A valid authentication token can only be extracted from a system if all of the following are true (in this case, we're discussing a Windows PC):
- The user has iCloud for Windows installed
- The user logged in to iCloud for Windows and did not sign out by the time of acquisition
- The user did not change their Apple ID password by the time of acquisition
Elcomsoft Phone Breaker offers two different methods for extracting tokens. When extracting a binary authentication token from the currently logged-in user on a live system, investigators can use the supplied command-line tool (atex.exe). In all other cases, Elcomsoft Phone Breaker offers a convenient user interface.
The authentication token must be extracted from the user's computer, hard drive, or forensic disk image before it can be used. Elcomsoft Phone Breaker comes with tools for locating, extracting, and decrypting binary authentication...