Extracting Unread Notifications from iOS Backups

March 2nd, 2017 by Oleg Afonin

In the world of no jailbreak, acquisition opportunities are limited. Experts are struggling to access more information from those sources that are still available. Every little bit counts. In Elcomsoft Phone Viewer 3.0, we’ve added what might appear to be a small bit: the ability to view undismissed iOS notifications. Unexciting? Hardly. Read on to discover how extracting notifications from iOS backups can make all the difference in an investigation!

As you may already know, we’ve updated Elcomsoft Phone Viewer 3.30 with a single new feature: support for iOS notifications extracted from cloud and local backups. The update can show several years’ worth of undismissed iOS notifications, which can account for hundreds or thousands of messages.

Why notifications? Because they may contain sensitive information that won’t be available anywhere else. Just a few days ago, a French man filed a lawsuit after his wife learned of his affair from Uber app notifications. According to the BBC, “The man says he once requested an Uber driver from his wife’s phone. Despite logging off, the application continued to send notifications to her iPhone afterwards, revealing his travel history and arousing her suspicions.”

Notifications are an essential part of iOS. Notifications are pushed by pretty much every app that has any forensic significance. Email clients and instant messengers are easy to spot, but that’s not all. Notifications are pushed by Uber and taxi apps, booking and travel services, online shopping and delivery services, social networks and banking apps. Unless read or dismissed, these notifications are stored in local and cloud backups. This is where Elcomsoft Phone Viewer 3.30 extracts them from.

Why “undismissed” notifications only? If the user reads, dismisses or otherwise interacts with a notification (e.g. by replying to an email or instant message), the corresponding file is deleted from the system and is therefore not included in a backup. One more thing: unlike calls or browsing history, notifications are not shared between iOS devices. There is no real-time sync for them. As a result, analyzing backups (local or iCloud) is the only way to extract notifications.

On the iOS device itself, you can only access notifications going back up to one week, regardless of the actual number of notifications. If you read or dismiss a notification, you won’t be able to go back to it. Internally, iOS keeps each notification in a separate file. Reading or dismissing a notification deletes that file, so there’s no way to access it afterwards. The good thing, however, is that iOS backs up all unread/undismissed notifications even if they are older than one week. The reason for this is not exactly clear (there is no way to access those notifications when using an iOS device), but we can definitely benefit from this behavior.

For each individual application, up to 100 notifications are stored. Older notifications are automatically deleted by the system.

Elcomsoft Phone Viewer allows filtering notifications by application; the default view places the apps with the most notifications at the top. At this time, we only display package names such as “com.viber” for Viber, “ph.telegra.Telegraph” for Telegram, “com.foursquare.robin” for Foursquare, “com.ubercab.UberClient” for Uber etc. It is technically possible to retrieve application names from the server, and we’re working on it for the next release.

Finally, you can export all or selected notifications into a CSV file for further analysis or reporting.
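
A triage pass over such an export, as an added example that is not Elcomsoft's code: it ranks apps by notification count as the default view does, flags apps sitting at the 100-notification cap, and counts entries older than the one-week on-device window. The column names (`bundle_id`, `timestamp`, `text`), the timestamp format and the sample rows are assumptions constructed for illustration; the page does not document the export layout.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Bundle IDs named in the article; any other app is reported by its raw ID.
KNOWN_APPS = {
    "com.viber": "Viber",
    "ph.telegra.Telegraph": "Telegram",
    "com.foursquare.robin": "Foursquare",
    "com.ubercab.UberClient": "Uber",
}
PER_APP_CAP = 100                      # per-app limit stated in the article
ON_DEVICE_WINDOW = timedelta(days=7)   # what the device itself still shows

def triage(csv_text, backup_time):
    """Summarise exported notifications per app, busiest app first."""
    # Assumed columns (not the tool's documented layout): bundle_id, timestamp, text
    per_app = defaultdict(list)
    for row in csv.DictReader(io.StringIO(csv_text)):
        per_app[row["bundle_id"]].append(
            datetime.strptime(row["timestamp"], "%Y-%m-%d %H:%M:%S"))
    summary = []
    for bundle_id, stamps in per_app.items():
        summary.append({
            "app": KNOWN_APPS.get(bundle_id, bundle_id),
            "count": len(stamps),
            "oldest": min(stamps),
            "newest": max(stamps),
            # At the cap, older entries were purged, so "oldest" is not first use.
            "at_cap": len(stamps) >= PER_APP_CAP,
            # Entries older than a week: present in the backup, gone from the UI.
            "backup_only": sum(backup_time - t > ON_DEVICE_WINDOW for t in stamps),
        })
    return sorted(summary, key=lambda s: (-s["count"], s["app"]))

SAMPLE_BACKUP_TIME = datetime(2017, 3, 1, 12, 0, 0)   # constructed

def constructed_sample():
    """Build a constructed CSV: one app at the cap, two below it."""
    rows = ["bundle_id,timestamp,text"]
    first = datetime(2016, 11, 1, 9, 0, 0)
    for day in range(100):
        rows.append(f"com.ubercab.UberClient,{first + timedelta(days=day)},Driver arriving")
    rows.append('com.viber,2012-06-03 18:22:10,"Hi, call me back"')
    rows.append("com.viber,2017-02-27 08:01:00,Missed call")
    rows.append("com.example.bank,2017-02-28 07:30:00,Statement available")
    return "\n".join(rows)

if __name__ == "__main__":
    for entry in triage(constructed_sample(), SAMPLE_BACKUP_TIME):
        print(entry)
```

An app reported with `at_cap` set should be read as "at least this much activity": its oldest surviving notification marks where the purge stopped, not when the app was first used.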

What can you expect to see when viewing undismissed notifications? We checked several accounts, and discovered as many as 1200 individual messages going back all the way to 2012. Here’s what we’ve got:

  1. Online banking updates. Our banking app pushes account updates, statement availability, daily balance and transaction alerts as notifications as opposed to sending insecure emails or text messages.
  2. A slew of social network updates including Facebook, Twitter, LinkedIn and Pinterest. This included likes, retweets, friend requests, comments and updates.
  3. Instant messages. We’ve been able to view complete messages for Skype, WhatsApp and Viber (the only three messengers installed on that device).
  4. Uber: lots of “you’ve got a car” notifications.
  5. Amazon: delivery notifications and order updates.
  6. eBay: messages, order updates.
  7. DHL: tracking updates.
  8. Home security app: engaging and disengaging alarms.
  9. Email: subject and a few lines of message body.
  10. A bunch of Google Maps and Google Trips updates.


Is this enough to profile a user? Not quite, but it can help a lot. Is there a chance to get all of that data elsewhere? Not unless you jailbreak the device and perform physical acquisition. Downloaded mail, banking updates, instant messaging and pretty much everything else on our list is excluded from iOS backups except for notifications, and can only be obtained via physical acquisition or by analyzing notifications with Elcomsoft Phone Viewer 3.30.


75 Comments on "Extracting Unread Notifications from iOS Backups"

ssl
Guest

Hi!
I’m getting “SSL certificate failed. You can try to use transparent proxy” on epb today. What’s up with that?

Thanks

Anonz
Guest

I am also having same issue. I’ve submitted a ticket but no response yet. Sounds to me like Apple changed something on their end. We’ll see.

Anonz
Guest

Does anyone know of a user forum for EPB? Would like to see what others are saying about this SSL issue.

Joe
Guest

ssl issue here too

Peter
Guest

SSL Error here too

Andy
Guest

SSL Error. I want my money back

Pauli
Guest

SSL Error here too.
Elcomsoft really should work on this. Also on a workaround on 2fa. Apple is pushing 2fa really hard. Soon everybody uses 2fa. Who will buy your products then? If elcomsoft can’t find a way around 2fa or ssl error…..that pretty much means the end for elcomsoft. But I guess you’re smart enough to know that.

shitfuck
Guest

There probably isn’t a workaround 2fa. Apple won this and every upcoming round

Pauli
Guest

Yeah probably. But then it’s also the end for Elcomsoft. How do they plan to sell products if there is no way to use them……..?

With the last iOS update Apple automatically enables 2fa. So soon there won’t be accounts without 2fa………

Andy S
Guest

I also have an SSL error and submitted a ticket.

Anonz
Guest

EPB has always run into this scenario almost on a yearly basis. Apple changes something that breaks EPB then Elcomsoft finds a fix.. it takes them a while but they do. What I find shameful, is that there is NO user forum to discuss these issues and obtain much deserving updates from Elcomsoft while they work on these issues. Instead we the users (who pay good money for this product) have to stagger the internet and find irrelevant comment boards such as these to communicate and try to figure out what is going on. FIX THIS VLADIMIR!!! And yes, I…

Vladimir Katalov
Admin

We are working on a fix for SSL certificate problems. Sorry for the delay, but it was a holiday yesterday (March 8th) here in Russia.

As for 2FA: well, if you download backups (or other data) from your own iCloud account, you should have the second factor and so pass the authentication successfully. If you don’t have the one, that means that you are trying to get into someone else’s account, which is obviously illegal.

Jonas K
Guest

Thanks for the update, do you have an eta for the SSL fix?

As for 2FA, isn’t it one of the key stated functions of Elcomsoft software to allow forensic examination of a target account? A “target” is rarely ourselves.

Vladimir Katalov
Admin

We will do our best to release the fix today, but tomorrow is the latest (until we meet some unexpected problems).

As for forensic examination of the “target” – of course it is still possible even with 2FA. But you will have to get the authentication token.

Jonas K
Guest

Thanks for letting us know, good to hear the fix is coming soon!

I understand that 2FA is extremely difficult for anyone to work around, so I’m not expecting Elcomsoft to perform a miracle. But as one of the posters here said earlier, quite soon almost all active Apple accounts will be 2FA-enabled, making remote acquisition of data virtually impossible. Is there any hope of getting around 2FA?

John
Guest

Will the people who had their licenses recently expire have to spend another $400 for the fix?

Crazybaby
Guest

Same question as other poster. My license recently expired. Would be pretty damn unfair to have to buy a new key just because a small little fix.

As for 2fa. Of course elcomsoft must state that using eppb on not your own is illegal. But you’re smart enough to figure out that almost all of your customers are doing that. How many % of your buyers are really using the software on their own account? 1% maybe 2% or 3%. So if 99% of your customers disappear because of all accounts having 2fa…….elcomsoft can still survive? I doubt that.

Your dad
Guest

What are you 12?

Andyborg
Guest

Yeah good points. Can’t see elcomsoft survive with 2fa getting pushed so hard by apple.

And yeah, paying 400$ again just for a fix would be……not cool

Angyman
Guest

So what now? Fix it! I think Vladimir is just talking and they have no idea what to do. So all you people don’t buy this product for now.

Oh by the way, ALL other icloud backup download tools are still working…….no it’s not that apple changed something………

Anonz
Guest

All other tools still work? Hmmmm interesting.
Definitely don’t think it’s fair to charge for fix if that’s going to be the case. Can you comment on this Vladimir?

Pissypants
Guest

What other tools are working? Reincubate doesn’t seem to be working now either

Angyman
Guest

Wondershare, iloot, Donkey for example work perfectly fine

For me it looks like this is staged by elcomsoft. They release a fix for it and force old buyers to buy a new licence. Because they lose customers because of 2fa.

John
Guest

Are any of those other options worthwhile compared to eppb? I assume none handle 2fa…

Angyman
Guest

none handle 2fa

yes they are worthwhile, at least they work at all…….compared to eppb 😉

Rick
Guest

Hi – I have the same problem with EXWA (SSL error), I’ve been without it for 2 days now, I hope that will that be subject to an update too.

Dan
Guest

Thanks for fixing EPB but Whatsapp Explorer still has the problem.

Vladimir Katalov
Admin

Elcomsoft Phone Breaker 6.41 is now online (for both Windows and macOS), the problem has been fixed. Thanks for your patience. About updates: well, Apple make the changes all the time – to encryption, protocols and data formats. For example, current version of EPB does not work with iOS 10.3 (beta) iCloud backups yet, but the fix is also on the way. You do not pay $400 for a single fix. That’s the cost of updates and maintenance for a whole year – dozens of fixes and many new features. But for those who have their licenses expired just recently,…

Angyman
Guest

Nice thing to do. Still it’s weird that ALL other tools work fine, not just Reincubate. So it must be an error with elcomsoft.

Let’s see if the free update works as well as you promised………

Vladimir Katalov
Admin

Well, I should say that our code is *completely* different from all competitors’. Most other programs are based on old, slow and extremely buggy iLoot (which does not support iOS 9 and 10 btw). Well, if you own both RPB and other tools, you can download the same backup with them and compare (the speed and downloaded content).

Angyman
Guest

speed is the best with eppb, no doubt about that.

James
Guest

Emailed you hours ago, no answer.
I doubt the free update thing will go as smooth as you say.

Still, whatsapp not working.

Jonas K
Guest

Thanks for fixing the SSL issue.

Any idea exactly when you expect iOS 10.3 compatibility for EPB?

Vladimir Katalov
Admin

Next week 🙂 Most probably on Tuesday 14th.

James
Guest

no answers to all the other questions? Regarding whatsapp, regarding emails, regarding free update?

This looks all so staged by elcomsoft……

Vladimir Katalov
Admin

James,

We do our best to answer all requests promptly, but delay may occur. We have already processed *all* update requests we received, though.

As for WhatsApp – EXWA update is also on the way, sorry for the delay.

Let me know if you have any other questions.

Angyman
Guest

my update request was not processed, maybe my email was going in spam folder?

Vladimir Katalov
Admin

Maybe. Please contact me at vkatalov@gmail.com!

Angyman
Guest

Send now to that email again.

Whatsapp still not working…..

Vladimir Katalov
Admin

Your new license is on the way. EXWA update is in progress, will be updated promptly.

Angyman
Guest

Nope still nothing.

Send 2 mails and 2 addresses, no reply. Send a ticket, no reply…..

Vladimir Katalov
Admin

Check your spam folder. The license has been issued.

Angyman
Guest

to what email? Not the email I sent the request from. Nothing there.
Also, licence still expired when I check on your site…..

It can’t be that difficult…………….

Angyman
Guest

helloooo?

popman
Guest

Are you guys even working?
Didn’t receive an answer regarding my free update.

Whatsapp still not working.

So pretty much elcomsoft sells not working software.

Be careful people.

Other icloud backup software is working fine.

Vladimir Katalov
Admin

We do (almost 24/7). What email address you sent the update request to? We have processed all requests we received. EXWA update will be available a bit later.

Angyman
Guest

still nothing

cheater company

Angyman
Guest

ok guys be careful

elcomsoft is clearly lying about the free upgrades

I haven’t received anything, old key still expired, even though they said everything has been issued.
Not a cool move

Vladimir Katalov
Guest

Please include the last 5 chars of your code here, we will double-check. Old key remain expired, but again, we issued the new ones to those who requested. Either we have not received your request, or you have to blame your ISP.

Angyman
Guest

Last 5 digits are:
42RAX for eppb and B5L99 for whatsapp. Now I got a mail from you saying the codes were sent to me yesterday. I received NOTHING.

Angyman
Guest

whatsapp still not working……
what does promptly mean for you?

Vladimir Katalov
Guest

Got the new codes now? I’d appreciate if you confirm that here, and take your word (that we are cheating) back.

Angyman
Guest

now I finally got the new codes. thanks

so I take my cheating thing back, it just seemed odd that I didn’t get anything even though you stated multiple times you sent something.

thanks

Vladimir Katalov
Admin

Thank you! And I am sorry that you have not received the codes in time. We are investigating the problem.

EXWA has been updated, too – please get version 2.01.

Johnny #5
Guest

Thank you for the fix and working hard to get it done so quickly.

Adam L
Guest

Anybody actually received a free upgrade? Like another poster elcomsoft never replied to my mail or ticket.

Also new test version doesn’t show standalone whatsapp backup in icloud drive, even if there is clearly a backup. Another bug.

Whatsapp explorer still not working also

Vladimir Katalov
Admin

We have issued many free updates already (though in fact we do not have to). All mails have been replied. If you created the ticket, please let us know its number.

Jaden
Guest

didn’t receive anything either

don’t know what they are talking about..

Vladimir Katalov
Guest

Where you sent your request about update to? What are the last 5 chars of your old code?

James
Guest

Just curious, but how come some of us have paid for the software and others seem to be getting it for free? Seems a bit odd and a bit unfair for those of us who have paid quite a lot of money and a bit bizarre that people who have paid nothing are complaining!

How is the EXWA fix progressing please.

Vladimir Katalov
Admin

James,

EXWA 2.01 is now available, thanks for your patience.

As for free licenses: yes, we sometimes issue such ones for active beta-testers, those who have contributed a lot, helped us debugging hard-to-reproduce problems and so on.

James
Guest

OK, thank you for the info. I understand now, EXWA works great thanks!

Rip
Guest

Awesome product. I know it’s not easy going through all the code and providing fixes for us. Good work Elcomsoft!

Aaab
Guest

Hi Vladimir!
It seems like downloading photos from icloud doesn’t work anymore.

John
Guest

Downloading anything doesn’t work anymore. Backups aren’t displaying even if there is a complete one.

Jorge
Guest

I’m getting a credentials error, but can log into my icloud.com account without issue.

Jonas
Guest

Yes the latest version of EPB is basically broken for downloading icloud data. Can we get some details from Elcomsoft as to if/when this will be fixed?

Justin
Guest

I’m really curious as to if this is fixable. I can’t even get my synced data anymore.

Jonas
Guest

Well my license expired a few weeks ago so I’m definitely waiting to see if they can fix this before renewing. Even if there is a workaround, it may take Elcomsoft a lot of time and effort to find it and implement it properly, so I’ll continue to wait…

Paul
Guest

Hello

EPPB and EXWA not showing or downloading backups for me also. Credentials error?

John
Guest

Any news guys? I know it was a big holiday in Russia yesterday but could you shake off your hangovers and update us please.

Many Thanks

Billy
Guest

Thanks for the EPB fix, any news about Whatsapp Explorer?

Peter poyle
Guest

So my licence expired 4 weeks ago. And now I can’t use eppb anymore because of that fix? It’s the same like 2 months ago. So elcomsoft builds in “errors” so customers have to update the software and users who had their licence recently expired can’t use the software anymore?

Not a cool move from this company. It seems like elcomsoft now builds in fake errors every few months because they are losing customers because of 2fa.

And not even a statement from them……

James
Guest

Any updates on Whatsapp explorer please? It’s been 12 days now not downloading backups.
