We Did It Again: Deleted Notes Extracted from iCloud

May 19th, 2017 by Oleg Afonin
Category: «Clouds», «Security», «Software»

As we already know, Apple syncs many types of data across devices that share the same Apple ID. Calls logs, contacts, Safari tabs and browsing history, favorites and notes can be synced. The syncing mechanism supposedly synchronizes newly created, edited and deleted items. These synchronizations work near instantly with little or no delay.

Apple is also known for keeping some items that users want to be deleted. As a reminder, this is a brief history of our findings:

What’s It All About?

Apple has a great note taking app that comes pre-installed on phones, tablets and computers. The Notes app offers the ability to take notes and sync them with the cloud to other devices using the same Apple ID. We discovered that Apple apparently retains in the cloud copies of the users’ notes that were deleted by the user. Granted, deleted notes can be accessed on iCloud.com for some 30 days through the “Recently Deleted” folder; this is not it. We discovered that deleted notes are actually left in the cloud way past the 30-day period, even if they no longer appear in the “Recently Deleted” folder.

For accessing those notes, we updated Elcomsoft Phone Breaker to version 6.50.

Why Sync Notes at All?

Syncing notes with the cloud is convenient. Users can access synced notes from any Apple device they use. They can also access notes via iCloud.com from any computer (yet a trusted Apple device may still be needed to log in if two-factor authentication is enabled).

Syncing notes is normal practice employed by pretty much every significant note taking app. Evernote, Microsoft OneNote, Google Keep, Simplenote and many smaller products offer their users the ability to sync notes with the cloud and across devices. None of those services are known for holding onto notes that users delete.

This Is How It Works

So let us have a look at a real-case scenario. Let’s have a look at the following screen shot captured on an iPhone 7:

We can see there are 288 notes stored on this device. We will now use Elcomsoft Phone Breaker to download notes from that user’s iCloud account:

As you can see, some 334 notes are extracted. Now let’s see what’s in there. For that, we’ll be using Elcomsoft Phone Viewer:

The screenshot demonstrates a number of notes, of which 2 were located in the Recently Deleted folder (and hence could be accessed through iCloud.com), but some 47 notes were deleted more than 30 days ago and were recovered by Elcomsoft Phone Breaker. These notes would not be accessible by using any other means.

Is It Guaranteed?

If deleted notes are stored in the cloud way past the 30-day retention period, is there a guarantee you can successfully extract those notes?

Not necessarily. While some of our test accounts did indeed contain deleted notes going all the way back to 2015, some other accounts contained much less than that. In several cases, we’ve been able to access two weeks worth of deleted notes (still, this is two weeks *after* the 30-day retention period). We need larger base to make any conclusions.

Is There a Fix?

Once we made a discovery about deleted photos being kept in iCloud Photo Library for years, Apple was prompt to making those images disappear. Once we discovered that Safari browsing history records are never deleted from the cloud, Apple patched that as well. There is no doubt Apple will fix the current issue. The question is: what other data you don’t want Apple to keep is still retained by the company? And does Apple actually destroy deleted records or simply hides them or moves to a different server? These questions still have no answer.

Extracting Deleted Notes with Elcomsoft Phone Breaker

You’ll need Elcomsoft Phone Breaker 6.50 to extract deleted notes as well as the latest version of Elcomsoft Phone Viewer to view them. You’ll also need the user’s Apple ID and password (with access to secondary authentication if two-factor authentication is enabled on that account). Alternatively, a binary authentication token may be used.

To extract deleted notes from iCloud, do the following:

  1. Launch Elcomsoft Phone Breaker 6.50 or newer
  2. Click “Download Synced Data from iCloud”
  3. Authenticate with Apple ID/password or binary authentication token
  4. Wait for the download to complete

To view deleted notes using Elcomsoft Phone Viewer:

  1. Launch Elcomsoft Phone Viewer
  2. Open iCloud synced data you downloaded
  3. Navigate to “Notes”
  4. Apply filter to specify records for existing or deleted browsing history (or All to view all records)

Looking for a Password?

In order to extract Safari history from iCloud, you’ll need to authenticate into the user’s Apple ID. While you can use the login and password combination, sometimes you simply won’t know the password. If this is the case, you can use an authentication token extracted from the user’s computer.

Elcomsoft Phone Breaker comes with tools to help experts extract iCloud authentication tokens. These tokens are automatically created by iCloud Control Panel on Windows and Mac computers that were synced with iCloud. By using the token to log in, you’ll bypass both the password and the secondary authentication prompt if two-factor authentication is enabled on the user’s account. As a result, iCloud access alert will not be delivered to the user.


Elcomsoft Phone Breaker

Gain full access to information stored in FileVault 2 containers, iOS, Apple iCloud, Windows Phone and BlackBerry 10 devices! Download device backups from Apple iCloud, Microsoft OneDrive and BlackBerry 10 servers. Use Apple ID and password or extract binary authentication tokens from computers, hard drives and forensic disk images to download iCloud data without a password. Decrypt iOS backups with GPU-accelerated password recovery.

Elcomsoft Phone Breaker official web page & downloads »