Downloading synced data from iCloud


EPB allows downloading device data synchronized with an iCloud account. This data can then be viewed on your computer or in Elcomsoft Phone Viewer.

The following categories of the synced data are available:

Account Info

Apple Maps

Calendar

Calls

Contacts

FileVault2 token

Health

iBooks

Keychain

Messages

Notes

Photos

Safari

Screen Time

Voice Memos

Wallet

Wi-Fi

 

System requirements

1. For downloading iCloud Keychain, your computer has to meet the following requirements:

For macOS, you need macOS 10.12 or higher.

2. For downloading iCloud Photos, install iCloud for Windows version 4.0 or later from Apple's website (https://support.apple.com/en-us/HT204283).

NOTE: iCloud for Windows from the Microsoft Store is not supported.

To download iCloud synced data, do the following:

1. In the Tools menu, select the Apple tab.

2. Select Download Synced data.


3. On the Download synced data from iCloud page, define the authentication type:

Password: Select this option to use your Apple credentials (Apple ID and password).

Token: Select this option to use the Authentication token extracted from iCloud using Elcomsoft Apple Token Extractor. For more information about extracting the token, see the Extracting Authentication token topic.


4. Click Sign in.

NOTE: If you have entered the Apple ID in the wrong format, a message about the account being locked is displayed. Close the message and try again. Make sure to enter your Apple ID in the standard format (i.e., example@example.com).

NOTE: If the Apple ID is protected with two-factor authentication, you need to confirm sending the verification code to all of your trusted devices or to your phone.

You can select the Save credentials for future use option when logging in so that you don't need to enter them when you log in with this Apple ID again.

5. If the Apple ID is protected with two-step verification, verify your account by selecting one of the following authentication types:

Secure Code: in the Trusted device field, select a phone number or a trusted device to which the code will be sent, click Send code, and then enter the received 4-digit code in the Secure code field. Click Resend code for it to be sent again.

Recovery Key: enter the 14-character key generated in the Apple account settings.

6. Click Verify.


7. If the Apple ID is protected with two-factor authentication, perform authentication in one of the following ways:

Select Trusted Device and enter the 6-digit code in the Verification code field. Click Resend code for the verification code to be sent to all trusted devices.

Select Text message and enter the 6-digit code in the Verification code field. Click Send code for the verification code to be sent as a text message to the selected trusted phone number. Click Resend code for it to be sent again.

NOTE: macOS 10.12 or higher is required for sending text messages.

NOTE: Authentication via the Text message is available for the Forensic edition only.

Select Code generator and enter the 6-digit code in the Verification code field. The code is generated on the trusted device or via Cloud Panel.


8. Click Verify.

9. The following information is displayed after signing in: user name, DSID, Apple ID.

NOTE: To download synced data for a different user, click Change user.


10. Select the data categories to download and click Download.

When downloading the Account info, Messages, Health, Screen Time, Voice Memos, Safari and Apple Maps data categories, consider the following limitations:

Category | Accounts with two-factor authentication | Accounts without two-factor authentication | Download data using authentication token
Account info | Yes | Yes | No
Messages | Yes | No | No
Health | Yes | Yes | Partially (without secured containers)
Screen Time | Yes | No | No
Voice Memos | Yes | No | No
Apple Maps | Yes | Yes | Partially (without secured containers)
Safari | Yes | Yes | Partially (without secured containers)

NOTE: The Apple Maps (from devices running iOS 13 and later), Account info, Messages, Health, Screen Time, Safari secured data, and Voice Memos data are available for downloading in the Forensic edition only. 

NOTE: The Apple Maps data from devices running iOS 13 and later can be downloaded only from iCloud accounts with two-factor authentication after entering the passcode.

The Messages category contains messages synced from devices with the following operating systems:

iOS 11.4 and higher

macOS 10.13.15 and higher

NOTE: When downloading data for categories marked orange, the decryption keys might become invalid, or might not be generated in the environment that supports these data categories in iCloud, and the data might not be downloaded. Make sure that you are signed in to the Apple ID on a device with the latest iOS or macOS. Try to log out and log in to iCloud on your device, and then turn iCloud Keychain off and back on. Then try downloading messages again. You can also try using another trusted device.

Starting with EPB 6.40, the downloaded Safari history data includes the link status (Actual or Deleted) and the deletion date for the deleted records, which can be explored in EPV after the download.

Safari history data for the latest two weeks is available for download.

For the Calls category, only calls for the last month are available for download.

The Screen Time category contains information synced from devices with iOS 12 and higher.

The Voice Memos category contains voice memos synced from devices with the following operating systems:

iOS 12.x.x and higher

macOS 10.14

11. The Select path to download synchronized data window opens.

12. In the Select path to download synchronized data window, define the location for storing downloaded data and click Select Folder.

13. If your account is not protected with two-factor authentication, you need to enter the iCloud Security Code to download the Keychain category data.

NOTE: iCloud Security Code is a code entered when iCloud Keychain was first synchronized with this device. The code is associated with a specific phone number.

14. Enter the iCloud Security Code and click Check. An SMS with a verification code will be sent to the phone number iCloud Keychain is associated with.

NOTE: If you enter the wrong iCloud Security Code too many times, your access to iCloud Keychain will be temporarily blocked. To unblock it, you can contact Apple support. Once your access to iCloud Keychain is unblocked, be very careful to enter the correct iCloud Security Code. If you enter it wrong again after your access to iCloud Keychain was unblocked, the iCloud Keychain data will be deleted.


15. Enter the verification code you received in the SMS and click Proceed.


16. If you select the categories marked orange for an account with activated two-factor authentication, select a trusted device and enter the passcode (for iOS) or the password to the user account in the operating system (for macOS).

NOTE: If you do not provide the passcode, data might be downloaded partially or not be downloaded at all.

NOTE: If you enter the wrong device passcode 10 times, the device will be blocked in EPB. This will not affect the device itself but you will not be able to use it for downloading data in EPB. To unblock the device, you need to change its passcode, confirm it, and synchronize iCloud Keychain with this device again. You can also download data using another trusted device and its passcode. 


17. Click Proceed. The process of downloading synced data from iCloud begins. The progress is displayed in the program window. To skip downloading the current category, click Skip. To stop the downloading process, click Stop. (If some files have been downloaded before you stopped the process, you will be able to explore them.)


18. When downloading is finished, you can see the following information:

Categories downloaded: The count of downloaded categories and the downloading status (no errors or with errors).

Count of records for the downloaded categories.

For the Calendars, Calls, Apple Maps, Wi-Fi, Messages, Health, Screen Time and Notes categories, you can also see the date range (from the earliest to the latest record).

NOTE: The Trial version of Elcomsoft Phone Breaker allows downloading only the 10 most recent calls, notes, Wi-Fi hotspots, Apple Maps favorites and history searches, and Safari history records.


You can do the following:

Click Explore files to open the folder with synced iCloud data.

Click See log to open the journal and view the start time and end time of downloading and the errors that occurred during downloading.

Click Open in EPV to view the synced iCloud data in Elcomsoft Phone Viewer.

NOTE: This option is available only if you have Elcomsoft Phone Viewer 3.10 or a higher version installed.

Click Change user to download iCloud synced data for a different Apple ID.

Click All tools to return to the list of tools for working with Apple backups.

Click Finish to exit the downloading wizard.

 

 

Viewing downloaded iCloud synced data

You can explore downloaded iCloud synced data using Elcomsoft Phone Viewer.

To view downloaded iCloud synced data in Elcomsoft Phone Viewer, click the Open in EPV link after the downloading process is complete. The Elcomsoft Phone Viewer will open and you will be able to investigate the iCloud synced data.

You can also view the content of the iCloud synced data folder on your computer.

To view the content of the iCloud synced data folder on your computer, open the folder on your computer to which the data was downloaded.

The name of the folder with iCloud synced data is iCloud_sync_<apple_id>_<time stamp>.

NOTE: The time stamp in the name of the folder with iCloud synced data corresponds to the time zone of the local computer.

In the iCloud_sync_<apple_id>_<time stamp> folder, the following items are displayed:

Account Info folder containing files with the account data.

AppleMaps folder containing the AppleMaps.db file (a database in which the Apple Maps record attributes are stored).

Calendars folder containing the Calendars.db file (a database in which the calendar record attributes are stored).

Calls folder containing the calls.db file (a database in which the call record attributes are stored).

Contacts folder with the following contents:

Contacts.db file (a database in which the contact record attributes are stored).

Vcards subfolder containing contact cards.

NOTE: vCards of groups are included into the count of downloaded contacts in EPB. Therefore, the number of contacts displayed in EPB might be greater than the one displayed in EPV.

FileVault folder with the filevault2_token.xml file containing a recovery token to decrypt the macOS disk image in Elcomsoft Forensic Disk Decryptor.

Health folder containing the healthdb.db, healthdb_secure.db, locations.db files, etc.

iBooks folder containing a list of downloaded books.

Keychain folder containing the keychain.data file.

Messages folder containing the Messages.db file (a database in which the message record attributes are stored) and the Attachments folder.

Notes folder containing the Notes.db file (a database in which the note record attributes are stored) and note files.

Photos folder with the following contents:

All Photos folder: a folder to which the media files from all albums were downloaded.

Photos.db: a database in which the attributes of media files are stored.

NOTE: The names of photos in the folder correspond to their IDs in iCloud.

Safari folder containing the Safari.db file (a database in which the Safari record attributes are stored).

ScreenTime folder containing the ScreenTime.db file (a database in which the Screen Time record attributes are stored).

VoiceMemos folder containing a list of audio recordings and the VoiceMemos.db file (a database in which the Voice Memos record attributes are stored).

Wallet folder containing multiple files associated with the user's wallet.

Wifi folder containing the Wifi.db file (a database in which the Wi-Fi record attributes are stored).

CardPhoto.jpg file containing the user account photo.

icloud_synced.xml file containing the information about the Apple ID, start and end time of downloading, and the status of downloading (success, canceled, finished with errors).
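
As an added example (not part of EPB or Elcomsoft's documentation), the following Python script records a SHA-256 manifest of a downloaded iCloud_sync_<apple_id>_<time stamp> folder so that later changes to the evidence can be detected, and reports which category folders contain the main file named in the list above. The folder and file names are taken from that list; the function names and the choice of keychain.data and filevault2_token.xml as the files flagged for restricted storage are assumptions of this example.

```python
import hashlib
from pathlib import Path

# Category folder -> main file, as listed on this page (other folders have no single named file).
EXPECTED = {
    "AppleMaps": "AppleMaps.db", "Calendars": "Calendars.db", "Calls": "calls.db",
    "Contacts": "Contacts.db", "FileVault": "filevault2_token.xml",
    "Keychain": "keychain.data", "Messages": "Messages.db", "Notes": "Notes.db",
    "Photos": "Photos.db", "Safari": "Safari.db", "ScreenTime": "ScreenTime.db",
    "VoiceMemos": "VoiceMemos.db", "Wifi": "Wifi.db",
}
# Assumption of this example: files holding secrets or recovery material.
SENSITIVE = {"Keychain/keychain.data", "FileVault/filevault2_token.xml"}


def sha256_file(path, chunk=1 << 20):
    """Hash a file in chunks so large media files are not loaded into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def build_manifest(root):
    """Return {relative POSIX path: sha256} for every file under the sync folder."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def summarize(manifest):
    """Report complete categories, folders missing their main file, and sensitive files."""
    folders = {path.split("/", 1)[0] for path in manifest if "/" in path}
    present = sorted(f for f in EXPECTED if f"{f}/{EXPECTED[f]}" in manifest)
    incomplete = sorted(f for f in EXPECTED if f in folders and f not in present)
    return {"present": present, "incomplete": incomplete,
            "sensitive": sorted(SENSITIVE & set(manifest)),
            "has_status_file": "icloud_synced.xml" in manifest}


def verify(root, manifest):
    """Compare the folder with a stored manifest; list changed, missing and added files."""
    current = build_manifest(root)
    return {"changed": sorted(p for p in manifest
                              if p in current and current[p] != manifest[p]),
            "missing": sorted(set(manifest) - set(current)),
            "added": sorted(set(current) - set(manifest))}
```

Store the manifest outside the sync folder (for example as JSON on write-protected media) and run verify() before each later examination.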

 

Viewing downloaded iCloud Keychain data

You can explore the downloaded iCloud Keychain data using Keychain explorer. Navigate to the synced data folder with the keychain data and open the icloud_synced.xml file in the root of this folder.

NOTE: If you use EPB 9.50 or lower version, navigate to the folder with iCloud Keychain data (named in the following format: iCloud_keychain_account@icloud.com_YYYY.MM.DD_HH-MM-SS) and open the icloud_keychain.xml file in the root of this folder.