Site icon MacTech.com

Passware exposes suspects’ Photo Stream to computer forensics

Passware.jpg

Investigators now have a unique tool that leverages Passware’s research in live-memory analysis for over-the-air acquisition of Apple Photo Stream contents without an Apple ID or password.

Passware — a provider of password recovery, decryption, and electronic evidence discovery software for computer forensics, law enforcement organizations, government agencies, and private investigators — has announced version 2 of its flagship encrypted electronic evidence discovery product, Passware Kit Forensic 2015. This new release now acquires suspects’ iPhone and iPad photos without Apple ID or password, provided the physical access to the computer with iCloud application installed.

According to Apple, “Your new photos appear automatically on the iOS devices, computers, and Apple TV you set up with My Photo Stream, no matter which iOS device or computer you use to take or import new photos.” This also concerns shared photo stream where photos and videos of trusted contacts are automatically synchronized with the Apple device.

An authentication token, which replaces Apple credentials and thus allows iPhone/iPad photo stream download, resides in the computer memory and hibernation file (for Windows OS). This token allows downloading of photos and videos from the owner’s photo stream and, additionally, from the shared albums of his trusted contacts.

Until now, the only solution for acquiring iCloud data without Apple ID and password was extracting the iCloud token from the target hard disk, which further required a user password for the operating system to decrypt the token. Passware says it’s found a way to acquire the token from a live memory image and, which is more applicable, from a Windows hibernation file.

The company says this makes it unnecessary to have a user password for the OS. What’s more, if the target computer is shut down and live memory data no longer available for acquiring, the hibernation file with the token resides there until the next hibernation even after the power-off.

Each photo and video contains evidence such as GPS coordinates, time taken, and device name. Analysis of this data occurs in Oxygen Forensic Passware Analyst, which also provides detailed reports and graphs for computer forensic investigations. Supported are all versions of iOS, including the latest 8.2.

Passware Kit Forensic is available directly from Passware and a network of resellers worldwide. The price is US$995 with one year of free updates. Go to http://tinyurl.com/o7kbveb for more info.

Exit mobile version