Saturday, 14 March 2015

Forensic Tool Can Extract All Data From iCloud Drive

A forensic tool from the Russian company Elcomsoft, which made the news last year because it was reportedly used to steal nude photos of celebrities, can now extract all kinds of data from both Apple iCloud and iCloud Drive. This covers all Apple data as well as data from third-party applications.

In addition, the new version of Elcomsoft Phone Breaker can now also decrypt the keychain in iCloud backups. For this, the "securityd-key" of the device must be physically retrieved from the device. The Russian software company reportedly spent almost half a year reverse engineering the new iCloud Drive communication protocols and writing software to communicate with the iCloud Drive servers.

iCloud Drive

iCloud Drive is an upgrade to Apple iCloud that lets users store all sorts of data in the cloud. The data can be accessed from a Windows or Mac computer. Some data, however, such as iOS backups and stored iOS app data, is stored separately. This data is only accessible by restoring a backup onto a new iOS device. Elcomsoft's software can now access application data from user accounts that have been upgraded to iCloud Drive. In addition, the software also offers access to iOS backups.


Another major change is the ability to decrypt the keychain from iCloud backups. The keychain contains all kinds of sensitive information, such as account passwords and certificates. On the device itself, the keychain is encrypted by a combination of hardware and software. As soon as the keychain is stored in a backup, the level of protection changes depending on the type of backup. If the user makes a local password-protected backup through iTunes, the keychain is encrypted with a key that depends on the backup password.

With the backup password, most items in the keychain can be decrypted. If the local backup is created without a password, the keychain is encrypted with a hardware-dependent key, which is unique to each device. This key will probably not change over the lifetime of the device. Once the key has been retrieved, it can also be used for future backups.

These keychains, however, can only be restored to the same physical device and decrypted with the same hardware-dependent key. If this key is retrieved from the physical device, it then becomes possible to decrypt all of the keychain data outside the device. Finally, there is the option of an iCloud backup, in which the keychain is secured with the device password. This is similar to iTunes backups without a password. According to Elcomsoft, all three kinds of keychains can now be decrypted, provided that the hardware-dependent key is available.
