Elcomsoft Phone Password Breaker
Elcomsoft produces a tool named Phone Password Breaker (EPPB), which is essential for gaining access to PIN-locked cell phones and smartphones during digital forensics. Recently, EPPB was updated to include the ability to access data stored in Apple’s iCloud. As of iOS 5, an iOS device can operate as an independent device and does not require a host Mac or PC for activation, data loading, or backup. All of this can be performed directly through the iOS device, meaning the historically important iTunes backup exists on Apple’s servers. Elcomsoft has recognized this and added the ability to access the iCloud backup through its software. In this article, we walk through the process of gathering an iOS device backup stored on Apple’s iCloud and viewing the data using traditional digital forensic software.
In order for this process to work, one must have the iCloud credentials (Apple ID) of the user, and of course, the authority to perform this process. For this article, we have both. EPPB does not perform any attacks against Apple’s servers to gain iCloud stored data.
To begin, EPPB has a new choice in the File menu for accessing iCloud data. Selecting “Apple - Get backup from iCloud…” opens the new feature.
EPPB Menu to Access iCloud Stored Data
As mentioned, the iCloud credentials must be known. In the following dialog box, EPPB asks the analyst for the Apple ID whose iOS backups stored on iCloud will be accessed.
Entering iCloud Credentials
Once proper credentials have been entered, EPPB contacts iCloud and displays the available iOS device backups for the given Apple ID. For this article, one iPhone has been set to back up to iCloud. If other devices were available, they would be listed here, and the analyst could check each device to be downloaded.
iOS Backups Available for Download for iCloud Account
Click the Download button and the Windows Explorer Save dialog appears. It is suggested that a folder be created specifically to hold the case data being downloaded. Once the location has been chosen, EPPB presents one final option, seen in the dialog box below.
EPPB Download Option
If the data will be analyzed with software that reads native iOS (iTunes) backups, the download should not be converted, and the “No” button should be clicked. This is the option used in this article. If the “Yes” button is clicked, file names are restored to their actual names instead of the format Apple uses during a backup. If no iOS backup analysis software is available, choosing “Yes” may be the best option for viewing the available data. Once this choice is made, the download of the iOS device backups to the selected location begins. Progress is monitored through a dialog box.
EPPB Download Progress of iCloud Backup Data
When all data has been downloaded and placed in the correct folder structure, a success dialog appears as seen below.
EPPB Success in Downloading iCloud Backup
The downloaded data can be seen in Windows Explorer in the same format used by the iTunes “MobileSync/Backup” folder structure. The Explorer window below shows the data obtained from the iCloud download. A separate folder exists for each device downloaded. In this article, only one iPhone was downloaded, so only one backup folder is present. The “.chunks” folder is used for caching by Apple when making the backup and restore. It can safely be deleted, as all current data resides in the full backup folder(s) inside the backup folder you have just downloaded.
iCloud Backup Data obtained thru EPPB
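Because the download keeps the iTunes “MobileSync/Backup” layout, the files carry Apple’s hashed names rather than their original paths. The following added example (not part of the article or of Elcomsoft’s software) reproduces that naming, SHA-1 of the string "Domain-relative/path", and uses it to check which well-known artifacts are present in an unconverted backup folder; the artifact table and the constructed sample folder are assumptions for illustration.

```python
import hashlib
import os
import tempfile

# Well-known artifacts in an iOS backup, keyed by the "Domain-relative/path"
# string that iTunes hashes to produce the on-disk file name (assumed table).
KNOWN_ARTIFACTS = {
    "HomeDomain-Library/SMS/sms.db": "SMS/iMessage database",
    "HomeDomain-Library/AddressBook/AddressBook.sqlitedb": "Contacts",
    "WirelessDomain-Library/CallHistory/call_history.db": "Call history",
}


def backup_file_name(domain: str, relative_path: str) -> str:
    """Hashed name iTunes gives a backed-up file: SHA-1 of "Domain-path".

    This is the naming kept when answering "No" to EPPB's conversion prompt;
    answering "Yes" restores the original path instead.
    """
    return hashlib.sha1(f"{domain}-{relative_path}".encode("utf-8")).hexdigest()


def inventory_backup(backup_dir: str) -> dict:
    """Report which known artifacts exist in an unconverted backup folder.

    Returns {label: (present, hashed_name)} so an analyst can confirm the
    download really is an iTunes-format backup before loading it into a tool.
    """
    report = {}
    for key, label in KNOWN_ARTIFACTS.items():
        domain, rel = key.split("-", 1)
        name = backup_file_name(domain, rel)
        report[label] = (os.path.isfile(os.path.join(backup_dir, name)), name)
    return report


def demo() -> dict:
    """Constructed sample: a backup folder holding only the SMS database."""
    with tempfile.TemporaryDirectory() as backup_dir:
        sms_name = backup_file_name("HomeDomain", "Library/SMS/sms.db")
        open(os.path.join(backup_dir, sms_name), "wb").close()  # empty stand-in
        # ".chunks" is Apple's caching folder; it is not an artifact and is skipped.
        os.mkdir(os.path.join(backup_dir, ".chunks"))
        return inventory_backup(backup_dir)


if __name__ == "__main__":
    for label, (present, name) in demo().items():
        print(f"{'FOUND  ' if present else 'MISSING'} {name}  {label}")
```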
This download was performed through a virtual machine, and I was able to immediately switch to OS X and view the same data. I chose BlackBag Technologies BlackLight as my tool for viewing the data obtained from iCloud. In the following dialog box, I am able to select any one of the six backups available for this device.
iCloud Backup Data as seen thru BlackLight
After the first backup is selected, BlackLight presents its standard “Add Evidence” window and properly recognizes the data as an iOS backup. In the dialog box, I have chosen to process the evidence with all options except the SHA1 and SHA256 calculations (the default settings) and to add the evidence to a case file.
iCloud iOS Specific Backup being Added to BlackLight Case
Once added to BlackLight, which took about 30 seconds, the Case Details page showed an overview of what I had obtained, thanks to Elcomsoft Phone Password Breaker and its new iCloud support.
BlackLight Details Page
The five remaining iPhone backups can each be added to the BlackLight case for comparison and analysis. iOS device backups can contain a wealth of information about the historical use of the device, including old SMS data, previous voicemail, old apps and their related data, location data, and more.
We would like to thank Elcomsoft for supplying us with EPPB for this article, along with their support in teaching the community about the product and the data available for Apple digital forensics.