The majority of mobile devices today are encrypted throughout, making extractions difficult or even impossible for major platforms. Traditional attack vectors are becoming a thing of the past with encryption being moved into dedicated security chips, and encryption keys generated on first unlock based on the user’s screen lock passwords. Cloud forensics is a great alternative, often returning as much or even more data compared to what is stored on the device itself.

The challenges of device forensics

The past years introduced a number of challenges to mobile forensic experts. It’s been a while since device encryption killed chip-off analysis, but there are more challenges than that. A few years back, Apple introduced USB restrictions, making data preservation a challenge. The release of the A12 platform patched the very effective checkm8 acquisition and made device unlocks more difficult.

In the land of Android, Google had finalized the move from the less-secure Full Disk Encryption (FDE) to the much more robust File-Based Encryption (FBE) that uses an encryption key based on the user’s screen lock password, rendering EDL extractions nearly useless without knowing the correct passcode. In many cases, experts could work around the FDE; however, the newer FBE encryption is a real challenge.

With passcode unlocks becoming more difficult with each generation of mobile devices, device forensics become more and more difficult year over year.

The benefits of cloud forensics

Cloud forensics overcomes most of the challenges associated with analyzing physical devices, while adding a share of other challenges. Compared to analyzing a single device, cloud forensics offers the following benefits:

• Authenticating into a cloud account is easier than unlocking a device. The password may be obtained from multiple sources (more on that in the next chapter), while the screen lock passcode is rarely stored anywhere.
• Government requests. Starting with iOS 8, Apple stopped accepting physical devices for extraction. However, the company readily serves government requests, returning iCloud data (except end-to-end encrypted types). Google and Microsoft do not use end-to-end encryption to the extent of Apple, and return nearly all information collected from their users.
• Limited token-based authentication. If you have access to the user’s computer, you may be able to use a token to authenticate into a cloud account. For Apple devices, this only works to a limited extent: you can only use macOS tokens, and only on the very same macOS computers they were extracted from, and even then you need an authenticated user session (or must know the account password).
• More information than a single device contains. This is especially true for Android as Google accounts typically hold years worth of historical data such as location information and browsing history. For Apple devices, cloud synchronization aggregates information submitted by all devices signed in to the same Apple ID.
• Data accessible even if the device is broken, locked or missing. You don’t need the device itself to pull data from the cloud (except for passing the 2FA challenge in certain cases).

Elcomsoft Phone Breaker can extract nearly everything from iCloud accounts, even including end-to-end encrypted data that is not available otherwise.

The challenges of cloud forensics

Just like device forensics, cloud forensics has challenges on its own. The obvious challenge is the password: you won’t be able to authenticate into a cloud account without proper credentials. The password, however, may be obtained from one of the many sources, such as:

• Microsoft Account: browser stored passwords (with Elcomsoft Internet Password Breaker); brute-force cached Windows account credentials with Elcomsoft Distributed Password Recovery (if Microsoft Account is used for Windows 10 sign in); other devices and cloud services (e.g. Google Account with Elcomsoft Cloud Explorer, iOS keychain, macOS keychain, password manager apps and so on).
• Apple ID/iCloud: browser stored passwords; other devices and cloud services (e.g. Microsoft Account, Google Account).
• Google Account: browser stored passwords; other devices and cloud services (e.g. iCloud Keychain, Microsoft Account).

Two-factor authentication has been a major part of the authentication process for a long time. In recent years, Apple requires the use of two-factor authentication with all newly created Apple IDs (an exception is made for children accounts). In our experience, real-world use of two-factor authentication for Apple account has reached 90%. Overcoming the challenge of two-factor authentication may be as easy as pulling a trusted SIM card or as difficult as attempting to unlock a device or searching for a trusted FIDO U2F security key.

Then comes encryption. Zero-knowledge end-to-end encryption is commonly used by cloud services to protect essential bits and pieces of information. The protected bits and pieces become unextractable without additional steps. The “zero-knowledge” part means that the cloud service provider does not know and does not have access to such encrypted data, and is unable to provide such data to the law enforcement when serving government requests. The different cloud providers protect different bits and pieces, Apple leading the way in most regards. Below is the list of data protected with end-to-end encryption by major cloud services.

• Microsoft Account: Microsoft does not seem to be using end-to-end encryption. Everything is accessible with regular authentication.
• Apple ID/iCloud: lots of data uses end-to-end encryption, requiring the screen lock passcode or system password of any device enrolled into the trusted circle. See below for the full list.
• Google Account: Android backups starting with Android 9. Restoring such backups onto a new device requires entering the screen lock passcode of the original device.
• Amazon (consumer accounts): Amazon is not known to use end-to-end encryption for any of its consumer products (e.g. Kindle, FireOS and FireTV devices).
• BitWarden (password manager): all passwords are end-to-end encrypted with master password.

For Apple ID/iCloud, end-to-end encryption protects the following (iOS 14 and 15):

• iCloud Keychain
• Messages (SMS, iMessages, attachments)
• Apple Maps (searches, routes, frequent locations)
• Safari history (since iOS 13)
• Apple Health
• Screen Time
• Home data
• Voice memos

More on end-to-end encryption in iCloud Backups, Synced Data and End-to-End Encryption.

Authentication and encryption issues aside, there are other challenges to cloud forensics. The communication protocols are largely undisclosed and are constantly changing. Apple does everything it can to prevent third-party tools from accessing iCloud backups, going as far as requiring a valid Apple device hardware ID in order to release the data. Google makes constant changes to the various communication protocols and authentication methods, making it difficult to cope. Microsoft uses a complex synchronization protocol that is very difficult to grasp; it’s so difficult that even Microsoft’s own products (such as the iOS version of its Edge browser) may be unable to sync data they should be syncing.

Conclusion

Cloud forensics is the future. There are many challenges in cloud forensics, with more and more data being moved under the end-to-end encryption umbrella. At the same time, governments actively resist end-to-end encryption in the cloud, making major parts of user data (such as the photos) stored with no encryption, conveniently scannable for controversial materials.