Category: Tutorial

ComputerCavalry: Creating, Managing, and Restoring Backups
MP4 | Video: AVC 1280x720 | Audio: AAC 44KHz 2ch | Duration: 38M | Lec: 8 | 63 MB
Genre: eLearning | Language: English

Category: Other

Recently, ElcomSoft Co. Ltd. released a major update to Elcomsoft Explorer for WhatsApp. Elcomsoft Explorer for WhatsApp 2.30 adds the ability to extract and decrypt WhatsApp stand-alone backups created by Android users in Google Drive. The tool obtains a WhatsApp cryptographic key by registering itself as a new device.

The decryption is possible with access to a verified phone number or SIM card, and requires authenticating into the user's Google account. A WhatsApp encryption key needs to be obtained only once, and can be used to access all previously created and all future backups for a given combination of Google Account and phone number. The tool provides automatic download and decryption for WhatsApp backups and comes with a built-in viewer.

Notably, a cloud backup may, in certain cases, contain even more information than is stored on the device itself. This particularly applies to attachments (photos and videos) sent and received by WhatsApp users and then deleted from the device.

WhatsApp for Android: Not an Easy Target

For several years, WhatsApp has been encrypting its backup databases. Both stand-alone and cloud backups produced by the Android app are securely protected with industry-standard AES256 encryption. The encryption key is generated by WhatsApp at the time of the first backup. The key is unique per account and per phone number. If the user has multiple WhatsApp accounts and only one Google Account, each WhatsApp account will use a unique encryption key.

The encryption keys are generated by WhatsApp servers; they are never stored in Google Drive. Extracting the encryption keys from a local Android device may or may not be possible depending on the phone's root status and the version of Android it is running.

Making things even more complicated is the fact that the many versions of WhatsApp released in recent years employ different encryption algorithms. This makes it difficult to build an all-in-one acquisition tool compatible with all versions of WhatsApp.

Elcomsoft Explorer for WhatsApp 2.30 gains the ability to download WhatsApp backups for Android devices directly from the user's Google account, retrieve cryptographic keys from WhatsApp servers and decrypt the content of WhatsApp backups including conversation histories and messages.

In order to obtain the encryption key from WhatsApp, access to the user's trusted phone number or SIM card is required. The authentication code is requested and delivered as a text message. Based on that authentication code, Elcomsoft Explorer for WhatsApp automatically creates a cryptographic key that will be used to decrypt all existing and future backups for a given combination of Google Account and phone number. In addition, the user's authentication credentials are required to log in to their Google Account.

If the expert does not have access to the user's SIM card or trusted phone number, Elcomsoft Explorer for WhatsApp can access contacts and media files (pictures and videos) the users send and receive with WhatsApp.

Step-by-step WhatsApp acquisition guide: http://blog.elcomsoft.com/2018/01/extract-and-decrypt-whatsapp-backups-from-google/

For more information, please visit http://www.elcomsoft.com/exwa.html

Category: Other

In the world of no jailbreak, acquisition opportunities are limited. Experts are struggling to access more information from those sources that are still available. Every little bit counts. In Elcomsoft Phone Viewer, we've added what might appear like a small bit: the ability to view undismissed iOS notifications. Unexciting? Hardly. Read along to discover how extracting notifications from iOS backups can make all the difference in an investigation!

As you may already know, Elcomsoft Phone Viewer has a useful feature: support for iOS notifications extracted from cloud and local backups. It can show several years' worth of undismissed iOS notifications, which can account for hundreds or thousands of messages.

Why notifications? Because they may contain sensitive information that won't be available anywhere else. Several months ago, a French man filed a lawsuit after his wife learned of his affair from Uber app notifications. According to BBC, "The man says he once requested an Uber driver from his wife's phone. Despite logging off, the application continued to send notifications to her iPhone afterwards, revealing his travel history and arousing her suspicions."

Notifications are an essential part of iOS. Notifications are pushed by pretty much every app that has any forensic significance. Email clients and instant messengers are easy to spot, but that's not all. Notifications are pushed by Uber and taxi apps, booking and travel services, online shopping and delivery services, social networks and banking apps. Unless read or dismissed, these notifications are stored in local and cloud backups. This is where Elcomsoft Phone Viewer extracts them from.

Why "undismissed" notifications only? If the user reads, dismisses or otherwise interacts with a notification (e.g. by replying to an email or instant message), the corresponding file is deleted from the system and is therefore not included in a backup. One more thing. Unlike calls or browsing history, notifications are not shared between iOS devices. There is no real-time sync for them. As a result, analyzing backups (local or iCloud) is the only way to extract notifications.

When using an iOS device, you'll only be able to access notifications going up to one week back, regardless of the actual number of notifications. If you read or dismiss a notification, you won't be able to go back to it. Internally, iOS keeps each notification in a separate file. Reading or dismissing a notification deletes that file, so there's no way to access it afterwards. The good thing, however, is that iOS backs up all unread/undismissed notifications even if they are older than one week. The reason for this is not exactly clear (there is no way to access those notifications when using an iOS device), but we can definitely benefit from this behavior.

For each individual application, up to 100 notifications are stored. Older notifications are automatically deleted by the system.

Elcomsoft Phone Viewer allows filtering notifications by application; the default view places apps with the most notifications at the top.

Finally, you can export all or selected notifications into a CSV file for further analysis or reporting.

What can you expect to see when viewing undismissed notifications? We checked several accounts, and discovered as many as 1200 individual messages going back all the way to 2012. Here's what we've got:

  1. Online banking updates. Our banking app pushes account updates, statement availability, daily balance and transaction alerts as notifications as opposed to sending insecure emails or text messages.

  2. A slew of social network updates including Facebook, Twitter, LinkedIn and Pinterest. This included likes, retweets, friend requests, comments and updates.

  3. Instant messages. We've been able to view complete messages for Skype, WhatsApp and Viber (the only three messengers installed on that device).

  4. Uber: lots of "you've got a car" notifications.

  5. Amazon: delivery notifications and order updates.

  6. eBay: messages, order updates.

  7. DHL: tracking updates.

  8. Home security app: engaging and disengaging alarms.

  9. Email: subject and a few lines of message body.

  10. A bunch of Google Maps and Google Trips updates.

Is this enough to profile a user? Not quite, but it can help a lot. Is there a chance to get all of that data elsewhere? Not unless you jailbreak the device and perform physical acquisition. Downloaded mail, banking updates, instant messaging and pretty much everything else on our list is excluded from iOS backups except for notifications, and can only be obtained via physical acquisition or by analyzing notifications with Elcomsoft Phone Viewer.

Learn more about Elcomsoft Phone Viewer and download free trial version at http://www.elcomsoft.com/epv.html

Category: Other

Elcomsoft Explorer for WhatsApp 2.10 adds the ability to extract and decrypt WhatsApp stand-alone backups created in iCloud Drive. The tool can obtain a WhatsApp encryption key by registering itself as a new device. Access to the user's iCloud authentication credentials and their verified phone number is required to generate the encryption key.

Elcomsoft Explorer for WhatsApp 2.10 adds the ability to access iPhone users' WhatsApp conversation histories by extracting and decrypting WhatsApp stand-alone backups from iCloud Drive. Access to the user's iCloud account and their verified phone number (SIM card) is required to obtain the encryption key and decrypt the backup.

Since last year, both manual and daily stand-alone backups stored by WhatsApp in iCloud Drive are automatically encrypted. The encryption key, generated by WhatsApp when the user makes a backup for the first time, is unique for each combination of Apple ID and phone number. Different encryption keys are generated for different phone numbers registered on the same Apple ID. These encryption keys are generated and stored server-side by WhatsApp itself; they are never stored in iCloud or on the device.

If a SIM card with a verified phone number is available, Elcomsoft Explorer for WhatsApp 2.10 can now access the encryption key by registering itself with WhatsApp as a new device. Once obtained, the encryption key will be used to decrypt WhatsApp stand-alone backups (iCloud authentication credentials or binary authentication token required).

At this time, Elcomsoft Explorer for WhatsApp 2.10 supports all of the following WhatsApp acquisition methods:

  1. (new) Extracting and decrypting WhatsApp stand-alone backups from iCloud Drive

  2. Extracting WhatsApp data from iOS system backups (iTunes)

  3. Downloading and extracting WhatsApp data from iOS cloud backups (iCloud)

  4. Extracting WhatsApp databases from rooted Android devices (all versions of Android; root access required)

  5. Producing and extracting WhatsApp backups on pre-Android 7 devices without root access

You can find more information about Elcomsoft Explorer for WhatsApp at

Current State of WhatsApp Security

Despite recent discoveries regarding WhatsApp encryption of the tool's iCloud backups, the app's end-to-end message delivery still remains secure, and the messaging service remains one of the most secure on the market. WhatsApp securely encrypts messages sent and received, and makes use of encryption when producing cloud backups. Decrypting WhatsApp-produced backups requires access to the trusted phone number or SIM card, as well as access to the user's Apple ID account.

WhatsApp does not keep communication histories on their servers, making them unavailable to hacker attacks. For the same reason, government requests result in very limited data. As a result, acquisition is only possible from physical devices, iOS system backups or proprietary WhatsApp backups.

Category: E-Book

High Performance MySQL: Optimization, Backups, and Replication (3rd edition) By Baron Schwartz, Peter Zaitsev, Vadim Tkachenko
2012 | 826 Pages | ISBN: 1449314287 | EPUB + PDF | 5 MB + 16 MB