Elcomsoft Phone Breaker fixes iCloud backup downloading for iOS 11.2-12.4

Elcomsoft Phone Breaker 9.10 introduces experimental support for iCloud backups created with iPhone and iPad devices running iOS 11.2 through 12.4 even if two-factor authentication is enabled.

ElcomSoft Tool Extracts Android WhatsApp Backups from Google

Recently, ElcomSoft Co. Ltd. released a major update to Elcomsoft Explorer for WhatsApp. Elcomsoft Explorer for WhatsApp 2.30 adds the ability to extract and decrypt WhatsApp stand-alone backups created by Android users in Google Drive. The tool obtains the WhatsApp cryptographic key by registering itself as a new device.

Decryption is possible with access to the verified phone number or SIM card, and requires authenticating into the user's Google account. The WhatsApp encryption key only needs to be obtained once; it can then be used to access all previously created and all future backups for a given combination of Google Account and phone number. The tool provides automatic download and decryption of WhatsApp backups and comes with a built-in viewer.

Notably, a cloud backup may, in certain cases, contain even more information than is stored on the device itself. This particularly applies to attachments (photos and videos) sent and received by WhatsApp users and then deleted from the device.

WhatsApp for Android: Not an Easy Target

For several years, WhatsApp has been encrypting its backup databases. Both stand-alone and cloud backups produced by the Android app are protected with industry-standard AES-256 encryption. The encryption key is generated by WhatsApp at the time of the first backup. The key is unique per account and per phone number: if the user has multiple WhatsApp accounts and only one Google Account, each WhatsApp account will use its own encryption key.

The encryption keys are generated by WhatsApp servers; they are never stored in Google Drive. Extracting the encryption keys from a local Android device may or may not be possible depending on the phone's root status and the version of Android it is running.

Making things even more complicated is the fact that the many versions of WhatsApp released over the last few years employ different encryption algorithms. This makes it difficult to build an all-in-one acquisition tool compatible with every version of WhatsApp.

Elcomsoft Explorer for WhatsApp 2.30 gains the ability to download WhatsApp backups for Android devices directly from the user's Google account, retrieve the cryptographic keys from WhatsApp servers, and decrypt the content of WhatsApp backups, including conversation histories and messages.

In order to obtain the encryption key from WhatsApp, access to the user's trusted phone number or SIM card is required: the authentication code is requested and delivered as a text message. Based on that authentication code, Elcomsoft Explorer for WhatsApp automatically obtains the cryptographic key that is used to decrypt all existing and future backups for a given combination of Google Account and phone number. In addition, the user's authentication credentials are required to log in to their Google Account.

If the expert does not have access to the user's SIM card or trusted phone number, Elcomsoft Explorer for WhatsApp can still access contacts and media files (pictures and videos) that users send and receive with WhatsApp.

Step-by-step WhatsApp acquisition guide: https://blog.elcomsoft.com/2018/01/extract-and-decrypt-whatsapp-backups-from-google/

For more information, please visit https://www.elcomsoft.com/exwa.html


Extracting Unread Notifications from iOS Backups

In a world without jailbreaks, acquisition opportunities are limited. Experts are struggling to get more information out of the sources that are still available, and every little bit counts. In Elcomsoft Phone Viewer, we've added what might appear to be a small bit: the ability to view undismissed iOS notifications. Unexciting? Hardly. Read on to discover how extracting notifications from iOS backups can make all the difference in an investigation.

As you may already know, Elcomsoft Phone Viewer has a useful feature: support for iOS notifications extracted from cloud and local backups. It can show several years' worth of undismissed iOS notifications, which can account for hundreds or thousands of messages.

Why notifications? Because they may contain sensitive information that won't be available anywhere else. Several months ago, a French man filed a lawsuit after his wife learned of his affair from Uber app notifications. According to BBC, "The man says he once requested an Uber driver from his wife's phone. Despite logging off, the application continued to send notifications to her iPhone afterwards, revealing his travel history and arousing her suspicions."

Notifications are an essential part of iOS. Notifications are pushed by pretty much every app that has any forensic significance. Email clients and instant messengers are easy to spot, but that's not all. Notifications are pushed by Uber and taxi apps, booking and travel services, online shopping and delivery services, social networks and banking apps. Unless read or dismissed, these notifications are stored in local and cloud backups. This is where Elcomsoft Phone Viewer extracts them from.

Why "undismissed" notifications only? If the user reads, dismisses or otherwise interacts with a notification (e.g. by replying to an email or instant message), the corresponding file is deleted from the system and is therefore not included in a backup. One more thing: unlike calls or browsing history, notifications are not shared between iOS devices. There is no real-time sync for them. As a result, analyzing backups (local or iCloud) is the only way to extract notifications.

When using an iOS device, you are only able to access notifications going back up to one week, regardless of the actual number of notifications. If you read or dismiss a notification, you cannot go back to it. Internally, iOS keeps each notification in a separate file. Reading or dismissing a notification deletes that file, so there is no way to access it afterwards. The good thing, however, is that iOS backs up all unread/undismissed notifications even if they are older than one week. The reason for this is not exactly clear (there is no way to access those notifications when using an iOS device), but we can definitely benefit from this behavior.

For each individual application, up to 100 notifications are stored. Older notifications are automatically deleted by the system.

Elcomsoft Phone Viewer allows filtering notifications by application; the default view places the apps with the most notifications at the top.

Finally, you can export all or selected notifications into a CSV file for further analysis or reporting.

What can you expect to see when viewing undismissed notifications? We checked several accounts, and discovered as many as 1200 individual messages going back all the way to 2012. Here's what we've got:

  1. Online banking updates. Our banking app pushes account updates, statement availability, daily balance and transaction alerts as notifications as opposed to sending insecure emails or text messages.

  2. A slew of social network updates including Facebook, Twitter, LinkedIn and Pinterest. This included likes, retweets, friend requests, comments and updates.

  3. Instant messages. We've been able to view complete messages for Skype, WhatsApp and Viber (the only three messengers installed on that device).

  4. Uber: lots of "you've got a car" notifications.

  5. Amazon: delivery notifications and order updates.

  6. eBay: messages, order updates.

  7. DHL: tracking updates.

  8. Home security app: engaging and disengaging alarms.

  9. Email: subject and a few lines of message body.

  10. A bunch of Google Maps and Google Trips updates.

Is this enough to profile a user? Not quite, but it can help a lot. Is there a chance to get all of that data elsewhere? Not unless you jailbreak the device and perform physical acquisition. Downloaded mail, banking updates, instant messaging and pretty much everything else on our list is excluded from iOS backups except in the form of notifications, and can only be obtained via physical acquisition or by analyzing notifications with Elcomsoft Phone Viewer.

Learn more about Elcomsoft Phone Viewer and download a free trial version at https://www.elcomsoft.com/epv.html


Extract and Decrypt WhatsApp Backups from iCloud

WhatsApp decryption is essential for law enforcement: due to its popularity and extremely tough security, it is a common choice among criminals. However, the need for WhatsApp decryption is not limited to law enforcement. We mere mortals may need access to our own communications when re-installing WhatsApp, changing devices, or extracting conversations that occurred on a device we no longer possess. Since WhatsApp data is not always available in iOS system backups, using WhatsApp's own stand-alone cloud backup system is the more reliable choice compared to pretty much everything else.

Elcomsoft Explorer for WhatsApp can now access iPhone users' encrypted WhatsApp communication histories stored in Apple iCloud Drive. You can circumvent the encryption and gain access to iCloud-stored encrypted messages if you have access to the user's SIM card with the verified phone number.

WhatsApp 2.16.17 was released in December 2016. In this build, the company started encrypting its stand-alone backups stored in iCloud Drive, instantly rendering existing extraction methods ineffective. Before the change, Elcomsoft Explorer for WhatsApp could be used to access WhatsApp chat archives by logging in to the user's iCloud account with their valid authentication credentials. WhatsApp encryption dropped a significant roadblock, effectively preventing this practice and only allowing WhatsApp extraction from iOS system backups (local and iCloud-based).

How It Works

Since last year, both manual and daily stand-alone backups stored by WhatsApp in iCloud Drive are automatically encrypted. The encryption key, generated by WhatsApp when the user makes a backup for the first time, is unique per combination of Apple ID and phone number. Different encryption keys are generated for different phone numbers registered on the same Apple ID. These encryption keys are generated and stored server-side by WhatsApp itself; they are never stored in iCloud, and they cannot be extracted from the device.

Elcomsoft Explorer for WhatsApp gains the ability to obtain the encryption keys for WhatsApp's iCloud backups, bypassing encryption and gaining access to WhatsApp conversation history and the underlying messages. In order to obtain the encryption key, experts must be able to receive a WhatsApp verification code sent to the phone number for which a given backup was created. In addition, the user's Apple ID and password (or binary authentication token) are required to gain access to the backup itself.

Using the associated phone number and iCloud authentication credentials, Elcomsoft Explorer for WhatsApp registers itself as a new "device" with WhatsApp. After passing the verification process, the tool can request the encryption key from WhatsApp and use that key to decrypt the backup.

The decryption key received by Elcomsoft Explorer for WhatsApp is permanent and does not change even if the user changes their Apple ID password. The decryption key remains valid even after re-authenticating WhatsApp with the same phone number and Apple ID, and the same key can be used to decrypt older backups created before the key was retrieved.

Elcomsoft Explorer for WhatsApp employs a smart workaround for WhatsApp extraction from iCloud. In order to obtain the encryption key, do the following:

  1. In Elcomsoft Explorer for WhatsApp, observe the two green icons "iOS" and "Android" in the bottom left part of the window. Click on the iOS icon.

  2. Click on the iOS icon again. Select "Download files from iCloud Drive".

  3. If the Apple ID account has two-factor authentication, you'll be prompted for a code. Enter it.

  4. The downloading process begins.

  5. Once the download completes, you'll see a message that warns that the data is encrypted.

  6. Use the Decrypt option to instantly decrypt the data, or click Open to have the data loaded into the viewer. At this point, you can only access media files; text conversations are still encrypted.

  7. If you attempt to access encrypted data, you'll be prompted for a code.

  8. Click Send to request a code. It will be delivered to the phone number. Enter the code into the "Verification code" box.

  9. Once the correct code is entered, the data is instantly decrypted. If you have other encrypted data, click on the lock sign to decrypt it. Newly downloaded data will be decrypted automatically.

Cloud backups remain one of the few attack vectors that allow remote access to WhatsApp communication history. If you have cloud backups enabled in WhatsApp and your iPhone is suddenly de-registered from your WhatsApp account, watch out: someone could have accessed your data. As always, we recommend activating two-factor authentication to protect your Apple ID.