1 October, 2019

Elcomsoft Extracts More Data from iCloud: Screen Time Passwords and Voice Memos

ElcomSoft Co. Ltd. updates Elcomsoft Phone Breaker, the company’s forensic extraction tool. Version 9.20 gains the ability to remotely extract Screen Time passwords, list applications installed on devices sharing Screen Time data, and to download Voice Memos from iCloud.

Elcomsoft Phone Breaker becomes the first forensic tool on the market to extract Screen Time passwords from the cloud. Screen Time data and Voice Memos audio clips are added to the long list of extractable information, which includes call logs, photo libraries, iCloud passwords, messages and multiple other types of information that can be obtained from iCloud. Elcomsoft Phone Viewer was also updated to support the new data categories.

Background

The Screen Time passcode is an optional feature that can be used to secure the Content & Privacy Restrictions. Once the password is set, iOS will prompt for the Screen Time passcode if an expert attempts to reset the device backup password (iTunes backup password) in addition to the screen lock passcode.

Apple makes active use of cloud sync, and is continuously expanding the amount of information synchronized with iCloud. Starting with iOS 12, Apple began synchronizing Screen Time data with iCloud, making device usage information and access restrictions sync through all devices registered on the same Apple ID. Once the user activates the “Share across devices” feature, iOS Screen Time synchronizes information on enrolled devices connected to iCloud. The Screen Time sync also synchronizes passwords.

Extracting Screen Time Passwords from iCloud

In many cases, Screen Time passwords can be only extracted from the cloud. End-to-end encryption makes it impossible for Apple to release Screen Time data and passwords when serving law enforcement or GDPR requests, while extracting the data from the device may not be possible if the device is damaged or unavailable or if an unknown password protects local (iTunes) backups.

Elcomsoft Phone Breaker 9.20 can extract Screen Time passwords from the user’s iCloud account. The tool can access passwords from all devices on the user’s account on which the “Share across devices” feature has been activated. To access that data, experts must use a combination of Apple ID and password, pass two-factor authentication, and enter the user’s device screen lock passcode. Screen Time extraction is available in the Forensic edition of Elcomsoft Phone Breaker.

Screen Time passwords are not only a vital piece of evidence. They can be the missing key to start the logical acquisition process. Even if no specific restrictions are configured, the Screen Time password, if enabled, protects devices against resetting the local backup password, effectively blocking logical acquisition on devices with unknown backup passwords.

Users can configure a separate restriction to prevent installing new apps, which will in turn block the ability to install a jailbreak and perform physical acquisition. While Screen Time passwords may be extracted from encrypted local backups, a deadlock occurs preventing further acquisition attempts if the backup itself is protected with a password. By extracting the Screen Time password, experts can work around the deadlock and proceed with file system extraction.

The List of Installed Apps Across Devices

In addition to Screen Time passwords, Elcomsoft Phone Breaker 9.20 extracts the list of apps installed on all enrolled devices that have the “Share across devices” feature enabled (including Mac computers and Apple Watch). This information is exclusively available for 2FA accounts through Screen Time analysis.

Downloading Voice Memos from iCloud

Apple’s Voice Memos app allows users record audio using the iPhone’s built-in microphone. Voice Memos is frequently used to record lectures and presentations, interviews and auditions. iOS 12 and 13 can synchronize the recorded audio clips to iCloud.

Elcomsoft Phone Breaker 9.20 adds the ability to download Voice Memos clips from iCloud synced data, while Elcomsoft Phone Viewer provides a view on the audio clips extracted from local and cloud backups as well as from iCloud synced data.

About Elcomsoft Phone Breaker

Elcomsoft Phone Breaker is an all-in-one mobile acquisition tool to extract information from a wide range of sources. Supporting offline and cloud backups created by Apple, BlackBerry and Windows mobile devices, the tool can extract and decrypt user data including cached passwords and synced authentication credentials to a wide range of resources from local backups.

Pricing and Availability

Elcomsoft Phone Breaker 9.20 is immediately available for Windows and macOS. This update is free to existing users with currently valid licenses. Screen Time support is exclusively available in the $799 Forensic edition. The affordable Professional edition is available to individual and business customers for $199 with support for a limited set of data categories. Local pricing may vary. Support for Two-Factor Authentication is available in all editions.

System Requirements

Elcomsoft Phone Breaker supports Windows 7, 8, 8.1, and Windows 10 as well as Windows 2008, 2012 and 2016 Server. The Mac version supports macOS X 10.8 and newer. Elcomsoft Phone Breaker operates without Apple iTunes or BlackBerry Link being installed. In order to access iCloud Keychain, Health and Messages, Windows users must have iCloud for Windows installed, while Mac users must run macOS 10.11 or newer.

About ElcomSoft Co. Ltd.

Founded in 1990, ElcomSoft Co. Ltd. develops state-of-the-art computer forensics tools, provides computer forensics training and computer evidence consulting services. Since 1997, ElcomSoft has been providing support to businesses, law enforcement, military, and intelligence agencies. ElcomSoft tools are used by most of the Fortune 500 corporations, multiple branches of the military all over the world, foreign governments, and all major accounting firms.

Contatos

Elcomsoft s.r.o.

Československé armády 371/11,
Praha 6-Bubeneč,
Czech Republic, PSČ 160 00

Formulário de feedback com os representantes oficiais da Elcomsoft.

As one of the industry leaders, our job involves complex research and constant monitoring of industry news. We love sharing our findings with our followers. Follow us on a social network of your choice, and we’ll deliver quality content straight to your news feed.