Apple iCloud Keeps More Real-Time Data Than You Can Imagine

Apple has a wonderfully integrated ecosystem. It conveniently synchronizes information such as passwords, Web browsing history, contacts and call logs across all of the user’s devices. This mechanism uses iCloud to sync and store information. It works independently from iOS system backups that are also stored in iCloud or iCloud Drive. As opposed to daily iCloud backups, synced data is updated and propagated across devices in almost real time. Extracting this data can be invaluable for investigations as it provides access to the most up-to-date information about the user, their activities and whereabouts.
What exactly is synced through iCloud?
– Photos (iCloud Photo Library)
– Mail (iCloud mail only)
– Contacts, Calendars, Reminders
– Safari (browsing history, bookmarks, tabs open on other devices)
– Game Center (profiles, achievements, game progress)
– Siri (requests, settings)
– Keychain (iCloud Keychain stores passwords and forms from Safari, iOS system, Apple, some third-party apps, but not Google Chrome)
– iCloud backups (up to last 3 copies per device, created daily while charging)
– iBooks, Pages, Numbers, Keynote
– Maps
– Wallet
– Wi-Fi
While this data is or can be synced with iCloud, there is really no way to view, download or otherwise access most of that data other than by syncing it to an Apple device. This is why we made Elcomsoft Phone Breaker. Over time, we added support for more and more categories. iCloud Keychain was particularly tricky as it features an advanced protection mechanism; we were able to work around it just months ago. iCloud Photo Library was another highlight: we discovered that Apple didn’t actually remove photos users deleted from their library. We were also the first to extract call logs, which, despite the lack of a dedicated option in iCloud settings, are still synced with other devices, with no obvious way to disable the (quite controversial, according to many users) feature.
Elcomsoft Phone Breaker 8.20 adds the following categories to the list of extractable ones:
– Account/User info
– Wi-Fi
– Apple Maps
– Wallet (except credit card data)
– iBooks
What’s so interesting about the newly added categories? In many cases, there’s more to them than meets the eye.
Account/User info includes comprehensive information about the owner of the Apple Account including their phone numbers and street address. In addition, here you’ll find the list of the user’s devices including their serial numbers and OS versions. As a bonus, you’ll often find information about devices that used to be registered on the user’s account (but not anymore).
iBooks: why would you want to read somebody else’s books? The thing is, it’s not about the books at all. The new category includes documents that were opened or manually added by the user. Since iBooks can handle PDF files, many iOS users won’t bother installing a third-party PDF reader such as Adobe Acrobat. By downloading the “iBooks” category, you can gain access to PDF files, e-books and documents the user opened with the iBooks app.
Wi-Fi information includes wireless access point names and MAC addresses. This data cannot be removed from the device without doing a hard reset. By tracing down the location of those MAC addresses, it becomes possible to determine the user’s whereabouts at the time the access point was added.
Wallet may contain a lot of essential evidence including air tickets, hotel bookings and car rentals with full information, boarding passes, bonus programs, club cards, movie and railway tickets, and so on and so forth.
Last but not least, Apple Maps is probably the most undervalued category. It’s a common belief that Google is the evil one, collecting excessive information about the user and tracking their every step, while Apple is privacy-minded and doesn’t track its customers. Well, think again: Apple Maps delivers just as much data about the iPhone user as would be available for an Android user in their Google Account. While Google allows its users to see exactly what the company knows about them and fully or selectively delete any of that data, Apple keeps things secret. Want to access your location history? Google users can navigate to their Timeline and instantly see what Google knows about their location. iPhone users don’t have such a luxury. The only way to access historic geolocation data is to use Elcomsoft Phone Breaker to download the “Apple Maps” category and then view the data in Elcomsoft Phone Viewer. Routes, places, favorites and searches are available.
This time, we didn’t “break” or “hack” anything. You still need the user’s iCloud/Apple ID authentication credentials to access iCloud data, be it the login/password or an authentication token extracted from the user’s computer.
