If you analyze the scopes table scopeIdentifier field, you should find a scope identifier that matches the identifier located in the *\PhotoData\Photos.sqlite ZSHARE table ZSCOPEIDENTIFIER field. Based on my testing, a scope identifier for an iCloud Shared Photo Library will begin with “SharedSync-” and then be followed by a UUID.
This scopeIdentifier can be found in multiple files within a device that is the owner and / or participant of the iCloud Shared Photo Library (SPL).
If you analyze this database and an iCloud Shared Photo Library has been created, you will observe the db contains a lot of useful information about the SPL. This includes several embedded plists and other data. One thing that was discovered during the testing and research is the creation date located in store.cloudphotodb scopes table creationDate field and in *\PhotoData\Photos.sqlite ZSHARE table ZSCOPEIDENTIFIER field. The creation date of the iCloud Shared Photo Library in this instance was on 2024-02-19.
Note that the top half of the figure above, which is from the *\PhotoData\Photos.sqlite ZSHARE table ZCREATIONDATE field, matches the date the SPL was created, and the date listed in the *\CPL\storage\store.cloudphotodb scopes table creationDate field does not. For the purpose of this research and blog, I did not take the time to detail why this occurred, but it should be noted that if the creation date of the SPL is critical to the investigation, you should reference the *\PhotoData\Photos.sqlite for a more accurate date timestamp.
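The cross-check described above can be scripted. The following is an added example, not code from this blog or from iLEAPP: it matches SharedSync scope identifiers between the two databases and decodes ZCREATIONDATE. It assumes ZCREATIONDATE is a Core Data timestamp (seconds since 2001-01-01 UTC) and uses constructed in-memory databases holding only the columns named above.

```python
import re
import sqlite3
from datetime import datetime, timedelta, timezone

# "SharedSync-" followed by a UUID, the pattern the post reports for SPL scopes.
SPL_SCOPE_RE = re.compile(
    r"^SharedSync-[0-9A-Fa-f]{8}-(?:[0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$")
CORE_DATA_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)


def core_data_to_utc(seconds):
    """Convert a Core Data timestamp (assumed: seconds since 2001-01-01 UTC)."""
    return None if seconds is None else CORE_DATA_EPOCH + timedelta(seconds=seconds)


def correlate_spl_scopes(cpl_db, photos_db):
    """Match SPL scope identifiers across store.cloudphotodb and Photos.sqlite.

    Returns one dict per SharedSync scope found in the scopes table. The ZSHARE
    creation date is decoded; the scopes creationDate is returned raw because
    the post does not describe how that column is encoded.
    """
    shares = dict(photos_db.execute(
        "SELECT ZSCOPEIDENTIFIER, ZCREATIONDATE FROM ZSHARE "
        "WHERE ZSCOPEIDENTIFIER IS NOT NULL"))
    results = []
    for sid, cpl_created in cpl_db.execute(
            "SELECT scopeIdentifier, creationDate FROM scopes"):
        if not SPL_SCOPE_RE.match(sid or ""):
            continue  # not an SPL scope under the SharedSync-<UUID> pattern
        results.append({
            "scopeIdentifier": sid,
            "in_photos_sqlite": sid in shares,
            "zshare_created_utc": core_data_to_utc(shares.get(sid)),
            "cpl_creationDate_raw": cpl_created,
        })
    return results


def build_sample_dbs():
    """Constructed stand-ins for the two databases (all values are made up)."""
    scope = "SharedSync-11111111-2222-3333-4444-555555555555"
    cpl = sqlite3.connect(":memory:")
    cpl.execute("CREATE TABLE scopes (scopeIdentifier TEXT, creationDate)")
    cpl.executemany("INSERT INTO scopes VALUES (?, ?)",
                    [("NotAnSplScope", None), (scope, "raw-value-as-stored")])
    photos = sqlite3.connect(":memory:")
    photos.execute(
        "CREATE TABLE ZSHARE (ZSCOPEIDENTIFIER TEXT, ZCREATIONDATE REAL)")
    # 730047600 s after 2001-01-01 is 2024-02-19 15:00:00 UTC (constructed).
    photos.execute("INSERT INTO ZSHARE VALUES (?, ?)", (scope, 730047600.0))
    return cpl, photos


if __name__ == "__main__":
    for row in correlate_spl_scopes(*build_sample_dbs()):
        print(row)
```

Against working copies of the real files, open each database read-only, for example `sqlite3.connect("file:Photos.sqlite?mode=ro", uri=True)`, so the analysis does not modify the evidence copy.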
Property Lists:
Parsers have been created within iLEAPP to assist with parsing and reviewing the data stored within the following property lists.
Below are some other fields within the com.apple.mobileslideshow.plist to search that allow you to gain insight into how the device is set up and used in conjunction with iCloud Shared Photo Library (SPL):
com.apple.mobileslideshow.plist
This is a property list (plist) I have mentioned during the Optimized iPhone Storage and Shared with You research and blogs. During this iCloud Shared Photo Library research, it appears this plist will be one of the first files you will want to analyze when attempting to determine if this feature is active on an analyzed device. The plist can be found at the following location:
*\mobile\Library\Preferences\com.apple.mobileslideshow.plist
NOTE: During the research, some of the plist fields were hidden unless I manually made changes to the device settings. After setting up an owner device with iCloud Shared Photo Library (SPL), most of the fields listed below were initially hidden from view / not listed in the plist. It was only after I made changes to specific settings that the related plist fields would be visible in the plist. This behavior was different when reviewing the data for participant devices. Some of the hidden fields were automatically visible within the participant device. If you do not see the following fields within the plist, it's likely due to the device using the default SPL settings. I have listed what I believe to be the default value for each field below.
PhotosSharedLibrarySyncingIsActive – The first key/field you will want to search for is PhotosSharedLibrarySyncingIsActive. During testing, when a device and Apple ID were used to set up or participate in an iCloud Shared Photo Library (SPL), this field indicated True. During previous research and testing I have not observed this field, which leads me to believe this field is a great indicator iCloud Shared Photo Library is active.
CameraSharingPreferencesState – While setting up the iCloud Shared Photo Library for this research, I was only prompted for two different options:
Share Automatically and Share Manually Only
During the SPL setups, I used both Smart Camera Share options Share Automatically and Share Manually Only. After setting up “owner” devices and “participant” devices, when making changes to the Smart Camera Share settings I was not able to trigger a change to the plist value after initial setup. Based on testing results, I believe the following values indicate the subsequent option was chosen at setup or after accepting a Shared Photo Library Invitation:
CameraAutoShareEnabled – This field was hidden within the SPL owner device when I chose Share Manually Only during SPL setup. This field was only revealed after I chose Share Automatically during the SPL setup or if I changed the setting after SPL setup. There is not a default setting for this field; it must be chosen during SPL setup.
True – Camera Auto Share setting is enabled
False – Camera Auto Share setting is off / disabled
SharedLibraryBadgingEnabled – This field will indicate if the iCloud Shared Photo Library icon will be visible on assets within the physical device UI that are being stored in the iCloud Shared Photo Library. Depending on the iOS version installed on the device, the on-device settings menu might list it as Shared Library Badge or Shared Library Indicator.
True – SPL indicator will be visible in camera roll on an asset thumbnail if the asset is in SPL
False – SPL indicator will not be visible in camera roll on an asset thumbnail if the asset is in SPL
CameraSharingEnabled – This field was hidden within the SPL owner device by default. I believe this is because a user only has two options to choose from when setting up an iCloud Shared Photo Library: Share Automatically and Share Manually Only. Therefore, a user cannot turn this off or make it False during setup; the default value for this field is True.
True – Default and not visible after iCloud Shared Photo Library owner setup
False – Share from Camera switch is off, occurs after setup via the device settings menu
CameraShareFromHomeEnabled – This field was hidden by default given a user cannot change this setting during the initial SPL setup. The default value for this field is False.
True – Camera Share from Home setting is enabled
False – Camera Share from Home setting is off / disabled – Default
What is Home Location?
If you are using the iLEAPP parsers and analyzing the ZADDITIONALASSETATTRIBUTES table ZREVERSELOCATIONDATA parsed plist data, you will notice an isHome field which will indicate if the media was captured from within what has been detected as the device's home.
PXSharedLibraryMoveItemsToSharedLibraryConfirmed – This field will be present after an owner or participant has shared assets from their personal photo library to the shared photo library. The default value for this field is False and was hidden from view until the device / Apple ID added files to the iCloud Shared Photo Library.
True – Indicates the device / Apple ID being analyzed has shared assets from their personal photo library to the shared photo library
False – Indicates the device / Apple ID being analyzed has not shared assets to the SPL. When this field was False it was hidden and could not be viewed with the plist.
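Because several of these keys are hidden until a setting is changed, a report should distinguish a value that was read from the plist from one that is only inferred from the defaults listed above. The following is an added example, not code from this blog or from iLEAPP: the function names are hypothetical, the defaults are the ones the author believes apply, and the sample plist is constructed.

```python
import plistlib

# Defaults the post's author believes apply when a key is absent ("hidden").
# None means the post states no default for that key.
BELIEVED_DEFAULTS = {
    "PhotosSharedLibrarySyncingIsActive": None,
    "CameraSharingPreferencesState": None,
    "CameraAutoShareEnabled": None,  # "must be chosen during SPL setup"
    "SharedLibraryBadgingEnabled": None,
    "CameraSharingEnabled": True,
    "CameraShareFromHomeEnabled": False,
    "PXSharedLibraryMoveItemsToSharedLibraryConfirmed": False,
}


def triage_spl_prefs(plist_bytes):
    """Report each SPL key as observed, inferred from a default, or unknown."""
    prefs = plistlib.loads(plist_bytes)  # handles XML and binary plists
    report = {}
    for key, default in BELIEVED_DEFAULTS.items():
        if key in prefs:
            report[key] = {"value": prefs[key], "source": "observed"}
        elif default is not None:
            report[key] = {"value": default, "source": "absent, believed default"}
        else:
            report[key] = {"value": None, "source": "absent, no default given"}
    return report


def spl_indicated(report):
    """True only when PhotosSharedLibrarySyncingIsActive was read as true."""
    entry = report["PhotosSharedLibrarySyncingIsActive"]
    return entry["source"] == "observed" and bool(entry["value"])


# Constructed sample: an owner device left on the default SPL settings.
SAMPLE_PREFS = {
    "PhotosSharedLibrarySyncingIsActive": True,
    "SharedLibraryBadgingEnabled": True,
    "UnrelatedConstructedKey": 1,
}


def build_sample_plist(prefs=SAMPLE_PREFS):
    """Serialize a constructed preferences dict as a binary plist."""
    return plistlib.dumps(prefs, fmt=plistlib.FMT_BINARY)


if __name__ == "__main__":
    result = triage_spl_prefs(build_sample_plist())
    print("SPL indicated:", spl_indicated(result))
    for name, entry in result.items():
        print(f"{name}: {entry['value']!r} ({entry['source']})")
```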
com.apple.camera.plist
This is a property list (plist) I have mentioned during other blogs related to Photos.sqlite. During this iCloud Shared Photo Library research, it appears this plist will be one of the first files you will want to analyze if you are attempting to determine if this feature is active on a device.
The plist can be found here:
*\mobile\Library\Preferences\com.apple.camera.plist
NOTE: Parser has been created within iLEAPP to assist with com.apple.camera.plist analysis.
CAMUserPreferenceSharedLibraryLastDiscoveryDate – This field will contain a date timestamp string. During my testing, this date timestamp string would get updated after something (user actions or OS analysis) affected the settings that determine if a captured asset should be shared to a Shared Photo Library or to a Personal/Local Photo Library.
CAMUserPreferenceSharedLibraryLastDiscoveryLocation – This field will contain a NSKeyedArchive plist. This plist will contain location data and other location setting variables when the settings were last discovered by the OS.
CAMUserPreferenceSharedLibraryLastLocationAcquiredDuringTrip – This field will contain a True/False value.
During my testing, I only observed a False value for this field; additional testing and research are required.
CAMUserPreferenceSharedLibraryLastUserActionDate – This field will contain a date timestamp string. During my testing, this date timestamp string would get updated after something (user actions or OS analysis) affected the settings that determine if a captured asset should be shared to a Shared Photo Library or to a Personal/Local Photo Library. A user action could be any number of things including a user manually changing a setting or a device entering an area recognized as “home.”
CAMUserPreferenceSharedLibraryLastUserActionLocation – This field will contain a NSKeyedArchive plist. This plist will contain location data and other location setting variables for the last user action. During my testing I found the location, in conjunction with the horizontal accuracy, to be accurate for where the device was located during the last “user action.”
CAMUserPreferenceSharedLibraryMode – This field will exist if an iCloud Shared Photo Library exists, and the Camera Application has been launched. During testing, when changes were made via the settings menu, the changes to the plist would only be written after the Camera Application has been relaunched.
NOTE: The research and documentation for this field (CAMUserPreferenceSharedLibraryMode) was included in the blog for informational purposes only. I was unable to definitively determine each value and what caused the value to be recorded.
As you might have noticed in the screenshot (SPL_Blog#3.png) in the description for CameraSharingPreferencesState, there are variables which influence if an asset is shared from the camera application to iCloud Shared Photo Library. I spent a few hours working on this specific plist field and still could not narrow down the exact interpretation and decoding for each value. Based on my testing, the value stored within this field is dependent upon several settings within the Camera Application Settings > Share Library Settings and other variables that influence settings such as:
The device capturing the media file was in Bluetooth range of other devices that are participants of the iCloud Shared Photo Library
And/or
The device capturing the media file was within the geographical area of the recorded “Home” geofence as determined by iOS
At least for the time being, through iOS 17, the following settings can be changed via the settings menu located at: Settings > Camera > Shared Library >
The following table and definitions are provided for informational purposes only. Please ensure that you validate analysis findings when using for investigations. The values observed and my best interpretation of what caused the values to be populated are detailed below:
Other Notes:
When the Shared from Camera was changed from automatic to manual – location keys aren’t listed in the plist anymore.
When the setting Share When at Home was changed from on to off and the device was no longer within the home area lots of the fields for SPL are no longer visible in the plist(s).
camera_smart_sharing_metadata.plist
This is a property list (plist) containing some values after the iCloud Shared Photo Library was set up. In some acquisitions this plist existed and contained some valuable data, but in other device acquisitions using iCloud Shared Photo Library this plist was not present. The plist can be found at the following location:
*\mobile\Media\PhotoData\Caches\SmartSharing\camera_smart_sharing_metadata.plist
The following keys/values were observed during research and testing.
homeLocations – Based on my testing the value listed in this key/field will contain location data for a derived device “home.” There is additional data regarding “home” data found within the *\PhotoData\Photos.sqlite ZADDITIONALASSETATTRIBUTES table ZREVERSELOCATIONDATA embedded plist. There will be a key/value indicating if the related location “isHome.” During my testing, I observed the location data being stored in this key/field was correct for where my residence was located.
creationDate – Based on my testing the value listed in this key/field will contain a date and timestamp when the plist was created and the smart sharing feature was used.
frequentLocations – Based on my testing the value(s) listed in this key/field will contain location(s) that have been derived as frequent locations. During my testing I observed two different locations being stored in this field and they were both locations the test device frequented.
Identities – Based on my testing the value listed in this key/field will contain Phone Numbers and Emails for participants of the iCloud Shared Photo Library. This data will also be found in *\PhotoData\Photos.sqlite ZSHAREPARTICIPANT table ZEMAILADDRESS and ZPHONENUMBER fields.
libraryScopeLocalIdentifier – Based on my testing the value listed in this key/field will contain a UUID that can be found in *\PhotoData\Photos.sqlite ZSHARE table ZUUID field for the Shared Library Invitation record.
System Logs During iCloud Shared Photo Library Set up:
After finding and reviewing the above property lists, I observed GUIDs and UUIDs that I believed could be linked to the iCloud Shared Photo Library set up. Thanks to the Hexordia team and their publicly available free tool called Evanole, I was able to capture, analyze, and export device system logs created while setting up and interacting with files related to the iCloud Shared Photo Library.
iCloud Shared Photo Library Assets and shared from different participants:
Now that we have some artifacts that let us know we should be on the lookout for assets being shared from different participants, how can we determine which assets have been shared from a SPL owner versus a SPL participant?
After reading the above question and the device settings section I used a few terms such as “Owner” and “Participant.” Before we move on let’s get a definition for these terms.
Owner:
In the online documentation and within the device, Apple defines the Apple ID who owns the iCloud storage as the “owner” and/or “organizer” of the iCloud Shared Photo Library. Anytime you observe the term owner and/or organizer, this is referring to the Apple ID user who owns the iCloud Storage being used to store the iCloud Shared Photo Library.
Participant:
Any other person / Apple ID who was invited and/or is sharing with the iCloud Shared Photo Library is referred to as a participant.
SQLite queries and iLEAPP parsers:
During the research and testing I created several queries and iLEAPP parsers to help with parsing the data from *\PhotoData\Photos.sqlite database pertinent to an iCloud Shared Photos Library. The following parsers have been published and are available via iLEAPP.
Listed below are the parser names and a general overview of what each parser is presenting:
Ph30iCloudShareMethodsNAD.py – Parses records for different methods which media files have been shared via iCloud Share. The data being parsed is focused on the share methods found in the *\PhotoData\Photos.sqlite ZSHARE table and supports iOS 14-18. This parser will parse iCloud Share methods and participant records only, no asset data will be parsed. The iCloud Share methods being stored in these records include Shared iCloud Links also known as Cloud Master Moments (CMMs) and iCloud Shared Photo Library (SPL).
Ph31iCloudSharePhotoLibraryNAD.py – Parses iCloud Shared Photo Library records and invites from the *\PhotoData\Photos.sqlite ZSHARE Table and supports iOS 14-18. This parser will parse iCloud Shared Photo Library records and invite records to participants only, no asset data will be parsed.
Ph32AssetsIniCldSPLwContrib.py – Parses assets that are in an iCloud Shared Photo Library. The results of this parser can be very large depending on the number of records in the SPL. The data being parsed will include basic asset data and contributor information from *\PhotoData\Photos.sqlite. This parser supports iOS 16-18. I would strongly recommend using iLEAPP to parse the database and opening the TSV generated report with Zimmerman’s Tools Timeline Explorer. https://ericzimmerman.github.io/#!index.md
Ph33AssetsIniCldSPLfromOtherContrib.py – Parses assets that are in an iCloud Shared Photo Library. The results of this parser can be very large depending on the number of records in the SPL. The data being parsed will include basic asset data and contributor information from *\PhotoData\Photos.sqlite. This parser will only parse the assets which have been contributed to the SPL by participants who are not the acquired device user. This parser supports iOS 16-18. I would strongly recommend using iLEAPP to parse the database and opening the TSV generated report with Zimmerman’s Tools Timeline Explorer.
iCloud Shared Photo Library Asset File paths:
This is just a quick note about where these files will be stored on the device. The quick answer is that there is not a change or new file paths to investigate with this feature. If a user contributes an asset / file to an iCloud Shared Photo Library, the file will remain in its current file storage location and the appropriate data will be recorded in the Photos.sqlite and store.cloudphotodb databases. This can be verified by using the *\PhotoData\Photos.sqlite ZASSET table ZDIRECTORY field for the appropriate asset record.
Anti-Forensics:
Because of the complexity of the steps taken to use this feature for anti-forensics, I will be writing this up and sharing this information by request only. One of the main indicators this feature was being used in an anti-forensics manner will be very few or no media assets being stored locally on the device. If you believe you might have a situation where this has occurred, please email me for this portion of the blog at forensicscooter@gmail.com
Conclusion:
As I stated at the beginning, this blog has taken several months to publish, and I apologize for not getting it posted sooner. Even though this feature has been released to the public for some time, I believe it is important to understand these artifacts. To the best of my knowledge, not having every commercial tool available to me, I do not believe a lot of what has been discussed in this blog is being parsed by commercial forensic tools.
Having the ability to demonstrate media attribution could be a critical piece to a digital investigation. Using the data contained in *\PhotoData\Photos.sqlite and the property lists discussed, you should have the ability to locate indications if a media file was or was not shared to an iCloud Shared Photo Library and an Apple ID identifier indicating who shared the file to the SPL.
Additional Thoughts:
With the public release of iOS 18 additional research will be required to ensure any new data has not been overlooked or missed.
The property lists listed in this research could contain values and additional fields not yet observed. If additional data is discovered and you find it may be useful to others, please don’t hesitate to contact me and I would be happy to share your findings.