iCloud Forensics

This week I breakdown iCloud forensic artifacts.

Show Notes

Forensic Value

Identifying iCloud Accounts:

  1. Another source as evidence for email, messages & remote storage of files
  2. Preservation orders

Identify Mobile documents

  1. Other versions of documents in iCloud and\or other devices
  2. Identify preview files of Mobile Documents to prove file use & knowledge

Plist to identify iCloud accounts

/Users/lemmac01/Library/Preferences/MobileMeAccounts.plist 

Identifying iCloud Accounts

screen-shot-2016-10-15-at-3-24-27-pm

User Options for iCloud Syncing

Users may turn different options on\ off through Preferences pane > iCloud

screen-shot-2016-10-15-at-2-48-16-pm

iCloud Drive: If iCloud Drive is turned on documents and data in may be stored in iCloud Drive

Photos: If iCloud Photos is turned on user may be using

▪iCloud Photo Library (available with OS X v10.10.3 or later)

▪My Photo Stream

▪iCloud Photo Sharing

Calendars, Reminders, Safari, Notes, Mail – If selected, App data is sync’d to iCloud. Possible same or different historical version of App data on other Apple devices.

Keychain: If iCloud Keychain is turned on the Users keychain is storage in iCloud.

Find My Mac: Geolocate an online Mac

Source: https://support.apple.com/kb/PH19004?locale=en_US

Identifying User Options in Plist

In Plist under SERVICES subkey will be an entry for each iCloud option an whether or not it is enabled.

screen-shot-2016-10-15-at-2-58-50-pm

screen-shot-2016-10-15-at-2-58-32-pm

Mobile Documents

Apple Mobile Documents is a feature that allows user to have co-equal copies of iWork documents (Pages, Numbers, Keynote & more) on all Macs and iOS devices linked to the iCloud account. Depending on the frequency of internet connectivity there may be different historical versions of such documents on connected devices.

Mobile documents are normally located at:

/Users/useraccount/Library/Mobile Documents

** Note these documents are within the user’s hidden Library folder making these documents only accessible “in-App” for the average user.

Within the Mobile Documents folder is located subfolders for each category of mobile document saved in iCloud. These files may be examined like any other file.

screen-shot-2016-10-15-at-3-09-12-pm

Note that Mobile Documents will have the appended file extension of “-tef.” In the GUI this is hidden but becomes apparent in Terminal and when viewing with forensic tools.

screen-shot-2016-10-15-at-3-15-03-pm

If a document has been been viewed on the device Mobile Documents will save a preview version of the document in the same directory. These are normally cleared from the file system when the device is shutdown.

SDF Training

Learn More

Windows Prefetch Forensics

Learn how to get evidence of file execution
Learn More