Elcomsoft Extracts Deleted Notes from iCloud

The team behind the Russian hacking tool creator Elcomsoft, which also revealed earlier this year that Apple keeps a separate iCloud record in which deleted Safari history is stored for syncing across devices, and also discovered that deleted photos are kept in iCloud Photo Library last year, has now confirmed that deleted Notes are also being stored in iCloud. 

Epv notes

Using the latest Elcomsoft Phone Breaker version 6.50, the hackers were able to extract deleted notes from iCloud, which they say are actually left in the cloud by Apple way past the 30-day period, even if they no longer appear in the “Recently Deleted” folder. 

We discovered that Apple apparently retains in the cloud copies of the users’ notes that were deleted by the user. Granted, deleted notes can be accessed on iCloud.com for some 30 days through the “Recently Deleted” folder; this is not it.

Syncing notes is normal practice employed by pretty much every significant note taking app. Evernote, Microsoft OneNote, Google Keep, Simplenote and many smaller products offer their users the ability to sync notes with the cloud and across devices. None of those services are known for holding onto notes that users delete.

When the discovery about deleted photos being kept in iCloud was made, Apple was prompt to making those images disappear. Similarly, when it was found that Safari browsing history records are never deleted from the cloud, Apple patched that as well. So there is no doubt Apple will fix the notes issue soon as well.

To extract your deleted notes from iCloud, simply follow these steps:

  • Launch Elcomsoft Phone Breaker 6.50 or newer
  • Click “Download Synced Data from iCloud”
  • Authenticate with Apple ID/password or binary authentication token
  • Wait for the download to complete

To view deleted notes using Elcomsoft Phone Viewer:

  • Launch Elcomsoft Phone Viewer
  • Open iCloud synced data you downloaded
  • Navigate to “Notes”
  • Apply filter to specify records for existing or deleted browsing history (or All to view all records)

Of course this will stop working once Apple patches the hole.