Forensic access to iCloud backups

iPhone users have several options to back up the content of their devices. They can back up information stored on their device, such as contacts, pictures, call logs and data, into a file on their computer with the help of iTunes. Alternatively, they can back up all that information into cloud storage maintained by Apple.

iCloud allows users to store data from their devices on remote computer servers and share their files between multiple iOS devices. In addition, iCloud can be used as a data synchronization center for email, contacts, organizer events, bookmarks, pictures and other information. Various sources report that the service had as many as 125 million users as of April 2012.

iCloud backups are incremental. When set up to use the iCloud service, iPhones automatically connect to the iCloud network and back up their content every time a docked device gets within reach of a Wi-Fi access point. That is to say, iCloud backups represent a fresh, near real-time copy of information stored in iPhone devices, including information about recently made and received calls, sent and received text and email messages, and so on.

Regardless of their location, iPhone backups contain essential information stored in the device. Information stored in iPhone backups includes email, accounts and passwords, call logs and text messages, calendars, appointments, contacts and organizer information. Pictures and Web browsing history, including URLs of recently visited sites, are also included. Information stored in iPhone backups can be essential for investigations, and is in high demand by forensic customers.

Access to offline backups often requires the recovery of the original plain-text password protecting the backup, which may be a time-consuming operation. On the other hand, retrieving backup information from iCloud storage requires the use of the user’s Apple ID and password.

Interestingly, the password, if not already known, can be acquired from an offline backup produced with Apple iTunes, and used by investigators to watch suspects’ activities by monitoring changes to their online iCloud backups.

Retrieve content from password-protected backups

ElcomSoft updated its Phone Password Breaker, a tool to retrieve user content from password-protected backups created by iOS devices and BlackBerry smartphones, with the ability to retrieve user data from iCloud.

No lengthy attacks and no physical access to an iPhone device are required: the data is downloaded directly onto the investigators’ computers from Apple’s remote storage facilities in plain, unencrypted form. Backups of multiple devices registered with the same Apple ID can be effortlessly retrieved. Investigators need to know the user’s original Apple ID and password in order to gain access to online backups.

If a user owns more than one device, and those devices are registered with the same Apple ID, their online backups can be seamlessly recovered from iCloud with no extra effort.
