top of page
Search

Understanding macOS Document Versions and iCloud Storage, Syncing

  • Apr 17
  • 4 min read
ree

macOS introduced the Versions feature in macOS 10.7 as an automatic backup system for certain document types. This allows users to revert to earlier versions of their documents, which can be helpful for restoring lost work or tracking changes over time.


How Document Versions Work

macOS automatically saves multiple "generations" of a document under specific conditions:


  • Every time the document is opened, saved, duplicated, locked, renamed, or reverted.

  • Every hour while the document remains open.

  • Whenever significant changes are made to the file.


Applications that support this feature include:


  • TextEdit

  • iWork apps (Pages, Keynote, Numbers)

  • Preview

  • Some third-party applications


However, Microsoft Office does not support macOS Versions, as it has its own autosave functionality.


Where Are These Versions Stored?

macOS stores document versions in a hidden system directory named .DocumentRevisions-V100. This directory can be found at:

These folder are hidden so you might not able to see if you navigate through mac so click windows+shift+. to view hidden content.
ree


/System/Volumes/Data/.DocumentRevisions-V100 (macOS 10.15 and later)

Versions are stored differently depending on the type of storage: (Under folder DocumentRevisions-V100.)

  • Internal storage: Versions are stored under directories named PerUID/ (per user ID)

  • External media: Versions are grouped under AllUIDs/


Each file has a unique directory structure, often formatted in a reverse DNS style 
com.apple.documentVersions for local documents, 
com.apple.ubiquity for iCloud-synced files, 
com.apple.thumbnails for QuickLook previews).

Investigating Historical Versions

If you need to analyze historical document versions (for example, in digital forensics or file recovery), you can:

  • Identify the document’s inode number and owning user using the command:

    ls -li <file_path>

  • Locate the metadata database at:

    /.DocumentRevisions-V100/db-V1/db.sqlite

    • This SQLite database contains file versions, timestamps, and storage locations.

      ree

      Output:

      ree

  • Query the database to list all available versions for a given inode:

SELECT * FROM FILES WHERE inode = '<inode_number>';

  • Use xattr -lp to check extended attributes, which may include:

    • Original display name (com.apple.genstore.origdisplayname)

    • System where the file was created (com.apple.genstore.info)



Understanding Chunk Storage

Instead of storing full document copies, macOS uses Chunk Storage to save only changed parts of a file. These chunks are found in:


  • /.DocumentRevisions-V100/.cs/ directory

  • Stored in ChunkStorageDatabase (SQLite-based system)

ree

Each chunk has a structured format:

  • First 4 bytes: Size of the chunk record

  • Next 21 bytes: Unique Chunk ID (CID)

  • Remaining bytes: Chunk data (actual file content)


For recovery or analysis, chunks can be reconstructed using the CSChunkTable and CSStorageFileTable in the ChunkStoreDatabase.
ree

Conclusion

The Versions feature in macOS provides an automatic way to track document changes and recover previous versions. By understanding how macOS stores document versions, users can take advantage of this feature for data recovery, forensic analysis, or simply managing revisions more effectively.

For forensic investigators, tools like TruffleShuffle can help extract and analyze these document versions efficiently.


------------------------------------------------------------------------------------------------------------


What is iCloud?

iCloud provides Apple users with cloud storage and synchronization services. Each user has an iCloud account linked to their Apple ID, and a unique identifier called a Person ID. Apple offers 5GB of free storage, with options to upgrade up to 2TB.


With iCloud, users can store and sync:

  • Photos and videos

  • Documents and app data

  • Messages

  • Contacts and calendars

  • Email and notes

  • Health data

  • HomeKit configurations

  • Device settings and backups


This data is stored on Apple servers, and while Apple maintains strict security protocols, forensic tools can help analyze and extract data when needed.


Accessing iCloud Data

Users can access iCloud data through:


  • macOS and iOS devices (natively integrated)

  • Windows systems via the iCloud app

  • Any web browser by logging into iCloud.com


For forensic investigators, accessing iCloud data requires the right credentials—Apple ID, password, and sometimes two-factor authentication (2FA) or security tokens. Due to Apple's continuous security enhancements, forensic tools need to evolve to keep up with changes in iCloud’s communication protocols.



Tools for Extracting iCloud Data

  • Oxygen Forensics Cloud Extractor

  • Cellebrite UFED Cloud Analyzer

  • Axiom Cloud


Forensic Analysis of iCloud Data

iCloud Synced Accounts

Each iCloud account has a Person ID, a numeric identifier that links a user to their iCloud data. On macOS, this information is stored in:

~/Library/Application Support/iCloud/Accounts/

This directory contains:

  • A file with the numeric filename (Person ID)

  • Link files connecting the numeric ID to associated email accounts


iCloud Synced Preferences

Apple synchronizes user preferences across devices via iCloud. These preferences are stored in:


 ~/Library/SyncedPreferences/

These files contain synced settings for applications such as Safari, Mail, Messages, Wi-Fi, and Finder.


iCloud Mobile Documents

iCloud stores documents from various apps


On macOS,

~/Library/Mobile Documents/

Each application has its own directory, formatted in a reverse DNS naming scheme.



iCloud Desktop & Documents Sync

With macOS Sierra (10.12) and later, users can sync their Desktop and Documents folders to iCloud Drive. This allows files to be accessible across all linked devices.


When enabled, forensic analysis can detect this setting through extended attributes, such as:
com.apple.icloud.desktop (containing the iCloud Person ID)


Hidden iCloud Files

Some files stored in iCloud may not be fully downloaded to a local device. These are represented as hidden .icloud files.

These files indicate that a document exists in iCloud but is not physically present on the local system.


------------------------------------------------------------------------------------------------------------

Conclusion


By understanding how macOS stores document versions and understanding where and how iCloud stores data is crucial for digital forensic investigations, making it possible to retrieve valuable evidence while respecting legal and ethical boundaries.


-------------------------------------------------Dean------------------------------------------------------

 
 
 
bottom of page