Authors: Kurt Oestreicher



The acquisition of data stored on cloud services has become increasingly important to digital forensic investigations. Apple, Inc. continues to expand the capabilities of its cloud service, iCloud. As such, it is critical to determine an effective means for forensic acquisition of data from this service and its effect on the original file data and metadata. This research examined files acquired from the iCloud service via the native Mac OS X system synchronization with the service. The goal was to determine the operating system locations of iCloud-synched files. Once located, the secondary goal was to determine if the file hash values match those of the original files and whether file metadata, particularly timestamps, are altered.