Belkasoft Acquisition Tool

Resumen
Ayuda

Belkasoft Acquisition Tool ayuda a los investigadores con uno de los pasos más importantes de la investigación: obtener datos de una fuente de datos. Actualmente, se soportan cuatro tipos de fuentes de datos:

Discos duros y extraíbles
Dispositivos móviles
Memoria RAM de PC
Datos de la nube

Luego es posible analizar la imagen adquirida con Belkasoft Evidence Center o una herramienta de terceros.

Adquirir imagen de un disco duro o extraíble

BelkaImager sirve para adquirir los imágenes de los discos duros, unidades SSD y unidades extraíbles conectadas a su PC, portátil o tableta. Se realiza la adquisición física. El resultado sería una imagen DD o E01.

Adquirir imagen de un dispositivo móvil

El producto adquiere datos de los dispositivos Android e iOS (iPhones, iPads), iOS 10 incluido. Se adquiere una imagen lógica.

Adquirir una imagen de la memoria RAM

La memoria RAM de un PC, portátil o tableta Windows se puede descargar en un formato sin procesar.

Descargar los datos de la nube

BelkaImager permite descargar los datos de las nubes más importantes, tales como iCloud, Google Drive y Google Plus.

Acquiring iCloud

Belkasoft Acquisition Tool can download various information from iCloud, including "Find my iPhone", Calendar, Pages and recent backups. In order to download this info, you must be authorized. iCloud provides two authorization methods: login/password and authorization by cookies.

Login/Password

This is the most straightforward authorization scheme. Login is an AppleID of an account; Password is a password for that account.

Note that iCloud will notify an account owner about successful login attempt via email. The user will receive an email with subject "Your Apple ID was used for login to iCloud from a web-browser". There is no way to avoid that.

Cookies

This authentication method provides access to Calendar and iCloud Pages data by using cookies stored by a browser if an account owner accessed https://www.icloud.com with their browser. Cookies are relatively short-lived (they declare expiration time of two weeks if the user selected “Remember me” on login screen and “Until browser session ends” if not). A way of obtaining cookies from a browser is browser-dependent, for example in Chrome cookies can be found at Settings -> Settings -> Show Advanced Settings -> Content Settings… -> All cookies and site data… -> icloud.com. Here is the example of Chrome cookies window with X-APPLE-WEBAUTH-TOKEN selected:

You should copy Content part of a cookie for X-APPLE-WEBAUTH-TOKEN, X-APPLE-WEBAUTH-USER and X-APPLE-WEBAUTH-PCS-Documents cookies (without quotes) and paste to corresponding fields on the authentication window.

An alternative way of obtaining these cookies is sniffing browser traffic with some tool like “Fiddler”. It is not easy without access to a client machine, since iCloud uses encrypted HTTPS protocol, but allows intercepting cookies in any phase of communication between client and iCloud, because valid cookies are sent with every request to a server. Fiddler shall be configured to decrypt HTTPS traffic (here is the official doc on how to enable it; note that it requires installing a self-signed certificate on a client machine: http://docs.telerik.com/fiddler/Configure-Fiddler/Tasks/FirefoxHTTPS). Here is what it looks like: on the screenshot below you can see an example of a packet intercepted during editing of iCloud Pages document:

Note that only iCloud Pages and iCloud Calendar apps can be downloaded with cookies at this moment. "Find My iPhone" cookies are too short-lived to be used (they stay valid for about one minute), iCloud Backup does not have a browser interface so does not use cookies at all.

Acquiring Google Cloud

Google services are using various authentication tokens for various parts of available functionality, so, for example, Google Drive and Google Plus will require two different logins even for the same account. Additionally, Google services use OAuth as authentication/authorization, so a consent screen will be shown even when a login and a password are known (more info about that can be found in Google API documentation). Nevertheless, OAuth Refresh Tokens can be extracted from Google Drive Sync client traffic (it uses HTTPS encrypted protocol, so it is not easy to intercept without access to a client machine).

Google Drive consent screen

This authorization method uses user consent (as specified by OAuth protocol) to receive a permission to download files and meta-information from Google Drive. On a first use it opens standard Google consent screen where user should authenticate with Google (using credentials of the account which information and files are to be downloaded) and if authentication is successful give an application rights to view files in Google Drive:

Google Drive Refresh Token

This option uses Refresh Token extracted from Google Drive Sync client to authorize BelkaImager. Refresh Tokens have long lifespan (over 6 months), but can be revoked by user or by Google itself if there are too many Refresh Tokens are registered at the same time (25 tokens per account per client). More details on this in Google API docs. To get Refresh Token from Google Drive Sync client it is possible to use Fiddler tool configured to decrypt HTTPS traffic ( more info here, note that it requires to install self-signed certificate on a client machine). Also Google Drive Sync shall be started with “--unsafe_network” command-line option. Here is the detailed instruction on how to do this.

Fiddler screen with intercepted Google Drive Refresh Token looks as follows:

Note that Refresh Token is used only in a request to “accounts.google.com/o/oauth2/token”, all subsequent requests use Access Token that is provided by a request with Refresh Token (Access Token is short-lived so cannot be used for authorization).

Also Refresh Token can be obtained via user consent, if login and password for Google Account is known; in this case one can use “Google Drive consent screen” authentication method. Note that Refresh Token received this way is also long-lived and can be used later with “Refresh Token” authorization method.

Google Plus consent screen

It works the same way as Google Drive consent screen, but uses different application scope, so separate authorization will be required.

Google Plus Refresh Token

It works the same way as Google Drive Refresh Token, but uses different Refresh Token, so tokens from Google Drive will not work for Google Plus authorization. There is no widespread Google Plus client, so the only way to get Refresh Token is to use “Google Plus consent screen” authentication method and save token received after user consent.