iCloud Advanced Data Protection: A challenge for law enforcement

February 12, 2024

Apple iPhones have always posed a significant challenge for law enforcement investigations and digital forensics.  When a device’s passcode is unknown and forensic tools are unable to break in, the solution has been to collect the suspect’s data from the cloud.  Apple’s Advanced Data Protection ends this investigative technique.

iCloud encryption and data security

Apple uses encryption to protect user information and two-factor authentication for newly created Apple IDs. To understand how encryption affects law enforcement investigations, let’s take a look at how encryption and data protection work within the Apple ecosystem.

All user data stored in iCloud is encrypted; however, there are two types of encryption used to secure user data: Standard Encryption and End-to-end Encryption.

Standard encryption: Files secured with standard encryption are accessible to Apple, which holds a key to them. Files like phone backups and photos have traditionally used standard encryption.

End-to-end encryption: End-to-end encrypted data can be decrypted only on trusted devices that the user has signed into with their Apple ID. Trusted hardware is used in the encryption process to generate the encryption keys. When end-to-end encryption is used, not even Apple can read a user’s data, as it does not hold a copy of the key.

What evidence can be read when collected with a search warrant depends entirely on the level of data protection that the user selects.

iCloud Standard Data Protection

All iCloud accounts come with Standard Data Protection as the default configuration. The bulk of a user’s data is secured with standard encryption and can be decrypted by Apple using their copy of the key.  If you are familiar with iCloud search warrant productions, all the categories of data you are familiar with seeing were secured with standard encryption.

Standard Data Protection uses end-to-end encryption for 15 data categories, including passwords stored in the user’s iCloud Keychain.

iCloud Advanced Data Protection 

Apple released Advanced Data Protection (ADP) as an optional level of security in December of 2022. ADP increases the number of data categories that use end-to-end encryption to 25. If a user has enabled ADP, an iCloud search warrant will produce the user’s Apple email, contacts and calendar. The remainder of the production is encrypted: the folder structure of the production is the same as ever, but the folders contain encrypted blob files along with Chunkdetails.csv, which holds hexadecimal checksum values.

The table below shows which iCloud evidence items use standard or end-to-end encryption and where the encryption keys are stored.

| Data category | Standard data protection: Encryption | Standard data protection: Keys | Advanced Data Protection: Encryption | Advanced Data Protection: Keys |
|---|---|---|---|---|
| Apple Card transactions | End-to-end | [icon] | End-to-end | [icon] |
| Calendars | Standard | [icon] | Standard | [icon] |
| Contacts | Standard | [icon] | Standard | [icon] |
| Freeform | Standard | [icon] | End-to-end | [icon] |
| Health data | End-to-end | [icon] | End-to-end | [icon] |
| Home data | End-to-end | [icon] | End-to-end | [icon] |
| iCloud Backup | Standard | [icon] | End-to-end | [icon] |
| iCloud Drive | Standard | [icon] | End-to-end | [icon] |
| iCloud Mail | Standard | [icon] | Standard | [icon] |
| Journal data | End-to-end | [icon] | End-to-end | [icon] |
| Keyboard learned vocabulary | End-to-end | [icon] | End-to-end | [icon] |
| Maps | End-to-end | [icon] | End-to-end | [icon] |
| Memoji | End-to-end | [icon] | End-to-end | [icon] |
| Messages in iCloud | End-to-end | [icon] | End-to-end | [icon] |
| Notes | Standard | [icon] | End-to-end | [icon] |