Kurt Oestreicher

Abstract

The acquisition of data stored on cloud services has become increasingly important to
digital forensic investigations. Apple, Inc. continues to expand the capabilities of its cloud
service, iCloud. As such, it is critical to determine an effective means for forensic acqui-
sition of data from this service and its effect on the original file data and metadata.
This research examined files acquired from the iCloud service via the native Mac OS X
system synchronization with the service. The goal was to determine the operating system
locations of iCloud-synched files. Once located, the secondary goal was to determine if the
file hash values match those of the original files and whether file metadata, particularly
timestamps, are altered.