Forwarded from BlackBox (Security) Archiv
Forensic guide to iMessage, WhatsApp, Telegram, Signal and Skype data acquisition
Instant messaging apps have become the de-facto standard of real-time, text-based communications. The acquisition of instant messaging chats and communication histories can be extremely important for an investigation. In this article, we compare the five top instant messaging apps for iOS in the context of their forensic analysis.
Acquisition and Extraction
Speaking of iOS, there are several methods to acquiring communications going through an instant messaging app. The MITM (man-in-the-middle) attack is practically out of the question for most modern instant messaging apps; if there are exceptions, we aren’t aware of those. Even on Android devices, a MITM attack would require installing a third-party SSL certificate, and even that may not work for some instant messengers.
The ability to obtain communication histories from the vendor is a great tool in the hands of the law enforcement. The policies of different vendors vary greatly from near-instant full disclosure to flat non-disclosure with stops in between. We’ll discuss it in detail for each of the messaging apps.
Cloud extraction may be possible from several sources, which include iCloud synchronized data (including end-to-end encrypted data), iCloud backups and stand-alone backups in iCloud Drive. It’s up to the vendor to decide where and how to store the data; more on that later.
Finally, the data can be extracted from the iPhone device itself. For some messaging apps, logical extraction via iTunes-style backups is enough, while some other messengers don’t store anything in local backups. Imaging the file system (and, in some cases, decrypting the keychain) is always enough to gain full access to conversation histories.
So let us see the different extraction options available for the five top instant messaging apps for iOS.
https://blog.elcomsoft.com/2020/04/forensic-guide-to-imessage-whatsapp-telegram-signal-and-skype-data-acquisition/
#forensic #guide #imessage #whatsapp #telegram #signal #skype
📡@cRyPtHoN_INFOSEC_DE
📡@cRyPtHoN_INFOSEC_EN
📡@NoGoolag
📡@BlackBox
Instant messaging apps have become the de-facto standard of real-time, text-based communications. The acquisition of instant messaging chats and communication histories can be extremely important for an investigation. In this article, we compare the five top instant messaging apps for iOS in the context of their forensic analysis.
Acquisition and Extraction
Speaking of iOS, there are several methods to acquiring communications going through an instant messaging app. The MITM (man-in-the-middle) attack is practically out of the question for most modern instant messaging apps; if there are exceptions, we aren’t aware of those. Even on Android devices, a MITM attack would require installing a third-party SSL certificate, and even that may not work for some instant messengers.
The ability to obtain communication histories from the vendor is a great tool in the hands of the law enforcement. The policies of different vendors vary greatly from near-instant full disclosure to flat non-disclosure with stops in between. We’ll discuss it in detail for each of the messaging apps.
Cloud extraction may be possible from several sources, which include iCloud synchronized data (including end-to-end encrypted data), iCloud backups and stand-alone backups in iCloud Drive. It’s up to the vendor to decide where and how to store the data; more on that later.
Finally, the data can be extracted from the iPhone device itself. For some messaging apps, logical extraction via iTunes-style backups is enough, while some other messengers don’t store anything in local backups. Imaging the file system (and, in some cases, decrypting the keychain) is always enough to gain full access to conversation histories.
So let us see the different extraction options available for the five top instant messaging apps for iOS.
https://blog.elcomsoft.com/2020/04/forensic-guide-to-imessage-whatsapp-telegram-signal-and-skype-data-acquisition/
#forensic #guide #imessage #whatsapp #telegram #signal #skype
📡@cRyPtHoN_INFOSEC_DE
📡@cRyPtHoN_INFOSEC_EN
📡@NoGoolag
📡@BlackBox
ElcomSoft blog
Forensic guide to iMessage, WhatsApp, Telegram, Signal and Skype data acquisition
Instant messaging apps have become the de-facto standard of real-time, text-based communications. The acquisition of instant messaging chats and communication histories can be extremely important for an investigation. In this article, we compare the five…
Forwarded from GJ `°÷°` 🇵🇸🕊 (t ``~__/>_GJ06)
info_activism@mastodon.cc - Tools of digital repression - Myanmar
https://www.justiceformyanmar.org/stories/tools-of-digital-repression
#répression #Myanmar #OutilsDeSurveillance #ExtractionMobile #Forensic #DataInterception
https://www.justiceformyanmar.org/stories/tools-of-digital-repression
#répression #Myanmar #OutilsDeSurveillance #ExtractionMobile #Forensic #DataInterception
Forwarded from Pegasus NSO & other spyware
Kaspersky reveals new method to detect Pegasus spyware | Kaspersky –
#Pegasus #NSO #Reign #Predador #iOS #Spyware #Malware #Kapersky #MobileForensics #CyberSec
Kaspersky's Global Research and Analysis Team (GReAT) has developed a lightweight method to detect indicators of infection from sophisticated iOS spyware such as #Pegasus, #Reign, and #Predator through analyzing Shutdown.log, a previously unexplored #forensic artifact.
The company’s experts discovered Pegasus infections leave traces in the unexpected system log, Shutdown.log, stored within any mobile #iOS device’s sysdiagnose archive. This archive retains information from each reboot session, meaning anomalies associated with the Pegasus malware become apparent in the log if an infected user reboots their device.
Among those identified were instances of ”sticky“ processes impeding reboots, particularly those linked to Pegasus, along with infection traces discovered through cybersecurity community observations.
#Pegasus #NSO #Reign #Predador #iOS #Spyware #Malware #Kapersky #MobileForensics #CyberSec