ElcomSoft blog

«…Everything you wanted to know about password recovery, data decryption,
mobile & cloud forensics…»

We Did It Again: Deleted Notes Extracted from iCloud

May 19th, 2017 by Oleg Afonin

As we already know, Apple syncs many types of data across devices that share the same Apple ID. Call logs, contacts, Safari tabs and browsing history, favorites and notes can be synced. The syncing mechanism is supposed to synchronize newly created, edited and deleted items alike, and it works almost instantly, with little or no delay.

Apple is also known for keeping some items that users want deleted. As a reminder, this is a brief history of our findings:

What’s It All About?

Apple has a great note-taking app that comes pre-installed on phones, tablets and computers. The Notes app offers the ability to take notes and sync them through the cloud to other devices using the same Apple ID. We discovered that Apple apparently retains in the cloud copies of notes that the user has deleted. Granted, deleted notes can be accessed on iCloud.com for some 30 days through the “Recently Deleted” folder; this is not it. We discovered that deleted notes are actually left in the cloud way past the 30-day period, even if they no longer appear in the “Recently Deleted” folder.

For accessing those notes, we updated Elcomsoft Phone Breaker to version 6.50.

Why Sync Notes at All?

Syncing notes with the cloud is convenient. Users can access synced notes from any Apple device they use. They can also access notes via iCloud.com from any computer (yet a trusted Apple device may still be needed to log in if two-factor authentication is enabled).

Syncing notes is normal practice employed by pretty much every significant note taking app. Evernote, Microsoft OneNote, Google Keep, Simplenote and many smaller products offer their users the ability to sync notes with the cloud and across devices. None of those services are known for holding onto notes that users delete.

This Is How It Works

So let us have a look at a real-case scenario, starting with the following screenshot captured on an iPhone 7:

We can see there are 288 notes stored on this device. We will now use Elcomsoft Phone Breaker to download notes from that user’s iCloud account:

As you can see, some 334 notes are extracted. Now let’s see what’s in there. For that, we’ll be using Elcomsoft Phone Viewer:

The screenshot shows a number of notes, of which 2 were located in the Recently Deleted folder (and hence could be accessed through iCloud.com), but some 47 notes were deleted more than 30 days ago and were recovered by Elcomsoft Phone Breaker. These notes would not be accessible by any other means.

Is It Guaranteed?

If deleted notes are stored in the cloud way past the 30-day retention period, is there a guarantee you can successfully extract those notes?

Not necessarily. While some of our test accounts did indeed contain deleted notes going all the way back to 2015, other accounts contained much less than that. In several cases, we’ve been able to access two weeks’ worth of deleted notes (still, this is two weeks *after* the 30-day retention period). We need a larger sample base before drawing any conclusions.

Is There a Fix?

Once we discovered that deleted photos were being kept in iCloud Photo Library for years, Apple was quick to make those images disappear. Once we discovered that Safari browsing history records were never deleted from the cloud, Apple patched that as well. There is no doubt Apple will fix the current issue. The question is: what other data that you don’t want Apple to keep is still retained by the company? And does Apple actually destroy deleted records, or simply hide them or move them to a different server? These questions still have no answer.

Extracting Deleted Notes with Elcomsoft Phone Breaker

You’ll need Elcomsoft Phone Breaker 6.50 to extract deleted notes as well as the latest version of Elcomsoft Phone Viewer to view them. You’ll also need the user’s Apple ID and password (with access to secondary authentication if two-factor authentication is enabled on that account). Alternatively, a binary authentication token may be used.

To extract deleted notes from iCloud, do the following:

  1. Launch Elcomsoft Phone Breaker 6.50 or newer
  2. Click “Download Synced Data from iCloud”
  3. Authenticate with Apple ID/password or binary authentication token
  4. Wait for the download to complete

To view deleted notes using Elcomsoft Phone Viewer:

  1. Launch Elcomsoft Phone Viewer
  2. Open iCloud synced data you downloaded
  3. Navigate to “Notes”
  4. Apply a filter to show existing or deleted notes (or All to view all records)
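The filter in the last step splits synced records into three groups: live notes, notes still inside the 30-day “Recently Deleted” window, and notes deleted longer ago than that, which are the ones this post is about. The following script is an added illustration of that triage over a constructed set of note records; it is not Elcomsoft code and it does not read real iCloud data. The record layout (`note_id`, `title`, `modified`, `deleted`) and the sample timestamps are assumptions chosen to mirror the counts discussed above.

```python
"""Classify synced note records by deletion state (added illustration).

Assumption: each synced note record carries its last-modified time and,
if it was deleted, the deletion time. A note with no deletion time is
live; a note deleted within the last 30 days is what iCloud.com shows in
"Recently Deleted"; anything deleted earlier is retained past that window.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# Apple's documented "Recently Deleted" window for Notes.
RECENTLY_DELETED_WINDOW = timedelta(days=30)


@dataclass(frozen=True)
class NoteRecord:
    note_id: str
    title: str
    modified: datetime
    deleted: Optional[datetime] = None  # None means the note is still live


def classify(record: NoteRecord, now: datetime) -> str:
    """Return 'live', 'recently_deleted' or 'past_retention' for one record.

    A deletion exactly 30 days old still counts as recently deleted, so the
    comparison is inclusive at the boundary.
    """
    if record.deleted is None:
        return "live"
    if now - record.deleted <= RECENTLY_DELETED_WINDOW:
        return "recently_deleted"
    return "past_retention"


def summarize(records: List[NoteRecord], now: datetime) -> Dict[str, int]:
    """Count records per class; this is what the viewer's filter tabs show."""
    counts = {"live": 0, "recently_deleted": 0, "past_retention": 0}
    for record in records:
        counts[classify(record, now)] += 1
    return counts


def past_retention(records: List[NoteRecord], now: datetime) -> List[NoteRecord]:
    """Records deleted more than 30 days ago, oldest deletion first."""
    kept = [r for r in records if classify(r, now) == "past_retention"]
    return sorted(kept, key=lambda r: r.deleted)


def _utc(year: int, month: int, day: int) -> datetime:
    return datetime(year, month, day, tzinfo=timezone.utc)


# Constructed sample: the reference time matches the post date, and the
# records cover every class plus the exact 30-day boundary.
NOW = _utc(2017, 5, 19)
SAMPLE = [
    NoteRecord("n1", "Shopping list", _utc(2017, 5, 10)),
    NoteRecord("n2", "Meeting notes", _utc(2017, 5, 18)),
    NoteRecord("n3", "Draft email", _utc(2017, 5, 1), deleted=_utc(2017, 5, 12)),
    NoteRecord("n4", "Boundary case", _utc(2017, 4, 1), deleted=_utc(2017, 4, 19)),
    NoteRecord("n5", "Old to-do", _utc(2017, 3, 1), deleted=_utc(2017, 4, 18)),
    NoteRecord("n6", "Travel plan", _utc(2015, 7, 1), deleted=_utc(2015, 8, 1)),
]

if __name__ == "__main__":
    print(summarize(SAMPLE, NOW))
    for record in past_retention(SAMPLE, NOW):
        print(record.note_id, record.title, "deleted", record.deleted.date())
```

Run as a script it prints the per-class counts followed by the notes that a sync-based extraction recovered but that the “Recently Deleted” folder no longer shows, oldest first, which is also a quick way to see how far back a given account’s retention reaches.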

Looking for a Password?

In order to extract deleted notes from iCloud, you’ll need to authenticate to the user’s Apple ID. While you can use the login and password combination, sometimes you simply won’t know the password. If this is the case, you can use an authentication token extracted from the user’s computer.

Elcomsoft Phone Breaker comes with tools to help experts extract iCloud authentication tokens. These tokens are automatically created by iCloud Control Panel on Windows and Mac computers that were synced with iCloud. By using the token to log in, you’ll bypass both the password and the secondary authentication prompt if two-factor authentication is enabled on the user’s account. As a result, no iCloud access alert will be delivered to the user.


6 Responses to “We Did It Again: Deleted Notes Extracted from iCloud”

  1. Jonas says:

    Thanks for the quick fix!

  2. name says:

    Where is the authentication token saved?
    And big thanks for all the great work you are doing!

    • Thank you!

      On Windows, the token is stored in the “com.apple.AOSKit.plist” file; on macOS, in ~/Library/Application Support/iCloud/Accounts/. It is however encrypted, but Phone Breaker includes a utility to decrypt it.

      • name says:

        I gave it a go with atex but no luck. “Failed to get message from error code 0x2
        Authentification token is successfully saved to” (didn’t give a location)
        Any idea?

        • Please create the ticket in our support system — we need more details. EPB version, Windows or macOS version, whether you have admin privileges, do you get token from local (current?) account or from the files taken from the other one, etc.

  3. name says:

    Hey! Apple changed their code, accounts getting locked again unfortunately. Thanks