Data Forensics Company Recovers Notes Data Apple Claims is Deleted

2 minute read
| News

Files deleted from Apple’s Notes app shouldn’t be recoverable after 30 days, but the security and data forensics company Elcomsoft found they could access records that were deleted months—or even more than a year—ago. That sounds pretty bad, but recovering those files requires some pretty specific elements, including knowing your iCloud login and password.

Elcomsoft recovers Notes files deleted months ago

Elcomsoft discovers long ago deleted Notes files are recoverable

iCloud offers data recovery for files that have been deleted in the lat 30 days. That’s a feature, not a bug, and TMO’s Melissa Holt recently detailed how that works. After 30 days, however, and those files are supposed to really be deleted and unrecoverable.

Elcomsoft found it’s possible to restore long deleted Notes data in some cases, saying, “We discovered that deleted notes are actually left in the cloud way past the 30-day period, even if they no longer appear in the ‘Recently Deleted’ folder.”

How Elcomsoft Notes Data Recovery Works

While restoring Notes files that were deleted more than 30 days ago does pose a privacy threat, it’s not necessarily a gaping hole any hacker can use. Accessing the deleted files requires the Apple ID and password linked to the iCloud account and Elcomsoft’s forensic software, both of which aren’t likely in the hands of a hacker.

The company’s tools can download all Notes data associated with an iCloud account, including those that no longer appear as recently deleted. Once the Notes files are downloaded, they can be viewed and searched without any restrictions.

Behind Elcomsoft’s Motivation

Detailing the flaw in Apple’s Notes recovery feature is, on one hand, a community service because now users and the company are aware of the problem. Apple can work on a server-side patch that truly deletes files that fall outside the recovery feature’s 30-day window, and users can decide if syncing Notes through iCloud is something they want to keep doing.

On the other hand, talking about the issue is essentially a big commercial for Elcomsoft’s data forensic products. These are tools law enforcement agencies use in criminal investigations, and telling the world about the Notes issue is akin to hanging a big neon “buy me” sign over Elcomsoft’s products.

What the Notes Data Recovery Issue Means for You

Despite the foreboding tone that goes along with hearing Notes data can be recovered well after is should really be gone, Elcomsoft’s announcement isn’t likely a big deal for most iCloud account users—unless you’re under criminal investigation and police already have your Apple ID user name and password. That’s not to say don’t worry if there’s nothing you need to hide; your personal data should simply stay private.

Apple will likely patch the issue that shouldn’t have been there, and Elcomsoft’s forensic tools won’t be able to get at those deleted records any more. The fix most likely will happen on Apple’s iCloud servers, so we won’t even have to wait for a security patch for your iPhones, iPads, and Macs.

For the average user, this is an issue that they most likely won’t ever encounter. For TMO’s John Kheit, however, this is no doubt a big dose of personal validation for his argument against cloud services in general.

2 Comments Add a comment

  1. gnasher729

    Thanks for actually stating clearly what is actually happening.

    So if someone manages to access _everything_ in my iCloud account, for example if I hand over my AppleID and my iCloud password, then they can read basically everything in my iCloud account, including my undeleted notes (as you would expect), and my notes that I deleted in the last 30 days (as you would expect), and notes that I deleted earlier. So what they can read in addition to what you thought they could read is minimal.




    0
  2. jhorvatic

    So basically there claim is pretty worthless except if they know your Apple ID and password.
    A lot of hackers claim they can do this and that. But in reality most need physical access or already have account info to do what they claim.




    0
Add a Comment

Log in to comment (TMO, Twitter, Facebook) or Register for a TMO Account