Extracting Unread Notifications from iOS Backups

March 2nd, 2017 by Oleg Afonin
Category: «Did you know that...?», «Elcomsoft News», «Tips & Tricks»

In the world of no jailbreak, acquisition opportunities are limited. Experts are struggling to access more information from those sources that are still available. Every little bit counts. In Elcomsoft Phone Viewer 3.0, we’ve added what might appear like a small bit: the ability to view undismissed iOS notifications. Unexciting? Hardly. Read along to discover how extracting notifications from iOS backups can make all the difference in an investigation!

As you may already know, we’ve updated Elcomsoft Phone Viewer 3.30 with a single new feature: support for iOS notifications extracted from cloud and local backups. The update can show several years’ worth of undismissed iOS notifications, which can account for hundreds or thousands of messages.

Why notifications? Because they may contain sensitive information that won’t be available anywhere else. Just a few days ago, a French man filed a lawsuit after his wife learned of his affair from Uber app notifications. According to BBC, “The man says he once requested an Uber driver from his wife’s phone. Despite logging off, the application continued to send notifications to her iPhone afterwards, revealing his travel history and arousing her suspicions.”

Notifications are an essential part of iOS. Notifications are pushed by pretty much every app that has any forensic significance. Email clients and instant messengers are easy to spot, but that’s not all. Notifications are pushed by Uber and taxi apps, booking and travel services, online shopping and delivery services, social networks and banking apps. Unless read or dismissed, these notifications are stored in local and cloud backups. This is where Elcomsoft Phone Viewer 3.30 extracts them from.

Why “undismissed” notifications only? If the user reads, dismisses or otherwise interacts with a notification (e.g. by replying to an email or instant message), the corresponding file is deleted from the system and is therefore not included in a backup. One more thing. Unlike calls or browsing history, notifications are not shared between iOS devices. There is no real-time sync for them. As a result, analyzing backups (local or iCloud) is the only way to extract notifications.

When using an iOS device, you’ll only be able to access notifications going back up to one week – regardless of the actual number of notifications. If you read or dismiss a notification, you won’t be able to go back to it. Internally, iOS keeps each notification in a separate file. Reading or dismissing a notification deletes that file, so there’s no way to access it afterwards. The good thing, however, is that iOS backs up all unread/undismissed notifications even if they are older than one week. The reason for this is not exactly clear (there is no way to access those notifications when using an iOS device), but we can definitely benefit from this behavior.

For each individual application up to 100 notifications are stored. Older notifications are automatically deleted by the system.

Elcomsoft Phone Viewer allows filtering notifications by application; the default view places the apps with the most notifications at the top. At this time, we’ll only display package names such as “com.viber” for Viber, “ph.telegra.Telegraph” for Telegram, “com.foursquare.robin” for Foursquare, “com.ubercab.UberClient” for Uber etc. It is technically possible to retrieve application names from the server, and we’re working on it for the next release.

Finally, you can export all or selected notifications into a CSV file for further analysis or reporting.
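To make the retention and viewing rules above concrete, here is an added illustrative model (not Elcomsoft’s code, and not iOS’s actual on-disk notification format, which the post does not describe). It assumes the rules stated in the post: dismissed notifications never reach a backup, iOS keeps at most 100 notifications per application, the viewer ranks apps by notification count and filters by package name, and the result can be exported as CSV. The bundle ID “com.example.bank” and all sample messages are constructed for the example.

```python
import csv
import io
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

MAX_PER_APP = 100  # per-application retention limit stated in the post


@dataclass(frozen=True)
class Notification:
    bundle_id: str          # package name, e.g. "com.ubercab.UberClient"
    timestamp: datetime
    title: str
    body: str
    dismissed: bool = False  # read, dismissed or interacted with on the device


def backed_up_notifications(notifications):
    """Model which notifications survive into a backup: dismissed ones are
    deleted on the device and never backed up; of the rest, only the newest
    MAX_PER_APP per application are retained."""
    per_app = defaultdict(list)
    for n in notifications:
        if n.dismissed:
            continue
        per_app[n.bundle_id].append(n)
    kept = []
    for items in per_app.values():
        items.sort(key=lambda n: n.timestamp, reverse=True)
        kept.extend(items[:MAX_PER_APP])
    return kept


def apps_by_count(notifications):
    """Default viewer ordering: apps with the most notifications first."""
    counts = defaultdict(int)
    for n in notifications:
        counts[n.bundle_id] += 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


def filter_by_app(notifications, bundle_id):
    """Filter by package name, oldest first."""
    return sorted((n for n in notifications if n.bundle_id == bundle_id),
                  key=lambda n: n.timestamp)


def export_csv(notifications):
    """Export to CSV text for reporting; returns the CSV as a string."""
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(["bundle_id", "timestamp", "title", "body"])
    for n in sorted(notifications, key=lambda n: (n.bundle_id, n.timestamp)):
        writer.writerow([n.bundle_id, n.timestamp.isoformat(), n.title, n.body])
    return buf.getvalue()


def sample_store():
    """Constructed sample data (not from any real device)."""
    base = datetime(2016, 11, 1, 9, 0)
    items = []
    # 130 Uber notifications: the 30 oldest exceed the per-app cap
    for i in range(130):
        items.append(Notification("com.ubercab.UberClient",
                                  base + timedelta(hours=i),
                                  "Uber", f"Your ride #{i} is arriving"))
    # three Viber messages, one of them dismissed on the device
    items.append(Notification("com.viber", base + timedelta(days=1),
                              "Alice", "Are we still on for tonight?"))
    items.append(Notification("com.viber", base + timedelta(days=2),
                              "Bob", "Sent you the documents", dismissed=True))
    items.append(Notification("com.viber", base + timedelta(days=3),
                              "Alice", "Call me"))
    # an undismissed 2012 banking alert: far older than a week, still backed up
    # ("com.example.bank" is a placeholder bundle ID)
    items.append(Notification("com.example.bank", datetime(2012, 5, 14, 8, 30),
                              "Bank", "Transaction alert: -42.00"))
    return items


if __name__ == "__main__":
    kept = backed_up_notifications(sample_store())
    for bundle_id, count in apps_by_count(kept):
        print(f"{count:4d}  {bundle_id}")
    print(export_csv(filter_by_app(kept, "com.viber")))
```

Running the script prints the per-app ranking (Uber capped at 100, Viber at 2 because the dismissed message is gone, the bank alert at 1) and a CSV of the Viber messages; the dismissed Viber message and the 30 oldest Uber notifications never appear, matching the behaviour the post describes.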

What can you expect to see when viewing undismissed notifications? We checked several accounts, and discovered as many as 1200 individual messages going back all the way to 2012. Here’s what we’ve got:

  1. Online banking updates. Our banking app pushes account updates, statement availability, daily balance and transaction alerts as notifications as opposed to sending insecure emails or text messages.
  2. A slew of social network updates including Facebook, Twitter, LinkedIn and Pinterest. This included likes, retweets, friend requests, comments and updates.
  3. Instant messages. We’ve been able to view complete messages for Skype, WhatsApp and Viber (the only three messengers installed on that device).
  4. Uber: lots of “you’ve got a car” notifications.
  5. Amazon: delivery notifications and order updates.
  6. eBay: messages, order updates.
  7. DHL: tracking updates.
  8. Home security app: engaging and disengaging alarms.
  9. Email: subject and a few lines of message body.
  10. A bunch of Google Maps and Google Trips updates.

Here’s what it looks like:

Is this enough to profile a user? Not quite, but it can help a lot. Is there a chance to get all of that data elsewhere? Not unless you jailbreak the device and perform physical acquisition. Downloaded mail, banking updates, instant messaging and pretty much everything else on our list is excluded from iOS backups except for notifications, and can only be obtained via physical acquisition or by analyzing notifications with Elcomsoft Phone Viewer 3.30.


REFERENCES:

Elcomsoft Phone Viewer

Elcomsoft Phone Viewer is a fast, lightweight forensic viewer for quickly accessing information extracted from mobile backups. Supporting a variety of platforms and data formats, the tool can display information extracted from local and cloud iOS backups and Microsoft Accounts. Password-protected iTunes backups can be automatically decrypted and analyzed without using third-party tools.

Elcomsoft Phone Viewer official web page & downloads »