ElcomSoft blog

«…Everything you wanted to know about password recovery, data decryption,
mobile & cloud forensics…»


Extracting Unread Notifications from iOS Backups

March 2nd, 2017 by Oleg Afonin

In the world of no jailbreak, acquisition opportunities are limited. Experts are struggling to extract more information from the sources that are still available, and every little bit counts. In Elcomsoft Phone Viewer 3.0, we’ve added what might look like a small bit: the ability to view undismissed iOS notifications. Unexciting? Hardly. Read on to discover how extracting notifications from iOS backups can make all the difference in an investigation!

As you may already know, we’ve updated Elcomsoft Phone Viewer 3.30 with a single new feature: support for iOS notifications extracted from cloud and local backups. The update can show several years’ worth of undismissed iOS notifications, which can account for hundreds or thousands of messages.

Why notifications? Because they may contain sensitive information that won’t be available anywhere else. Just a few days ago, a French man filed a lawsuit after his wife learned of his affair from Uber app notifications. According to BBC, “The man says he once requested an Uber driver from his wife’s phone. Despite logging off, the application continued to send notifications to her iPhone afterwards, revealing his travel history and arousing her suspicions.”

Notifications are an essential part of iOS, and they are pushed by pretty much every app of forensic significance. Email clients and instant messengers are easy to spot, but that’s not all: notifications are also pushed by Uber and taxi apps, booking and travel services, online shopping and delivery services, social networks and banking apps. Unless read or dismissed, these notifications are stored in local and cloud backups, which is where Elcomsoft Phone Viewer 3.30 extracts them from.

Why “undismissed” notifications only? If the user reads, dismisses or otherwise interacts with a notification (e.g. by replying to an email or instant message), the corresponding file is deleted from the system and is therefore not included in a backup. One more thing: unlike calls or browsing history, notifications are not shared between iOS devices. There is no real-time sync for them. As a result, analyzing backups (local or iCloud) is the only way to extract notifications.

When using an iOS device, you’ll only be able to access notifications going up to one week back, regardless of the actual number of notifications. If you read or dismiss a notification, you won’t be able to go back to it. Internally, iOS keeps each notification in a separate file. Reading or dismissing a notification deletes that file, so there’s no way to access it afterwards. The good thing, however, is that iOS backs up all unread/undismissed notifications even if they are older than one week. The reason for this is not exactly clear (there is no way to access those notifications when using an iOS device), but we can definitely benefit from this behavior.

For each individual application, up to 100 notifications are stored. Older notifications are automatically deleted by the system.

Elcomsoft Phone Viewer allows filtering notifications by application; the default view places the apps with the most notifications at the top. At this time, we only display package names such as “com.viber” for Viber, “ph.telegra.Telegraph” for Telegram, “com.foursquare.robin” for Foursquare, “com.ubercab.UberClient” for Uber etc. It is technically possible to retrieve application names from the server, and we’re working on it for the next release.

Finally, you can export all or selected notifications into a CSV file for further analysis or reporting.
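To make the retention rules above concrete, here is an added triage script (not Elcomsoft’s code) that models them over a constructed set of notification records: it keeps at most 100 undismissed notifications per app, ranks apps by count the way the default view does, and exports a CSV that flags records older than the one-week on-device window, i.e. notifications that survive only in the backup. The record layout, sample bundle IDs and timestamps are assumptions for illustration.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Behaviour described in the post: iOS keeps up to 100 undismissed
# notifications per app and backs them all up, although the device UI
# only shows the last week.
PER_APP_CAP = 100
DEVICE_VISIBLE_WINDOW = timedelta(days=7)

# Constructed sample records (bundle id, ISO timestamp, title, body);
# not data from a real backup.
SAMPLE = [
    ("com.ubercab.UberClient", "2017-02-27T09:12:00+00:00", "Uber", "You've got a car"),
    ("com.viber", "2016-11-03T18:40:00+00:00", "Alice", "see you at 7?"),
    ("com.viber", "2017-02-28T07:05:00+00:00", "Bob", "call me"),
    ("ph.telegra.Telegraph", "2015-06-01T12:00:00+00:00", "Carol", "doc attached"),
    ("com.foursquare.robin", "2012-08-14T20:30:00+00:00", "Foursquare", "new badge"),
]


def parse_ts(s):
    return datetime.fromisoformat(s)


def apply_retention(records, cap=PER_APP_CAP):
    """Keep the newest `cap` records per bundle id; older ones are dropped,
    mirroring the per-app limit the post describes."""
    by_app = defaultdict(list)
    for rec in records:
        by_app[rec[0]].append(rec)
    kept = []
    for recs in by_app.values():
        recs.sort(key=lambda r: parse_ts(r[1]), reverse=True)
        kept.extend(recs[:cap])
    return kept


def rank_apps(records):
    """Bundle ids ordered by notification count, highest first."""
    counts = defaultdict(int)
    for rec in records:
        counts[rec[0]] += 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


def to_csv(records, now):
    """Export newest-first, flagging records older than the on-device
    window (present in the backup but no longer reachable on the phone)."""
    buf = io.StringIO()
    w = csv.writer(buf)
    w.writerow(["bundle_id", "timestamp", "title", "body", "only_in_backup"])
    for app, ts, title, body in sorted(records, key=lambda r: parse_ts(r[1]), reverse=True):
        hidden = now - parse_ts(ts) > DEVICE_VISIBLE_WINDOW
        w.writerow([app, ts, title, body, "yes" if hidden else "no"])
    return buf.getvalue()


if __name__ == "__main__":
    print(to_csv(apply_retention(SAMPLE), datetime(2017, 3, 2, tzinfo=timezone.utc)))
```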

What can you expect to see when viewing undismissed notifications? We checked several accounts, and discovered as many as 1200 individual messages going back all the way to 2012. Here’s what we’ve got:

  1. Online banking updates. Our banking app pushes account updates, statement availability, daily balance and transaction alerts as notifications as opposed to sending insecure emails or text messages.
  2. A slew of social network updates including Facebook, Twitter, LinkedIn and Pinterest. This included likes, retweets, friend requests, comments and updates.
  3. Instant messages. We’ve been able to view complete messages for Skype, WhatsApp and Viber (the only three messengers installed on that device).
  4. Uber: lots of “you’ve got a car” notifications.
  5. Amazon: delivery notifications and order updates.
  6. eBay: messages, order updates.
  7. DHL: tracking updates.
  8. Home security app: engaging and disengaging alarms.
  9. Email: subject and a few lines of message body.
  10. A bunch of Google Maps and Google Trips updates.

Here’s how it looks:

Is this enough to profile a user? Not quite, but it can help a lot. Is there a chance to get all of that data elsewhere? Not unless you jailbreak the device and perform physical acquisition. Downloaded mail, banking updates, instant messaging and pretty much everything else on our list is excluded from iOS backups except in the form of notifications, and can only be obtained via physical acquisition or by analyzing notifications with Elcomsoft Phone Viewer 3.30.



75 Responses to “Extracting Unread Notifications from iOS Backups”

  1. ssl says:

    Hi!
    I’m getting “SSL certificate failed. You can try to use transparent proxy” on epb today. What’s up with that?

    Thanks

    • Anonz says:

I am also having the same issue. I’ve submitted a ticket but no response yet. Sounds to me like Apple changed something on their end. We’ll see.

      • Anonz says:

        Does anyone know of a user forum for EPB? Would like to see what others are saying about this SSL issue.

  2. Joe says:

    ssl issue here too

  3. Peter says:

    SSL Error here too

  4. Andy says:

    SSL Error. I want my money back

  5. Pauli says:

    SSL Error here too.
Elcomsoft really should work on this. Also on a workaround for 2fa. Apple is pushing 2fa really hard. Soon everybody uses 2fa. Who will buy your Products then? If elcomsoft can’t find a way around 2fa or the ssl error…..that pretty much means the end for elcomsoft. But I guess you’re smart enough to know that.

    • shitfuck says:

      There probably isn’t a workaround 2fa. Apple won this and every upcoming round

      • Pauli says:

Yeah probably. But then it’s also the end for Elcomsoft. How do they plan to sell products if there is no way to use them……..?

With the last iOS update apple automatically enables 2fa. So soon there won’t be accounts without 2fa………

  6. Andy S says:

    I also have an SSL error and submitted a ticket.

    • Anonz says:

EPB has always run into this scenario almost on a yearly basis. Apple changes something that breaks EPB, then Elcomsoft finds a fix.. it takes them a while but they do. What I find shameful is that there is NO user forum to discuss these issues and obtain much-deserved updates from Elcomsoft while they work on these issues. Instead we the users (who pay good money for this product) have to stagger the internet and find irrelevant comment boards such as these to communicate and try to figure out what is going on. FIX THIS VLADIMIR!!!
      And yes, I did open a ticket more than 24 hrs ago, with no response yet.

  7. Vladimir Katalov says:

We are working on a fix for SSL certificate problems. Sorry for the delay, but it was a holiday yesterday (March 8th) here in Russia.

As for 2FA: well, if you download backups (or other data) from your own iCloud account, you should have the second factor and so pass the authentication successfully. If you don’t have one, that means that you are trying to get into someone else’s account, which is obviously illegal.

    • Jonas K says:

      Thanks for the update, do you have an eta for the SSL fix?

      As for 2FA, isn’t it one of the key stated functions of Elcomsoft software to allow forensic examination of a target account? A “target” is rarely ourselves.

      • Vladimir Katalov says:

We will do our best to release the fix today, but tomorrow is the latest (unless we meet some unexpected problems).

        As for forensic examination of the “target” – of course it is still possible even with 2FA. But you will have to get the authentication token.

        • Jonas K says:

          Thanks for letting us know, good to hear the fix is coming soon!

          I understand that 2FA is extremely difficult for anyone to work around, so I’m not expecting Elcomsoft to perform a miracle. But as one of the posters here said earlier, quite soon almost all active Apple accounts will be 2FA-enabled, making remote acquisition of data virtually impossible. Is there any hope of getting around 2FA?

        • John says:

          Will the people who had their licenses recently expire have to spend another $400 for the fix?

        • Crazybaby says:

Same question as the other poster. My license recently expired. Would be pretty damn unfair to have to buy a new key just because of a small little fix.

As for 2fa. Of course elcomsoft must state that using eppb on an account that is not your own is illegal. But you’re smart enough to figure out that almost all of your customers are doing that. How many % of your buyers are really using the software on their own account? 1% maybe 2% or 3%. So if 99% of your customers disappear because of all accounts having 2fa…….elcomsoft can still survive? I doubt that.

          • Your dad says:

            What are you 12?

          • Andyborg says:

Yeah good points. Can’t see elcomsoft surviving with 2fa getting pushed so hard by apple.

            And yeah, paying 400$ again just for a fix would be……not cool

  8. Angyman says:

So what now? Fix it! I think Vladimir is just talking and they have no idea what to do. So all you people, don’t buy this product for now.

Oh by the way, ALL other icloud backup download tools are still working…….no, it’s not that apple changed something………

    • Anonz says:

      All other tools still work? Hmmmm interesting.
Definitely don’t think it’s fair to charge for the fix if that’s going to be the case. Can you comment on this Vladimir?

    • Pissypants says:

      What other tools are working? Reincubate doesn’t seem to be working now either

      • Angyman says:

Wondershare, iloot, Donkey for example work perfectly fine

For me it looks like this is staged by elcomsoft. They release a fix for it and force old buyers to buy a new license. Because they lose customers because of 2fa.

        • John says:

          Are any of those other options worthwhile compared to eppb? I assume none handle 2fa…

          • Angyman says:

            none handle 2fa

            yes they are worthwhile, at least they work at all…….compared to eppb 😉

  9. Rick says:

Hi – I have the same problem with EXWA (SSL error), I’ve been without it for 2 days now, I hope that will be subject to an update too.

  10. Dan says:

    Thanks for fixing EPB but Whatsapp Explorer still has the problem.

  11. Vladimir Katalov says:

    Elcomsoft Phone Breaker 6.41 is now online (for both Windows and macOS), the problem has been fixed. Thanks for your patience.

About updates: well, Apple makes changes all the time – to encryption, protocols and data formats. For example, the current version of EPB does not work with iOS 10.3 (beta) iCloud backups yet, but the fix is also on the way. You do not pay $400 for a single fix. That’s the cost of updates and maintenance for a whole year – dozens of fixes and many new features. But for those whose licenses expired just recently, please contact me directly (v.katalov@elcomsoft.com), let me know your order ID or registration code, and I will arrange a free upgrade to this version (but you will still have to renew your license to get access to further updates).

    Good idea about the user forum, I think we will start it soon.

    On 2FA: well, I am pretty sure that one day all iCloud accounts will be protected with 2FA, and moreover – iCloud backups will be encrypted much better than now, say with additional user-defined password. But that does not mean that we should stop EPB development now, right?

    About EXWA: it will be fixed today as well.

    And just my two cents on Reincubate software: you should know that their product sends login and password not to Apple iCloud directly, but to their (Reincubate) servers, and all data is being downloaded there, on their servers as well, while their desktop product works only as a ‘client’. That’s up to you to trust them or not, of course.

    • Oleg Afonin says:

      Actually, Microsoft protects users of Microsoft Account with additional challenges whether or not 2FA is enabled on a given MS Account. We’ll all be there, sooner or later.

    • Angyman says:

Nice thing to do. Still it’s weird that ALL other tools work fine, not just Reincubate. So it must be an error with elcomsoft.

Let’s see if the free update works as well as you promised………

      • Well, I should say that our code is *completely* different from all competitors’. Most other programs are based on old, slow and extremely buggy iLoot (which does not support iOS 9 and 10 btw). Well, if you own both RPB and other tools, you can download the same backup with them and compare (the speed and downloaded content).

    • James says:

      Emailed you hours ago, no answer.
      I doubt the free update thing will go as smooth as you say.

      Still, whatsapp not working.

    • Jonas K says:

      Thanks for fixing the SSL issue.

      Any idea exactly when you expect iOS 10.3 compatibility for EPB?

      • Next week 🙂 Most probably on Tuesday 14th.

        • James says:

          no answers to all the other questions? Regarding whatsapp, regarding emails, regarding free update?

          This looks all so staged by elcomsoft……

          • Vladimir Katalov says:

            James,

            We do our best to answer all requests promptly, but delay may occur. We have already processed *all* update requests we received, though.

            As for WhatsApp – EXWA update is also on the way, sorry for the delay.

            Let me know if you have any other questions.

            • Angyman says:

              my update request was not processed, maybe my email was going in spam folder?

            • popman says:

              Are you guys even working?
Didn’t receive an answer regarding my free update.

              Whatsapp still not working.

              So pretty much elcomsoft sells not working software.

Be careful people.

              Other icloud backup software is working fine.

            • Angyman says:

ok guys be careful

              elcomsoft is clearly lying about the free upgrades

i haven’t received anything, old key still expired, even though they said everything has been issued.
              Not a cool move

Please include the last 5 chars of your code here, we will double-check. Old keys remain expired, but again, we issued the new ones to those who requested. Either we have not received your request, or you have to blame your ISP.

              • Angyman says:

                Last 5 digits are:
42RAX for eppb and B5L99 for whatsapp. Now I got a mail from you saying the codes were sent to me yesterday. I received NOTHING.

              • Angyman says:

                whatsapp still not working……
                what does promptly mean for you?

              • Got the new codes now? I’d appreciate if you confirm that here, and take your word (that we are cheating) back.

              • Angyman says:

                now i finally got the new codes. thanks

so i take my cheating thing back, it just seemed odd that i didn’t get anything even though you stated multiple times you sent something.

                thanks

              • Thank you! And I am sorry that you have not received the codes in time. We are investigating the problem.

                EXWA has been updated, too – please get version 2.01.

    • Johnny #5 says:

      Thank you for the fix and working hard to get it done so quickly.

  12. Adam L says:

    Anybody actually received a free upgrade? Like another poster elcomsoft never replied to my mail or ticket.

Also the new test version doesn’t show the standalone whatsapp backup in icloud drive, even if there is clearly a backup. Another bug.

    Whatsapp explorer still not working also

  13. James says:

    Just curious, but how come some of us have paid for the software and others seem to be getting it for free? Seems a bit odd and a bit unfair for those of us who have paid quite a lot of money and a bit bizarre that people who have paid nothing are complaining!

    How is the EXWA fix progressing please.

    • James,

      EXWA 2.01 is now available, thanks for your patience.

      As for free licenses: yes, we sometimes issue such ones for active beta-testers, those who have contributed a lot, helped us debugging hard-to-reproduce problems and so on.

  14. Rip says:

Awesome product. I know it’s not easy going through all the code and providing fixes for us. Good work Elcomsoft!

  15. Aaab says:

    Hi Vladimir!
    It seems like downloading photos from icloud doesn’t work anymore.

    • John says:

      Downloading anything doesn’t work anymore. Backups aren’t displaying even if there is a complete one.

    • Jorge says:

      I’m getting a credentials error, but can log into my icloud.com account without issue.

    • Jonas says:

Yes the latest version of EPB is basically broken for downloading icloud data. Can we get some details from Elcomsoft as to if/when this will be fixed?

      • Justin says:

        I’m really curious as to if this is fixable. I can’t even get my synced data anymore.

        • Jonas says:

          Well my license expired a few weeks ago so I’m definitely waiting to see if they can fix this before renewing. Even if there is a workaround, it may take Elcomsoft a lot of time and effort to find it and implement it properly, so I’ll continue to wait…

  16. Paul says:

    Hello

    EPPB and EXWA not showing or downloading backups for me also. Credentials error?

  17. John says:

    Any news guys? I know it was a big holiday in Russia yesterday but could you shake off your hangovers and update us please.

    Many Thanks

  18. Billy says:

    Thanks for the EPB fix, any news about Whatsapp Explorer?

  19. Peter poyle says:

So my licence expired 4 weeks ago. And now I can’t use eppb anymore because of that fix? It’s the same as 2 months ago. So elcomsoft builds in “errors” so customers have to update the software and users who had their licence recently expire can’t use the software anymore?

Not a cool move from this company. It seems like elcomsoft now builds in fake errors every few months because they are losing customers because of 2fa.

    And not even a statement from them……

  20. James says:

    Any updates on Whatsapp explorer please? It’s been 12 days now not downloading backups.