It is possible to extract data from iCloud into our forensic software. Of course we are not allowed to hack into anyone's account, but when provided with the username and password it is possible to get the data out of iCloud.

[Image: EPPB]

Once we have access to the iCloud account, we can extract the data per device (if multiple devices are found).

[Image: user with devices]

The backup can then be downloaded to our own environment to be able to investigate the data using our forensic software.
In the example below we use Lantern to make the iCloud backup visible, but we can also do this using the UFED Physical Analyzer.

[Image: iCloud backup in Lantern]

After reading the data into our software, we can generate a report of the results found.

[Image: report]

The data can include WhatsApp messages, SMS messages, iMessages, calendar information, internet history, voice memos, pictures, videos, chat sessions and so on. In some cases the iCloud backup is relatively old and can provide information that can no longer be found on the mobile phone.