Monthly Archives: October 2018

What Grounds Are Broken in the Process of Data Recovery Now

In order to extract data from the iPhone, you must at least have access to the iPhone itself. Is it necessary or not necessarily? Indeed, a few years ago, it was possible to extract information from a smartphone only with the device in hand. The emergence of “cloud” services has led to a gradual shift of focus towards remote retrieval methods, and the emergence of embedded data synchronization mechanisms through the “cloud” further enhances the attractiveness of remote retrieval.

What methods of remote data extraction from iPhones and iPads are available to the modern forensic expert? Let’s try to figure it out.

Backups to iCloud

Cloud backups are nothing new. They appeared in iOS in the eighth version. It was in iOS 8 that the iPhone and iPad introduced a convenient automatic mechanism for creating and restoring backups, working through the iCloud “cloud”. A year later, this mechanism was reworked. In iOS 9, cloud-based backups migrated from iCloud to iCloud Drive, which led to a number of important consequences. One of these consequences was the change in the validity of binary authentication tokens (about them – in a separate article), which are no longer “burned out” in a matter of hours, but remain valid for a long time. The best in cloud solutions are there as well now.

  • In the “cloud” backup contains almost complete information about the device from the list of installed applications and their data and ending with calls and SMS-messages of the user. Information from the “cloud” can be downloaded using Phone Breaker. Access will require user credentials (Apple ID login and password, as well as a one-time password if two-factor authentication is enabled). An alternate authentication method is a binary authentication token that can be extracted from the user’s computer. Using the authentication token allows you to bypass both the password and additional protection using the two-factor authentication method.
  • The weak point of cloud backups from an expert’s point of view is episodic: Backups are created and updated no more than once a day when a number of conditions coincide (the phone is charging, the screen is locked, the device is connected to a known Wi-Fi network). Of course, the user can create a backup copy manually, but usually it is not necessary to rely on this during investigative actions. If you need access to relevant information, the iOS data synchronization mechanism comes to the rescue.

Synchronized data and why it matters

So, with the “cloud” backup sorted out. They contain fairly complete information about the device minus the data from the keychain (encrypted with the device key, recovered only on the same phone) and some other types of data (for example, e-mail messages). At the same time, for various reasons, the current backup is not always available. In cases where you need the latest information about the user’s actions, his current contacts, calls, notes or the history of open web pages, a synchronization mechanism comes to the rescue.