Get Evidence With iCloud Forensics

Acquire Evidence from iCloud – Digital Forensics Approach

iCloud is a service designed by Apple that offers free cloud storage. With iCloud, users can store data such as documents, pictures, videos and application data on Apple's remote servers. It also lets users synchronize that data between devices such as an iPhone, an iPad and a Mac. The service has other uses as well: it can locate a lost phone, lock the device remotely and wipe its data remotely. From a digital forensics point of view, the data collected in iCloud (or in an iCloud backup) can be examined to obtain evidence of any suspected activity.

How To Acquire Evidence From the iCloud Service

iCloud User Account

Identifying the iCloud account in use leads the investigator to further evidence of any suspected activity. Apple integrates a number of services between iOS and OS X devices; with iCloud, users can sync data items such as documents, messages, contacts, pictures and calendar entries. An investigator following the Apple iCloud forensics approach can find out which other devices are synced with the suspect device.

An examiner can find the user's iCloud ID on a system running OS X in

/Users/username/Library/Preferences/MobileMeAccounts.plist

This file holds the iCloud account information, including the Apple ID used, for each iCloud account configured under that user profile.
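A small triage script for that file, added here as an example and not taken from the original article. It assumes the plist carries a top-level "Accounts" array whose entries have an "AccountID" (the Apple ID), a "DisplayName" and a "Services" array of {"Name", "Enabled"} dictionaries; real files may carry more keys, and the layout can differ between OS X versions, so confirm the structure with `plutil -p` on the seized file first. The sample plist embedded below is constructed for the example.

```python
"""Triage the iCloud account plist from an OS X user profile.

Added example (not from the original article). Assumed structure: a top-level
"Accounts" array of dictionaries with "AccountID", "DisplayName" and a
"Services" array of {"Name", "Enabled"} entries. Real files may differ.
"""
import plistlib
from pathlib import Path

# Constructed sample in XML plist form. A real MobileMeAccounts.plist is
# usually a binary plist; plistlib.loads() handles either encoding.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>Accounts</key>
  <array>
    <dict>
      <key>AccountID</key>
      <string>suspect@example.com</string>
      <key>DisplayName</key>
      <string>J. Doe</string>
      <key>Services</key>
      <array>
        <dict><key>Name</key><string>FIND_MY_MAC</string><key>Enabled</key><true/></dict>
        <dict><key>Name</key><string>SAFARI</string><key>Enabled</key><true/></dict>
        <dict><key>Name</key><string>MOBILEME_PHOTOS</string><key>Enabled</key><false/></dict>
      </array>
    </dict>
  </array>
</dict>
</plist>
"""


def extract_icloud_accounts(data):
    """Return a list of {apple_id, display_name, enabled_services} from plist bytes."""
    root = plistlib.loads(data)
    results = []
    for acct in root.get("Accounts", []):
        services = acct.get("Services", [])
        # Only services the user actually switched on matter for sync scope.
        enabled = sorted(s.get("Name", "?") for s in services if s.get("Enabled"))
        results.append({
            "apple_id": acct.get("AccountID"),
            "display_name": acct.get("DisplayName"),
            "enabled_services": enabled,
        })
    return results


def triage_user_profile(home):
    """Read the plist from a seized user profile; `home` is the profile root."""
    path = Path(home) / "Library" / "Preferences" / "MobileMeAccounts.plist"
    if not path.is_file():
        return []  # no iCloud account configured for this user, or wrong mount
    return extract_icloud_accounts(path.read_bytes())


if __name__ == "__main__":
    for acct in extract_icloud_accounts(SAMPLE_PLIST):
        print(f"{acct['apple_id']} ({acct['display_name']}): "
              f"{', '.join(acct['enabled_services'])}")
```

Run `triage_user_profile()` against each `/Users/<name>` directory on a mounted image rather than the live path, and record the enabled service list: it tells you which data types (Safari tabs, photos, Find My Mac) may also exist on other devices tied to the same Apple ID.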

With Continuity Feature

Internet history plays a major role in collecting iCloud forensic evidence; it is often important to identify the websites the suspect has visited. The iCloud feature called Continuity keeps a record of the web pages the suspect viewed on the device being examined and on any other device signed in to the same iCloud account.

It shows the web pages open on the first device so that the user can pick up the same page on a second device. For the examiner this means that browsing activity from one device may be recoverable from another device on the same account.

From iCloud Backup

iCloud allows users to back up their iPhone data to the cloud with a registered Apple account. An examiner who obtains the iCloud backup can analyse all of its important data, such as photos, application data, mail and messages. iCloud backup also acts as a remote backup service through which a user can transfer data between Apple devices. Users can turn cloud backup on or off by navigating to Settings -> iCloud -> Storage & Backup (the exact menu path varies between iOS versions). iCloud backup therefore gives the investigator an opportunity to collect as much evidence as possible: to obtain it, the investigator goes through all the data stored in the backup.

Performing Forensics On an Apple Device

Apple Devices in a BYOD Environment

iPhones and iPads are widely used today, not only for personal use but also in the enterprise. Many organizations follow BYOD (Bring Your Own Device) policies and practices under which a user can use the same Apple device for both personal and corporate purposes.

It is therefore important for Mac and iOS forensic examiners to be aware of the differences they may come across between a device used in a BYOD organizational environment and one used for personal purposes only. When an iPhone or iPad is enrolled in an enterprise environment, the IT administrator applies settings and configurations (typically through management profiles and restrictions) that may change the way the user handles the device, and may change the way the device appears during an iCloud forensic examination.

Key areas an iOS forensics examiner must focus on when seizing and analyzing a BYOD Apple device:

Applications Installed

An application installed on a BYOD iOS device may or may not be visible; its absence from the home screen does not mean it is not running on the device. The application may be disabled, hidden, or replaced by an enterprise application that hides or restricts the installed application.

Data Syncing

The IT admin can sync the BYOD iOS device to a particular computer, or activate and manage it over a Wi-Fi connection. With the help of the backups residing on that computer or on the iCloud servers, a Mac and iOS forensic examiner can determine which data is corporate and which is personal while collecting evidence.

iMessage

If the examiner cannot find data for applications such as App Store, Maps or YouTube on a device running in a BYOD environment (the enterprise configuration may have restricted them), the iMessage application is still worth examining: it initiates chat sessions that carry text, audio, video and pictures to other devices.

An examination of the iMessage data therefore stands a good chance of yielding evidence.
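As an added example of what that examination looks like in practice (this is my code, not from the original article): on a Mac the iMessage store is the SQLite file ~/Library/Messages/chat.db. The tables used below (message, handle, attachment, message_attachment_join) and their columns are a simplified subset of that database's schema as I understand it, so treat the column set as an assumption and compare it with `.schema` in sqlite3 on the seized copy before relying on it. The one trap a practitioner hits immediately is the timestamp: older releases store the `date` column as seconds since 2001-01-01, newer ones as nanoseconds since the same epoch, and the example normalises both. The database rows are constructed for the example.

```python
"""Pull iMessage conversations with attachments out of a Messages database.

Added example, not from the original article. The schema below is an assumed,
reduced subset of ~/Library/Messages/chat.db; verify it against the seized
file. Timestamps: seconds since 2001-01-01 (older) or nanoseconds (newer).
"""
import sqlite3
from datetime import datetime, timedelta, timezone

APPLE_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)


def apple_time_to_utc(value):
    """Convert a chat.db `date` value (seconds or nanoseconds) to a UTC datetime."""
    # Anything above 1e11 cannot be a plausible second count (that would be
    # beyond the year 5000), so it must be a nanosecond timestamp.
    if value > 10**11:
        value = value / 10**9
    return APPLE_EPOCH + timedelta(seconds=value)


def build_sample_db():
    """Construct an in-memory database with the reduced schema and sample rows."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE handle (ROWID INTEGER PRIMARY KEY, id TEXT, service TEXT);
        CREATE TABLE message (ROWID INTEGER PRIMARY KEY, text TEXT, handle_id INTEGER,
                              date INTEGER, is_from_me INTEGER);
        CREATE TABLE attachment (ROWID INTEGER PRIMARY KEY, filename TEXT, mime_type TEXT);
        CREATE TABLE message_attachment_join (message_id INTEGER, attachment_id INTEGER);
    """)
    con.execute("INSERT INTO handle VALUES (1, '+15550100', 'iMessage')")
    con.execute("INSERT INTO handle VALUES (2, 'contact@example.com', 'iMessage')")
    # Constructed rows: one old-style seconds timestamp, one nanosecond timestamp,
    # the second message has no text body, only a picture attachment.
    con.execute("INSERT INTO message VALUES (10, 'meet at 9', 1, 500000000, 0)")
    con.execute("INSERT INTO message VALUES (11, NULL, 2, 600000000000000000, 1)")
    con.execute("INSERT INTO attachment VALUES "
                "(7, '~/Library/Messages/Attachments/ab/IMG_0042.jpeg', 'image/jpeg')")
    con.execute("INSERT INTO message_attachment_join VALUES (11, 7)")
    con.commit()
    return con


def list_messages(con):
    """Return every message joined to its counterpart handle and attachments."""
    rows = con.execute("""
        SELECT m.ROWID, m.date, m.is_from_me, h.id, h.service, m.text,
               GROUP_CONCAT(a.filename, '|') AS files
        FROM message m
        LEFT JOIN handle h ON h.ROWID = m.handle_id
        LEFT JOIN message_attachment_join j ON j.message_id = m.ROWID
        LEFT JOIN attachment a ON a.ROWID = j.attachment_id
        GROUP BY m.ROWID
        ORDER BY m.date
    """).fetchall()
    out = []
    for rowid, date, from_me, handle, service, text, files in rows:
        out.append({
            "rowid": rowid,
            "when": apple_time_to_utc(date).isoformat(),
            "direction": "sent" if from_me else "received",
            "counterpart": handle,
            "service": service,
            "text": text,
            "attachments": files.split("|") if files else [],
        })
    return out


if __name__ == "__main__":
    # On a real case open a read-only copy: sqlite3.connect("file:chat.db?mode=ro", uri=True)
    for m in list_messages(build_sample_db()):
        print(m)
```

Two habits matter here: open the seized database through a read-only URI (`file:chat.db?mode=ro`) so the examination tool never modifies the evidence, and copy the `-wal` and `-shm` sidecar files along with chat.db, since recent messages may exist only in the write-ahead log.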

Conclusion

Today many organizations deploy iCloud-configured Apple devices. Mac and iOS forensic examiners must obtain these devices for investigation in order to find clues of any suspected activity. There are many areas of the iCloud service that may provide evidence to the Apple iCloud forensics examiner.