Elcomsoft Phone Breaker 6.50 Extracts Deleted Notes from iCloud

Elcomsoft Phone Breaker 6.50 adds the ability to extract deleted notes from iCloud and fixes the issue of accessing iCloud backups. The built-in Notes app syncs records with iCloud. Once a note is deleted, it’s supposed to be gone from the Recently Deleted folder in 30 days. However, the notes are retained in the cloud even after the 30-day period, making it possible for Elcomsoft Phone Breaker to extract. Elcomsoft Phone Viewer is also updated to support filtering existing and deleted notes.

Elcomsoft Phone Breaker 6.50 enables support for extracting deleted notes from the user’s iCloud account and fixes the issue of accessing iCloud backups that appeared two days ago after Apple has implemented additional security checks. Users of iOS and macOS devices are getting the Nchecksotes app pre-installed. Once the device signs in to the user’s Apple account, the Notes app starts automatically syncing notes across devices registered with the same Apple ID.

Fixing Access to iCloud Backups

Two days ago, Apple has implemented additional security checks that broke the ability for third-party tools to access iCloud backups. The extra security checks now occur past authentication stage; the ability to download iCloud synced data was uaffected. In this release, we fixed the ability to access iCloud backups protected with the additional security checks.

Additional information about the issue is available in our blog:

Extracting Deleted Notes

Synchronizing notes across devices is standard practice. Note taking apps such as Evernote, Google Keep, Microsoft OneNote and open-source Simplenote all feature cross-device, cross-platform synchronization. Apple follows the trend with its Notes app, although Apple’s note taking solution is exclusively available on its own platform.

Similar to other types of data such as phone calls, contacts, Safari tabs, browsing history, favorites and photos, Apple synchronizes newly created, edited and deleted notes. Once a synced note is deleted, it is first being transferred into the “Recently Deleted” folder, and can be viewed or recovered during the 30-day period. After the 30-day period has passed (or if the user cleans up the “Recently Deleted” folder manually), the note is (supposedly) permanently deleted.

The particular implementation of cloud sync employed by Apple note taking app apparently shares the same flaw as Apple’s other types of synced data. Similar to our previous findings, we discovered that Apple fails to delete notes from iCloud in timely manner. The notes are retained in the user’s iCloud account way past the 30-day period. On some accounts, we discovered deleted notes going back to 2015. Apple does not offer a way for the user to access those records, or even learn they are still there.

Elcomsoft Phone Breaker 6.50 now offers experts the ability to extract notes from iCloud that were deleted a long time ago. Elcomsoft Phone Viewer is also updated to enable filters allowing to distinguish between existing and deleted notes.

See also