Extracting Calls, Contacts, Calendars and Web Browsing Activities from iOS Devices in Real Time

December 21st, 2016 by Vladimir Katalov
Category: «Clouds», «Elcomsoft News», «Tips & Tricks»

Cloud acquisition has been available for several years. iPhones and iPads running recent versions of iOS can store snapshots of their data in the cloud. Cloud backups are created automatically on a daily basis provided that the device is charging while connected to a known Wi-Fi network. While iCloud backups are great for investigations, there is one thing that might be missing, and that’s up-to-date information about user activities that occurred after the moment the backup was created. In this article, we’ll discuss an alternative cloud acquisition option available for iOS devices and compare it to the more traditional acquisition of iCloud backups.

iCloud Backups

iCloud backups are no longer news. Cloud backups made their first appearance several years ago, and they improved significantly in iOS 9 (a reminder: binary authentication tokens no longer expire for iOS 9 and 10.x backups). Cloud backups contain most of the information available on the device. They are created once a day if certain conditions are met.

iCloud backups are great for forensic analysis. They are easily accessible, and they can be requested from Apple by following established procedures. One thing that’s not so great about cloud backups is the fact that they are created daily at best. In the San Bernardino case, the last cloud backup was months old; this was why the FBI insisted on unlocking the physical device.

However, there is another method that can deliver up-to-date information about the user’s activities straight from the cloud and without forcing anyone to break into the device itself.

Synced Data and Why It Matters

In addition to periodic cloud backups, Apple syncs certain types of data across iOS devices via iCloud. As an example, iPhones send information about phone calls and FaceTime conversations to iCloud just minutes after the call. Unlike iCloud backups, syncing occurs with or without Wi-Fi connectivity and whether or not the device is connected to a charger. In other words, the data will be synced on the go using available connectivity (including mobile data). In addition to call logs, iOS syncs Safari activities, notes, calendars and contacts.

One of the most interesting parts in this cloud sync is browsing history. iOS devices automatically sync Safari browsing activities with the cloud, saving information about open tabs and general browsing history. Similar to phone calls, these types of data are pushed to iCloud on a regular basis throughout the day, often just minutes after the user clicks on a Web link.

Interestingly, this feature is not clearly advertised by Apple. There is no clear, documented way to disable this syncing, apart from Apple’s suggestion of “not using the same Apple ID on different devices”. Information is uploaded to Apple servers automatically if iCloud Drive is enabled on a given iPhone. Disabling iCloud Drive entirely seems to disable the syncing; however, some users reported that even turning off iCloud Drive did not stop the syncing for them.

About a month ago we released Elcomsoft Phone Breaker 6.20, giving it the ability to extract information about the user’s phone calls from the cloud. While we tried to make it clear that the data extracted was neither part of cloud backups nor Continuity artefacts, we still received mixed press on this feature. So why do we feel that iOS cloud sync is important?

Due to the obscurity of the feature, the chance that a criminal has this cloud synchronization silently working on their device is higher than the chance of them maintaining a fresh cloud backup. In addition, the data is synced just minutes after the activity, as opposed to iCloud backups, which are daily at best.
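To make the gap between the two acquisition sources concrete, here is an added model (not Elcomsoft’s code and not part of the original post) of the conditions described above: backups run at most daily and only while the device is charging on a known Wi-Fi network, while synced categories upload within minutes over any connectivity. The five-minute sync delay, the event timeline and the backup moments are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Categories the article says iOS pushes to iCloud shortly after the activity.
SYNCED = {"call", "facetime", "safari", "note", "calendar", "contact"}
SYNC_DELAY = timedelta(minutes=5)   # assumption: "just minutes after" the activity

@dataclass(frozen=True)
class Event:
    when: datetime
    category: str
    detail: str

def last_backup_before(backup_opportunities, acquired_at):
    """Backups run at most daily and only while charging on a known Wi-Fi network;
    backup_opportunities lists those moments (constructed in the sample below)."""
    done = [t for t in backup_opportunities if t <= acquired_at]
    return max(done) if done else None

def coverage(events, backup_opportunities, acquired_at):
    """Return what an investigator could obtain at acquired_at from the latest
    iCloud backup vs. from synced data, plus the events only sync would reveal."""
    cutoff = last_backup_before(backup_opportunities, acquired_at)
    in_backup = [e for e in events if cutoff and e.when <= cutoff]
    # An activity is visible through sync only once its upload delay has elapsed.
    in_sync = [e for e in events
               if e.category in SYNCED and e.when + SYNC_DELAY <= acquired_at]
    only_sync = [e for e in in_sync if e not in in_backup]
    return in_backup, in_sync, only_sync

# Constructed sample: the device last charged on home Wi-Fi on the night of the
# 18th, was then used on the go (mobile data only), and is acquired on the 21st.
T0 = datetime(2016, 12, 18, 2, 0)
BACKUPS = [T0 - timedelta(days=1), T0]          # nightly backups on the 17th and 18th
EVENTS = [
    Event(T0 - timedelta(hours=5), "safari", "news site"),            # in the backup
    Event(T0 + timedelta(hours=10), "call", "outgoing call"),
    Event(T0 + timedelta(days=1, hours=3), "safari", "map search"),
    Event(T0 + timedelta(days=2), "photo", "camera roll"),            # not a synced category
    Event(T0 + timedelta(days=3, hours=7, minutes=58), "facetime", "incoming"),  # too recent
]
ACQUIRED = datetime(2016, 12, 21, 10, 0)

if __name__ == "__main__":
    backup, synced, gap = coverage(EVENTS, BACKUPS, ACQUIRED)
    print(f"backup has {len(backup)} event(s), sync has {len(synced)}, "
          f"{len(gap)} visible only through sync")
```

On the sample timeline the three-day-old backup holds one activity, while synced data holds three, two of which no backup would show; the FaceTime call two minutes before acquisition is in neither yet.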

Retrieving Synced Data

In order to access synced data, you will need to use Elcomsoft Phone Breaker 6.30 or newer. Once the product is launched, click “Download synced data from iCloud” under Tools > Apple, and follow the prompts.

The user’s Apple ID and password are required to extract data from the cloud. Alternatively, you can log in with an iCloud authentication token, which helps bypass two-factor authentication checks.

Once the data is downloaded, you can view it with the updated Elcomsoft Phone Viewer.


REFERENCES:

Elcomsoft Phone Breaker

Gain full access to information stored in FileVault 2 containers, iOS, Apple iCloud and Windows Phone devices! Download device backups from Apple iCloud and Microsoft OneDrive servers. Use Apple ID and password or extract binary authentication tokens from computers, hard drives and forensic disk images to download iCloud data without a password. Decrypt iOS backups with GPU-accelerated password recovery.

Elcomsoft Phone Breaker official web page & downloads »


Elcomsoft Phone Viewer

Elcomsoft Phone Viewer is a fast, lightweight forensic viewer for quickly accessing information extracted from mobile backups. Supporting a variety of platforms and data formats, the tool can display information extracted from local and cloud iOS backups and Microsoft Accounts. Password-protected iTunes backups can be automatically decrypted and analyzed without using third-party tools.

Elcomsoft Phone Viewer official web page & downloads »