In addition, ElcomSoft updates Elcomsoft Phone Viewer, the company's lightweight forensic tool to help experts view and analyze information extracted with Elcomsoft Phone Breaker. The updated Viewer adds the ability to filter existing and deleted browsing history records.
"In this release, we added the ability to pull Safari browsing records going back more than one year, and this includes records that've been deleted a long time ago", says Vladimir Katalov, ElcomSoft CEO. "The user does not have a chance to see these records anywhere on their device or in the cloud, and may not have a clue they even exist."
"Any data that's supposed to be deleted but can still be extracted is always interesting, especially for the law enforcement", adds Per Thorsheim, a renowned security expert and organizer of the PasswordsCon conference.
Access to Synced Data
Apple has an option to sync certain types of data across devices sharing the same Apple ID. Information such as phone calls, contacts, Safari tabs, browsing history and favorites can be synchronized across devices. Unlike daily cloud backups, syncing works near instantly with little or no delay.
Many users disable iCloud backups for privacy reasons. However, those same users rarely disable cloud sync as there is no clear way to do this. Most users rely on iCloud for their daily activities, and they have synchronization enabled by default.
Safari Browsing History
Safari is the default browser in Apple's mobile and desktop operating systems, iOS and macOS. Safari syncs its browsing history across devices that are registered with the same Apple ID. This sync is optional and can be disabled by the user; however, it is enabled by default. Safari sync allows seamless transition between the user's devices, allowing to access Web sites opened on the user's iPhone on their Macbook or iPad, and vice versa. This sync is completely separate from iCloud backups, and works in real-time. Once the user deletes a certain entry, that entry disappears from all other synced devices (assuming they are online).
The browsing history goes back to as long as one month; at least this is what the user sees on their iPhone or iPad. While the actual browsing database may keep more records (ElcomSoft tests show 3 to 4 months' worth of browsing records available in a local SQLite database pulled via iTunes or iCloud backup), this is not the point.
The point is that Apple keeps synced Safari browsing history in the cloud for much longer than one, three or four months - even for deleted entries. ElcomSoft researchers were able to access records that've been deleted more than a year ago, which means that deleted records are not actually cleaned up from iCloud.
Elcomsoft Phone Breaker 6.40 adds the ability to extract deleted browsing history records from iCloud, while Elcomsoft Phone Viewer 3.25 receives the ability to view those records and apply filters for existing and deleted browsing history items. Two timestamps are extracted along with the Web link: information about the date and time on which the record was last accessed as well as the date and time on which the record has been deleted.
What Else Is New
The complete changelog for Elcomsoft Phone Breaker 6.40:
- added password recovery for encrypted iTunes 10.2 backups
- fixed an issue with synced "open tabs" data
- fixed an issue with downloading and decrypting data from iCloud Drive (some files were missing)
- unified password cracking engine (same as in Distributed Password Recovery)
- bug fixes and performance improvements
About Elcomsoft Phone Breaker
Elcomsoft Phone Breaker is an all-in-one mobile acquisition tool to extract information from a wide range of sources. Supporting offline and cloud backups created by Apple, BlackBerry and Windows mobile devices, the tool can extract and decrypt user data including cached passwords and synced authentication credentials to a wide range of resources from local backups. Cloud extraction with or without a password makes it possible to decrypt FileVault 2 containers without lengthy attacks and pull communication histories and retrieve photos that've been deleted by the user a long time ago.
Pricing and Availability
Elcomsoft Phone Breaker 6.40 is available immediately for both Windows and Mac OS X. Home, Professional and Forensic editions are available. iCloud recovery is only available in Professional and Forensic editions, while password-free iCloud access as well as the ability to download arbitrary information from iCloud and iCloud Drive are only available in the Forensic edition. Elcomsoft Phone Breaker Pro is available to North American customers for $199. The Forensic edition enabling over-the-air acquisition of iCloud data and support for binary authentication tokens is available for $799. The Home edition is available for $79. Local pricing may vary.
Elcomsoft Phone Breaker 6.40 supports Windows Vista, Windows 7, 8, 8.1, and Windows 10 as well as Windows 2003, 2008 and 2012 Server. The Mac version supports Mac OS X 10.7 and newer. Elcomsoft Phone Breaker operates without Apple iTunes or BlackBerry Link being installed.
About ElcomSoft Co. Ltd.
Founded in 1990, ElcomSoft Co. Ltd. develops state-of-the-art computer forensics tools, provides computer forensics training and computer evidence consulting services. Since 1997, ElcomSoft has been providing support to businesses, law enforcement, military, and intelligence agencies. ElcomSoft tools are used by most of the Fortune 500 corporations, multiple branches of the military all over the world, foreign governments, and all major accounting firms. ElcomSoft is a Microsoft Partner (Gold Application Development), Intel Premier Elite Partner and member of NVIDIA's CUDA/GPU Computing Registered Developer Program.
SOURCE ELCOMSOFT Co. Ltd.