This week I break down iCloud forensic artifacts.
Identifying iCloud Accounts:
- Another source of evidence for email, messages & remote storage of files
- Preservation orders
Identify Mobile documents
- Other versions of documents in iCloud and/or on other devices
- Identify preview files of Mobile Documents to prove file use & knowledge
Plist to identify iCloud accounts
Identifying iCloud Accounts
User Options for iCloud Syncing
Users may turn the different options on/off through the Preferences pane > iCloud
iCloud Drive: If iCloud Drive is turned on, documents and data may be stored in iCloud Drive
Photos: If iCloud Photos is turned on, the user may be using:
▪iCloud Photo Library (available with OS X v10.10.3 or later)
▪My Photo Stream
▪iCloud Photo Sharing
Calendars, Reminders, Safari, Notes, Mail – If selected, app data is synced to iCloud. The same or a different historical version of the app data may exist on other Apple devices.
Keychain: If iCloud Keychain is turned on, the user's keychain is stored in iCloud.
Find My Mac: Geolocate an online Mac
Identifying User Options in Plist
In the plist, under the SERVICES subkey, there will be an entry for each iCloud option and whether or not it is enabled.
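As an added example (not part of the original notes), a Python triage script that parses a plist of that shape and lists, for each enabled option, the artifact described above that an examiner should go look for. The SERVICES array layout, the Name/Enabled keys and the sample plist are constructed assumptions; confirm the real key names against the plist on a test image.

```python
import plistlib

# Constructed sample plist. The SERVICES array with Name/Enabled entries is a
# hypothetical layout assumed from the notes, not a verified Apple key set.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>SERVICES</key>
  <array>
    <dict><key>Name</key><string>iCloud Drive</string><key>Enabled</key><true/></dict>
    <dict><key>Name</key><string>Photos</string><key>Enabled</key><false/></dict>
    <dict><key>Name</key><string>Keychain</string><key>Enabled</key><true/></dict>
    <dict><key>Name</key><string>Find My Mac</string><key>Enabled</key><false/></dict>
  </array>
</dict>
</plist>
"""

# Where an enabled option points the examiner next, per the options above.
FOLLOW_UP = {
    "iCloud Drive": "Mobile Documents (and their preview files) in the user's hidden Library",
    "Photos": "iCloud Photo Library / My Photo Stream / iCloud Photo Sharing data",
    "Keychain": "user keychain also stored in iCloud (consider a preservation order)",
    "Find My Mac": "the Mac can be geolocated while online",
}


def parse_services(plist_bytes):
    """Return {option name: enabled?} from the SERVICES array."""
    data = plistlib.loads(plist_bytes)
    services = {}
    for entry in data.get("SERVICES", []):
        name = entry.get("Name")
        if name is None:
            continue  # skip a malformed entry instead of aborting the triage
        services[name] = bool(entry.get("Enabled", False))
    return services


def triage(plist_bytes):
    """List (option, where to look) for every option that is enabled."""
    return [
        (name, FOLLOW_UP.get(name, "no mapping; review manually"))
        for name, enabled in parse_services(plist_bytes).items()
        if enabled
    ]


if __name__ == "__main__":
    for name, where in triage(SAMPLE_PLIST):
        print(f"{name}: enabled -> check {where}")
```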
Apple Mobile Documents is a feature that allows the user to have co-equal copies of iWork documents (Pages, Numbers, Keynote & more) on all Macs and iOS devices linked to the iCloud account. Depending on the frequency of internet connectivity, there may be different historical versions of such documents on the connected devices.
Mobile documents are normally located at:
** Note: these documents are within the user's hidden Library folder, making them accessible only "in-App" for the average user.
Within the Mobile Documents folder are subfolders for each category of mobile document saved in iCloud. These files may be examined like any other file.
Note that Mobile Documents will have the appended file extension "-tef". In the GUI this is hidden, but it becomes apparent in Terminal and when viewing with forensic tools.
If a document has been viewed on the device, Mobile Documents will save a preview version of the document in the same directory. These previews are normally cleared from the file system when the device is shut down.