you would like a more in depth discussion around tooling options, please don’t hesitate to contact me at rob.savage@avatu.co.uk