Feeds

Off-the-shelf forensics tool slurps iPhone data via iCloud

Cops don't need your actual phone any more

SANS - Survey on application security programs

ElcomSoft has updated its mobile forensics software to include the ability to retrieve online backups from Apple iCloud storage.

The enhancement to Elcomsoft Phone Password Breaker adds the capability to retrieve user data associated with iPhones from Apple's iCloud online backup service. Backups to multiple devices registered with the same Apple ID can be retrieved using the technology, providing investigators has access to a user's original Apple ID and password.

The approach means that investigators need not have physical access to Jesus phones in order to recover unencrypted copies of data they hold.

Elcomsoft Phone Password Breaker launched with the ability to retrieve user content from password-protected backups created on Apple iPhones and BlackBerry smartphones. The password breaker only facilitated the recovery of passwords protecting offline backups not data held in the cloud.

Access to data stored in iCloud online backup service is of interest to forensic investigators, not least because the facility has been used by millions of fanbois for data backup and device synchronisation since its introduction last June. Apple's iCloud online backup service offers an alternative (or additional safety net) to backing up device data locally onto computers using iTunes.

iCloud backups offer a near real-time copy of information stored on iPhones including emails, call logs, text messages and website visits. iCloud backups are incremental. When set up to use the iCloud service, iPhones automatically connect to iCloud network and backup their content every time a docked device gets within reach of a Wi-Fi access point.

"While other methods require the presence of the actual iPhone device being analyzed or at least an access to device backups this is not the case with iCloud," ElcomSoft chief exec Vladimir Katalov explained. "With a valid Apple ID and a password, investigators can not only retrieve backups to seized devices, but access that information in real-time while the phone is still in the hands of a suspect."

The technology is marketed to computer forensics consultants, law enforcement and intelligence organisations. Investigators using the technology still need iCloud login credentials, which can't be obtained with Elcomsoft Phone Password Breaker alone. Logging into iCloud requires an Apple ID and password.

This password, if not already known, can be acquired from an offline backup produced with Apple iTunes, and "used by investigators to watch suspects' activities by monitoring changes to their online iCloud backups," Elcomsoft explains.

"If investigators don't have Apple ID and password, they can always try to get them and there are plenty of scenarios (both more and less sophisticated) to do so," Elcomsoft spokeswoman Olga Koksharova told El Reg. "Getting Apple ID credentials may be a challenge, however there are numerous ways and places to find them or their traces on all iCloud devices registered to the same Apple ID."

"Investigators can try to get physical access to a left alone Apple gadget (including laptops) and search it (e.g. its FileVault, which can take less than a minute if it's unlocked), or take a physical image of one of i-devices (e.g. there is EIFT to acquire iPhone contents within 20 minutes or so), or search any other private/corporate stationary PC/Mac because the credentials can also be cached in web browser when the suspect tried to enter iCloud from the web browser, or social engineer at least," she added.

However they eventually manage to get iCloud login credentials, investigators are subsequently relieved of the need to crack backup encryption passwords. The data is smoothly downloaded directly onto their computers from Apple remote storage facilities in plain, unencrypted form.

A blog post by Elcomsoft explaining how the technology works can be found here. ®

High performance access to file storage

More from The Register

next story
Parent gabfest Mumsnet hit by SSL bug: My heart bleeds, grins hacker
Natter-board tells middle-class Britain to purée its passwords
Obama allows NSA to exploit 0-days: report
If the spooks say they need it, they get it
Mounties always get their man: Heartbleed 'hacker', 19, CUFFED
Canadian teen accused of raiding tax computers using OpenSSL bug
Samsung Galaxy S5 fingerprint scanner hacked in just 4 DAYS
Sammy's newbie cooked slower than iPhone, also costs more to build
Snowden-inspired crypto-email service Lavaboom launches
German service pays tribute to Lavabit
One year on: diplomatic fail as Chinese APT gangs get back to work
Mandiant says past 12 months shows Beijing won't call off its hackers
Call of Duty 'fragged using OpenSSL's Heartbleed exploit'
So it begins ... or maybe not, says one analyst
prev story

Whitepapers

Top three mobile application threats
Learn about three of the top mobile application security threats facing businesses today and recommendations on how to mitigate the risk.
Combat fraud and increase customer satisfaction
Based on their experience using HP ArcSight Enterprise Security Manager for IT security operations, Finansbank moved to HP ArcSight ESM for fraud management.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Five 3D headsets to be won!
We were so impressed by the Durovis Dive headset we’ve asked the company to give some away to Reg readers.
SANS - Survey on application security programs
In this whitepaper learn about the state of application security programs and practices of 488 surveyed respondents, and discover how mature and effective these programs are.