Cloud Extraction Compared: What Is Available in iCloud, Google Account and Microsoft Account

July 6th, 2017 by Oleg Afonin
Category: «Clouds», «General»

There are three major mobile operating systems, and three major cloud services. Most Android users are deep into the Google’s ecosystem. iCloud is an essential part of iOS, while cloud services provided by Microsoft under the OneDrive umbrella are used not only by the few Windows Phone and Windows 10 Mobile customers but by users of other mobile and desktop platforms.

In this article, we’ll try to figure out what types of data are available for extraction and forensic analysis in the three major cloud platforms: Apple iCloud, Google Account and Microsoft Account.

Acquisition Tools

For the purpose of this article, we will use ElcomSoft-developed cloud extraction tools.

Cloud Comparison Table

  iCloud Backups iCloud Synced Data Google Microsoft
Device backups Comprehensive Limited Somewhere in between
Call logs Yes Synced No
(call log syncing was available for a brief period of time; this is no longer the case now)
In device backups
Text messages (SMS) Yes
(if text message syncing is not enabled in iOS 11)
No (iOS 10 and older)

Yes (iOS 11, if enabled)

Some devices only
(Pixel, Pixel XL; all devices running Android O)
Yes, synced
iMessage Yes No (iOS 10 and older)

Yes (iOS 11)

Passwords All kinds of passwords

 

Keychain in device backups: encrypted, cannot be decrypted without securityd key that can only be extracted from jailbroken 32-bit devices

 

All kinds of passwords

 

iCloud keychain: synced

Synced

 

Chrome passwords

Wi-Fi passwords

Synced

 

Internet Explorer (Windows 8, 8.1)

Edge (Windows 10)

Wi-Fi passwords

Authentication tokens Same as above (encrypted keychain in device backups) No Yes, in device backups for compatible OS (Android 6 and up) and supporting apps (targeting API level 23 or higher and allowing backup) Yes, only in mobile device backups (Windows Phone 8/8.1, Windows 10 Mobile)
Location history Limited (current/last location) No Detailed and comprehensive beyond imaginable Limited (often only last location reported per device)
Two-factor authentication required? Yes, if enabled and using login/password

 

No, if using authentication token

Yes, if enabled and using login/password

 

No, if using authentication token

Yes, if enabled For all types of data except mobile device backups: yes, if enabled

 

For mobile device backups: yes, always (even if not enabled in account)

Email alert delivered to original user? No (login/password)
No (token)Note: Apple may lock accounts and require a password change if you download a backup with third-party tools
Yes (if logging in via Web site)
No (if logging in with Elcomsoft Phone Breaker)
Yes, when logging in from a new device (multiple other triggers exist) No, unless accessing mobile device backups

Yes: access to device backups requires 2FA code delivered by email or SMS

Browser history Yes (Safari) Yes (Safari) Yes, synced (Chrome) Yes, theoretically (Edge). Very erratic in practice.
Browser bookmarks Yes (Safari) Yes (Safari) Yes, synced (Chrome) Yes (Edge: favourites and reading list)
Browser open tabs Yes (Safari) Yes (Safari) Yes, synced (Chrome) No
Mail No Yes (iCloud Mail) Yes (Gmail) Yes (Hotmail, Live.com, Outlook.com)
Notes Yes Yes Yes, synced (Keep) Yes, synced (OneNote)
Contacts Yes Yes Yes Yes
Calendars Yes

(all local and cloud calendars, including third-party services such as Google or Exchange)

Yes (iCloud only) Yes (Google) Yes (Microsoft)
Media (photos and videos) Yes:

 

If no iCloud Photo Library: files included in device backups

Yes:

 

If iCloud Photo Library is enabled: synced, including deleted files (30 days)

Yes (Google Photos) Yes (OneDrive)
List of devices Yes Yes Yes Yes
Files and documents Yes (local) Yes (iCloud Drive) Yes (Google Drive) Yes (OneDrive)
WhatsApp backups Yes (part of device backups) Yes (only if enabled in WhatsApp; standalone; encrypted, cannot be extracted) Yes (standalone; encrypted and not extractable)
Third-party app data Yes Yes (iCloud Drive only) Yes (limited)
currently not extractable
Yes
currently not extractable
 Number of backups per device Up to 3 last backups 1 1
Encryption keys No Yes (FileVault 2 recovery keys) No Yes (BitLocker escrow keys for desktop Windows devices)

No (for Windows smartphones)

Other data Weather, Home, Wallet, iBooks, Game Center Google Dashboard

User profile

iCloud Backups

iOS has the most comprehensive cloud backup system of all three platforms. In addition to synced data, iCloud backups contain a lot of additional information. We’ll list information available in iCloud backups in a separate table.

Up to three last backups may be available for each device.

  Content Possible to extract?
Keychain Passwords to Web sites and apps. Credit card data, stored logins, authentication tokens. No *

The keychain from iCloud backups can only be restored onto the same device the backup has been made with. Other devices can use iCloud Keychain.

 

* For jailbroken 32-bit devices only: the securityd key may be extracted and used to decrypt the keychain.

Text messages SMS only Yes
iMessages Yes (iOS 10 and older)

Yes (iOS 11, iMessage sync off)

No (iOS 11, iMessage sync on)

No (iOS 10 and older)

No (iOS 11, iMessage sync off)

Yes (iOS 11, iMessage sync on)

Media Photos and videos Only if iCloud Photo Library is not enabled.

If iCloud Photo Library is on, media is not stored as part of the backup.

Application data App-specific data, often in SQLite format Yes, with restrictions

Some apps may use encrypted databases

Some apps may feature a higher protection class, allowing to restore to the same device only

Some apps may not allow backups at all

Internet (Safari) Browsing history and bookmarks Yes

In addition, Safari browsing history, open tabs and bookmarks can be extracted from synced data

Location Current/last location only Yes
Health Steps, fitness etc. No

Encrypted with hardware-specific key.

Call logs Call logs from individual device, including any calls merged by syncing with other registered devices Yes

 


REFERENCES:

Elcomsoft Cloud eXplorer

Learn what Google knows about you! Download information directly from the Google Account with or without a password. Elcomsoft Cloud Explorer enables over-the-air acquisition for a wide range of Google services including Contacts, Hangouts Messages, Google Keep, Chrome browsing history, search history and page transitions, Calendars, images, location and a lot more.

Elcomsoft Cloud eXplorer official web page & downloads »


Elcomsoft Phone Breaker

Gain full access to information stored in FileVault 2 containers, iOS, Apple iCloud and Windows Phone devices! Download device backups from Apple iCloud and Microsoft OneDrive servers. Use Apple ID and password or extract binary authentication tokens from computers, hard drives and forensic disk images to download iCloud data without a password. Decrypt iOS backups with GPU-accelerated password recovery.

Elcomsoft Phone Breaker official web page & downloads »