iCloud Blog

Investigating iCloud

14/05/2021 Friday

iCloud is an Apple Inc. cloud management and cloud computing application launched in October 2011. iCloud allows users to store, share, and send data, files, and documents among users and devices. iCloud is available for Windows, iOS, and macOS devices. In addition, iCloud wirelessly backs up iOS devices directly to iCloud. By connecting accounts via AirDrop wireless, service users are also able to exchange images, songs, and games instantly.

Digital Forensics Value of iCloud

Cloud computing has opened up new digital forensics challenges. iCloud file contains information about files that users upload and sync to iCloud, cloud data, when iCloud was enabled, when iCloud account was deleted, when iCloud data was deleted, and when the devices were wiped, and configuration. This information is critical during the forensic analysis process, as it helps us understand the types of artifacts that are likely to remain for digital forensics investigators.

Location of iCloud Artifacts

In Windows 10 iCloud artifacts are located at C:\Users\username\iCloudDrive

Structure of iCloud Artifacts

iCloud drive contains databases and plist files that store logs, cloud items, photos, albums, shared and local documents, and server items.

Analyzing iCloud Artifacts with ArtiFast Windows

This section will discuss how to use ArtiFast Windows to extract iCloud artifacts from Windows machines and what kind of digital forensics insight we can gain from the artifacts.

After you have created your case and added evidence for the investigation, at the Artifact Parser Selection Phase, you can select iCloud artifacts:

Once ArtiFast parser plugins complete processing the artifact for analysis, it can be reviewed via “Artifact View” or “Timeline View,” with indexing, filtering, and searching capabilities. Below is a detailed description of iCloud artifacts in ArtiFast software.

iCloud Drive Local Items Artifact

Desired Item Size - Desired item size in bytes.
Item File Name - Item file name.
Item Mode - Indicates item mode (write, read or both).
Item Modified Date - Date and time when the item version was modified.
Item Version Size - Item version size in bytes.
Item Type - Item type.
Item Version Name - Item version name.
Item Absolute Path - Item absolute path.
Item Local Name - Item local name.
Item Birth Date - Date and time when the item was created.

iCloud Drive Local Paths Artifact

My Photo Stream - Indicates the status of my photo stream to sync (enabled/disabled).
Upload File - Upload path.
iCloud Photo Sharing - Indicates the status of iCloud photo sharing (enabled/disabled).
Shared Path - Drive shared path.
Account Name - Account name.
Download Path - Drive download path.
Last Modified Date - Date and time when database file was last modified.

iCloud Drive Local Shard Documents Artifact

Desired Item Size - Desired item size in bytes.
Item File Name - Item file name.
Item Mode - Indicates item mode (write, read or both).
Item Modified Date - Date and time when the item version was modified.
Item Version Size - Item version size in bytes.
Item Type - Item type.
Item Version Name - Item version name.
Item Absolute Path - Item absolute path.
Item Local Name - Item local name.
Item Birth Date - Date and time when the item was created.

iCloud Photos Album Assets Artifact

Batch Creation Date - Date and time when the album was created.
File Name - Asset File Name.
File Path - Asset File Path.
Asset Uti - Asset Uti.
File Caption - The caption of the file.
Owner Name - Owner Name.
Owner Email - Owner Email.
Parent Album - Parent Album.
Is Downloaded - Indicates whether the album is downloaded.
Is Deleted - Indicates whether the album is deleted.
Contributor Can Delete - Indicates whether a contributor can delete the album.
Created By Owner - Indicates whether the album is created by owner.
Size - Asset size in bytes.
Width - Asset Width in Pixels.
Height - Asset Height in Pixels.
Has Comments - Indicates whether the album has comments.
Last Comment Position - Last Comment Position.
Comments - The content of the comment.
Last Read Comment At - Date and time when the comment was last read.
Unread Comments - Indicates whether the album has unread comments.

iCloud Photos Shared Albums Artifact

Last Update Date - Shared album last update date and time.
Album Name - Album name.
Album Guid - Album guid.
Album Location - Album location.
Sharing Type - Indicates the statues of the shared album (subscribed, owned or pending).
Public Token - Public Token.
Allow Contributions - Indicates whether contributions are allowed.
Owner Name - The album owner name.
Owner Email - The album owner email.
Sharing Info - Sharing info.

iCloud Photos Shared Asset Comments Artifact

Creation Date - Comment creation date.
Comment Message - Comment message content.
Is Caption - Indicates whether the comment is caption.
Comment Type - Indicates the comment type.
Deleted Comment Position - Deleted comment position.
Created By Owner - Indicates whether the comment is created by owner.
Can be Deleted by Owner - Indicates whether the comment is deleted by the owner.
Asset Guid - Asset guid.
Is Important - Indicates whether the comment is important.
Parent Album - Parent album.
Parent File - Parent file.
Sender Email - Sender email.
Sender Name - Sender name.

iCloud Photos Timeline Events Artifact

Event Date - Event date.
Event Type - Indicates the event type (Asset Commented/Created Asset).
Parent File - Parent file.
Parent Album - Parent album.
Owner Name - Owner name.
Comment - Comment content.
Created by Owner - Indicates whether the comment is created by the owner.
Can Be Deleted by Owner - Indicates whether the comment can be deleted by the owner.

iCloud Drive Server Items Artifact

Item Modified Date - Date and time when the item version was modified.
Item Mode - Indicates item mode (write, read or both).
Item Type - Item type.
Item Version Name - Item version name.
Item Version Size - Item version size in bytes.
Item File Name - Item file name.
Item Birth Date - Date and time when the item was created.

iCloud Drive Server Shard Documents Artifact