Apple Data Download
IntaForensics Principal Cell Site Analyst Carl Osborne looks at the potential value of the Apple Data Download. Digital Media Investigators, the detectives of the digital world are continuously looking at different ways to source information as part of digital forensics. One of the methods that has recently come to light, is the use of the ‘Apple Data Download’ option, I was excited when this was first announced as, not surprisingly, Apple have the potential to hold a vast amount of data on us.
Firstly, I was shocked to see how easy the process of requesting a data download was, albeit the potential to wait 7 days for the download may cause a problem if I wanted my data urgently.
I was astonished by the amount of data that I received from the download, my next task though was to see how useful the data was to me, as a Digital Media Investigator!
To request the download of the data, you need to click the following link https://privacy.apple.com/ and once you access the site you are then requested to enter the Apple ID and password.
Be aware that if Two-Factor (2FA) authentication is “on” this may cause an issue if you don’t have the linked device with you.
You are then given 4 options, the one I am going to cover here is “obtain a copy of your data option”.
It is claimed that the download will include:
- App usage and activity information as spreadsheets or files in JSON, CSV, XML or PDF format
- Documents, photos and videos in their original format
- Contacts, calendars and bookmarks in VCF, ICS or HTML format
The data options can be seen below:
Once you have ticked all the boxes relating to the data you want to obtain, you can select the maximum file size of the download which ranges from 1 to 25GB….potentially lots of data then!
My selected data arrived in 5 days, which I guess is not a great deal of time considering the amount of data I requested but the website suggests that data downloads can take up to 7 days to arrive.
So, what did I find?
I won’t go into all the data we can obtain as I clearly do not want to spoil your fun, however I will highlight some of the data that I believe may assist you.
If any of you know me personally, it will be no surprise that I went to the Wi-Fi data first (it relates to Radio Frequency after all); I was pleased with the XML document that came as part of the download, this contained not only Wi-Fi access points that my phone had connected to but it also included any of the access points my other Apple devices had connected to using my Apple ID and, in some cases, associated dates and times.
I then looked at the Mail data; this would be of benefit if you were looking to show contact with an email address of interest. As a minimum you are supplied a contact email address and dates/times of contact made. You can also obtain a list of VIP email address contacts which may prove useful.
Store Transaction History.csv is a very interesting file to look out for, this file in the wrong hands could seriously harm my street cred as, over time, I have arguably downloaded some truly horrific songs (Womanizer by Britney Spears) and to add to that ‘my’ movie purchases indicate a rather strange obsession with Patrick Swayze films that I was completely unaware of……
Joking aside, this file has a wealth of information including purchased date/time, how the item was purchased, what device was used to purchase, the IP address used and the amount the item cost which was also an eye opener and reveals that I have spent over £3k in 11 years.
There is also a similar file called Store Free Transaction History.csv which obviously shows the free downloads, this file also offers the same detailed information.
Other useful files include iCloud usage data set, which is a file that shows items that are automatically backed-up to the Cloud from such apps like “photos” and the like. The back-up also geolocates where you have backed up from which again could be useful.
The data download potentially offers a wealth of data that could highlight several lines of enquiries such as unknown devices that have used the Apple ID and attribution to the Apple ID/device or lifestyle movements. It may not solve all the questions you may have, but certainly exploring the possible impacts this download could bring may well be of some benefit to the DMI community.
Currently this feature is only available for the users residing in the European union, but Apple is said to have concerns about extending this worldwide. This sudden decision is due to the European Union’s General data Protection Regulation (GDPR).
To find out more about our services Tel: 0247 77 17780 to speak with a member of the team or fill-in our online contact form.