Elcomsoft Phone Breaker 6.0 Gets Deleted Photos from iCloud Photo Library, Decrypts FileVault 2, Extracts Apple ID Passwords


Dear Friends,

This announcement will be quite unusual. We were working on a routine update, getting ready to push version 6.0 of our mobile forensic tool, Elcomsoft Phone Breaker (EPB). We wanted to add the ability to download photos from Apple's iCloud Photo Library, and researched the Library's API.

What we discovered was quite a shock. As many of you know, Apple keeps photos that users delete from iCloud Photo Library for some 30 days, just in case the user changes their mind (or if somebody else needs those photos). What you probably did not know (we certainly didn't!) is that Apple continues holding on to those images way past the advertised 30-day cooling-off period.

Why does that happen, and how does it work? Technically, the pictures you delete from iCloud Photo Library are moved to a dedicated album called 'Recently Deleted'. The photos stay there for 30 days, after which they disappear from the album. We found that this is not the end of it. While the user cannot see those pictures (not from their iPhone, not from their Mac, and not via icloud.com), the supposedly deleted photos are still stored on Apple servers.

Here comes the big announcement: in Elcomsoft Phone Breaker 6.0, we've been able to discover photos that were deleted from iCloud Photo Library more than 30 days ago, and successfully extract them. The oldest image we have extracted so far was deleted over 6 months ago, which is way past the advertised 30-day period. Why Apple does it, and whether this is a bug or a feature to make the life of hard-working policemen easier, we don't know.


We've also updated Elcomsoft Phone Viewer (EPV) to support viewing downloaded photo streams.

Instant Access to FileVault 2

Brute-forcing your way into a crypto container protected with a 256-bit XTS-AES key is a dead end. While you can brute-force user passwords to get your way in, this is not always easy and definitely not instant. In today's release, we're making it possible to decrypt FileVault 2 volumes without brute-forcing anything.

FileVault 2 creates a Recovery Key to allow users to decrypt their files if they forget their password or move the disk to a different computer. If the user logs in with their Apple ID credentials (as opposed to using a local account), OS X will offer to back up this key into iCloud. While it may be possible to make use of that key when mounting the encrypted volume in OS X (considering that not all languages and regions are serviced by AppleCare or iCloud), the mechanism is unclear and not documented. Apple does not offer a way for the end user to view this key, or to extract it from iCloud.

In Elcomsoft Phone Breaker 6.0, we can pull FileVault 2 recovery keys from iCloud, and use these keys to decrypt FileVault 2 containers. For that to work, you'll need the disk image in DMG, DD or EnCase format.

Of course, you'll need to be able to log in to iCloud using the correct Apple ID/password or authentication token. Good news: we can get them for you!

Extracting Apple ID Password or Authentication Token

If you have access to a password-protected iOS backup, or if you can make one, Elcomsoft Phone Breaker 6.0 can extract the user's Apple ID password from that backup. The password is routinely cached by the Safari browser, while Apple iTunes and the App Store may keep an authentication token that can be used for logging in to iCloud instead of the password. Elcomsoft Phone Breaker 6.0 automatically scans all those sources to extract the user's Apple ID password and/or authentication token.

In addition to the Apple ID password, we added the ability to see passwords stored in the browser, passwords to email accounts, as well as passwords and tokens to social network accounts, gaming portals and instant messaging applications.

Did you buy the tool already? Download the update free of charge! Still sitting on the fence? A free evaluation download is available!


Read the complete press release in PDF format: English, German, Russian.

Read the article 'iCloud Photo Library: All Your Photos Are Belong to Us' on our blog.

Sincerely yours,
ElcomSoft team

