Good morning. Glad to see some responsible adults in the audience. You guys did not party hard enough, apparently. But hey, that's great for me. Sunday speakers always get a little bit worried that nobody's going to show up, or everybody's sleeping or hungover and whatnot. So welcome to Ubiquity Forensics: Your iCloud and You. Kind of a little PSA announcement here. So who am I? I am Sarah Edwards. By day, I'm a test engineer at Parsons Corporation. We do some government contracting work for other people. We are hiring. I know the car hacking village has been incredibly popular the last few days, and I know it's closing up soon after this talk, but if you're interested in anything like that, go talk to these people. They're great people, they're fantastic to work with. I've really been enjoying myself there. By night, I'm a SANS instructor and author. I'm a huge Mac fangirl, so I created the Mac analysis course. I do have a bunch of different dates that I've listed here, including September. So if you haven't quite gotten enough Vegas yet, come back next month. It'll be a great time. The latest and greatest version of this presentation will always be at my website. So if I do updates or run into other conferences and do additional research, you'll always have the most up-to-date version of the presentation at mac4n6.com. So a little bit about the scope of what I'm actually presenting here today. I'm gonna be doing some iCloud basics, getting into some acquisition and storage of the data on particular devices. Some synced preferences, so little configuration files that get synced to iCloud. And then to wrap it all up, I'm gonna be going over some application data. So let's start off with the basics. Apple uses the term ubiquity. Ubiquity basically means everything everywhere, so it really does describe best how iCloud works.
You can get your Word documents, your email, your contacts, messages, preferences, configurations, all sorts of stuff that you probably don't know about is hidden under a lot of the underbelly of OS X and iOS. So I'm here to at least do a public service announcement to say, hey, if you use iCloud, and I do, I like it, I find it very convenient to use. You should know what else it's syncing, things that you do not have the choice to opt out of. So I will point that out in a couple of different places. So moving on. I have a lot of screenshots in here. We've got OS X on the left-hand side and iOS on the right-hand side. They tend to look very similar GUI-wise, and you can deselect various components that you want to sync. But again, there are some things not listed in here that do get synced automatically. So I want you to be aware of that. Just to give you another overview, you can also access it over the web. So this is iCloud.com, so if you're running Linux or something, or another operating system that's not exactly iCloud friendly, this is likely the way that you're gonna be interacting with this data. And then we have Windows. I had to boot up my old Windows VM, dust it off, do about a bajillion different updates, way too many updates that I don't even wanna think about, just to get a bunch of these screenshots done. So this is iCloud for Windows. You can see the options are slightly less user-based. So you get certain things like your iCloud Drive, your photos, and some other bookmarks with Chrome, which is kind of a weird option to have, but it is available. So, different account identifiers. We've got the Apple ID, and this is gonna be what you sign into your iTunes account, your Mac App Store account to download various applications, usually an email address of some sort. This email address also has an associated numeric person ID.
So I've redacted mine throughout the slides here, but you can see it starts something like 247 or 274, something like that. There is a numeric ID, which is gonna be important for us once we start looking at these files on disk. Now also with iCloud, you can have associated email addresses; they're called vetted aliases. So different email addresses you might wanna have the same information synced to, or different phone numbers that you might wanna have synced to through iCloud data. So now some credentials. We're gonna talk a little bit about how we access this information. There's a couple of different ways. We can use the Apple ID and password. We can use two-factor authentication if it's enabled. It is not enabled by default. In fact, last time I checked there was a three-day waiting period to enable it, which I'm not entirely sure is the best option, because if I see something and I have to wait for three days, I'm gonna forget about doing this in three days. So hopefully Apple can maybe look into fixing that, making it more available to us. And there's also a token. A token is basically a little data blob, a little file that's associated. So I log into my OS X machine. I have iCloud running in the background. It's not doing authentication each and every time that it's syncing. There is this little token file on there that does the authentication for me. So we can actually take that file off using specialized software and actually use that to our advantage. Now how much data could we possibly have? By default, we're looking at five gigs. You can purchase up to a terabyte. So we're gonna be talking about downloading this information from the iCloud servers. This could take a long time to download. If this person has one terabyte in various photographs, it's gonna take a really long time to download all that information. So some configuration. This is how you check a system real quickly to see if it has iCloud enabled or not.
So a couple of different data paths on OS X and iOS, as well as a registry key on Windows. There's a lot of different files, file paths and different locations on the file system you could check, but these are kind of the quick and dirty places. Throughout this presentation, I throw in some incredibly long file names and file paths. This is purely for documentation. I am definitely not gonna be reading out these file paths for you, because I will just trip over my words. But I do tend to like to document my presentations incredibly well. So if you go back and do forensics investigations, go to these data paths on your own systems, go to them on your investigative systems. If you are doing more of the opsec security type things, take a look at these files. See what data is leaking from these files. I think you might be kind of worried about what some of the data might be that might be leaking from your enterprise environment. So let's actually get to this iCloud data. So on disk. Disk images, forensics related, relatively easy to get. Use dd, EnCase, whatever your favorite imaging tool is. So OS X and your Windows, no problem, we can get the data. You might have encryption or whatever, but that's a whole other talk. So iOS is gonna be the interesting one. We can do physical acquisition type analysis now, and it's gonna be most important to get that physical access. So 64-bit and data protection and all that good stuff has really limited forensics, but it's not impossible. If there is a jailbreak out there, you can get this data. So jailbreak your phone, look at the logical file system, grab the files that you need. I do tend to like Elcomsoft iOS Forensic Toolkit (EIFT). It's a piece of Russian software, but it's very highly used in the forensics community to actually do a physical-logical, which is a giant tarball of all the user-related files. So not quite a full physical, but enough to get the job done. So iCloud.com. We're gonna go over some various download tools.
Some are more sketchy than others. Then I also wanna go over various downloadable storage types. So we have iCloud backups. iCloud backups are very similar to iTunes-style backups. It bundles all these files up, renames them with a hash and then stores them up in iCloud versus, say, on your system, on your Windows system, on your OS X system through iTunes. But it has very similar data structures in there. We also have iCloud-specific data. So stuff that's not put into the iCloud backups, things like mobile documents, photos, synced preferences. So I'm gonna be pointing these two locations out there. For instance, iCloud backups, you might have certain backups, snapshots in time. So you might have one from a year ago, but it's definitely gonna be different than one that you've done today. So you could have three, four, five, 10 different backup files. So backup tools. Some are definitely more sketchy than others. If you just do a Google search for iCloud backup or iCloud download or anything like that, you're gonna get a ton of different hits. These cost anywhere from 10 bucks to 50 bucks to 80 bucks, and download, it does download your software. But how much do you really trust a lot of these tools? Is it really just taking your credentials and storing them for later on? We don't know. We kind of have to look into that a little bit further. Slightly less sketchy, we have iLoot, which is open source and is actually pretty useful. I'll get into that a little bit more later on, as well as the forensic level. This is gonna be Elcomsoft Phone Breaker, EPPB. So I'll get into each of these in a little bit more detail. So iLoot. iLoot, you have to have the Apple ID. It does not have two-factor support. It does not have token support, but it does run on Python. So while I might be a Mac fangirl and I pretty much run everything on a Mac, those Windows users and Linux users can still pull down their iCloud data. Command line only, which is perfect for me.
I like to script out a bunch of stuff. Open source, nobody's ever complained about that. And it's free, which is excellent. So if you are doing research, you do wanna play around with your own data and see what this looks like, go ahead and use it. It's actually very, very useful. But again, it does not have two-factor support. So as long as your account is non-two-factor, you can actually get the data. What does have two-factor support is the Elcomsoft Phone Breaker. This can take anything from your Apple ID and password to authentication tokens. It supports two-factor authentication as well. So depending on what type of data identifiers and passcodes and things like that that you have, you should be good to go. It does cost quite a bit more. You throw "forensic" on any sort of product and you can just charge hundreds of dollars more. You know, we're looking at $200 to $800. So this runs on Mac or Windows. Each version does have different capabilities to it. They just came out with the Mac version, actually, maybe a few months ago. So the Windows and professional versions have slightly more capability with, like, breaking iCloud, excuse me, breaking iTunes backups and encrypted backups and things like that. So take a look at it. But it is one of my favorite tools out there. All right, so that's the basics. Now we're gonna get into the actual nitty gritty of the data. So we're gonna be looking at a lot of plists. If you have never done Mac analysis before, there's these little files called plists. The only thing I can really compare them to is registry-type files. They're key-value data, basically describing a lot of the configuration and data saved across the systems. And these are found on OS X and iOS. So synced preferences, these are little data files for configurations, saving various preferences, saving weather configurations, stock configurations. And those are some of the relatively more boring ones. So let's get into a few of these.
So email. iCloud does save your recent email information. In the data paths above, you can see a lot of these different plist files. So I'll have an example of one here. Under the Values key, you see this GP or MR underscore and some hash-like value. Under each one of these keys holds a lot more different pieces of data. Now this one's really called, let me see, com.apple.mail.recents.plist. I have the arrow there, showing you how many recent emails I have. It stores a lot of them. It's basically calling through all your mail and breaking out different pieces and storing that information in there. So I don't email a whole lot, or at least I don't consider myself to be emailing a whole lot, but it sure is saving 680 different conversations. Now let me get into this a little bit more in detail. So the MR is data for a single contact. If I'm talking point to point with one other person, that data's gonna be stored in there. For group emails, it's gonna use GP. So it does mark these things, and they're relatively easy to figure out. So I've got two examples up on the screen. The example on the left shows us a point-to-point contact. So I'm talking with Heather Mahalik, but it saves all of this information associated with it. So it saves who I contacted, when I contacted them, best I can tell it's the last five, the most recent five dates associated with that contact. And that's messages going to and from. So not just to a certain person, but both directions. And it also has the client that's been used. In this case, it's com.apple.mail, which is the default mail application on OS X. On the right of the screen, we have very similar data. It looks very close to being the same. This T value here, I'm gonna try to see that there. This T value here holds the different times and dates for all of those recent contacts. So I've only been contacting this particular group three different times, you know, max of five here.
So down here, we also have the A key over here. Now this key is what holds the actual contact information. So in this group conversation, who was I having it with? I was talking with Henry Van Gogh them. I was talking with Rob Lee, because I do a lot of SANS stuff. I have to communicate with multiple people quite often. So it stores all that information in there. You know, really nice information to have if you're trying to track who's talking with who. You can even set up VIP senders. And this is a default Mac Mail type of thing. You basically star a certain contact and they are now your VIP. You know, their emails get bumped up to the top. They get flagged, they get whatever, just to draw your attention to them. So same kind of markup here. T for time, A for address, and some other information associated. So it does have the VIP underscore flag here. So you can tell it is a VIP contact. I haven't seen a whole lot of people use this in reality, but the data is there. So not just with email messages, also text messages, SMS messages, Jabber messages, AIM messages, ICQ if you're that old school. I think that's still supported. All of those messages also get the same data associated with them. So the com.apple.messages.recents plist, depending on which operating system you're looking on, stores the same type of data. You've got the GP underscore, you've got the MR underscore. So it's storing all that same information: the times and dates that contact was last messaged. And this is not just iMessage. I wanna make a note of that. You can sort of see in here, let me try to highlight it here, this iMessage here and mobile SMS over here. So different protocols will show you different data within these property list files. But again, the same format: you've got the address, you get the times, the protocol, and with messaging you also get phone numbers and email addresses.
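To make the MR_/GP_ structure the talk walks through concrete, here is an added example (it is not code from the talk or from Apple) that builds a small recents plist in memory and flattens it into a newest-first list of who was contacted, how often, and through which client. The addresses, hashes and the exact spelling of the keys (Values, t, a, client) are assumptions modelled on the slides as described, not verified field names; swap in the real file's bytes to run it against an actual com.apple.mail.recents.plist.

```python
import plistlib
from datetime import datetime

# Constructed sample shaped after the talk's description of
# com.apple.mail.recents.plist: a "Values" dict whose keys start with
# "MR_" (one-to-one contact) or "GP_" (group conversation), each holding
# "t" (the most recent contact dates, max five), "a" (addresses) and the
# client that was used. The addresses, hashes and exact key spellings
# ("Values", "t", "a", "client") are assumptions, not verified field names.
SAMPLE_RECENTS = plistlib.dumps({
    "Values": {
        "MR_0a1b2c3d": {
            "t": [datetime(2015, 7, 1, 14, 2, 0), datetime(2015, 7, 3, 9, 15, 0)],
            "a": ["alice@example.com"],
            "client": "com.apple.mail",
        },
        "GP_9f8e7d6c": {
            "t": [datetime(2015, 6, 20, 18, 30, 0)],
            "a": ["bob@example.com", "carol@example.com"],
            "client": "com.apple.mail",
        },
    }
})


def recent_contacts(plist_bytes):
    """Flatten a recents plist into one record per conversation, newest first.

    plist dates are UTC; plistlib hands them back as naive datetimes, so the
    ISO strings below are UTC without an offset suffix.
    """
    data = plistlib.loads(plist_bytes)
    records = []
    for key, entry in data.get("Values", {}).items():
        if key.startswith("MR_"):
            kind = "direct"
        elif key.startswith("GP_"):
            kind = "group"
        else:
            continue  # unknown key prefix: skip rather than guess
        dates = sorted(entry.get("t", []))
        records.append({
            "kind": kind,
            "addresses": list(entry.get("a", [])),
            "client": entry.get("client"),
            "count": len(dates),
            "last_contact": dates[-1].isoformat() if dates else None,
        })
    records.sort(key=lambda r: r["last_contact"] or "", reverse=True)
    return records


if __name__ == "__main__":
    # Read a real file with: recent_contacts(open(path, "rb").read())
    for rec in recent_contacts(SAMPLE_RECENTS):
        print(rec)
```

The same loop works for the messages recents plist the talk mentions next, since it shares the GP_/MR_ layout; only the address values change from email addresses to phone numbers.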
So I can send an iMessage to somebody else's phone number because that's just how the protocol works. So good data collection there. Next up we have synced devices. Safari has this thing where if you open up a bunch of tabs on your OS X system, then maybe you're like, I just wanna chill on my couch, maybe do some web browsing there. You open up your iPad and it syncs all those tabs down. So you can sort of see in the screenshots to the right there, the different tabs are open on different systems. So if I open one tab on one, I move to a different device, I can open that same tab. All of that is getting synced in real time. So under the sync tabs, again it's another plist. I often say you get sick of plists really quick, but then you find the value in them. There's some great, great data to be found. So in the sync tabs, we get a bunch of different GUIDs. Under each GUID is a different device. So under the value here, we have last modified and device name. So I call my mini "mini my pad". That is the device name that I provided it. You might have so-and-so's MacBook Air or so-and-so's Mac mini, something like that. You also have a time and date that that was last synced. So you can do some temporal correlation with this as well. So now we're gonna get into this tabs key down here. Under the tabs key is data for each tab open. It's relatively simple data. It's basically just whatever the title of the webpage was, as well as the URL that it was for. So think about this. If you're being investigated for whatever bad thing you're being investigated for, the cops come by and they get a copy of your iPhone. You still have, say, five different other Mac devices or iDevices that they don't know about. If you're using iCloud and you're syncing all of that data, they can potentially see what Safari tabs you have open at a given period, because it's syncing in real time, assuming it has a data connection.
So maybe you open some tabs on your web browser at home that maybe you shouldn't have. Whatever the case may be, that's gonna get synced down. If they have a copy of one, they might as well have a copy of all of them at this point. So this is one of my favorites. Synced access points. Wi-Fi configurations are also synced across various devices. In OS X, this is the screenshot to the right. You can see the various hotspots that you have connected to, attempted to connect to. And it basically saves this information for all time until you delete it or do a complete clean reinstall. So in this Wi-Fi panel here, you can see I've connected to Hyatt guest room, HHonors, Logan Wi-Fi, airports and hotels and all sorts of stuff. But there are some other ones that I do not show you here that could potentially be more sensitive. Maybe to corporate environments, to internal Wi-Fi, to places that are very specific, that have an access point name that could be considered sensitive information. So naturally, this also gets synced across all the devices. So a couple of other plists here. On the left, you can see all the things that I've connected to fairly recently. And I like to keep a lot of my data in here purely for science. I do not like to keep this up here, but I do like to have good data to show you all when I do my presentations. So let's take a look at Reagan National Wi-Fi. I'm from the DC area. I hang out at National Airport and I like to connect to their free Wi-Fi because why the heck not? So this, of course, gets synced back. So what kind of data is getting synced? The BSSIDs, EAP mode, all that good Wi-Fi stuff. But specifically about the device information, we get the name of the device. In this case, it's my iPhone 5S, as well as when this was synced. So "AddedAt". This string right here basically says hey, I was at National Airport on February 9th, 2014 at a very specific time. This is very, very specific.
Now if you look at all of your access points, you do data correlation, you can make a beautiful timeline of everywhere this person connected at a certain point in time. Very scary stuff. Next up, we have map information. I was always kind of curious why the Maps application came down on OS X. I don't find it particularly useful, but I guess they sort of brought it in to sync all the iCloud map data with. Now I use Maps on my phone, sometimes better off than others, but I do use Apple Maps. Not exactly known as the most reliable, but I do use it. So that data also gets synced to OS X Maps on my system, or on my laptop and my desktop systems at home. So favorite, excuse me, favorite locations. Now these are user-created favorite locations. You might have your home address in there, your work address, whatever places you want to just go to very quickly. That's saved in its own list. Again, it's a plist file and it's under sync_bookmark, some item, and again a GUID. A lot of these items are based upon various GUIDs, some sort of good identifying information. So we can search across the drive for these various GUIDs to find certain information as well. So the meat of this is actually under the data key. Now this is kind of a proprietary data blob, I guess you could say. Apple does this every once in a while. I haven't taken the time out to parse it because you can pretty much just see what the data's supposed to be just using the strings in there. So I throw it into a hex editor. You can see I was in Denmark, I was in Copenhagen doing some touristy type stuff. If you've never been to Nyhavn in Copenhagen, highly recommend it. It's very pretty. Are you from there? That's awesome. Am I lying? It's a beautiful place. Kind of touristy but really pretty. So a lot of the other map data, we have recent addresses and recent location and searches. One note on the recent addresses. This is not user driven.
This is being extracted from your email files, extracted from various web addresses, extracted from all sorts of stuff. If you take a look at it, I have a couple of examples in here. I was condo searching. So I was hooked up with Redfin. I was looking at all sorts of different condos in Arlington and Fairfax and wherever. Every time I got a Redfin email, and those things come in daily, it's scraping the addresses from all of those emails and throwing them into this database. So this is not a choice that the user can disable. So be aware of that. Now recent location and searches, this is definitely something that the user can do. So wherever they search, maybe they're looking for a pharmacy in San Diego, let's say, or they're looking for a burger place, directions to a burger place in Fairfax. All sorts of good tracking information in there. Where has this person been? So that extracted information follows the same structure that we've seen in a lot of other property list files before. It's got the dates and times of these emails. So it's extracting that timestamp from them. The core recents under this M key here basically is showing us this information was scraped from a Redfin email on April 26, 2015. There's the URL, there's the information that was scraped, the subject of the email and all sorts of related information. So recent location and searches. Again, this file has the same type of data structure, that proprietary data blob. But you can just look at it, look at the strings and you can see, oh hey look, this person was searching for a pharmacy in San Diego. You get some timestamps in there as well that you can go back and actually figure out when this person was specifically looking for a pharmacy in San Diego. So moving on to some more application-level data. Various applications, things like Mail, Notes, various documents, all that stuff also gets synced through iCloud.
So just to give you a little screenshot of what the documents might look like. On the left here we have the OS X screenshot of me saving a document to my iCloud Drive. You can save it through the TextEdit iCloud Drive or just the plain iCloud Drive. And I'll get into that a little bit more in a few more screenshots. If you are on the web, on the other side, you see different file folders pre-populated in there for various document formats, Numbers, Keynote. But you can also just drag files into that white space. Works very much like Dropbox might work. So all these documents are really under a directory called Mobile Documents, both on the OS X operating system as well as through the underlying file system. So different document types like Pages and Keynote will get their own directory. So that ~/Library/Mobile Documents/com~apple~Pages is specifically for Pages and so on and so forth. So you can have some organization there that's been pre-populated by Apple itself. But that other category right at the bottom, that's basically for anything that's not a Pages document or a Keynote document. If I wanna throw a PDF in there, if I wanna throw a Windows executable in there, if I wanna throw whatever file in there, it will actually take it. Very Dropbox-like, not Apple-specific documents. So looking more on the disk, taking a more forensic look at this, these are all stored in that Mobile Documents directory under the specific application. Now the one thing about iWork-type documents is that they're actually bundled files. So they're actually a directory of other files. They are presented to the user as a single file, but when you look on disk, or if you look in the terminal, let's say, you'll see a bunch of other files associated with it. So different pictures in the document, different pages, different texts, metadata, all sorts of good stuff, all bundled into one. So that's why you might see multiple files under one document.
On iOS, it's the same sort of file structure. Under /private/var/mobile/Library, you have that Mobile Documents directory. And that's gonna look very similar to what we saw on OS X: com~apple~TextEdit, or whatever other app you might have. On Windows, same thing. This is one of the few things that Windows does sync down to a Windows device. Again, same similar structure. You get the Mobile Documents directory under your user directory through Windows. So photos. This application is probably more popular than not. If you have an iPhone, you tend to take a lot of photos. We can get some giant disks now on iOS devices, up to 128 gigs. And people love to fill them up with pictures of their kids, their cats, food, whatever was happening in Vegas last night, I don't even wanna know. All of those are stored and synced up if you have that particular function selected. So there's two different applications right now for photos. There's the legacy photos application, as well as Photos that came out in 10.10.2 or 10.10.3, I can't recall right now. So two different applications. And on the underlying side of them, they look completely different to us. So I'm gonna go over the legacy one first, because people are still using that. It's not exactly that old to begin with. So there is this data structure under applications for iLife Asset Management. Under this particular directory is all the iCloud-related information associated with photos. One particular database. This is a SQLite database. It's ILifeAssetManagement.db. This is where the bulk of the metadata for each photo is stored. And we're gonna get into that a little bit more in depth in one slide or two. But you also have the actual photos located underneath here. So that assets directory, which has pub, sub, sub-shared, holds a lot of the actual photo information. And this is gonna be very different than what we see on the new Photos application.
So this ILifeAssetManagement database holds a ton of different pieces of metadata: height, width, iCloud person ID, so we can actually associate it to a particular iCloud user. The photo UUID, the device UDID. This one's gonna be particularly interesting because we can tie it back to a certain device. File name, file size, timestamps, all sorts of great metadata associated with each particular photo. You also have photo stream photos. So photo stream photos, or your Photo Stream photos, are stored in /sub. If you have a shared album, those are gonna be in sub-shared. And each one is stored under this hash. And this is that UUID for each particular photo. So if you're looking for a particular one, you find some interesting metadata in that database. You can go find it by that UUID. Search for that file name, for that directory, and you get the photo that's particularly interesting to you. The new Photos application, this one's stored again in a bundle, has photos with lots of other stuff underneath it. So the Photos Library again is one of those bundled files. So underneath here we have all sorts of stuff. Stuff I haven't even had time to take a look at. Attachments, Masters, plugins, previews, whatever. So the new Photos application actually stores information for all the photo stuff on that OS X disk. The previous one stored information just for the iCloud photos. iCloud is now being more integrated into the OS X subsystem. So now it's containing everything associated with it. So the actual photos are stored under the Masters directory. They might be stored under other directories if they had some edits made to them, if they were modified in some way, maybe they added text to it or something like that. But the general photos themselves are under the Masters directory. And we have timestamped file paths, which just makes it pretty easy to find photos that were taken for a certain time period.
But how do we actually tell, because this is all the photos, how do we actually tell which are iCloud-specific photos? So I could have a camera, I could have a nice digital SLR, hook it up here, and those photos would also be in those directories. If we look at the extended attributes, we can tell if it's an iCloud photo or not. So one of my favorite commands is xattr. I like the flags -x and -l, just to show me the data in a hex format. We can actually see what this quarantine value is. So the com.apple.quarantine: these metadata values get populated every time you download a file, every time an attachment comes in. You download a file through a web browser, this com.apple.quarantine information gets tagged onto specific files. Forensically speaking, this stuff is gold. This tells you when that file was downloaded. That hex value in there is a timestamp. It tells you what process downloaded this photo. So in this particular instance, we see cloudphotosd, but say we downloaded something from Safari or Chrome or Firefox, it's actually gonna show you that it came from Safari, Chrome or Firefox. So on a side note, forensically speaking, take a look at this information. It is one of my favorite pieces. So metadata. On the legacy photos application, we had the iLife Asset Management database, and that stored all the metadata associated with each iCloud photo. And in this one, we have a Library.apdb file. This is also a SQLite database. If you see anything on Mac, it's either a plist file or a SQLite database. Generally speaking, I would say 95% of everything is one of those two file types. So the photos metadata. We get a lot more metadata on the new Photos application. Various timestamps, height, width, whatever. But we also get locational information. So it's pulling this data out of the EXIF data. We're getting kind of like a reverse DNS lookup of this particular data.
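The quarantine attribute the talk calls "gold" is a short semicolon-separated string, so it is worth seeing the fields pulled apart once. The parser below is an added example, not code from the talk or from Apple, and works from a constructed attribute value; the UUID in the sample is made up, and the agent match on cloudphotosd is the check the talk describes for telling iCloud-delivered photos from ones imported from a camera.

```python
from datetime import datetime, timezone

# Constructed value in the shape `xattr -p com.apple.quarantine <file>` prints
# on OS X: flags (hex), seconds since the Unix epoch (hex), the downloading
# agent, and a UUID. The UUID below is a placeholder, not a real one.
SAMPLE_QUARANTINE = "0083;55b0a1c0;cloudphotosd;00000000-0000-0000-0000-000000000000"


def parse_quarantine(raw):
    """Split a com.apple.quarantine string into its fields.

    Returns the flags as an int, the download time both as raw epoch
    seconds and as an aware UTC datetime, the agent name, and the UUID
    (None when the fourth field is missing or empty).
    """
    parts = raw.strip().split(";")
    if len(parts) < 3:
        raise ValueError("quarantine attribute needs at least flags;time;agent")
    flags, hex_time, agent = parts[0], parts[1], parts[2]
    uuid = parts[3] if len(parts) > 3 and parts[3] else None
    epoch = int(hex_time, 16)  # the hex timestamp the talk points at
    return {
        "flags": int(flags, 16),
        "epoch": epoch,
        "downloaded_at": datetime.fromtimestamp(epoch, tz=timezone.utc),
        "agent": agent,
        "uuid": uuid,
    }


def is_icloud_photo(raw):
    """True when the agent that wrote the file was cloudphotosd."""
    return parse_quarantine(raw)["agent"].lower() == "cloudphotosd"


if __name__ == "__main__":
    info = parse_quarantine(SAMPLE_QUARANTINE)
    print(info["agent"], info["downloaded_at"].isoformat(), is_icloud_photo(SAMPLE_QUARANTINE))
```

The -xl flags the talk mentions print the attribute as a hex dump; `xattr -p com.apple.quarantine <file>` prints the same value as text, which is the form this parser expects. Feeding it the output for every file under Masters gives a per-file download time and source agent without opening the Library.apdb database.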
So we don't have to pull that information from EXIF data and have to throw it into Google or whatever GPS coordinate tool we like. It's actually showing this. Oh, hey, this photo came from Denmark on a certain date and time or wherever. So really good information in there. So we can actually just scroll through the database, find a picture from a certain location that's of particular interest to us and go looking for that without having to do a lot of the background work for it. So the new Photos application. All that photo stream data is also stored in these particular files. So I've got an example here of iOS. A lot of the data is stored in here as well. So you get the height, width, a lot of the other metadata associated with it. A lot of the stuff that we've already seen in that database on OS X, but as well as on iOS. Shared albums on iOS: there's a certain file path for them. It does contain a lot of the same information. So I can see who shared this photo album with me and other related information. So my email address or their email address when they shared it. Various identifying information associated with it. As well as the title of the shared album. Now on Windows. Again, one of the few things that is synced down to Windows. You still have My Photo Stream and Shared directories. And these are all located under the Photos application on Windows, or in the Photos directory on Windows. Again, another screenshot of my photo stream. These files are stored in just a straight-up JPEG or PNG format depending on the type, if it's a photo or screenshot. Pretty easy to get to. If it's a shared album, you're gonna find that's in, again, another hash-type thing. We can correlate this back to other databases as well. So Passbook passes. This one is particularly interesting. I like to use Passbook a lot. I do a lot of travel. I like, I don't like United, I use United to basically get my Passbook pass to get onto certain flights.
So each flight I take has a ticket associated with that. All of those get stored in the ubiquitous cards directory. In this directory, we have these .pkpass directories. So each of these directories stores all the information associated with each card. Now these could be airline cards, they could be Starbucks gift cards, Target cards, what have you. What you won't see here is Apple Pay related information. So you're not gonna see your Mastercard, your AmEx card or anything like that. This is not Apple Pay specific information. So in these files, we have pass.json. This is just a JSON file, not an XML or anything, not a PLIST file for some reason, but a pass.json file. So Apple's gotta switch it up every once in a while. So this stores all the metadata associated with each pass. So in this one, it shows me what flight I was on, what seat I was in, my United MileagePlus number, what gate I was at, all sorts of interesting metadata.

The Notes application. So each note that you take, whether on iOS or OS X, you see a lot of the same information getting synced up. Now you can choose to make it an iCloud note or not, but many people do because it's almost like an automatic backup of that data. So all that data is stored in these particular directories in a SQLite database. So iOS or OS X, the SQLite database is very, very similar. I've done one little query here just to show you some general information. Each note has associated timestamps, when the note was created, when it was last modified, and just an HTML rendering of the note contents. So very easy to get to that data.

Calendar and Reminders. Calendar and Reminders, while two separate applications on OS X and iOS, are actually integrated as one in the backend. Just a calendar view there. And again, I've done the same thing. So again, they are a SQLite database. You could pull very quick information out of them. So when was the calendar item created? What was the reminder for?
Alarm information, all sorts of metadata. These databases are incredibly large databases. Really makes for awful screenshots. Thus I made a tiny little query just to show you the general information.

Contact information. So all your Apple contacts, all the phone contacts, your messaging contacts, those are all synced back up to iCloud. So every time you add a new contact, maybe you've added a lot of contacts at this conference. It's likely. Those are getting pushed up to iCloud and maybe saved on your OS X systems back at home. And those are, again, stored in a SQLite database. So I pulled out one of the records, a lot of information associated with it. So while here I have a creation date, modification date, first and last name for Andrew, and thankfully I blocked out his number, otherwise I'm sure he'd be receiving some calls. I don't think he'd appreciate that. But there could also be a ton more information associated. Things like social media accounts, physical addresses, digital addresses, all sorts of great contact information depending on what the person put in there.

Now we're down to third-party applications. So if you've looked in some of these screenshots here, you've seen things like iCloud~com~getdropbox, Microsoft Office PowerPoint, OneNote, SkyDrive. It looks like these could be reserved for future use. I took a look at mine, I tried playing with the application to populate that data, but they all seem to be empty. So even the absence of data can still tell us a little bit of something. So you can see what applications I actually use just by looking at this. So maybe you don't have my iPhone, but you can tell some of the applications that I do use. So I'm assuming this is kind of a reserved-for-future-use type of thing.

And last but not least, iCloud Keychain. iCloud Keychain can be extremely useful. People do not like typing in passwords on their iOS devices. I can barely type on these things. I have small hands and I don't like doing it.
So maybe I wanna save all my passwords to Amazon or social media accounts into this database. So this keychain-2.db is just a SQLite database. You can look in there, you might be able to find some strings of interest. If you get access to the user's OS X system, along with their password, you can actually dump their iCloud Keychain, which is incredibly useful to do. I have not yet found a tool or a way to do it on an iOS-specific device, but if you do get access to the user's desktop or laptop system, it does make it a lot easier. It's only protected by the user's login password. And this can contain anything from email accounts, certificates, keys, credit card information, saved form data, addresses. There's really no limit to what could be saved in the iCloud Keychain. It works just like the Keychain on OS X. It's just synced to all of your devices. Just a screenshot of the Keychain Access program. So if you do have the user's password, you can go ahead and click this lock up at the top, input that password, and you can now unlock that Keychain, and you can go ahead and browse the data at your leisure.

So that's it for the presentation. Hopefully the goons are not gonna kick me off stage. I do thank you for coming to the presentation. If you have any questions for me, I will be here for maybe a couple minutes outside of the hall. Feel free to email me any questions you might have. I'm also on Twitter, @iamevltwin. I do a lot of the Twittering, if you will. It's probably the only social thing that I do. So feel free to hit me up on that as well. So thank you for coming. I hope this was informative, and I hope you have a great rest of the conference.
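The com.apple.quarantine attribute the speaker calls "forensic gold" earlier in the talk is a plain semicolon-separated string: hex flags, a hex Unix timestamp, the name of the process that tagged the file, and a UUID. The decoder below is an added example written for this transcript, not the speaker's code or Apple's; the sample attribute value is constructed (the UUID is a placeholder), and the only assumption beyond the talk is that `xattr -p` is available when reading a real file on macOS.

```python
"""Decode a com.apple.quarantine extended-attribute value.

Added example (not from the talk). Value layout, as seen on macOS:
    <hex flags>;<hex unix timestamp>;<agent name>;<uuid>
The sample below is constructed for demonstration.
"""
import subprocess
from datetime import datetime, timezone
from typing import Optional

# Constructed sample: flags 0x0083, timestamp 0x59682f00 = 1500000000
# (2017-07-14 02:40:00 UTC), tagged by cloudphotosd. The UUID is a placeholder.
SAMPLE_QUARANTINE = "0083;59682f00;cloudphotosd;4A7C2B1E-1111-4222-8333-444455556666"


def parse_quarantine(value: str) -> dict:
    """Split a quarantine string into its fields.

    Some values omit the agent or the UUID (trailing ';' with nothing after),
    so missing trailing fields come back as None instead of raising.
    """
    parts = value.strip().split(";")
    if len(parts) < 2:
        raise ValueError(f"not a quarantine value: {value!r}")
    flags = int(parts[0], 16)
    # Second field: seconds since the Unix epoch, written in hex.
    stamp = datetime.fromtimestamp(int(parts[1], 16), tz=timezone.utc)
    agent = parts[2] if len(parts) > 2 and parts[2] else None
    uuid = parts[3] if len(parts) > 3 and parts[3] else None
    return {"flags": flags, "timestamp": stamp, "agent": agent, "uuid": uuid}


def is_icloud_photo(value: str) -> bool:
    """True when the tagging agent is cloudphotosd, the Photos iCloud sync daemon."""
    return parse_quarantine(value)["agent"] == "cloudphotosd"


def read_quarantine(path: str) -> Optional[dict]:
    """Read and decode the attribute from a file using `xattr -p` (macOS only).

    Returns None when the file carries no quarantine attribute.
    """
    proc = subprocess.run(
        ["xattr", "-p", "com.apple.quarantine", path],
        capture_output=True, text=True, check=False,
    )
    if proc.returncode != 0 or not proc.stdout.strip():
        return None
    return parse_quarantine(proc.stdout)


if __name__ == "__main__":
    info = parse_quarantine(SAMPLE_QUARANTINE)
    print(f"{info['agent']} tagged the file at {info['timestamp'].isoformat()} "
          f"(flags 0x{info['flags']:04x}); iCloud photo: {is_icloud_photo(SAMPLE_QUARANTINE)}")
```

Running `read_quarantine` over every file in the Photos directories gives the "which of these came down from iCloud" answer directly: a cloudphotosd agent marks a synced photo, while a browser name marks a download, and the timestamp field is the download time rather than the file's modification time.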
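For the Passbook section of the talk, here is an added triage script (written for this transcript, not the speaker's or Apple's code) that walks .pkpass directories and pulls the examiner-relevant values out of each pass.json. It relies on the documented PassKit keys (passTypeIdentifier, serialNumber, organizationName, relevantDate, barcode, and one of boardingPass/coupon/eventTicket/storeCard/generic holding the *Fields arrays). The embedded sample pass is constructed and does not mirror any real airline's file.

```python
"""Summarise pass.json files found in .pkpass directories.

Added example (not from the talk). Uses the documented PassKit top-level
keys; the sample pass content is constructed.
"""
import json
import os
from typing import Dict, List

PASS_STYLES = ("boardingPass", "coupon", "eventTicket", "storeCard", "generic")
FIELD_GROUPS = ("headerFields", "primaryFields", "secondaryFields",
                "auxiliaryFields", "backFields")

# Constructed sample pass.json; identifiers, names and values are invented.
SAMPLE_PASS_JSON = json.dumps({
    "formatVersion": 1,
    "passTypeIdentifier": "pass.example.air.boarding",
    "serialNumber": "EXAMPLE-0001",
    "teamIdentifier": "EXAMPLETEAM",
    "organizationName": "Example Air",
    "description": "Example Air boarding pass",
    "relevantDate": "2015-08-09T14:30:00-07:00",
    "barcode": {"message": "EXAMPLE-BARCODE-PAYLOAD",
                "format": "PKBarcodeFormatQR", "messageEncoding": "iso-8859-1"},
    "boardingPass": {
        "transitType": "PKTransitTypeAir",
        "headerFields": [{"key": "gate", "label": "GATE", "value": "D12"}],
        "primaryFields": [{"key": "from", "label": "LAS", "value": "Las Vegas"},
                          {"key": "to", "label": "IAD", "value": "Washington"}],
        "secondaryFields": [{"key": "pax", "label": "PASSENGER", "value": "J. DOE"},
                            {"key": "seat", "label": "SEAT", "value": "14C"}],
        "backFields": [{"key": "ff", "label": "FREQUENT FLYER", "value": "EX0000000"}],
    },
})


def summarize_pass(text: str) -> dict:
    """Flatten one pass.json into the values an examiner wants to see first."""
    doc = json.loads(text)
    # Exactly one of the style keys is present in a well-formed pass.
    style = next((s for s in PASS_STYLES if s in doc), None)
    fields: Dict[str, str] = {}
    if style:
        for group in FIELD_GROUPS:
            for field in doc[style].get(group, []):
                # Prefer the display label; fall back to the machine key.
                name = field.get("label") or field.get("key", "?")
                fields[name] = str(field.get("value", ""))
    # Newer passes may use a "barcodes" array instead of a single "barcode".
    barcode = doc.get("barcode") or (doc.get("barcodes") or [{}])[0]
    return {
        "organization": doc.get("organizationName"),
        "pass_type": doc.get("passTypeIdentifier"),
        "serial": doc.get("serialNumber"),
        "style": style,
        "relevant_date": doc.get("relevantDate"),
        "barcode": barcode.get("message"),
        "fields": fields,
    }


def summarize_pkpass_dirs(root: str) -> List[dict]:
    """Summarise every <name>.pkpass/pass.json directly under root."""
    results = []
    for name in sorted(os.listdir(root)):
        path = os.path.join(root, name, "pass.json")
        if name.endswith(".pkpass") and os.path.isfile(path):
            with open(path, encoding="utf-8") as fh:
                results.append(summarize_pass(fh.read()))
    return results


if __name__ == "__main__":
    s = summarize_pass(SAMPLE_PASS_JSON)
    print(f"{s['organization']} {s['style']} serial {s['serial']} on {s['relevant_date']}")
    for label, value in s["fields"].items():
        print(f"  {label}: {value}")
```

Pointed at the ubiquitous cards directory, `summarize_pkpass_dirs` turns each pass into one line of organisation, serial, relevant date and the labelled fields (seat, gate, loyalty number), which is the same information the speaker read off the screenshot but without opening each JSON file by hand.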