Current state of iCloud Backup Collections

(@zeroonezero)
Posts: 16
Active Member
Topic starter
 

Has anyone else experienced difficulties pulling backups from iCloud?

I use Elcomsoft Phone Breaker and Cellebrite Cloud Analyzer. Both have provided little to no solution to the latest security measures implemented by Apple to iCloud.

Is this limited to backups created after iOS 11? Can we share what we know here?

Elcomsoft goes as far as to say that if we log into an account with 2FA enabled that we have accessed in the past, it will be unable to send a new code to the device to access again.

Are iCloud collections a thing of the past? Usually, tools are able to keep up with iCloud updates. This time, for the past month or so, it seems they are stumped.

 
Posted : 25/09/2018 7:59 pm
(@macuser)
Posts: 2
New Member
 

I've tested EPPB Forensic 8.32 today, downloading backups works without 2FA for 11.4.1. I cannot find accounts in my list with iOS 12.

 
Posted : 25/09/2018 8:52 pm
(@zeroonezero)
Posts: 16
Active Member
Topic starter
 

Unfortunately, some accounts will not allow 2FA to be disabled.

Apple: "You can't turn off two-factor authentication for some accounts created in iOS 10.3 or macOS Sierra 10.12.4 and later. If you created your Apple ID in an earlier version of iOS or macOS, you can turn off two-factor authentication."

 
Posted : 25/09/2018 9:15 pm
(@macuser)
Posts: 2
New Member
 

The biggest problem for me is FMi now. I had a suspect's iPhone, made an iTunes copy, after that tried to install a jailbreak (needed for the iOS Forensic Toolkit by Elcomsoft) and connected Wi-Fi. *Big fail + facepalm* 5 seconds and it was erased by an unknown person using apple.com/find. So, all Telegram and other data were lost. So, checking FMi status is needed every time; the suspect's friends can zero all of your work.

 
Posted : 25/09/2018 9:40 pm
benfindlay
(@benfindlay)
Posts: 142
Estimable Member
 

I happened to have cause to do an acquisition from an iCloud account yesterday for a civil matter (that's by the by). I thought I'd share my experiences here in case it's of any help to anyone…

The original device in question was 'bricked' so the last known good iCloud sync was all that was available.

I used one of the 'industry standard' forensic tools and got some basic stuff, but not the actual backups. Because of this I ended up resorting to using a 'non-standard' tool to download the data.

Looking at the last syncs, the device is/was running iOS 11.2.6 and was last backed up on the 18th September 2018. 2 backups were present, one very small and the other much larger (in the order of 50MB and 2GB respectively).

The account had 2FA, which meant another device connected to the same account was required to gain access. This process was successful, and without any significant incident (other than the office Wi-Fi dropping out very inconveniently - inopportune, but purely coincidental).

What's interesting is that the forensic tool saw the backups, but only captured the manifest file and the 'live' iCloud data, but none of the actual backup content.

Needless to say I'll be contacting the forensic tool provider separately about this so they can fix things (assuming of course it wasn't me that was doing it wrong!).

Hope this helps,

Ben

 
Posted : 26/09/2018 6:57 am
(@naspter)
Posts: 1
New Member
 

We are also facing the same issue.

 
Posted : 26/09/2018 12:22 pm
(@zeroonezero)
Posts: 16
Active Member
Topic starter
 

Cellebrite's latest release notes for Cloud Analyzer state:

"We are working on all iCloud-related authentication challenges to deliver the most extensive and reliable experience. Stay tuned for updates."

When running Elcomsoft Phone Breaker, the program advises you that backups of devices running anything below iOS 11.0 should be fine but anything beyond that requires 2FA to be deactivated. Fun fact: Apple no longer allows 2FA to be disabled. The latest version of Elcomsoft is 8.32. Elcomsoft also mentions that sending 2FA codes might not be possible if you have signed into the same iCloud account through Elcomsoft or iCloud for Windows previously on that computer. I have not tested this, yet.

I recently downloaded a few backups from an iCloud account. The devices running iOS 10 were fine and I was able to pull the entire backup. The backups from iOS 11 downloaded some files - manifest, info plist, etc. No user data.

Two options in the interim. Using a clean iPhone, sign into the user's iCloud account and pull the backup to the phone. Extract the data from the phone using the tool of your choice and parse.

OR

Have the client purchase an external HDD. Walk them through creating a local iTunes backup through their local computer and point it to the external drive or create an image via FTK Imager from their default iTunes folder to the external HDD. Then, the client ships that external HDD to you for parsing in your preferred tool.

I have written to Elcomsoft and Cellebrite with little help. No response from Elcomsoft and "we are working on it" from Cellebrite.

 
Posted : 26/09/2018 7:20 pm
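Added illustration, not from anyone in this thread: a small Python triage script for a backup folder that lands on your bench (the external-HDD route above, or a tool's download). It reads Info.plist and Manifest.plist and then checks every regular file listed in Manifest.db against the on-disk objects, so a "manifest and info plist but no user data" download is flagged instead of discovered during parsing. The iOS 10+ layout (Manifest.db `Files` table, objects sharded by the first two hex characters of fileID, flags value 1 for regular files) is assumed; the sample backup it builds is constructed.

```python
import os
import plistlib
import sqlite3
import tempfile
from datetime import datetime

# Assumed iOS 10+ backup layout: Info.plist, Manifest.plist, Manifest.db with
# Files(fileID, domain, relativePath, flags, file), objects at <fileID[:2]>/<fileID>
FLAG_REGULAR_FILE = 1  # assumption: flags 1 = regular file, 2 = directory


def triage_backup(backup_dir):
    """Read metadata and check that every file the manifest lists is on disk."""
    with open(os.path.join(backup_dir, "Info.plist"), "rb") as fh:
        info = plistlib.load(fh)
    with open(os.path.join(backup_dir, "Manifest.plist"), "rb") as fh:
        manifest = plistlib.load(fh)
    con = sqlite3.connect(os.path.join(backup_dir, "Manifest.db"))
    rows = con.execute("SELECT fileID, domain, relativePath FROM Files "
                       "WHERE flags = ?", (FLAG_REGULAR_FILE,)).fetchall()
    con.close()
    missing = [f"{dom}/{rel}" for fid, dom, rel in rows
               if not os.path.isfile(os.path.join(backup_dir, fid[:2], fid))]
    return {"ios_version": info.get("Product Version"),
            "last_backup": info.get("Last Backup Date"),
            "encrypted": bool(manifest.get("IsEncrypted", False)),
            "expected_files": len(rows),
            "missing": missing,
            "manifest_only": bool(rows) and len(missing) == len(rows)}


def build_sample_backup():
    """Constructed sample: manifest lists two files, only one was downloaded."""
    d = tempfile.mkdtemp(prefix="backup-")
    with open(os.path.join(d, "Info.plist"), "wb") as fh:
        plistlib.dump({"Product Version": "11.2.6",
                       "Last Backup Date": datetime(2018, 9, 18)}, fh)
    with open(os.path.join(d, "Manifest.plist"), "wb") as fh:
        plistlib.dump({"IsEncrypted": False, "Version": "10.0"}, fh)
    con = sqlite3.connect(os.path.join(d, "Manifest.db"))
    con.execute("CREATE TABLE Files(fileID TEXT PRIMARY KEY, domain TEXT, "
                "relativePath TEXT, flags INTEGER, file BLOB)")
    con.executemany("INSERT INTO Files VALUES(?,?,?,?,NULL)", [
        ("ab" + "0" * 38, "HomeDomain", "Library/SMS/sms.db", 1),
        ("cd" + "1" * 38, "HomeDomain", "Library/Safari/History.db", 1),
        ("ef" + "2" * 38, "HomeDomain", "Library/SMS", 2)])
    con.commit()
    con.close()
    os.makedirs(os.path.join(d, "ab"))
    with open(os.path.join(d, "ab", "ab" + "0" * 38), "wb") as fh:
        fh.write(b"SQLite format 3\x00")  # constructed placeholder content
    return d
```

Run `triage_backup` against a real backup folder; if `manifest_only` is true you have the same empty download this thread describes and can stop before parsing.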
benfindlay
(@benfindlay)
Posts: 142
Estimable Member
 

Two options in the interim. Using a clean iPhone, sign into the user's iCloud account and pull the backup to the phone. Extract the data from the phone using the tool of your choice and parse.

OR

Have the client purchase an external HDD. Walk them through creating a local iTunes backup through their local computer and point it to the external drive or create an image via FTK Imager from their default iTunes folder to the external HDD. Then, the client ships that external HDD to you for parsing in your preferred tool.

2 sensible options!

A third option for consideration - carefully use a specialist but "non-forensic" tool which allows access to manage iCloud data.

I say carefully because the tool I used within the last few days to do this gave me access to the full iCloud backup data, but obviously has the facility to delete data from the account remotely. Basically you just need to avoid certain buttons!

Also, any news from Magnet regarding AXIOM's cloud capabilities on this front?

Cheers,

Ben

 
Posted : 26/09/2018 7:25 pm
(@zeroonezero)
Posts: 16
Active Member
Topic starter
 

Also, any news from Magnet regarding AXIOM's cloud capabilities on this front?

From Magnet's release notes

"You can acquire iCloud backups from accounts that have two-factor authentication for iOS versions 11.1 and lower"

and under known issues

"If you attempt to acquire iCloud backups that have two-factor authentication, AXIOM Process fails to acquire the image."

 
Posted : 26/09/2018 9:13 pm
benfindlay
(@benfindlay)
Posts: 142
Estimable Member
 

Also, any news from Magnet regarding AXIOM's cloud capabilities on this front?

From Magnet's release notes

"You can acquire iCloud backups from accounts that have two-factor authentication for iOS versions 11.1 and lower"

and under known issues

"If you attempt to acquire iCloud backups that have two-factor authentication, AXIOM Process fails to acquire the image."

Thanks for that - I totally missed it.

It's weird that AXIOM, Cellebrite and Elcomsoft's capabilities are all currently not working, but some of the commercial (i.e. "non-forensic") third-party iCloud management utilities are working fine.

I wonder what's going on there…

 
Posted : 27/09/2018 7:24 am