There are three major mobile operating systems, and three major cloud services. Most Android users are deep into Google’s ecosystem. iCloud is an essential part of iOS, while cloud services provided by Microsoft under the OneDrive umbrella are used not only by the few Windows Phone and Windows 10 Mobile customers but also by users of other mobile and desktop platforms.
In this article, we’ll try to figure out what types of data are available for extraction and forensic analysis in the three major cloud platforms: Apple iCloud, Google Account and Microsoft Account.
For the purpose of this article, we will use ElcomSoft-developed cloud extraction tools.
| | iCloud Backups | iCloud Synced Data | Google | Microsoft |
|---|---|---|---|---|
| Device backups | Comprehensive | – | Limited | Somewhere in between |
| Call logs | Yes | Synced | No (call log syncing was available for a brief period of time; this is no longer the case now) | In device backups |
| Text messages (SMS) | Yes (if text message syncing is not enabled in iOS 11) | No (iOS 10 and older); Yes (iOS 11, if enabled) | Some devices only (Pixel, Pixel XL; all devices running Android O) | Yes, synced |
| iMessage | Yes | No (iOS 10 and older); Yes (iOS 11) | – | – |
| Passwords | All kinds of passwords. Keychain in device backups: encrypted, cannot be decrypted without securityd key that can only be extracted from jailbroken 32-bit devices | All kinds of passwords. iCloud keychain: synced | Synced: Chrome passwords, Wi-Fi passwords | Synced: Internet Explorer (Windows 8, 8.1), Edge (Windows 10), Wi-Fi passwords |
| Authentication tokens | Same as above (encrypted keychain in device backups) | No | Yes, in device backups for compatible OS (Android 6 and up) and supporting apps (targeting API level 23 or higher and allowing backup) | Yes, only in mobile device backups (Windows Phone 8/8.1, Windows 10 Mobile) |
| Location history | Limited (current/last location) | No | Detailed and comprehensive beyond imaginable | Limited (often only last location reported per device) |
| Two-factor authentication required? | Yes, if enabled and using login/password; No, if using authentication token | Yes, if enabled and using login/password; No, if using authentication token | Yes, if enabled | For all types of data except mobile device backups: yes, if enabled. For mobile device backups: yes, always (even if not enabled in account) |
| Email alert delivered to original user? | No (login/password); No (token). Note: Apple may lock accounts and require a password change if you download a backup with third-party tools | Yes (if logging in via Web site); No (if logging in with Elcomsoft Phone Breaker) | Yes, when logging in from a new device (multiple other triggers exist) | No, unless accessing mobile device backups. Yes: access to device backups requires 2FA code delivered by email or SMS |
| Browser history | Yes (Safari) | Yes (Safari) | Yes, synced (Chrome) | Yes, theoretically (Edge). Very erratic in practice. |
| Browser bookmarks | Yes (Safari) | Yes (Safari) | Yes, synced (Chrome) | Yes (Edge: favourites and reading list) |
| Browser open tabs | Yes (Safari) | Yes (Safari) | Yes, synced (Chrome) | No |
| Email | No | Yes (iCloud Mail) | Yes (Gmail) | Yes (Hotmail, Live.com, Outlook.com) |
| Notes | Yes | Yes | Yes, synced (Keep) | Yes, synced (OneNote) |
| Contacts | Yes | Yes | Yes | Yes |
| Calendars | Yes (all local and cloud calendars, including third-party services such as Google or Exchange) | Yes (iCloud only) | Yes (Google) | Yes (Microsoft) |
| Media (photos and videos) | Yes: if no iCloud Photo Library, files included in device backups | Yes: if iCloud Photo Library is enabled, synced, including deleted files (30 days) | Yes (Google Photos) | Yes (OneDrive) |
| List of devices | Yes | Yes | Yes | Yes |
| Files and documents | Yes (local) | Yes (iCloud Drive) | Yes (Google Drive) | Yes (OneDrive) |
| WhatsApp backups | Yes (part of device backups) | Yes (only if enabled in WhatsApp; standalone; encrypted, cannot be extracted) | Yes (standalone; encrypted and not extractable) | – |
| Third-party app data | Yes | Yes (iCloud Drive only) | Yes (limited); currently not extractable | Yes; currently not extractable |
| Number of backups per device | Up to 3 last backups | – | 1 | 1 |
| Encryption keys | No | Yes (FileVault 2 recovery keys) | No | Yes (BitLocker escrow keys for desktop Windows devices); No (for Windows smartphones) |

Other data | Weather, Home, Wallet, iBooks, Game Center | Google Dashboard
User profile |
iOS has the most comprehensive cloud backup system of all three platforms. In addition to synced data, iCloud backups contain a lot of additional information. We’ll list information available in iCloud backups in a separate table.
Up to three of the most recent backups may be available for each device.

| | Content | Possible to extract? |
|---|---|---|
| Keychain | Passwords to Web sites and apps. Credit card data, stored logins, authentication tokens. | No \*. The keychain from iCloud backups can only be restored onto the same device the backup has been made with. Other devices can use iCloud Keychain. \* For jailbroken 32-bit devices only: the securityd key may be extracted and used to decrypt the keychain. |
| Text messages | SMS only | Yes |
| iMessages | Yes (iOS 10 and older); Yes (iOS 11, iMessage sync off); No (iOS 11, iMessage sync on) | No (iOS 10 and older); No (iOS 11, iMessage sync off); Yes (iOS 11, iMessage sync on) |
| Media | Photos and videos | Only if iCloud Photo Library is not enabled. If iCloud Photo Library is on, media is not stored as part of the backup. |
| Application data | App-specific data, often in SQLite format | Yes, with restrictions. Some apps may use encrypted databases. Some apps may feature a higher protection class, allowing to restore to the same device only. Some apps may not allow backups at all. |
| Internet (Safari) | Browsing history and bookmarks | Yes. In addition, Safari browsing history, open tabs and bookmarks can be extracted from synced data. |
| Location | Current/last location only | Yes |
| Health | Steps, fitness etc. | No. Encrypted with hardware-specific key. |
| Call logs | Call logs from individual device, including any calls merged by syncing with other registered devices | Yes |