Elcomsoft Phone Breaker is not just about Apple iCloud data. It can also download the data from other cloud services including Microsoft accounts. In this new version, we have added support for even more types of data, including Windows 10 Timeline, Account Activity (logins to the account), OneDrive files, recent OneDrive files history, and files from Microsoft Personal Vault. Learn about these data types and how they can help advance your investigation.

Windows Timeline

Windows Timeline is a feature that first appeared in the Windows 10 April 2018 Update. The feature enhances Task View, enabling a glance into the past by displaying the user’s historical activities. The Timeline contains timestamped information about the user’s launched applications, searches, documents, and Web browsing history. Along with Windows jumplists, the feature is little known and rarely disabled, giving a valuable insight into the history of system’s usage.

If the user signs into their Microsoft account, Windows synchronizes the Timeline across devices. This is where we extract it from: Elcomsoft Phone Breaker 9.70 downloads the data, and Elcomsoft Phone Viewer 5.30 displays its content in a convenient layout.

By analyzing the Timeline data, experts can access to timestamped information about the app usage and Web page visits.

In addition to the Timeline, the tool extracts Account Activities detailing the user’s sign-ins to their Microsoft account.

OneDrive and Personal Vault

OneDrive needs no introduction, but the Personal Vault feature is still relatively unknown. According to Microsoft, “Personal Vault is a protected area in OneDrive that you can only access with a strong authentication method or a second step of identity verification, such as your fingerprint, face, PIN, or a code sent to you via email or SMS. Your locked files in Personal Vault have an extra layer of security, keeping them more secured in the event that someone gains access to your account or your device.”

When accessing Personal Vault, one would typically need to pass through all authentication steps: the login and password, and the second authentication step. For most tools, that would mean either no Vault extraction at all or a second, duplicate authentication effort. The newest update to Elcomsoft Phone Breaker can extract files from the user’s Personal Vault without the need to perform an additional (double) authentication.

Step by Step Guide

Extracting OneDrive, Personal Vault and Timeline data with Elcomsoft Phone Breaker is straightforward.

1. Install the latest version of the tool (EPB 9.70 or newer required).
2. Select “Download data from Microsoft account”
3. Authenticate into the user’s Microsoft account with login, password, and two-factor authentication.
4. Choose categories (e.g. OneDrive, Personal Vault, and Timeline).
   
5. Click Continue. The data will be downloaded.

To analyze, follow these steps.

1. Install and launch the latest version of Elcomsoft Phone Viewer (version 5.30 or newer).
2. Select “Microsoft account data”
3. Specify data types for parsing
4. Start analyzing specified data types

Conclusion

Now supporting the widest range of data in multiple cloud services, Elcomsoft Phone Breaker becomes truly indispensable for cloud analysis. The updates are free of charge to existing users with currently valid licenses.