Apple iCloud Keeps More Real-Time Data Than You Can Imagine

February 8th, 2018 by Oleg Afonin
Category: «Clouds», «Did you know that...?», «Elcomsoft News», «General», «Industry News», «Security», «Software», «Tips & Tricks»

Apple has a wonderfully integrated ecosystem. Apple computers, tablets and phones conveniently synchronize information such as passwords, Web browsing history, contacts and call logs across all of the user’s devices. This synchronization mechanism uses iCloud to sync and store information. The syncing mechanism works independently from iOS system backups, which are also stored in iCloud (or iCloud Drive). As opposed to daily iCloud backups, synchronized data is updated and propagated across devices in almost real time. Extracting this information can be invaluable for investigations, as it provides access to the most up-to-date information about the user, their activities and whereabouts.

What exactly is synced through iCloud? The screenshot above lists all options available in iOS 11. As you can see, the following types of data are (or can be) synced across Apple devices:

  • Photos (iCloud Photo Library)
  • Mail (iCloud mail only)
  • Contacts, Calendars and Reminders
  • Safari (browsing history, bookmarks and tabs open on other devices)
  • Game Center (profiles, achievements and game progress)
  • Siri (requests, settings)
  • Keychain (iCloud Keychain stores passwords and forms from Safari, iOS system, Apple and some third-party apps, but not Google Chrome)
  • iCloud backups (up to last 3 copies per device, created daily while charging)
  • iBooks, Pages, Numbers and Keynote (e-books, PDF files, documents)
  • Maps (user’s search history, routes and places)
  • Wallet
  • Wi-Fi

While this data is (or can be) synced with iCloud, there is really no way to view, download or otherwise access most of that data other than by syncing it to an Apple device. This is why we made Elcomsoft Phone Breaker. Over time, we added support for more and more categories. iCloud Keychain was particularly tricky, as it features an advanced protection mechanism; we were able to work around it just months ago.

iCloud Photo Library was another highlight. We discovered that Apple did not actually remove photos users deleted from their library.

We were also the first to extract call logs which, despite the lack of a dedicated option in iCloud settings, are still synced with the user’s other devices, with no obvious way to disable this (quite controversial, according to many users) feature.

Today, we are further expanding the list of extractable categories. Elcomsoft Phone Breaker 8.20 adds the following categories to the list of extractable ones:

  • Account/User info.
  • Wi-Fi
  • Apple Maps
  • Wallet (everything except credit card data)
  • iBooks: manually added books and documents

Below is the complete list of synced data you can now download with Elcomsoft Phone Breaker:

What’s so interesting about the newly added categories? In many cases, there’s more to them than meets the eye.

Account/User info: this includes comprehensive information about the owner of the Apple Account, including their phone numbers and street address. In addition, here you will find the list of the user’s devices, including their serial numbers and OS versions. As a bonus, you will often find information about devices that used to be registered on the user’s account (but no longer are).

iBooks: why would you want to read somebody else’s books? The thing is, it’s not about the books at all. The new category includes documents (in particular, PDF documents) that were opened or manually added by the user. Since iBooks can handle PDF files, many iOS users (myself included) won’t bother installing a third-party PDF reader such as Adobe Acrobat. By downloading the “iBooks” category, you can gain access to PDF files, e-books and documents the user opened with the iBooks app.

Wi-Fi information includes wireless access point names, the device they were added from, as well as their MAC addresses. Notably, this data cannot be removed from the device without doing a hard reset. By looking up the locations of those MAC addresses, it becomes possible to determine the user’s whereabouts at the time the access point was added.

Wallet may contain a lot of essential evidence including air tickets, hotel bookings and car rentals with full information, boarding passes, bonus programs and club cards, movie and railway tickets, and so on and so forth.

Last but not least, Apple Maps is probably the most undervalued category. It’s a common belief that Google is the evil one, collecting excessive information about the user and tracking their every step, while Apple is privacy-minded and does not track its customers. Well, think again: Apple Maps delivers just as much data about the iPhone user as would be available for an Android user in their Google Account. While Google allows its users to see exactly what the company knows about them and fully or selectively delete any of that data, Apple keeps things secret. Want to access your location history? Google users can navigate to their Timeline and instantly see what Google knows about their location. iPhone users, on the other hand, don’t have such luxury. The only way to access historic geolocation data is to use Elcomsoft Phone Breaker to download “Apple Maps”, then view the data in Elcomsoft Phone Viewer. Routes, places, favorites and searches are available.

Conclusion

This time, we didn’t “break” or “hack” anything. You still need the user’s iCloud/Apple ID authentication credentials to access iCloud data, be it the login and password or an authentication token extracted from the user’s computer. Alternatively, you can use an iCloud authentication token to access synced data. When using authentication tokens for accessing synced iCloud data, neither the password nor the secondary authentication factor is required. When used for accessing synced data, iCloud authentication tokens do not carry a defined expiry date.


REFERENCES:

Elcomsoft Phone Breaker

Gain full access to information stored in FileVault 2 containers, iOS, Apple iCloud, Windows Phone and BlackBerry 10 devices! Download device backups from Apple iCloud, Microsoft OneDrive and BlackBerry 10 servers. Use Apple ID and password or extract binary authentication tokens from computers, hard drives and forensic disk images to download iCloud data without a password. Decrypt iOS backups with GPU-accelerated password recovery.

Elcomsoft Phone Breaker official web page & downloads »


Elcomsoft Phone Viewer

Elcomsoft Phone Viewer is a fast, lightweight forensic viewer for quickly accessing information extracted from mobile backups. Supporting a variety of platforms and data formats, the tool can display information extracted from local and cloud iOS backups and Microsoft Accounts. Password-protected iTunes backups can be automatically decrypted and analyzed without using third-party tools.

Elcomsoft Phone Viewer official web page & downloads »