iCloud Advanced Data Protection: A challenge for law enforcement

February 12, 2024

Apple iPhones have always posed a significant challenge for law enforcement investigations and digital forensics. When a device’s passcode is unknown and forensic tools cannot break in, the fallback has been to collect the suspect’s data from the cloud. Apple’s Advanced Data Protection ends this investigative technique.

iCloud encryption and data security

Apple uses encryption to protect user information and two-factor authentication for newly created Apple IDs. To understand how encryption affects law enforcement investigations, let’s take a look at how encryption and data protection work within the Apple ecosystem.

All user data stored in iCloud is encrypted; however, two types of encryption are used to secure it: standard encryption and end-to-end encryption.

Standard encryption: Files secured with standard encryption are accessible to Apple, because Apple holds a key to the file. Files such as phone backups and photos have traditionally used standard encryption.

End-to-end encryption: End-to-end encrypted data can be decrypted only on trusted devices that the user has signed into with their Apple ID. Trusted hardware is used in the encryption process to generate the encryption keys. When end-to-end encryption is used, not even Apple can read the user’s data, because Apple holds no copy of the key.

What evidence can be read when collected with a search warrant depends entirely on the level of data protection that the user selects.

iCloud Standard Data Protection

All iCloud accounts come with Standard Data Protection as the default configuration. The bulk of a user’s data is secured with standard encryption and can be decrypted by Apple using its copy of the key. If you are familiar with iCloud search warrant productions, every category of data you are used to seeing in them was secured with standard encryption.

Even under Standard Data Protection, 15 data categories use end-to-end encryption, including passwords stored in iCloud Keychain.

iCloud Advanced Data Protection

Apple released Advanced Data Protection (ADP) as an optional level of security in December 2022. ADP increases the number of data categories that use end-to-end encryption to 25. If a user has enabled ADP, an iCloud search warrant will produce Apple email, contacts and calendar; the remainder of the production is encrypted. The folder structure of the production is the same as ever, but the folders contain encrypted blob files along with a Chunkdetails.csv listing hexadecimal checksum values.

The table below shows which iCloud data categories use standard or end-to-end encryption under each protection level. As described above, Apple holds the key for standard-encrypted categories, while end-to-end keys exist only on the user’s trusted devices.

| Data category               | Standard Data Protection | Advanced Data Protection |
|-----------------------------|--------------------------|--------------------------|
| Apple Card transactions     | End-to-end               | End-to-end               |
| Calendars                   | Standard                 | Standard                 |
| Contacts                    | Standard                 | Standard                 |
| Freeform                    | Standard                 | End-to-end               |
| Health data                 | End-to-end               | End-to-end               |
| Home data                   | End-to-end               | End-to-end               |
| iCloud Backup               | Standard                 | End-to-end               |
| iCloud Drive                | Standard                 | End-to-end               |
| iCloud Mail                 | Standard                 | Standard                 |
| Journal data                | End-to-end               | End-to-end               |
| Keyboard learned vocabulary | End-to-end               | End-to-end               |
| Maps                        | End-to-end               | End-to-end               |
| Memoji                      | End-to-end               | End-to-end               |
| Messages in iCloud          | End-to-end               | End-to-end               |
| Notes                       | Standard                 | End-to-end               |
| Passwords and Keychain      | End-to-end               | End-to-end               |
| Payment information         | End-to-end               | End-to-end               |
| Photos                      | Standard                 | End-to-end               |
| Reminders                   | Standard                 | End-to-end               |
| Safari                      | End-to-end               | End-to-end               |
| Safari Bookmarks            | Standard                 | End-to-end               |
| Screen Time                 | End-to-end               | End-to-end               |
| Siri information            | End-to-end               | End-to-end               |
| Siri Shortcuts              | Standard                 | End-to-end               |
| Voice Memos                 | Standard                 | End-to-end               |
| W1 and H1 Bluetooth keys    | End-to-end               | End-to-end               |
| Wallet passes               | Standard                 | End-to-end               |
| Wi-Fi passwords             | End-to-end               | End-to-end               |

Note: Content that is shared via iCloud with others does not benefit from end-to-end encryption. However, Advanced Data Protection ensures that shared content remains end-to-end encrypted, provided all involved parties have Advanced Data Protection activated.

File metadata: a hint of what is inside the encrypted backup

Metadata is essentially data about data: it describes a file’s characteristics without referring to the file content itself. Even when ADP is enabled, file metadata can hint at what user content has been encrypted. Metadata uses standard encryption with the keys stored by Apple, for now…

Many Apple files do not have descriptive filenames. For example, img_0695.heic is an Apple Live Photo, but the name gives no indication of what the photo shows. iCloud Drive, by contrast, contains a variety of user files that may be descriptively named, because users often name files themselves. Metadata can therefore reveal which files are inside the encrypted iCloud Drive. For example, the metadata may identify a file stored in iCloud Drive named criminal_plans.docx. Without the decryption key, law enforcement will never know what the document contains, but in investigations such as Child Sexual Abuse Material (CSAM) or fraud, the filename alone may indicate what the file is likely to contain.
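The two sections above come down to one question: who holds the key for each data category. The following Python model is an added example (not Apple’s code and not part of the original article) that makes the key-custody point concrete. It simulates a provider that holds its own key for standard-encrypted categories but only ciphertext for end-to-end categories, and shows what a warrant production yields under each protection level: readable content where the provider has the key, and otherwise an encrypted blob plus cleartext metadata (filename, size, checksum). The cipher is a toy HMAC-SHA256 counter-mode construction chosen so the script runs with the standard library only; it is not Apple’s construction. The three-category subset, the file names and the file contents are constructed for the demonstration.

```python
import hashlib
import hmac
import secrets

# --- Toy authenticated stream cipher (illustration only; not Apple's construction) ---
# Keystream is HMAC-SHA256 in counter mode; the tag is an HMAC over nonce + ciphertext.
NONCE_LEN, TAG_LEN = 16, 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    """Verify the tag, then strip the keystream. Raises ValueError on a wrong key or tampering."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("authentication failed: wrong key or modified blob")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


# --- Key custody model (constructed subset of the article's category table) ---
STANDARD, E2E = "standard", "end-to-end"

CATEGORIES = {
    "Contacts":           {"standard_dp": STANDARD, "advanced_dp": STANDARD},
    "iCloud Drive":       {"standard_dp": STANDARD, "advanced_dp": E2E},
    "Messages in iCloud": {"standard_dp": E2E,      "advanced_dp": E2E},
}


class TrustedDevice:
    """Holds the end-to-end key; in this model the key never leaves the device."""
    def __init__(self) -> None:
        self.device_key = secrets.token_bytes(32)


class CloudService:
    """Server side: a key for standard-encrypted categories, ciphertext for everything."""
    def __init__(self) -> None:
        self.service_key = secrets.token_bytes(32)
        self.store: dict[str, list[dict]] = {}

    def upload(self, device: TrustedDevice, level: str, category: str,
               filename: str, content: bytes) -> None:
        mode = CATEGORIES[category][level]
        key = self.service_key if mode == STANDARD else device.device_key
        blob = encrypt(key, content)
        # Metadata (name, size, checksum) is stored in the clear, as the article describes.
        self.store.setdefault(category, []).append({
            "filename": filename, "size": len(content), "mode": mode,
            "checksum": hashlib.sha256(blob).hexdigest(), "blob": blob,
        })

    def warrant_production(self) -> dict[str, list[dict]]:
        """What the provider can hand over: plaintext where it holds the key, else blob + metadata."""
        production = {}
        for category, records in self.store.items():
            items = []
            for r in records:
                item = {"filename": r["filename"], "size": r["size"], "checksum": r["checksum"]}
                if r["mode"] == STANDARD:
                    item["content"] = decrypt(self.service_key, r["blob"])
                else:
                    item["content"] = None            # provider has no key for this category
                    item["encrypted_blob"] = r["blob"]
                items.append(item)
            production[category] = items
        return production


def simulate(level: str) -> dict[str, list[dict]]:
    """Upload constructed sample items at the given level and return the warrant production."""
    device, cloud = TrustedDevice(), CloudService()
    cloud.upload(device, level, "Contacts", "contacts.vcf", b"BEGIN:VCARD ... END:VCARD")
    cloud.upload(device, level, "iCloud Drive", "criminal_plans.docx", b"(document body)")
    cloud.upload(device, level, "Messages in iCloud", "sms.db", b"(message database)")
    production = cloud.warrant_production()
    # The trusted device can still open every blob the provider could not (raises if not).
    for items in production.values():
        for item in items:
            if item["content"] is None:
                decrypt(device.device_key, item["encrypted_blob"])
    return production


if __name__ == "__main__":
    for level in ("standard_dp", "advanced_dp"):
        print(f"--- {level} ---")
        for category, items in simulate(level).items():
            for item in items:
                readable = item["content"] is not None
                print(f"{category:20s} {item['filename']:22s} readable={readable} "
                      f"sha256={item['checksum'][:12]}...")
```

Running the script prints one production per level. Under standard_dp, Contacts and iCloud Drive are readable and Messages is not; under advanced_dp, only Contacts is readable, but the iCloud Drive entry still carries its filename, size and checksum, which is exactly the metadata hint the article describes. The model deliberately gives the provider no path to the device key, so the only way to get plaintext for an end-to-end category is a trusted device.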

Investigative considerations

When considering writing a search warrant for iCloud data, here are some key points to consider:

  • Do you have the suspect’s trusted device that may contain the decryption keys?
  • Advanced Data Protection suggests writing down your key and storing it in a safe place; can it be found in their home or work space?
  • Advanced Data Protection alternately suggests setting up a recovery email; can you determine what email was used and discover the keys in that account?

Apple’s Law Enforcement Response Team has stated that it will not confirm whether an account uses Standard or Advanced Data Protection without a warrant. Without access to the decryption keys, a search warrant for iCloud data may be fruitless and a waste of time for both the investigator and Apple. At this point, writing a warrant is a roll of the dice as far as data protection is concerned.
