
Pulling data from iCloud backups

ForensicMeteor
(@forensicmeteor)
Posts: 60
Trusted Member
Topic starter
 

I am well versed in pulling data from local iTunes backups, but how would I go about pulling data from iCloud backups? The only thing I've come up with is to sign in to the Apple ID on a device (provided I have the credentials), restore from the iCloud backup, and then perform a file system extraction.

Is there a better way? We have Cellebrite 4 PC and Oxygen.

 
Posted : 16/06/2015 8:50 pm
(@marius1512)
Posts: 4
New Member
 

Try Elcomsoft Phone Breaker or this one https://github.com/hackappcom/iloot

regards

 
Posted : 16/06/2015 11:53 pm
(@twjolson)
Posts: 417
Honorable Member
 

Pretty much every cell phone tool supports iCloud backups from Apple. When I get a search warrant return from Apple, I run it through Cellebrite, Lantern, and Oxygen.

But, you can review the data manually if you wish. It's all databases, PLists, and such. Nothing too scary.

 
Posted : 17/06/2015 12:42 am
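
As an added illustration of the manual review mentioned in the post above (not code from any poster or from the tools named in this thread): a small Python triage that identifies SQLite databases and plists in an extracted backup folder by content rather than by file name, then lists tables with row counts and top-level plist keys. The sample folder, file names and keys are constructed for the example.

```python
import plistlib, sqlite3, tempfile
from pathlib import Path

SQLITE_MAGIC = b"SQLite format 3\x00"  # 16-byte header of every SQLite file

def inspect_file(path):
    """Return (kind, summary) for one file, decided by content, not name."""
    path = Path(path)
    with path.open("rb") as fh:
        head = fh.read(16)
    if head == SQLITE_MAGIC:
        # Open read-only so the evidence file is never modified.
        con = sqlite3.connect(path.resolve().as_uri() + "?mode=ro", uri=True)
        try:
            names = [r[0] for r in con.execute(
                "SELECT name FROM sqlite_master WHERE type='table' ORDER BY name")]
            return "sqlite", {n: con.execute(
                'SELECT COUNT(*) FROM "%s"' % n.replace('"', '""')).fetchone()[0]
                for n in names}
        finally:
            con.close()
    try:
        with path.open("rb") as fh:
            data = plistlib.load(fh)  # handles both binary and XML plists
    except Exception:
        return "other", None
    return "plist", sorted(data) if isinstance(data, dict) else type(data).__name__

def triage(root):
    """Map each file's relative path to its (kind, summary)."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): inspect_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}

def build_sample(root):
    """Constructed stand-in for an extracted backup folder (names are made up)."""
    root = Path(root)
    con = sqlite3.connect(root / "3d0d7e5f")
    con.execute("CREATE TABLE message (id INTEGER PRIMARY KEY, text TEXT)")
    con.executemany("INSERT INTO message (text) VALUES (?)", [("hi",), ("bye",)])
    con.commit(); con.close()
    (root / "settings.plist").write_bytes(plistlib.dumps(
        {"name": "sample", "version": "0.0"}, fmt=plistlib.FMT_BINARY))
    (root / "notes.txt").write_text("not a database or plist")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        build_sample(d)
        for name, (kind, summary) in triage(d).items():
            print(f"{name}: {kind} {summary}")
```

Run it against a working copy of the extracted data, never the original evidence.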
ForensicMeteor
(@forensicmeteor)
Posts: 60
Trusted Member
Topic starter
 

What feature of Cellebrite are you using to communicate with iCloud in order to download the data?

 
Posted : 17/06/2015 3:53 am
UnallocatedClusters
(@unallocatedclusters)
Posts: 577
Honorable Member
 

I have successfully used and own

1) Elcomsoft's Phone Breaker (https://www.elcomsoft.com/eppb.html)

2) Reincubate's iPhone Backup Extractor Pro (http://www.iphonebackupextractor.com/)

I have personally found Elcomsoft to be extremely responsive from a customer support standpoint when I needed help.

Reincubate's tool has reporting features that Elcomsoft's tool does not, whereas Phone Breaker has password cracking, Blackberry handling, and other features that iPhone Backup Extractor Pro does not.

If you only require the iCloud mobile backup download feature and nothing else, Reincubate's tool is far less expensive.

If you need to crack through encrypted mobile backups on occasion, then Elcomsoft's tool is your only choice out of the two.

 
Posted : 17/06/2015 7:09 am
(@arcus2005)
Posts: 11
Active Member
 

If you have Passware Kit Forensic, then you can use the iCloud Backup Acquisition under Mobile Forensic to download the files. Then use your tool of choice to analyse the content.

Worked quite well for me in many cases.

 
Posted : 17/06/2015 6:44 pm
(@seanharold)
Posts: 2
New Member
 

> I have successfully used and own
>
> 1) Elcomsoft's Phone Breaker (https://www.elcomsoft.com/eppb.html)
>
> 2) Reincubate's iPhone Backup Extractor Pro (http://www.iphonebackupextractor.com/)
>
> I have personally found Elcomsoft to be extremely responsive from a customer support standpoint when I needed help.
>
> Reincubate's tool has reporting features that Elcomsoft's tool does not, whereas Phone Breaker has password cracking, Blackberry handling, and other features that iPhone Backup Extractor Pro does not.
>
> If you only require the iCloud mobile backup download feature and nothing else, Reincubate's tool is far less expensive.
>
> If you need to crack through encrypted mobile backups on occasion, then Elcomsoft's tool is your only choice out of the two.

Use number 2. That is an awesome, easy-to-use tool.

I recovered over 30k text messages from this using Reincubate's tool (including deleted). I use another tool and barely got anything off of it.

 
Posted : 17/06/2015 9:20 pm
ForensicMeteor
(@forensicmeteor)
Posts: 60
Trusted Member
Topic starter
 

Thanks guys! I only needed the ability to download data from iCloud. I use Cellebrite for analysis. I'll try Reincubate and then Passware Kit Forensic after and see which I like. It is nice that Reincubate is so cheap.

 
Posted : 23/06/2015 3:32 am
(@v-katalov)
Posts: 52
Trusted Member
 

This posting comes from the manufacturers of Elcomsoft Phone Breaker, a tool that was mentioned earlier in the thread.

Reincubate's iPhone Backup Extractor (as well as every tool other than Elcomsoft Phone Breaker) is based on the open-source project iLoot (https://github.com/hackappcom/iloot). We had a look at the code, and discovered it has lots and lots of issues (e.g. it's unable to decrypt certain files from iCloud backups; its download speed is very slow, especially for subsequent downloads). The code doesn't support 2FA methods other than trusted devices, and doesn't support binary authentication tokens.

AFAIK, the upfront purchase cost for Reincubate is $69 (our tool is $199). However, we were contacted by their customer who asked whether or not Elcomsoft Phone Breaker has a limit on the number of iCloud backups/devices that can be recovered because (as the customer stated) "iPhone Backup Extractor had an undocumented limit of 3 backups, at which point one can only keep using that function by paying outrageous additional yearly fees."

 
Posted : 29/06/2015 8:54 pm
ForensicMeteor
(@forensicmeteor)
Posts: 60
Trusted Member
Topic starter
 

> This posting comes from the manufacturers of Elcomsoft Phone Breaker, a tool that was mentioned earlier in the thread.
>
> Reincubate's iPhone Backup Extractor (as well as every tool other than Elcomsoft Phone Breaker) is based on the open-source project iLoot (https://github.com/hackappcom/iloot). We had a look at the code, and discovered it has lots and lots of issues (e.g. it's unable to decrypt certain files from iCloud backups; its download speed is very slow, especially for subsequent downloads). The code doesn't support 2FA methods other than trusted devices, and doesn't support binary authentication tokens.
>
> AFAIK, the upfront purchase cost for Reincubate is $69 (our tool is $199). However, we were contacted by their customer who asked whether or not Elcomsoft Phone Breaker has a limit on the number of iCloud backups/devices that can be recovered because (as the customer stated) "iPhone Backup Extractor had an undocumented limit of 3 backups, at which point one can only keep using that function by paying outrageous additional yearly fees."

I have been researching the different packages Elcomsoft offers. There is the $200 and the $800. Is the $800 package absolutely needed?

 
Posted : 07/07/2015 4:06 am