iCloud Forensics: Ignore at Your Own Risk

As the use of cloud-based storage and services continues to grow, forensic analysis of cloud data has become critical, including for iCloud, Apple’s cloud storage service. With over a billion active Apple devices, iCloud is a huge potential source of evidence: a vast repository of user data such as photos, videos, documents, and more. Let’s dive into the basics of iCloud forensics to understand how attorneys can use it to aid in their investigations.

What is iCloud?
iCloud is Apple’s cloud-based storage and synchronization service that allows users to store and access their data across multiple devices. This is how one can buy a new iPhone and, minutes later, have all the data from the old one on the new device. iCloud stores a user’s data on Apple’s servers, making it easily accessible across all their devices: iPad, MacBook, iMac, etc. Users can store various types of data in iCloud, including photos, videos, music, documents, contacts, calendars, and more. And of course, text messages!

iCloud Forensics
iCloud Forensics is the process of extracting and analyzing synchronized data from an iCloud account for investigative purposes. Forensic analysis of iCloud data can provide critical evidence in various cases, such as investigations supporting litigation, intellectual property, employment, family law, etc. Investigators can extract various types of data from iCloud, such as photos, videos, messages, call logs, location data, and more.
A recent case showed that evidence existed in the iCloud account that was no longer on the phone, and interestingly, the phone was not even set to create iCloud backups. However, the option to synchronize the data was toggled on, which meant that we were able to recover over 200k text messages, many of which were no longer on the actual mobile device.

Tools and Techniques
There are various tools and techniques that forensic investigators can use to extract data from iCloud. Note that accessing iCloud data requires the account holder’s Apple ID and password, and also the account holder’s cooperation, as two-factor authentication will likely be enabled. Also, some iCloud data, such as iMessage and FaceTime data, is end-to-end encrypted, meaning that only the sender and recipient can access the content. Various tools, such as Elcomsoft Phone Breaker, Forensic Email Collector and Magnet AXIOM, can extract data from iCloud backups. These tools can also recover deleted data and provide a comprehensive report of the extracted data. Many tools can pull down a backup, but accessing the synchronized data requires knowledge of forensic applications.

iCloud Forensics can be critical to investigations, and iCloud stores a vast amount of data, making it an attractive target for forensic analysis. It can be a virtual treasure trove, and as an element of an investigation, acquiring data from iCloud is a no-brainer. While there are limitations to iCloud Forensics, such as encryption and data deletion, the potential benefits are enormous, as it can provide critical evidence found nowhere else. With the continued growth of Apple devices and services, iCloud Forensics will remain a critical area of investigation for forensic investigators.