TECHNICAL-ADVISORY-2021-001
DECRYPTION OF FILES IN APPLE iCLOUD PRODUCTIONS
A growing number of cases yield little or no data from iOS devices using available extraction methods, so digital investigators must seek backups from Apple. These backups can contain information that is not accessible with some commercial tools. This technical advisory provides updated insights into the forensic examination of iCloud data that Apple provides in response to search warrants for cloud data associated with iOS devices.
Forensic examiners using commercial digital forensic tools might be unable to decrypt and access files in Apple-provided iCloud data that contain useful Digital/Multimedia Evidence. Forensic practitioners need to apply digital forensic methods that support decryption of these files.
When forensic practitioners are provided with iCloud backups pursuant to proper legal requests, the data can include user information and files from iOS devices or Macintosh systems. This data can include Device Backups, Contacts, Safari Browser History, Apple e-Mail, Calendar, Bookmarks, Notes, iBooks, iCloud Photos, Photo Stream, iCloud Drive, Voice Memos, iMessages, text (SMS) and multimedia (MMS) messages, and Health data. This information is available without bypassing or cracking device passcodes, acquiring the device OTA, or overcoming device encryption. However, the production delivered by Apple includes some encrypted and compressed iCloud device data that requires special processing. In addition, uncompressing the file provided by Apple can produce paths that exceed the Windows path-length limit, so files are silently missed. Some forensic tools can process iCloud backups and decrypt protected files that are not otherwise accessible.
Do not overlook iCloud backups. In one case, an iCloud SW Production resulted in pictures of an alleged victim that were not contained on other iOS devices or computer systems. Furthermore, do not overlook encrypted protected files under the Backup directory in iCloud backups. In addition to user data, Apple can provide information about the Apple ID and IP address used to initiate a remote wipe of the device, the time of the wipe request and wipe success, and the Apple ID/e-mail where confirmation of the request was sent. More details about obtaining information from Apple are available at:
https://www.apple.com/legal/privacy/law-enforcement-guidelines-us.pdf
Contributors and Acknowledgements
Technical Advisories provide a five-minute read that addresses an emerging trend in D/MM Forensics. This body of work was derived from subject matter research and in support of an actual DC3/CFL examination.
- Marc Freeman (DC3/CFL Examiner)
- DC3 Editorial Board (Curation, Review, & Publication)
For additional information and automated decryption capabilities please reach out to DC3 at hub@dc3.mil.
Relevant Forensic Artifacts
DC3 is building a crowdsourced catalog of forensic artifacts, created by practitioners for practitioners, to curate expertise across the digital forensic community, making it available as a user friendly, online knowledge management platform. In this context, a digital artifact is defined as a singular unit of interpretable data that can be extracted from a given data source.