ElcomSoft Co. Ltd. updates Elcomsoft Phone Breaker, the company’s forensic extraction tool. Version 9.0 gains the ability to remotely access Apple Health data stored in Apple iCloud, becoming the first forensic tool on the market to extract Health information from the cloud. Health data is added to the long list of extractable information, which includes call logs, photo libraries, passwords, messages and multiple other types of data. Elcomsoft Phone Viewer received an update to support the new data category.
Background
Apple makes active use of cloud sync, and is continuously expanding the amount of information synchronized with iCloud. Synchronized information is removed from iCloud backups. Starting with iOS 11, Apple began synchronizing Health data with iCloud, making Health information available on all devices registered on the same Apple ID.
Elcomsoft Phone Breaker 9.0 can automatically extract Apple Health data from the user’s iCloud account just moments after they arrive. To access that data, experts must use a combination of Apple ID and password. Entering the user’s lock screen password allows Elcomsoft Phone Breaker to retrieve significantly more Health information than available without a passcode.
Health data is a vital piece of evidence. Heartrate, sleeping habits, location points, workouts, steps and walking routines are just a few things that come to mind speaking of Apple Health. Introduced in September 2014 with iOS 8, the Apple Health app is pre-installed on all iPhones. The app makes use of low-energy sensors, constantly collecting information about the user’s physical activities. With optional extra hardware (e.g. Apple Watch or Bluetooth fitness trackers), the Health app can aggregate significantly more information. Additional information can be manually added by the user or imported via CDA documents.
Accessing Apple Health Data
In many cases, Apple Health can be only extracted through the cloud. End-to-end encryption makes it impossible for Apple to release most of Health data when serving law enforcement or GDPR requests, while extracting Health data from the device may not be possible if the device is damaged or unavailable.
Extracting Apple Health data from iCloud is possible with Elcomsoft Phone Breaker 9.0 Forensic Edition. Apple ID and password are required as well as access to the secondary authentication factor as well as the user’s screen lock password. In some configurations, Health data may not employ any additional encryption; therefore, a device passcode is not always required to access Health information. However, entering the user’s screen lock password helps retrieve significantly more information than available without a passcode. More information about Health data protection and acquisition in ElcomSoft Blog: Apple Health Is the Next Big Thing: Health, Cloud and Security.
Elcomsoft Phone Breaker 9.0 is available for Windows and macOS at https://www.elcomsoft.com/eppb.html