File Provider & iCloud Drive Metadata

macOS, Filesystem & Timeline, Disk Image

Location

~/Library/Application Support/FileProvider/, ~/Library/Application Support/CloudDocs/, and ~/Library/CloudStorage/

Common Names

CloudDocs, File Provider, iCloud Drive

Description

Metadata caches and synchronization state for File Provider-backed storage on macOS, including iCloud Drive and other providers that surface content through CloudStorage and File Provider frameworks.

Forensic Value

These stores help determine which cloud-backed documents, folders, and providers were visible to the user even when the actual file contents were not fully hydrated on disk at collection time. They are valuable in exfiltration, insider threat, and cloud storage investigations because they can show file names, sync state, provider identifiers, and timestamps for recently accessed or staged content. They also help distinguish local files from placeholders that were only materialized on demand.

Tools Required

find, sqlite3, plutil, mac_apt

Collection Commands

find

find ~/Library/Application\ Support/FileProvider ~/Library/Application\ Support/CloudDocs ~/Library/CloudStorage -maxdepth 4 -print > /forensics/file_provider_inventory.txt 2>/dev/null

cp

cp -R ~/Library/Application\ Support/FileProvider /forensics/file_provider/ 2>/dev/null && cp -R ~/Library/Application\ Support/CloudDocs /forensics/clouddocs/ 2>/dev/null

plutil

find ~/Library/Application\ Support/FileProvider -name "*.plist" -exec plutil -p {} \; > /forensics/file_provider_plists.txt 2>/dev/null

Collection Constraints

  • Paths, schemas, and permission boundaries vary by macOS release, Full Disk Access state, and whether data came from a live collection, mounted image, or backup source.
  • Hydration state, provider layout, and cache coverage vary by provider and macOS release. Placeholder files may exist without full content, and some metadata is only meaningful alongside provider-specific logs.

MITRE ATT&CK Techniques

T1567.002 (Exfiltration to Cloud Storage), T1005 (Data from Local System), T1083 (File and Directory Discovery)