- Mobile Forensics: Advanced Investigative Strategies
- Oleg Afonin, Vladimir Katalov
- 2025-02-21 14:00:06
Over-the-air acquisition
Many mobile devices come with the ability to back up their contents into the cloud. Depending on the platform, cloud backups may contain as much as the full content of the device complete with the call histories and messages (Apple iOS 7.x through 9.x, Windows RT, and Windows 8/8.1/10); as little as a list of installed applications and a few random settings (Android 4.4 and Android 5.x); or something in between (Windows Phone 8 and Android 6.0).
For some devices, cloud forensics may be the only acquisition method available due to full-disk encryption and hardware lock. For example, cloud forensics is the only viable process for locked 64-bit iPhones running iOS 8+ and some Windows Phone 8 and Windows 10 Mobile devices.
Compared to other acquisition methods, cloud backups generally contain the least information.
For cloud acquisition to work, the expert will have to possess the user's authentication credentials. While a login and password are the most commonly used credentials, two-factor authentication may become an obstacle if there is no access to the secondary authentication factor.
Cloud acquisition benefits are as follows:
- Device is not required
- Independent of device model, OS version, and jailbreak status
- Remote acquisition
- Can be performed without the suspect being aware
- Can be used to track the suspect (location tracking)
- One of the easiest acquisition methods
- No special expertise required
- Device disassembly not required
- Non-destructive process
Major drawbacks of cloud acquisition include the following:
- Limited amount of information extracted
- iOS keychain extraction may be unavailable
- Must know user ID and password (or have a binary authentication token)
- Large amount of data can be very slow to download
- Two-factor authentication presents additional challenges
- Binary authentication tokens may expire
- No unallocated space extraction
Apple iCloud
In the case of Apple iCloud, binary authentication tokens created by software on the user's computer (via Apple iCloud for Windows or its macOS counterpart) can be used in place of the login and password. The use of binary authentication tokens currently bypasses Apple's two-factor authentication. However, these authentication tokens may have a limited lifespan (Apple tweaks token expirations all the time) and may have already expired by the time of the actual acquisition. We will be giving you more information about the tokens and their expiration in Chapter 6, iOS Logical and Cloud Acquisition.
Windows Phone 8, Windows 10 Mobile, and Windows RT/8/8.1/10
Windows Phone 8 and Windows 10 Mobile have a comprehensive cloud backup system. Cloud backups can be downloaded with forensic tools if the user's Microsoft account login and password are known. Windows 8, 8.1, 10, and Windows RT automatically back up user data, Modern UI apps, and their data into the user's Microsoft account (OneDrive), but only if the user logs in with their Microsoft account credentials as opposed to using a local Windows account.
Google Android
A very limited amount of information from Android devices can be backed up into the user's Google Account. However, Google collects and stores a large quantity of information about its users. The data originates from all devices, Android or not, on which a particular Google service was used. As a result, large amounts of highly valuable information can be obtained from the suspect's Google Account.
Law enforcement may have the option of requesting the full content of a suspect's cloud accounts from the service provider (Apple, Microsoft, or Google) with a court order. Since cloud backups are generally not encrypted (or the encryption keys are stored alongside the backup), there are no technical obstacles to obtaining the data. This may well change in the near future if these organizations implement encrypted cloud backups.
More information about over-the-air acquisition of Google Accounts is available in Chapter 3, Acquisition - Approaching Android Devices.