Extracted Notifications Offer Valuable Insight for iOS Forensics

Elcomsoft Phone Viewer for Windows and macOS adds support for viewing unread device notifications that are included in iOS backups. Unread notifications can go several years back; on one occasion, ElcomSoft were able to extract some 1200 notifications going back to 2012.

Notifications are an essential part of iOS. They can contain a lot of sensitive information. Notifications are extensively used by instant messaging apps, email clients, online banking, shopping and delivery tracking apps, booking and taxi services. Unread notifications are saved automatically to iCloud and local backups, and can be viewed with Elcomsoft Phone Viewer. The tool can display notifications going several years back, unless they are read or dismissed by the user. These bits of data are not available elsewhere.

iOS developers are free to choose exactly what data gets into a backup. For example, most instant messengers flag their data so that neither conversations nor individual messages are ever saved into cloud or local backups. Downloaded mail is not saved into a backup either. As a result, extracting messages would only be possible via physical acquisition (with jailbreak), which may or may not be available. Extracting iOS notifications can provide valuable insight into the user’s communications and other day-to-day activities.

Elcomsoft Phone Viewer: Reading iOS Notifications

iOS relies heavily on notifications to deliver time-sensitive, text-based information. Notifications can be thrown by email clients, instant messengers, two-factor authentication apps, as well as apps used by travelers to book airplane tickets, hotels and taxis.

The Uber app as well as many local taxi services can push notifications about the cab arriving (often including precise time and place and even the car license plate number). Many banks push real-time information about credit transactions and account updates as notifications as opposed to using text messages. It’s not uncommon for banking apps to deliver sign-in confirmation codes as push notifications.

Shopping apps such as Amazon can push delivery status information about orders. Google Trips, Booking and Expedia apps can display notifications about upcoming travel events. Skype, Facebook, Twitter, LinkedIn, Pinterest and many other apps push notifications about current activities such as comments, likes, friend requests or retweets.

This volatile, real-time information is frequently overlooked by investigators, yet it can be of significant value during investigations. Unless read or dismissed, iOS notifications are included in local and cloud backups. Once backed up, notifications can be kept in the cloud (or in newly made local backups) for years. When analyzing one particularly old account, ElcomSoft researchers discovered as many as 1200 notifications received between 2012 and 2017 (although most notifications belong to the period starting in August 2015).

Elcomsoft Phone Viewer can automatically discover notifications in iOS backups, displaying their full content along with metadata (date and time, app package name, as well as the full text content).

Get more information on Elcomsoft Phone Viewer and download free trial version:
https://www.elcomsoft.com/epv.html
