Acquiring data from locked, broken, or inaccessible devices poses significant challenges. However, there are ways to retrieve valuable information from such devices by obtaining the data from iCloud, including old data that has been deleted with no chance of recovery. In this article, we will explore the classic acquisition methods available for iOS devices and focus on the crucial role of Apple iCloud in forensic investigations.
Classic Acquisition Methods
For iOS devices, low-level extraction is an effective method that returns the full file system image and decrypts the keychain containing important data like passwords and encryption keys. Low-evel extraction remains the only way to access encrypted conversations in secure instant messengers (e.g. Signal). However, low-level extraction availability is limited to older devices or versions of iOS, leading to delays in supporting newer iOS releases. This rapid succession of updates and patches makes data extraction a continuous challenge for forensic experts.
In cases where unsupported iOS versions are encountered, advanced logical extraction becomes the only viable option. While it allows the extraction of device backups, some system logs, media files and metadata, it may not retrieve critical data like email messages or conversation histories from popular instant messaging apps.
No device – no data?
In some situations, accessing data directly from the device may not be possible or may not return all the desired information, even if the device is unlocked. This is particularly relevant when dealing with deleted data. When the device is factory reset, of data is deleted from a device, it may seem irretrievable. The specific type of data encryption used in modern versions of iOS renders deleted files completely inaccessible even if low-level access is granted to device storage.
Certain scenarios render the device inaccessible for data extraction. Physical damage to the device, such as water damage or hardware failure can pose significant challenges. Additionally, instances where the device has undergone a factory reset or has been wiped clean may hinder data retrieval efforts.
In such cases, cloud extraction provides a viable solution.
The Role of iCloud in Data Acquisition
Apple iCloud, being a centralized cloud storage and synchronization system for Apple devices, holds a wealth of information, including backups, synchronized data, and tons of sensitive information protected with end-to-end encryption.
iCloud backups, introduced in 2011, store system and application data similar to passwordless local backups. However, synchronized data, like photos from iCloud Photos, may not be present in these backups; these and many other types of data can be retrieved from iCloud by accessing synchronized data.
Accessing iCloud backups typically requires restoring onto a physical Apple device. This is the only way officially supported by Apple; there are no backup management tools and no official way to download iCloud backups from Apple servers. Accessing synchronized data is somewhat easier as some categories can be accessed by setting up iCloud on a Mac or using iCloud for Windows. Still there exists no way to download iCloud backups with official Apple software.
Getting iCloud Data: The Legal Way
To obtain iCloud data legally, forensic experts can request the data from Apple directly. This process involves specific steps and documentation, which can vary depending on the jurisdiction and legal requirements. Additionally, they may need to obtain proper consent or court orders, depending on the circumstances.
Requesting information from Apple must follow a certain pathway. For U.S. law enforcement, Apple has published a number of guidelines for US and non-US law enforcement officials.
The printable request form is available here:
The following general resources are available:
While the legal pathway ensures that the data is obtained with proper authorization, reinforcing the credibility of the evidence in any legal proceedings, the process may be lengthy and highly complicated.
Alternative Approach to iCloud Data Extraction
Elcomsoft Phone Breaker is a forensic tool that revolutionized iCloud backup extraction by eliminating the need for using authentic Apple hardware to restore iCloud data to. With this tool, experts can download iCloud backups created with devices running all versions of iOS up to and including iOS 16.x, access all types of synchronized data, and even decrypt end-to-end encrypted data (more on that later). Synchronized data encompass various types of information, such as calendars, contacts, notes, and more, which are synchronized by Apple apps across different devices linked to the user’s iCloud account.
To download iCloud backups and synchronized data using Elcomsoft Phone Breaker, the following requirements must be met:
The user’s Apple ID and password.
A one-time code for two-factor authentication, if enabled on the user’s account.
We published a comprehensive guideline on iCloud extraction:
End-to-End Encrypted Data
End to end encryption is used as an additional protection layer to safeguard some of the most sensitive information against unauthorized access even if the intruder knows the login and password to the user’s cloud account. Technically, end-to-end encrypted records belong to synchronized data. Data protected with end-to-end encryption requires an additional secret to unlock the encryption key. That key can be unlocked with a screen lock passcode (iOS) or macOS account password of one of the trusted devices. End-to-end encrypted data include iCloud keychain (authentication data and passwords), Health, Safari browsing history, iMessages, and several other categories.
Downloading end-to-end encrypted data requires all of the following:
The user’s Apple ID and password
One-time code for two-factor authentication (a must; end-to-end encryption is not available for accounts without two-factor authentication)
Screen lock passcode or system password of a trusted Apple device with the same Apple ID
Apple itself states that it cannot provide this encrypted information when serving legal requests. However, our software is capable of retrieving end-to-end encrypted data, but requires the user’s passcode or password from one of the trusted devices associated with the iCloud account. This capability makes Elcomsoft Phone Breaker the only tool on the market capable of extracting end-to-end encrypted data.
Advanced Data Protection for iCloud
Advanced Data Protection for iCloud is an optional setting that provides Apple’s highest level of cloud data security. When enabled, it offers end-to-end encryption for the majority of the user’s iCloud data, including iCloud backups, photos, notes, and more. This advanced encryption ensures that no one, not even Apple, can access end-to-end encrypted data, making it highly secure, even in the event of a cloud data breach. As forensic experts, it’s important to be aware of this data protection feature, as it means that data stored in iCloud accounts with this feature enabled may not be accessible using either the legal pathway or conventional forensic tools, including our software. While our software excels in extracting a wide range of iCloud data, Advanced Data Protection poses unique challenges due to its advanced protection measures.
Legal Considerations
When it comes to forensic investigations for legal proceedings, complexities arise. While ongoing investigations have clearer guidelines, presenting evidence in court requires meticulous adherence to legal standards and potential challenges from opposing parties. Therefore, forensic experts must be educated in legal procedures and practices to ensure the integrity of their findings.
Conclusion
iCloud acquisition is a valuable resource for forensic experts facing challenges in acquiring data from locked, broken, missing, or wiped devices. While classic acquisition methods provide access to certain data, iCloud extraction opens up new possibilities for retrieving crucial information, even including end-to-end encrypted data. However, forensic experts must be aware legal complexities and always ensure compliance with the law to uphold the integrity of their investigations.
By Oleg Afonin at 2023-07-25 16:00:44 Source ElcomSoft blog: