Apple iCloud contains massive amounts of data, which may become highly valuable evidence. The oldest and most frequently mentioned are iCloud backups, which ElcomSoft were the first to extract back in 2012. A lot has changed since then. Today, iCloud backups account for a very minor part of the evidence available in iCloud. Learn what types of data are stored in iCloud, how Apple protects the data with end-to-end encryption, and how to access that valuable evidence with the updated Elcomsoft Phone Breaker.
We’ve updated Elcomsoft Phone Breaker 9.60 with new, significantly handier cloud access. The new product breaks down the 17 iCloud categories (that’s not counting the backups or files in iCloud Drive) into three large groups:
Apple synchronizes significantly more information than lands in iCloud backups, but many of the synchronization vs. backup options depend on the user’s choice. For example, if the user ticks “iCloud Photos” in the Settings app, the pictures they snap will be synchronized to the cloud instead of landing in iCloud backups. If the user does not use iCloud Photos, the images will be part of the backup instead. The same goes for iCloud Messages.
Either way, we counted some 17 data types in the Synced category. The list is set to grow. Parts of the Synced Data set are end-to-end encrypted, and are not available to law enforcement when Apple serves a government request. Elcomsoft Phone Breaker can access end-to-end encrypted data, with caveats:
End-to-end encrypted data includes:
In EPB, end-to-end encrypted data is marked in orange.
The passcode is only required to access end-to-end encrypted data types.
This category holds both the files and documents (e.g. PDF files) that the user consciously stores in their iCloud Drive and files downloaded in Safari, standalone backups of some third-party apps, etc.
There is no easy way to extract most of the data without third-party tools. By using Apple tools, one can only access documents (Pages/Numbers/Keynote), the content of the Downloads folder (a feature of iOS 13), the user’s stored files, as well as files created by a very limited set of apps. Elcomsoft Phone Breaker can download everything, including some system files as well as the data saved by virtually all apps. This includes standalone backups created by many instant messengers (WhatsApp, Viber, LINE), databases of a few password managers (1Password, Enpass), Desktop and Documents of connected Mac computers (if sync is enabled), recently deleted files and a lot more. Most of that data is not available if you were to use Apple tools.
iCloud backups still contain valuable information, even if all synchronizations are turned on. Apple understands the value of iCloud backups, and is constantly working on improving (or simply changing) protection. Recently, we have noticed a change in the data format of iCloud backups. Elcomsoft Phone Breaker 9.60 accommodates the change, now correctly downloading and processing iCloud backups in the ‘new’ format.
Elcomsoft Phone Breaker supports all two-factor authentication methods including push notifications on trusted devices, codes delivered via text messages as well as codes generated offline in the Settings app. The tool can download backups created by all versions of iOS up to and including the latest iOS 13.5.
Elcomsoft Phone Viewer received an important update, too. Needless to say, the updated viewer now supports all the 17 data types extracted by Elcomsoft Phone Breaker, but it does more than that. Elcomsoft Phone Viewer 5.10 can now display keychain records, including those extracted from local backups, obtained during the course of physical acquisition, or downloaded from the cloud. This functionality was previously exclusive to Elcomsoft Phone Breaker – now finally available in the proper tool.
Elcomsoft Phone Breaker and Elcomsoft Phone Viewer remain the most powerful all-in-one iOS extraction tools on the market. Supporting local backups and offering extensive cloud acquisition options including cloud backups, iCloud Drive and some 17 categories of synchronized data (including end-to-end encrypted types), Elcomsoft Phone Breaker is a tool no mobile forensic specialist should go without. Our cloud forensic tools are the fastest, most complete, and the most compatible on the market, delivering law enforcement professionals significantly more evidence than Apple themselves. Note that some features of the product are only available in the Professional edition, while some other features are exclusive to the Forensic edition.
Gain full access to information stored in FileVault 2 containers, iOS, Apple iCloud and Windows Phone devices! Download device backups from Apple iCloud and Microsoft OneDrive servers. Use Apple ID and password or extract binary authentication tokens from computers, hard drives and forensic disk images to download iCloud data without a password. Decrypt iOS backups with GPU-accelerated password recovery.
Elcomsoft Phone Viewer is a fast, lightweight forensic viewer for quickly accessing information extracted from mobile backups. Supporting a variety of platforms and data formats, the tool can display information extracted from local and cloud iOS backups and Microsoft Accounts. Password-protected iTunes backups can be automatically decrypted and analyzed without using third-party tools.