Pulling a backup out of iCloud is one of the more technically demanding jobs in cloud forensics. An iCloud backup is not a single, ready-to-download file; instead, it is assembled from a large number of separate fragments that have to be collected and stitched back together into a coherent backup. Recent changes to Apple’s communication protocols broke things for everyone except Apple themselves, meaning that we had to rework the underlying extraction logic. This is documented in Elcomsoft Phone Breaker 11 Restores iCloud Access.

Recent changes to Apple’s communication protocols and to the format of certain server responses meant that logic had to be substantially reworked. The first pass in version 11.0 had teething issues: backups could stop partway through, often after only the first few gigabytes. Version 11.1 applies the final fixes. Backups that previously stalled now download completely, and the reconstruction step produces a consistent backup you can actually work with – but only if the backup was made by a device running iOS or iPadOS 18 or lower. Cloud backups produced by iOS or iPadOS 26 are not supported just yet. Support for them is coming in a follow-up release.

Background: what EPB 11 changed

Apple’s sweeping changes to authentication and encryption had blocked the methods Elcomsoft Phone Breaker previously relied on. EPB 11.0 rebuilt iCloud extraction from the ground up in response. That release restored downloads of iCloud Drive files and synchronized data, but it also flagged unresolved issues that could interrupt backup extraction partway through. Version 11.1 is the follow-up that addresses those issues directly – the cloud extraction overhaul is now complete.

Why forensic specialists need iCloud backups at all

Cloud backups are often the only realistic route to critical evidence. When a suspect’s device is missing, locked, wiped, stolen or physically broken – and there is no hardware unlock on the table – the iCloud account may be the only thing left to work with. A backup sitting in the cloud does not care about the state of the phone.

There is usually more there than a single backup, too. One Apple ID often holds backups for several devices – an old iPhone, a current iPhone, an iPad – and all of them are reachable from the same account. It is worth checking what the account actually contains before assuming there is just one target.

For each device, iCloud typically keeps two backups: the most recent one and the one before it. The older backup is easy to overlook, but it can be the more useful of the two. It may predate an app uninstall or a deliberate cleanup, which means it can still hold data the latest backup no longer does. Treating the most recent backup as the only one that matters is a common way to miss evidence.

Finally, the cloud route stays open even when the device is locked down hard. If a phone is sitting behind Stolen Device Protection and cannot be unlocked in hardware, the iCloud account is still a way in: with the account credentials, you can pull the backup from the cloud. It will not be as complete as a full device extraction – synced and end-to-end encrypted categories stay out of it – but a partial backup is still a great deal better than no evidence at all.

Local vs. iCloud backups: what’s actually inside

It helps to be clear about what each backup type does and does not contain, because they are not interchangeable. The table below compares the four cases an examiner runs into. ✓ means the category is present and usable; ✗ means it is not in that backup; conditional notes are spelled out inline. Local backups with and without a password are somewhat different in both their content and accessibility of different content types. The content of iCloud backups, on the other hand, depends on whether the user has Advanced Data Protection for iCloud enabled; the table below has it under “iCloud backup with ADP”.

The short version: an encrypted local backup with a known password is the richest single source after low-level extraction, an iCloud backup is the fallback when the device is out of reach, and an iCloud account under Advanced Data Protection puts the backup itself end-to-end encrypted. Worth noting too that an iCloud backup is a complement to iCloud sync, not a copy of the whole device – anything actively syncing (Photos, Drive, Messages in iCloud and so on) usually lives in its own container and has to be acquired separately from the backup. For local backups, developers control whether their apps are allowed to back up with isExcludedFromBackup, while users can additionally exclude select apps specifically from iCloud backups.

A note on location data. The table is a starting point, not a guarantee – the photo-related rows in particular deserve a closer look. Even when iCloud Photos is switched on, so the photo library itself lives in its own container rather than in the backup, an iCloud backup can still carry photo metadata. In one of our test accounts, a small iCloud backup of around 500 MB held only about 80 actual photos, yet close to 20,000 location records – virtually all of them tied to photos, and stamped with timestamps. The metadata syncs even when the images largely do not. So treat an iCloud backup as something that may contain geolocation data rather than something that definitely does or definitely doesn’t: even where the full-resolution photos are absent, image previews or thumbnails can survive in the backup. It is worth checking on every case rather than assuming either way.

Working with the downloaded backup

Once the backup is on your machine, its origin barely matters. A local backup, encrypted or not (provided that you do know the password), and an iCloud backup land in the same format and call for the same approach, so nothing below changes depending on where the data came from.

The quickest route is the Decrypt backup feature in Elcomsoft Phone Breaker. Point it at the backup, tick the option that converts file names into readable form, and run it. Within minutes you get the actual media files plus all the databases (most of them SQLite) from both system and third-party apps: contacts, call logs, SMS, WhatsApp chats and so on. It’s fast enough to treat as triage: a quick look at what’s there before you commit to a deeper pass.

For a proper analysis you’ll want a dedicated forensic tool. Magnet AXIOM is a solid choice; it combines fast processing, reasonably deep parsing and a workable interface in one package. That stage is measured in hours rather than minutes, but it’s where the full picture comes together.

Bottom line

Backup extraction is fixed for all versions of iOS/iPadOS before 26. The interruptions that could cut a download short are gone, the reconstruction step produces a consistent result, and iCloud backups again come down in full for supported versions of iOS. If a stalled backup was holding up your work, update to Elcomsoft Phone Breaker 11.1 and download it again.