iOS 15 Forensic Implications: Temporary iCloud Backups

August 23rd, 2021 by Oleg Afonin
Category: «Mobile», «Tips & Tricks»

iOS 15 is about to bring a host of new features, some of which will have forensic implications. Today we’ll cover a feature that can help experts with cloud analysis: temporary iCloud backups, which make it possible to create and extract a copy of the device’s data even if the user does not have enough free space in their iCloud account. The temporary backups are designed to speed up the migration when changing Apple devices; they are not affected by the storage quota, but have a limited lifetime.

One of the main problems of iCloud forensics (unknown account passwords aside) is the sporadic nature of cloud backups. Experts often find out that a given user either does not have device backups in their iCloud account at all, or only has a very old backup. This happens primarily because of Apple’s policy of only granting 5GB of storage to the users of the free tier. While users can purchase additional storage for a mere 99 cents a month, very few do so. iCloud Photos, downloads and other data quickly fill up the allotted storage space, leaving no space for a fresh cloud backup.

“Now when you buy a new device you can use iCloud Backup to move your data to your new device, even if you’re low on storage. iCloud will grant you as much storage as you need to complete a temporary backup, free of charge, for up to three weeks. This allows you to get all your apps, data, and settings onto your device automatically.” (Apple)

The ability to wirelessly back up and restore an iPhone is one of the hallmarks of the ecosystem. Currently, users can wirelessly transfer the content of an old iPhone onto a new device regardless of how much free space they have in iCloud. The problem, however, is that the process effectively backs up the original iPhone (which may take a lot of time), and restores the data onto the new device. The migration process occurs much faster without the first step, so in iOS 15 Apple offers an option to back up the iPhone temporarily whenever convenient, then restore the temporary backup onto a new (or even the same) iPhone. Unlike traditional iCloud backups, these temporary backups have the following properties:

  • Requires iOS 15 on both devices
  • Must be created manually (no scheduled temporary backups possible); device must be unlocked
  • Does not count against iCloud storage quota
  • Retained for 21 days, automatically deleted afterwards
  • Currently, users cannot manually delete temporary backups (might be a bug in the beta version)

Creating a temporary backup

To create a temporary backup, do the following.

  1.  Update the device to iOS 15.
  2.  Open the ‘Transfer or Reset iPhone’ tab (Settings/General/Transfer or Reset iPhone). In earlier versions of iOS this was the ‘Reset’ tab.
  3.  Click through the information screens.
  4.  When you create the backup, the Settings app will display its progress (iCloud Backup In Progress).

Once the backup is complete, you can see it in iCloud. Note that the backup does not count against storage quota.

Extracting and analyzing temporary backups

Currently, iOS 15 is still in beta. However, we have already added support for temporary iCloud backups to Elcomsoft Phone Breaker (Forensic edition). You can view these backups with Elcomsoft Phone Viewer. Elcomsoft Phone Breaker is the only tool on the market that can extract iCloud backups with no strings attached.

The following screenshot demonstrates how an 8.6GB backup is successfully created in an iCloud account with only 5GB of free storage.

At this time, users cannot manually delete temporary backups. This might be a bug in the beta version of iOS 15.

Conclusion

Temporary backups will have their use in mobile forensics, albeit a limited one. These backups can only be created manually, with the phone unlocked, which raises the question of making a local backup instead, since a local backup will contain a larger set of data. For this reason, temporary backups may be handy if you are unable to create or decrypt a local backup, e.g. if the device’s Lightning port is damaged or if you cannot reset the backup password.

With the release of iOS 15, we expect a significant influx of users upgrading to iCloud+ to use features such as Private Relay and Hide My Email. In addition to these features, users will receive 50GB of cloud storage, which will reopen the possibility to create regular cloud backups, decreasing the significance of temporary backups even further.


REFERENCES:

Elcomsoft Phone Breaker

Gain full access to information stored in FileVault 2 containers, iOS, Apple iCloud, Windows Phone and BlackBerry 10 devices! Download device backups from Apple iCloud, Microsoft OneDrive and BlackBerry 10 servers. Use Apple ID and password or extract binary authentication tokens from computers, hard drives and forensic disk images to download iCloud data without a password. Decrypt iOS backups with GPU-accelerated password recovery.

Elcomsoft Phone Breaker official web page & downloads »


Elcomsoft Phone Viewer

Elcomsoft Phone Viewer is a fast, lightweight forensic viewer for quickly accessing information extracted from mobile backups. Supporting a variety of platforms and data formats, the tool can display information extracted from local and cloud iOS backups and Microsoft Accounts. Password-protected iTunes backups can be automatically decrypted and analyzed without using third-party tools.

Elcomsoft Phone Viewer official web page & downloads »