Cloud Forensics: Why, What and How to Extract Evidence

September 6th, 2018 by Oleg Afonin
Category: «Clouds», «General», «Security», «Software», «Tips & Tricks»

Cloud analysis is arguably the future of mobile forensics. Whether or not the device is working or physically accessible, cloud extraction often allows accessing amounts of information far exceeding those available in the device itself.

Accessing cloud evidence requires proper authentication credentials, be it the login and password or credentials cached in the form of a binary authentication token. Without authentication credentials, one cannot access the data. However, contrary to popular belief, even if proper authentication credentials are available, access to evidence stored in the cloud is not a given. In this article we’ll tell you how to access information stored in Apple iCloud with and without using forensic tools.

Introduction

Every time we release a new feature or update our cloud forensic tools, the general public meets the news with a healthy dose of sarcasm. The latest example is the MacRumors article “ElcomSoft’s Latest Tool Can Allegedly Access iMessages in iCloud, But Only in Extreme Circumstances” about extracting messages from iCloud.

The story received a lot of sarcastic comments. “So they can access your data if they have access to your data…? Sounds like that to me”, posts a MacRumors user commenting on the article. “HEY YOU KNOW WHAT I found a security hole in my bank’s ATMs, if someone has my card and PIN they can take out my cash!!! HOLY CRAP WHAT WILL WE DO NOW!??!”, adds another user (original spelling preserved). “BREAKING NEWS: If someone gets your Apple ID, Password, Passcode, AND PHYSICAL ACCESS TO YOUR DEVICE, they may be able to get your info! You HAVE BEEN WARNED”, writes yet another commenter.

Can you spot something wrong with these comments? After all, one “can” access information if one has the correct credentials, right?

Apparently, not one of the users repeating the “it can be done” mantra has ever tried doing this “can be done” thing.

In Apple’s closed ecosystem, having the correct authentication credentials does not mean one has “access” to information, let alone “easy access”.

Cloud Forensics: Why You Need Tools

Let us start with an easy exercise. I give you the login (Apple ID) and password to a test Apple account; you try extracting application data, passwords and messages from that account. Let’s assume both you and I have access to the secondary authentication factor, and we both know the passcode (or system password) of the test device. I will use Elcomsoft Phone Breaker, and you can use anything you want – except forensic tools.

This is what I do.

Step 1: I authenticate to iCloud with the login, password, and second authentication factor.

Step 2: I download all the synced data, including passwords and messages, to my computer, entering the test device passcode when prompted:

It takes me 1 minute and 52 seconds to obtain the data. Proof:

Passwords:

Step 3: Finally, I obtain the backup:


It’s your turn. Can you view passwords and messages online by logging in to https://appleid.apple.com/? No, you can only access messages and passwords from an Apple device. You’ll need a spare Apple device to restore an iCloud backup and sync passwords and messages.

So you scrounge up a spare iPhone, iPad or iPod Touch and make sure it runs the latest version of iOS. You set it up, restoring the cloud backup (the owner of the test account receives an email alert), and wait (normally 30 minutes to several hours). You enable iCloud Keychain and Messages sync (the account holder receives yet another alert) and wait again (no defined timeframe).

Once your device has everything set up, you can view passwords one by one via Settings:

Messages can be accessed via the Messages app. To get application data (the iCloud backup) in a form suitable for offline analysis, you’ll have to back up the device via iTunes and then process that backup. (By the way, did you know you must set a temporary password on that backup in order to access all of the information? You’ll need to decrypt the backup afterwards, which may be difficult if you’re not using forensic tools.)

Note: there will be no Maps data, as it is not included in local backups. If you need access to the user’s Maps data, you’ll have to use Elcomsoft Phone Breaker or a similar forensic tool.

If there is more than one backup for a given device, you’ll probably want to repeat the procedure starting with a factory reset.

Once you’ve completed the task, let me ask you a question: how much time did you spend? Was it an easy experience? If you did it as part of your daily job, how many cases would you process per day?

The GDPR Clause

One of the arguments we keep hearing repeatedly is the GDPR clause. According to this argument, one can simply fill out the form at https://privacy.apple.com/ and receive a downloadable archive packing “everything” Apple knows about the user.

In fact, Apple’s “everything” for GDPR is not really “everything”. The screenshot below shows the full list of data categories that are exported with GDPR pulls.

If you look closely, you’ll notice that two major categories are missing from information pulled via GDPR requests:

  1. Messages (SMS and iMessages)
  2. iCloud Keychain (passwords to user’s online accounts)

Apple argues that these bits of data are additionally encrypted with a key protected by the passcode or system password of an already enrolled device. For this reason, there is no option for the user (or investigator) to access these types of evidence via GDPR requests.

So what can you actually do to access passwords and messages?

If you have the correct credentials and you’re sceptical about using forensic tools (cough, Elcomsoft Phone Breaker, cough), you’re looking at the following procedure.

  1. Obtain a spare iOS device (iPhone, iPad or iPod Touch) running the same (or newer) version of iOS as the suspect’s device.
  2. Factory reset the device and restore it with the suspect’s Apple ID and password from a cloud backup (may take anywhere from 30 minutes to several hours).
  3. Enrol the device to iCloud Keychain and message sync (passcode or system password of an already enrolled device required).
  4. Wait while the device syncs passwords and messages (may take from several minutes to several hours).
  5. If all you need is a specific password or message, you can manually access it on the device itself. If, however, you need to analyse all passwords or messages, you’ll need to dump those items via a local backup.
  6. Connect the device to your computer and make a local backup with iTunes (make sure to specify a known temporary password; this is absolutely required in order to access passwords). This may take several minutes or several hours depending on how much information the device has.
  7. Open the freshly produced backup in… something. There’s no Apple-made software to process iTunes backups other than restoring it onto an Apple device, so you will need a third-party tool to decrypt and analyse the backup.
  8. Finally, you can export the passwords and messages!

You did it! You did a great job, learned something and spent several hours of your time.

But what if you used a forensic tool instead? The same task would be completed in about a minute. It took us 33 seconds to pull the passwords:

Then another 27 seconds to obtain messages:


Back to GDPR. What about the rest of the data? Apple states it may take up to 7 days to process GDPR requests. In our experience, it’s been taking Apple exactly 7 days to return the data.

If you can afford the wait, I say go for it. If not, we know a faster way.

Government Information Requests

Law enforcement has long been able to obtain evidence via government information requests. For Apple accounts, that means two requests: an Account Preservation Request followed by an Account Information Request. All requests are handled in compliance with Apple’s privacy policy.

When serving a government request, Apple provides information in its own proprietary format. Investigators receive the information in encrypted form. They are provided with a decryption key but not with the tools to actually decrypt the data. The decryption process is complicated to the point that many experts resort to third-party tools such as Kleopatra or GPG, or use the decryption service offered by companies such as Cellebrite or BlackBag. The resulting decrypted data is in binary formats, so yet more tools are needed to analyse it.

Obtaining data via a government information request has the definite benefit of not requiring the user’s authentication credentials. If neither the login and password nor a binary authentication token is available, a government request may be the only way to obtain information.

Authentication credentials aside, government requests have many significant drawbacks compared to in-house cloud acquisition.

  • Lots of legal paperwork required.
  • Account Preservation Request must be submitted ahead of acquisition.
  • The process is lengthy and may take several weeks (unless you serve an emergency request*).
  • Apple provides the data in a binary format, encrypted. While the decryption key is also provided, Apple does not provide a tool to decrypt it. Third-party tools and services are available to help investigators decrypt the data, adding extra costs and delaying the investigation.
  • Apple will NOT deliver messages or passwords (iCloud Keychain) as those are additionally encrypted with a different encryption key. If you need those, you’ll have to either use Elcomsoft Phone Breaker or follow the steps described in the first chapter.

* “Emergency Requests relate to circumstances involving imminent danger of death or serious physical injury to any person. Apple has a dedicated team available around the clock to respond to Emergency Requests globally. We process requests on a 24/7 emergency basis.”

Cloud Forensics: When You Need Tools

With unlimited time and a spare Apple device you can access many bits and pieces of data. Using forensic tools (Elcomsoft Phone Breaker in this context) allows you to accomplish the same task in a fraction of the time (minutes instead of hours) even without a spare Apple device.

Elcomsoft Phone Breaker offers the following benefits over restoring a spare device from iCloud:

  • A spare Apple device is not required
  • Access to deleted items (photos and Safari bookmarks deleted less than 30 days ago)
  • Significantly faster access (minutes instead of hours)
  • Selective extraction for even faster access
  • No need to back up the device via iTunes
  • Seamless access to previous backups of the same device, if available (if using an Apple device restore, only the last backup can be restored)
  • Seamless access to backups of other devices on the same account
  • Authentication with tokens instead of the user’s Apple ID and password
  • No or fewer email alerts
  • SMS-based two-factor authentication possible
  • Maps data (can be downloaded with Elcomsoft Phone Breaker (EPB) but is not included in local backups)
  • iCloud Drive files (can be accessed with a Mac or PC or downloaded with EPB)

Elcomsoft Phone Breaker offers the following benefits over GDPR pull requests:

  • Incomparable access time: several minutes instead of 7 days (during the 7 days, the data may change; some photos )
  • Access to deleted items
  • Messages (requires passcode or system password of an already enrolled device)
  • Passwords (iCloud Keychain) (requires passcode or system password of an already enrolled device)

Elcomsoft Phone Breaker offers the following benefits over Government Information Requests:

  • Significantly less paperwork
  • Data available near instantly instead of in several months
  • Significantly easier analysis with built-in decryption
  • Messages (requires passcode or system password of an already enrolled device)
  • Passwords (iCloud Keychain) (requires passcode or system password of an already enrolled device)


Conclusion

Technically speaking, cloud forensics is possible without forensic tools, yet it becomes a labour-intensive and time-consuming experience that requires additional hardware. The result is not forensically sound because of the many additional artefacts introduced while setting up, restoring, syncing and backing up the device in the course of the extraction. If you have the credentials, you can pull iCloud data without any forensic tools as a one-off trick (albeit the result won’t be clean or admissible in court). Doing it regularly as part of your daily job, or producing hard evidence that would be accepted by a court, is a different story.