Releasing a major update of a complex forensic tool is always tough. New data locations and formats, new protocols and APIs require an extensive amount of research. Sometimes, we discover things that surprise us. Researching Apple’s iCloud Photo Library (to be integrated into Elcomsoft Phone Breaker 6.0) led to a particularly big surprise. We discovered that Apple keeps holding on to the photos you stored in iCloud Photo Library and then deleted, keeping “deleted” images for much longer than the advertised 30 days without telling anyone. Elcomsoft Phone Breaker 6.0 becomes the first tool on the market to gain access to deleted images going back past 30 days.

Current situation: Apple had completely fixed things. Deleted photos are retained for the maximum period of 30 days unless cleaned up, exactly as advertised. 

What Is iCloud Photo Library?

To put it simple, iCloud Photo Library is an online service for storing and syncing personal photos and videos (presumably, but not necessarily, captured with an iPhone). iCloud Photo Library is part of Apple iCloud. Any images and videos stored in iCloud Photo Library count against the user’s iCloud storage allotment.

Before iCloud Photo Library, photos and videos shot on an iPhone would be included into an iCloud backup (unless you used My Photo Stream, which only kept the last 1000 photos for 30 days only https://support.apple.com/en-us/HT201317). They wouldn’t sync with other devices, and you wouldn’t be able to see them on your computer unless you transferred or synced your photos with iTunes (or using one of the many third-party apps, some of them cloud-based).

iCloud Photo Library can be activated on your iPhone, iPad, or iPod touch via Settings > iCloud > Storage > Manage Storage > iCloud Photo Library (source: https://support.apple.com/en-us/HT204570). Once iCloud Photo Library is activated, the Camera Roll album is replaced with an All Photos album that will be automatically synced across your other devices if they share the same Apple ID and have iCloud Photo Library activated. You’ll also be able to access the synced files by logging in to icloud.com from any computer.

Forensic Access to iCloud Photo Library

The important news is that once the user activates iCloud Photo Library, the photos (and videos) synced via this service be will no longer included into iCloud backups made by your iOS devices. We were working on adding support for iCloud Photo Library in Elcomsoft Phone Breaker (basically, we had to research the protocol and create our own API to make it work). However, once we started working on it, we saw something unusual. Namely, we were able to extract more photos than appeared on synced iOS devices or showed up on iCloud.com. So we investigated.

What Happens to Photos (and Videos) You Delete?

According to Apple, deleted photos and videos will be stored in your account for 30 days (technically, they are moved to the Recently Deleted album). You can recover your photos and videos from the Recently Deleted during those 30 days, after which the files are supposed to be… deleted?

Apparently, it does not work that way. Yes, you can still access the photos and videos you deleted for the advertised 30 days. Yes, those files disappear from your iCloud Photo Library after 30 days, no longer showing up in the Recently Deleted album either on synced devices or on icloud.com. However, they are not destroyed.

In our research, we discovered that Apple holds on to your deleted photos and videos for much longer than 30 days. How much longer? While we don’t have big enough statistics, the oldest image we were able to recover so far was “deleted” about 6 months ago. At this time, we aren’t sure if all or some photos are kept. That’s a lot longer than 30 days!

What About Permanently Deleted Photos?

Now, there’s something even more interesting. You can manually remove photos from the Recently Deleted album, which should make them permanently deleted. Indeed, the pictures disappear from the Recently Deleted album. However, Apple keeps holding on to them for a little longer (at least six month longer for some files). Elcomsoft Phone Breaker 6.0 can extract photos that were “permanently” deleted from iCloud Photo Library. The oldest image we were able to recover was deleted from iCloud Photo Library more than 6 months ago.

How Can I Access Those Deleted Files?

Interestingly, there is no way for the end user to access those “deleted” images are not available to the end user. Not on your iPhone, not on your Mac, and not via icloud.com – unless you use Elcomsoft Phone Breaker 6.0. By directly utilizing the iCloud Photo Library protocol, we were able to discover and extract photos that were deleted significantly more than 30 days ago.

You may want to check for how long your own deleted files are stored in your iCloud Photo Library.

If you’ve never used iCloud Photo Library, make sure to enable it first (Settings > iCloud > Storage > Manage Storage > iCloud Photo Library if you use an iPhone or iPad). Shoot some photos, wait till they sync with the Photo Library and delete some images. Then open the Recently Deleted album and manually remove photos from there. (Alternatively, you can wait for 30 days to see them gone.) Open icloud.com on your computer to make sure the photos are actually gone from Recently Deleted. The rest will require using Elcomsoft Phone Breaker 6.0 to access the images.

Here’s how to do it.

• Download, install and launch Elcomsoft Phone Breaker. You’ll need the top-tier Forensic edition to make it work.
• Select [Tools] | [Apple] | [Download photos from iCloud]
• Enter your Apple ID and password (or use authentication token)
• You should see the list of photo albums including the number of photos and total size. The “Deleted” albums contains both “Recently Deleted” photos as well as images that are gone from the “Recently Deleted” album but still remain accessible.
• Choose albums to download (all albums/pictures will be downloaded by default)
• Click [Download], specify target folder and wait
• To view downloaded photos, use the latest version of Elcomsoft Phone Viewer and select [iCloud Photos]. If you don’t see iCloud Photos, you’re not using the latest version (EPV 2.20 or newer is required).
• Specify path to icloud_photos.xml from the folder where you saved the photos; wait till all pictures are downloaded
• Look at “Recently deleted” and “Recovered” albums; the latter contains the media files that have been permanently deleted (according to Apple) and so inaccessible via www.icloud.com or by other means

Conclusion

We are not sure what’s going on here. Maybe it is just a bug in the garbage collection algorithm. We don’t believe this was made on purpose to expose photos to law enforcement.

In the meanwhile, we have reviewed Apple’s privacy commitment and their policy regarding government information requests:

http://www.apple.com/privacy/government-information-requests/

http://www.apple.com/legal/privacy/law-enforcement-guidelines-us.pdf

According to these, Apple will provide “iv. Other iCloud Content. Photo Stream, Docs, Contacts, Calendars, Bookmarks, iOS Device Backups”, which may include “stored photos, documents, contacts, calendars, bookmarks and iOS device backups.”

What’s most important here is this: “Apple does not retain deleted content once it is cleared from Apple’s servers”. As we have proven with Elcomsoft Phone Breaker 6.0, this is not the case.

Speaking of iCloud backups, Apple keeps three most recent copies. Considering our latest findings, we are no longer sure.

One more thing. Apple does not own its data centers. Instead, the company is using 3^rd party cloud services such as Amazon AWS, Google and Microsoft Azure. Encryption keys are stored alongside the data, so anyone who has access to those servers can gain access to photos you thought were permanently deleted.