Blog >> iTunes

Investigating Windows iTunes Desktop Application

18/11/2022 Friday

Windows iTunes desktop application is a media management app developed by Apple. It is used for creating and customizing digital media library by allowing the user to download, play, organize, and manage audio and video files. It is also extremely useful when trying to set up an Apple device or manage its media content via a Windows computer.

Digital Forensics Value of iTunes

Apple devices are one of the widest selling portable digital devices on the market. It is also known for its encryption methods which are strong enough to thwart most of digital forensics’ efforts. Thanks to iTunes synchronization feature, there is an opportunity to get access to the backed-up data and extract information from it without being forced to break Apple’s encryption methods.

Location and Structure of iTunes Artifacts

The default location of the Artifacts left behind by iTunes:
C:\Users\%user%\AppData\Local\Apple Computer

C:\Users\%user%\AppData\Roaming\Apple Computer

Analyzing iTunes Artifacts with ArtiFast

This section will discuss how to use ArtiFast to extract Windows iTunes artifacts from Windows machines and what kind of digital forensics insight we can gain from the artifacts.

After you have created your case and added evidence for the investigation, at the Artifact Selection phase, you can select iTunes artifacts:

Once ArtiFast parser plugins complete processing the artifact for analysis, it can be reviewed via “Artifact View” or “Timeline View,” with indexing, filtering, and searching capabilities. Below is a detailed description of Windows itunes artifacts in ArtiFast.

iTunes Cookies Artifact

iTunes Devices Information Artifact

iTunes Applications Information Artifact

iTunes Backed Up Images Artifact

iTunes Voice Memos Artifact

For more information or suggestions please contact: [email protected]