Current state of iCloud Backup Collections

ZeroOneZero
(@zeroonezero)
New Member

Has anyone else experienced difficulties pulling backups from iCloud?

I use Elcomsoft Phone Breaker and Cellebrite Cloud Analyzer. Both have provided little to no solution to the latest security measures implemented by Apple to iCloud.

Is this limited to backups created after iOS 11? Can we share what we know here?

Elcomsoft goes as far as to say that if we log into an account with 2FA enabled that we have accessed in the past, it will be unable to send a new code to the device to access again.

Are iCloud collections a thing of the past? Usually, tools are able to keep up with iCloud updates. This time, for the past month or so, it seems they are stumped.

Topic starter Posted : 25/09/2018 8:59 pm
macuser
(@macuser)
New Member

I've tested EPPB Forensic 8.32 today, downloading backups works without 2FA for 11.4.1. I cannot find accounts in my list with iOS 12.

Posted : 25/09/2018 9:52 pm
ZeroOneZero
(@zeroonezero)
New Member

Unfortunately, some accounts will not allow 2FA to be disabled.

Apple: You can't turn off two-factor authentication for some accounts created in iOS 10.3 or macOS Sierra 10.12.4 and later. If you created your Apple ID in an earlier version of iOS or macOS, you can turn off two-factor authentication.

Topic starter Posted : 25/09/2018 10:15 pm
macuser
(@macuser)
New Member

The biggest problem for me is FMi now. I had a suspect's iPhone, made an iTunes copy, after that tried to install a jailbreak (needed for the iOS Forensic tool by Elcomsoft) and connected to Wi-Fi. *Big fail+facepalm* Five seconds later it was erased by an unknown person using apple.com/find. So, all Telegram and other data were lost. So, checking FMi status is needed every time; a suspect's friends can zero all of your work.

Posted : 25/09/2018 10:40 pm
benfindlay
(@benfindlay)
Active Member

I happened to have cause to do an acquisition from an iCloud account yesterday for a civil matter (that's by the by). I thought I'd share my experiences here in case it's of any help to anyone…

The original device in question was 'bricked' so the last known good iCloud sync was all that was available.

I used one of the 'industry standard' forensic tools and got some basic stuff, but not the actual backups. Because of this I ended up resorting to using a 'non-standard' tool to download the data.

Looking at the last syncs, the device is/was running iOS 11.2.6 and was last backed up on the 18th September 2018. Two backups were present, one very small and the other much larger (in the order of 50MB and 2GB respectively).

The account had 2FA, which meant another device connected to the same account was required to gain access. This process was successful, and without any significant incident (other than the office Wi-Fi dropping out very inconveniently - inopportune, but purely coincidental).

What's interesting is that the forensic tool saw the backups, but only captured the manifest file and the 'live' iCloud data, but none of the actual backup content.

Needless to say I'll be contacting the forensic tool provider separately about this so they can fix things (assuming of course it wasn't me that was doing it wrong!).

Hope this helps,

Ben

Posted : 26/09/2018 7:57 am
naspter
(@naspter)
New Member

We are also facing the same issue.

Posted : 26/09/2018 1:22 pm
ZeroOneZero
(@zeroonezero)
New Member

Cellebrite's latest release notes for Cloud Analyzer state:

"We are working on all iCloud-related authentication challenges to deliver the most extensive and reliable experience. Stay tuned for updates."

When running Elcomsoft Phone Breaker, the program advises you that backups of devices running anything below iOS 11.0 should be fine but anything beyond that requires 2FA to be deactivated. Fun fact: Apple no longer allows 2FA to be disabled. The latest version of Elcomsoft is 8.32. Elcomsoft also mentions that sending 2FA codes might not be possible if you have signed into the same iCloud account through Elcomsoft or iCloud for Windows previously on that computer. I have not tested this, yet.

I recently downloaded a few backups from an iCloud account. The devices running iOS 10 were fine and I was able to pull the entire backup. The backups from iOS 11 downloaded some files - manifest, info plist, etc. No user data.

Two options in the interim. Using a clean iPhone, sign into the user's iCloud account and pull the backup to the phone. Extract the data from the phone using the tool of your choice and parse.

OR

Have the client purchase an external HDD. Walk them through creating a local iTunes backup through their local computer and point it to the external drive or create an image via FTK Imager from their default iTunes folder to the external HDD. Then, the client ships that external HDD to you for parsing in your preferred tool.

I have written to Elcomsoft and Cellebrite with little help. No response from Elcomsoft and "we are working on it" from Cellebrite.

Topic starter Posted : 26/09/2018 8:20 pm
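A check that follows from the symptom described in this thread (manifest and plists delivered, no user data), as an added example that is not from the thread or from any of the tools named: given a backup folder in iTunes format, it reads Info.plist and Manifest.plist, then compares the regular-file rows in Manifest.db against the payload files actually on disk. It assumes the iOS 10+ backup layout (Manifest.db `Files` table with `fileID`/`flags`, payloads stored under `<first two hex chars of fileID>/<fileID>`); `build_sample_backup` and `demo` are constructed fixtures so it runs offline, and an encrypted backup is reported as metadata-only rather than parsed.

```python
import os
import plistlib
import sqlite3
import tempfile

FLAG_FILE = 1  # flags value of a regular-file row in Manifest.db's Files table

def check_backup(backup_dir):
    """Summarise what an iTunes-format backup folder actually contains."""
    with open(os.path.join(backup_dir, "Info.plist"), "rb") as fh:
        info = plistlib.load(fh)
    with open(os.path.join(backup_dir, "Manifest.plist"), "rb") as fh:
        manifest = plistlib.load(fh)
    summary = {"ios_version": info.get("Product Version"),
               "encrypted": bool(manifest.get("IsEncrypted", False)),
               "files_expected": None, "files_present": None}
    if summary["encrypted"]:
        # Manifest.db of an encrypted (iOS 10.2+) backup is itself encrypted, so
        # without the backup password only the plist metadata can be reported.
        return summary
    with sqlite3.connect(os.path.join(backup_dir, "Manifest.db")) as con:
        ids = [r[0] for r in con.execute("SELECT fileID FROM Files WHERE flags = ?", (FLAG_FILE,))]
    # Each payload is stored at <backup>/<first two hex chars of fileID>/<fileID>.
    summary["files_expected"] = len(ids)
    summary["files_present"] = sum(os.path.isfile(os.path.join(backup_dir, i[:2], i)) for i in ids)
    return summary

def build_sample_backup(backup_dir, names, present, encrypted=False):
    """Constructed sample: a minimal backup whose manifest lists more files than were delivered."""
    with open(os.path.join(backup_dir, "Info.plist"), "wb") as fh:
        plistlib.dump({"Product Version": "11.2.6"}, fh)
    with open(os.path.join(backup_dir, "Manifest.plist"), "wb") as fh:
        plistlib.dump({"IsEncrypted": encrypted, "Version": "10.0"}, fh)
    with sqlite3.connect(os.path.join(backup_dir, "Manifest.db")) as con:
        con.execute("CREATE TABLE Files (fileID TEXT PRIMARY KEY, domain TEXT, "
                    "relativePath TEXT, flags INTEGER, file BLOB)")
        for n, name in enumerate(names):
            file_id = "%040x" % (n + 1)  # fake 40-hex-char id standing in for the real SHA-1
            con.execute("INSERT INTO Files VALUES (?, 'HomeDomain', ?, ?, NULL)", (file_id, name, FLAG_FILE))
            if name in present:
                os.makedirs(os.path.join(backup_dir, file_id[:2]), exist_ok=True)
                with open(os.path.join(backup_dir, file_id[:2], file_id), "wb") as fh:
                    fh.write(b"constructed payload")

def demo(encrypted=False):
    """Three files listed in the manifest, only sms.db actually delivered."""
    d = tempfile.mkdtemp()
    build_sample_backup(d, ["Library/SMS/sms.db", "Library/Notes/notes.sqlite",
                            "Library/Calendar/Calendar.sqlitedb"], {"Library/SMS/sms.db"}, encrypted)
    return check_backup(d)
```

A real acquisition that came back with `files_present` far below `files_expected` matches the partial pulls reported above; point `check_backup` at the backup folder a tool produced to see this before parsing.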
benfindlay
(@benfindlay)
Active Member

Two options in the interim. Using a clean iPhone, sign into the user's iCloud account and pull the backup to the phone. Extract the data from the phone using the tool of your choice and parse.

OR

Have the client purchase an external HDD. Walk them through creating a local iTunes backup through their local computer and point it to the external drive or create an image via FTK Imager from their default iTunes folder to the external HDD. Then, the client ships that external HDD to you for parsing in your preferred tool.

2 sensible options!

A third option for consideration - carefully use a specialist but "non-forensic" tool which allows access to manage iCloud data.

I say carefully because the tool I used within the last few days to do this gave me access to the full iCloud backup data, but obviously has the facility to delete data from the account remotely. Basically you just need to avoid certain buttons!

Also, any news from Magnet regarding AXIOM's cloud capabilities on this front?

Cheers,

Ben

Posted : 26/09/2018 8:25 pm
ZeroOneZero
(@zeroonezero)
New Member

Also, any news from Magnet regarding AXIOM's cloud capabilities on this front?

From Magnet's release notes

"You can acquire iCloud backups from accounts that have two-factor authentication for iOS versions 11.1 and lower"

and under known issues

"If you attempt to acquire iCloud backups that have two-factor authentication, AXIOM Process fails to acquire the image."

Topic starter Posted : 26/09/2018 10:13 pm
benfindlay
(@benfindlay)
Active Member

Also, any news from Magnet regarding AXIOM's cloud capabilities on this front?

From Magnet's release notes

"You can acquire iCloud backups from accounts that have two-factor authentication for iOS versions 11.1 and lower"

and under known issues

"If you attempt to acquire iCloud backups that have two-factor authentication, AXIOM Process fails to acquire the image."

Thanks for that - I totally missed it.

It's weird that AXIOM, Cellebrite and Elcomsoft's capabilities are all currently not working, but some of the commercial (i.e. "non-forensic") third-party iCloud management utilities are working fine.

I wonder what's going on there…

Posted : 27/09/2018 8:24 am
ZeroOneZero
(@zeroonezero)
New Member

It's weird that AXIOM, Cellebrite and Elcomsoft's capabilities are all currently not working, but some of the commercial (i.e. "non-forensic") third-party iCloud management utilities are working fine.

I wonder what's going on there…

Perhaps it is due to the way the forensic programs interact with iCloud. Can you provide a few utilities that allow for the exporting of iCloud backups?

Topic starter Posted : 27/09/2018 10:01 pm
mcman
(@mcman)
Active Member

Also, any news from Magnet regarding AXIOM's cloud capabilities on this front?

Long story short, Apple broke the cloud connection for all tools as mentioned. We fixed it in AXIOM 2.4 for all except accounts with 2FA. We fixed the 2FA in AXIOM 2.5 but then Apple made another change that broke it again for us (and other tools).

Isn't really anything new, just like apps change, the APIs and methods tools use to access the cloud data can change on a whim so it's a bit of a cat and mouse game. Should affect all tools that I know of. I'd be curious as to which other tools weren't impacted and what methods they use. Feel free to reach out directly if you have any questions.

Jamie McQuaid
Magnet Forensics

Posted : 01/10/2018 2:10 am
benfindlay
(@benfindlay)
Active Member

Perhaps it is due to the way the forensic programs interact with iCloud. Can you provide a few utilities that allow for the exporting of iCloud backups?

Sure - I've had some PMs about this too, but thought it best to share publicly.

I've recently tested AnyTrans, from imobie (available from https://www.imobie.com/anytrans/ ) and found it currently works.

There are a number of other tools I've used previously, such as dr.fone (available from https://drfone.wondershare.com/iphone-data-recovery.html ) although I've not tested this one recently.

Again, these aren't "forensic" so use with caution. The AnyTrans tool for example lets you delete the backups, so be careful which buttons you click! They are intended for management of your own accounts/commercially owned devices etc.

These tools typically have 'business' licensing options available to allow use for non-personal purposes, which should satisfy any procurement rules anyone might have to obey.

And of course, I would strongly recommend testing first on a dummy account before using 'in anger'!

Ben

Posted : 05/10/2018 6:18 pm