Cloud Acquisition via Apple iCloud and Microsoft Account
Cloud acquisition is a highly effective way of retrieving up-to-date information backed up or synced by modern smartphones with their respective cloud services. Elcomsoft Phone Breaker supports the extraction of cloud backups and synced data from Apple iCloud and Microsoft Account, enabling remote acquisition of iPhone and iPad devices as well as Windows devices, Skype and other Microsoft software.
Online backups and synchronized data can be acquired by forensic specialists without having the original iOS device in hands. All that’s needed to access online data stored in the cloud service are the original user’s authentication credentials including the second authentication factor.
End-to-End Encryption in iCloud
Elcomsoft Phone Breaker enables access to iCloud data with end-to-end encryption. Protected categories include iCloud Keychain, iCloud Messages, Health, Screen Time and Maps data. Accessing end-to-end encrypted data requires the user's full authentication credentials including second authentication factor, as well as a system password or screen lock password to one of the user's devices.
Elcomsoft Phone Breaker is the only tool on the market to access, extract and decrypt iCloud Keychain, Apple's cloud-based system for storing and syncing passwords, credit card data and other highly sensitive information across devices. As opposed to authorizing a new Apple device, Elcomsoft Phone Breaker does not become part of the circle of trust and does not require a middleware device, thus offering truly forensic extraction of protected records.
Screen Time Passcode
The Screen Time passcode is an optional feature in iOS 12/13/14 and newer versions that can be used to secure the Content & Privacy Restrictions. Once the password is set, iOS will prompt for the Screen Time passcode if an expert attempts to reset the device backup password (iTunes backup password) in addition to the screen lock passcode. As a result, experts will require two passcodes in order to reset the backup password: the device screen lock passcode and the Screen Time passcode. Since the 4-digit Screen Time passcode is separate to the device lock passcode (the one that is used when locking and unlocking the device), it becomes an extra security layer effectively blocking logical acquisition attempts.
By extracting and analyzing Screen Time information, experts can extract Screen Time passwords,
thus gaining the ability to remove Screen Time protection and/or to reset the password protecting local (iTunes) backups. This in turn makes logical acquisition easily possible.
iCloud Messages and Health Data
Apple supports Health and Messages sync through iCloud. Elcomsoft Phone Breaker is the first tool on the market to extract and decrypt messages from iCloud complete with attachments, extract and decrypt Health data. To access Health and Messages, the login and password to the user's Apple Account, one-time code to pass Two-Factor Authentication and a screen lock password or system password for one of the already enrolled devices are required.
Extract Skype Conversations, OneDrive and Vault Files, and Windows 10 Timeline
The tool allows downloading of Skype conversation histories, files, contact lists and metadata directly from the user's Microsoft account. Individual and group chats, text messages and attachments are extracted. The downloading of the entire conversation of an average Skype history only takes minutes!
For deleted chats and messages as well as for files purged from Skype servers after the 30-day retention period, Elcomsoft Phone Breaker can obtain metadata such as the date and time the file was deleted, the file's name and size, sender's Skype ID and the name of the chat.
The tool can download files from the user's OneDrive. The downloaded files include the content of OneDrive Vault, which is a protected cloud storage for keeping the most sensitive kinds of information. In addition, the tool can obtain metadata for files that have been recently deleted from OneDrive.
Windows Timeline enhances Task View to display the currently running apps and past activities. The Timeline contains historical information about the user’s launched applications, searches, documents and Web browsing history. Along with Windows jumplists, the feature is little known and rarely disabled, giving a valuable insight into the history of system’s usage.
Elcomsoft Phone Breaker can now download Windows 10 Timeline data synchronized to the user's Microsoft account, enabling experts’ access to timestamped information about the app usage, searches and opened Web pages.
Access iCloud without Login and Password
If the user’s Apple ID and password are not available, Elcomsoft Phone Breaker may be able to use a different method for authenticating into iCloud.
First, it can use a binary authentication token to access limited sets of synchronized data. The use of authentication tokens allows bypassing two-factor authentication even if no access to the second authentication factor is available.
The second method offers unrestricted access to everything stored in the user's iCloud account including end-to-end encrypted data. Instead of using the login and password, you can authenticate to iCloud with the user’s trusted iOS device. By using a trusted device, experts benefit from unrestricted access to all kinds of information stored in the user’s iCloud account including the iPhone backups and end-to-end encrypted data. The trusted device must be unlocked and compatible with a jailbreak or the included agent app.