Elcomsoft Phone Breaker 11 Restores iCloud Access

April 30th, 2026 by Oleg Afonin
Category: «Elcomsoft News», «Mobile»

Extracting cloud data is becoming increasingly valuable – and increasingly complex at the same time. In scenarios where a target device is physically unavailable, cloud extraction is often the only real way to access evidence. This is particularly relevant when devices are secured by an unknown passcode or locked under Apple’s Stolen Device Protection framework without available biometric authentication, rendering traditional extraction techniques ineffective.

Apple’s cloud ecosystem aggregates synchronized data from all devices tied to a specific Apple ID, providing forensic specialists with a comprehensive, cross-device dataset rather than a fragmented, single-device view. Accessing this data, however, requires more and more effort. Beginning with the rollout of iOS 18, Apple initiated substantial modifications to its cloud infrastructure and access mechanisms. While backward compatibility with legacy access protocols was temporarily maintained to support devices running older versions of iOS, Apple executed a definitive cut-off in January and February of 2026. During this window, the old protocols were permanently blocked, and cloud authentication procedures were entirely overhauled, rendering prior extraction methods obsolete.

What Works Now: iCloud Drive and Synchronized Data

Elcomsoft Phone Breaker 11 restores extraction capabilities for most data categories including synchronized data, iCloud Drive, and iCloud backups.

Let’s start with iCloud Drive. This service frequently acts as a catch-all repository for user data beyond standard iOS backups. It routinely contains synchronized macOS Desktop and Downloads folders, alongside application data and third-party backups from various iOS and iPadOS apps, such as encrypted WhatsApp backups. Accessing this unstructured storage often yields evidence that is not categorized by Apple’s standard synchronization services.

The updated engine also successfully extracts regular, non-end-to-end encrypted (E2EE) synchronized data, providing a consolidated view of user activity across the account. The following data types are currently supported:

  • Account Info & Devices: Yields a full list of linked devices to guide further hardware acquisition. It also extracts the FileVault token, which can decrypt Intel-based (non-T2) Mac disk images without a password. Support for APFS decryption utilizing this token will be arriving soon in Elcomsoft Forensic Disk Decryptor.
  • Photos & Notes: These high-value targets are extracted with metadata intact. Photos retain EXIF data, including geolocation and timestamps, while Notes maintain folder structures and attachments. Based on our observations, data manually cleared from the “Recently Deleted” folder can sometimes still be recovered for up to two weeks before Apple permanently purges it from their servers.
  • Other Usable Data: Extracts Screen Time metrics (installed apps per device and Family Sharing members), Voice Memos, Wallet items (loyalty cards and boarding passes), Contacts, Calendars, iBooks (which frequently hold PDF tickets), Apple Maps (Favorites only), and Safari records (Bookmarks, Open Tabs, and Reading List).

No End-to-End Encrypted Data: The main limitation of the current release involves data protected by Apple’s end-to-end encryption. As we are still working on the overhauled E2EE authentication mechanisms, these categories remain inaccessible. Currently, we cannot extract Apple Maps (Searches and Explored places), Safari browsing history, Health data, iCloud Keychain, or Messages.

End-to-end encrypted data is only available (according to https://support.apple.com/en-us/102651) to trusted devices. Previously, one could enroll in the trusted circle by simply providing a passcode or system password of an already trusted device. Now, however, Apple additionally engages Secure Enclave, which currently eliminates software-based access.

iCloud Backups: Known Issues and Workarounds

Currently, iCloud backups kind of work. They do download, but stability remains an issue when handling large data sets. While small backups typically download without error, the extraction of larger backups may unexpectedly interrupt or fail after downloading several gigabytes. These interruptions appear to be the result of new, undocumented security measures Apple recently implemented for backup data. The exact reason the downloads drop is currently unknown; we are actively investigating these new protocols to identify the root cause and develop a permanent fix.

In the meantime, investigators can use a workaround to bypass this issue and still download the data. When setting up the extraction of a large cloud backup, first check the box for “Restore original file names,” and then “Download only specific data.” Once the subsequent list loads, select all available categories. Our testing confirms that this selective download method extracts nearly the entire backup without triggering an interruption.

Conclusion

We released Elcomsoft Phone Breaker 11 mainly to restore access to the highest-yield, most reliable evidence such as synchronized data and iCloud Drive as quickly as possible, rather than delaying the release for an all-inclusive and permanently-fixed solution. The primary missing piece in this build remains the extraction of end-to-end encrypted categories. We are currently working on investigating Apple’s new E2EE authentication mechanisms, and support for these protected data types will be addressed in a future update. Another point to address will be the permanent fix to the backup downloading problem; we are actively working on a solution.
