Elcomsoft Phone Viewer 3.30 Shows Unread Notifications Extracted from Device Backups

Elcomsoft Phone Viewer adds support for viewing unread device notifications included in iOS backups. Notifications are messages that are pushed onto device by instant messengers, taxi services, banking apps, as well as email applications. Depending on the usage scenario, unread notifications can go several years back. More often than not, information extracted from notifications is not available elsewhere.

Elcomsoft Phone Viewer 3.30 enables support for iOS notifications extracted from iCloud backups as well as local backups produced with iTunes. The tool can display notifications going several years back, unless they are read or dismissed by the user.

Notifications are an essential part of the system, and may contain large amounts of volatile highly sensitive information. Nearly all applications that are of forensic significance make use of notifications. Email clients, instant messengers, taxi and travel apps, social networks and many other applications can push notifications. Unless dismissed, these notifications are included into both local and cloud system backups.

Notifications are meant to serve as interactive, real-time alerts. While they often contain just a few lines of text, they still present information that may not be available elsewhere. In iOS, developers have full control over which information that gets saved into a backup. Email clients, messengers, social networks and many other apps only allow very limited amounts of data (mostly authentication tokens) to be saved in backups. Messages, conversations, updates and other sensitive information is never saved into cloud or local backups. As a result, investigators must resort to jailbreaking and physical acquisition to access data from those apps, which is not always possible. Notifications can provide valuable insight into the user’s communications and other day-to-day activities even if physical acquisition is not available for a given device, or if iCloud credentials are all that’s known about the user.

Vedi anche