Forensic Software for iOS Devices
ElcomSoft offers an easy-to-use forensic tool for quick access to information extracted from local and mobile cloud backups. The updated version of Elcomsoft Phone Viewer (EPV) from ElcomSoft, a privately held Russian IT company, adds support for device notifications, which can go back several years.
Operating system developers can decide exactly what data to store in a backup. With many instant messenger applications, however, neither conversations nor individual messages are ever stored in the cloud or in local backups. Even downloaded emails are not kept in a backup. Extracting such messages is therefore only possible via physical acquisition, such as with a jailbreak, and such specialized software is not always available. Extracting iOS notifications, by contrast, provides forensic analysts with valuable insights into a user's daily activities.
In the sphere of push information
Google Trips, Booking, and Expedia apps display upcoming travel events, while Skype, Facebook, Twitter, LinkedIn, Pinterest, and many other apps send push notifications about recent activity such as comments, likes, friend requests, or retweets. Meanwhile, many iOS apps use push notifications to deliver time-sensitive, text-based information to the user.
Push notifications are used by apps such as email clients, instant messengers, two-factor authentication apps, and travel apps for booking airline tickets, hotels, or taxis. Uber, for example, like many local taxi services, uses such notifications to inform the user of the taxi's arrival, often with the exact time and location and sometimes even the car's license plate number. Similarly, banks send real-time information about credit transactions and account updates in the form of push notifications rather than SMS messages.
It's not uncommon for banking apps to send sign-in confirmation codes to customers via the notification feature.
Highly sensitive information
Shopping apps, such as Amazon, use push notifications to communicate information about the delivery status of shipments. Such ephemeral, real-time information is often overlooked by investigators, even though it can play a significant role in investigations. But if iOS notifications are not read or deleted by the user, they are automatically stored in local and cloud backups. Once backed up, notifications can be kept in the cloud or in newly created local backups for years. Examining one particularly old account, ElcomSoft researchers were able to extract no fewer than 1,200 notifications from 2012 to 2017.
Elcomsoft Phone Viewer 3.30
"Notifications are an essential part of mobile operating systems and can contain large amounts of highly sensitive information," said Vladimir Katalov, CEO of ElcomSoft. "They are automatically stored in iCloud and local backups and can be viewed with Elcomsoft Phone Viewer 3.30. This data is of particular importance to investigators because it is no longer stored in any other place and can only be viewed in this way."
Elcomsoft Phone Viewer 3.30 can automatically identify notifications in iOS backups and displays their full content along with metadata (date, time, app package name).
The software is available for Windows PC and Mac. It runs on both 32-bit and 64-bit versions of Windows 7, 8, 8.1, and 10, as well as the Windows Server 2008, 2012, and 2016 operating systems, and supports macOS 10.8 and later. EPV works without installing iTunes or BlackBerry Desktop software.
Elcomsoft Phone Viewer 3.30 is available now. The standard edition is available for 79 euros. Local prices may vary.