We’ve just updated Elcomsoft Phone Breaker to version 6.60, adding remote acquisition support for Microsoft Windows 10 phones and desktops. The new build can pull search and Web browsing history, call logs, and location history directly from the user’s Microsoft Account. In this article we’ll have a look at what exactly is available and can be extracted and where this information is stored. We will also list the steps required to extract and view the data.

Microsoft Collects Information

Microsoft is notorious for collecting information from Windows 10 users. The amount of data collected by Windows 10 devices increased dramatically compared to the days of Windows 7. This “usage and diagnostics” data, which may include text snippets, app usage data, detailed or approximated location information etc., is automatically collected and transmitted to Microsoft servers unless one explicitly opts out.

Users of Windows-powered handsets (Windows Phone 8.x and Windows 10 Mobile) have access to iOS-style cloud backups created in their Windows Account. Once cloud backups are enabled, things such as application data, call logs, text messages and so on will also be stored in the cloud.

Finally, some information is synchronized by Windows-powered desktop and mobile devices in real-time or close to real-time speed. This includes Web browser history, Bing search history, location data, as well as other things such as notes, calendars, contacts etc.

Microsoft offers ways to access, restrict or delete this information via the Privacy portal.

However, we found that this portal returns very limited amounts of data compared to what’s being actually collected. For this reason we expanded Microsoft Account support in this latest EPB build.

What Is Extracted

Elcomsoft Phone Breaker 6.60 extracts all of the following types of data:

Browsing and Search History

Windows browsing history can only be extracted from the cloud from Windows 10 Mobile (phones) and regular Windows 10 devices if Microsoft Edge was used as a Web browser. Edge browsing history is automatically synced across desktop and mobile Windows 10 devices logged in to the same Microsoft Account. Windows 10 Mobile devices (phones) have Microsoft Edge as their default (and most commonly adopted) Web browser. Edge adoption is growing slowly but steadily on desktops. Note that we also have tools to extract browsing history from other popular Web browsers such as Chrome and Safari using their respective cloud services.

Search history can be extracted from all types of devices regardless of the Web browser used providing that the searches occurred on Microsoft-owned Bing. Microsoft collects Bing search requests if the user has been logged in to their Microsoft Account in the Web browser while running the search.

Call Logs

Elcomsoft Phone Breaker 6.60 can extract call logs from a wide range of cellular-enabled mobile devices running Windows Phone 8 and 8.1 as well as Windows 10 Mobile. The call logs are extracted from device cloud backups created in the user’s Microsoft Account. Since cloud backups are enabled by default for all Windows Phone 8, 8.1 and Windows 10 Mobile smartphones, call logs can be extracted in the majority of cases.

Location History

Microsoft collects location history from all stationary and mobile Windows devices starting with Windows 8.1. While users can review their location history by visiting https://account.microsoft.com/privacy/location and signing in to their Microsoft Account, the amount of data points returned on that Web page is low. Only the last detected location is displayed.

Elcomsoft Phone Breaker 6.60 extracts all available location points reported by all Windows 8.1, Windows 10, Windows Phone 8.1 and Windows 10 Mobile devices, resulting in a significantly more detailed report compared to Microsoft’s own offering. Microsoft does not specify the origins of location data it collects on desktop and laptop computers, tablets and 2-in-1 devices. At very least, location is reported by Cortana and via the Edge browser.

Text Messages (SMS) and Other Previously Extractable Data

Previous versions of Elcomsoft Phone Breaker were already able to extract certain types of data from the users’ Microsoft Accounts. This included text messages (SMS only), notes, calendar events, contacts and some other information. This functionality is now significantly extended by the addition of new types of data.

Bonus: Two-Factor Authentication for Microsoft Accounts

Previous versions of Elcomsoft Phone Breaker did not support two-factor authentication on Microsoft Accounts. Two-factor authentication is gaining momentum. With Microsoft now requiring a secondary authentication code to access phone backups even if the user has not configured 2FA in their account (yes, you read it right; we even have a blog post on that), we felt the need to bake 2FA support for Microsoft Accounts into Elcomsoft Phone Breaker. Starting with version 6.60, you won’t have a trouble accessing protected Microsoft Accounts providing that you have access to the secondary authentication factor (for Microsoft Accounts that’s usually a trusted email address or a trusted phone number).

What You Need to Extract That Data

Since the data is stored in the cloud, you’ll need authentication credentials for the user’s Microsoft Account. At this time, we only support the login and password. Note that accessing backups always triggers requests for the secondary authentication factor – even if two-factor authentication is not enabled on the user’s account. This means you will need access to the secondary authentication factor such as the user’s SIM card with trusted phone number, a trusted email address or similar.

Using Elcomsoft Phone Breaker to Extract Information from Windows devices

In order to remotely extract information from a Microsoft Account, do the following.

1. Launch Elcomsoft Phone Breaker 6.60 or newer
2. Select “Microsoft” from the top bar
3. Click “Download data from the Microsoft Account”
4. Authenticate with Microsoft Account login and password
5. If two-factor authentication is enabled (or if you select Calls during the next step), you will be prompted for a 7-digit secondary authentication code. You will need to complete the partial backup email address, receive an email message from Microsoft containing the one-time code, and enter that code into Elcomsoft Phone Breaker.
6. Select categories to download and click “Download”.
7. Note: if two-factor authentication was NOT enabled for a given Microsoft Account, once you select the “Calls” category, you will have to provide a secondary authentication code. This is because we extract call logs from Windows Phone/Windows 10 Mobile backups that feature additional protection compared to other types of data. If you already passed two-factor authentication during the previous step, this additional authentication prompt will be skipped.
8. Wait for the download to complete

To view the data you’ve just extracted, use Elcomsoft Phone Viewer:

1. Launch Elcomsoft Phone Viewer 2.30 or newer
2. Open Microsoft Account data you downloaded