iOS Forensics References
Last update: April 17th 2023
DATA Partition (/private/var)
"/.fseventsd/" folder
- /.fseventsd
- Understanding MacOS File System Events with FSEventsParser http://www.osdfcon.org/presentations/2017/Ibrahim-Understanding-MacOS-File-Ststem-Events-with-FSEvents-Parser.pdf
- Mac OS X and iOS Forensics - Looking into the past with FSEvents https://papers.put.as/papers/macosx/2017/summit_archive_1498158287.pdf
- FSEvents Parser https://github.com/dlcowen/FSEventsParser
"/containers/" folder
- /containers/Data/System/"GUID"/Documents/storeSystem.db
- /containers/Shared/SystemGroup/"GUID"/Library/BatteryLife/CurrentPowerlog.PLSQL
- FROM APPLE SEEDS TO APPLE PIE https://objectivebythesea.org/v1/talks/OBTS_v1_Edwards.pdf
- On the Third Day of APOLLO, My True Love Gave to Me – Application Usage to Determine Who Has Been Naughty or Nice http://www.mac4n6.com/blog/2018/12/16/on-the-third-day-of-apollo-my-true-love-gave-to-me-application-usage-to-determine-who-has-been-naughty-or-nice
- On the Fourth Day of APOLLO, My True Love Gave to Me – Media Analysis to Prove You Listened to “All I Want for Christmas is You” Over and Over Since Before Thanksgiving http://www.mac4n6.com/blog/2018/12/17/on-the-fourth-day-of-apollo-my-true-love-gave-to-me-media-analysis-to-prove-you-listened-to-all-i-want-for-christmas-is-you-over-and-over-since-before-thanksgiving
- On the Sixth Day of APOLLO, My True Love Gave to Me – Blinky Things with Buttons – Device Status Analysis http://www.mac4n6.com/blog/2018/12/19/on-the-sixth-day-of-apollo-my-true-love-gave-to-me-blinky-things-with-buttons-device-status-analysis
- On the Seventh Day of APOLLO, My True Love Gave to Me – A Good Conversation – Analysis of Communications and Data Usage http://www.mac4n6.com/blog/2018/12/20/on-the-seventh-day-of-apollo-my-true-love-gave-to-me-a-good-conversation-analysis-of-communications-and-data-usage
- On the Eighth Day of APOLLO, My True Love Gave to Me – A Glorious Lightshow – Analysis of Device Connections http://www.mac4n6.com/blog/2018/12/21/on-the-eighth-day-of-apollo-my-true-love-gave-to-me-a-glorious-lightshow-analysis-of-device-connections
- On the Tenth Day of APOLLO, My True Love Gave to Me – An Oddly Detailed Map of My Recent Travels – iOS Location Analysis http://www.mac4n6.com/blog/2018/12/23/on-the-tenth-day-of-apollo-my-true-love-gave-to-me-an-oddly-detailed-map-of-my-recent-travels-ios-location-analysis
- APOLLO CurrentPowerLog Modules https://github.com/mac4n6/APOLLO/blob/master/modules/powerlog_accessory_connection.txt https://github.com/mac4n6/APOLLO/blob/master/modules/powerlog_airdrop.txt https://github.com/mac4n6/APOLLO/blob/master/modules/powerlog_app_audio.txt https://github.com/mac4n6/APOLLO/blob/master/modules/powerlog_app_deletion.txt https://github.com/mac4n6/APOLLO/blob/master/modules/powerlog_app_info.txt https://github.com/mac4n6/APOLLO/blob/master/modules/powerlog_app_nowplaying.txt https://github.com/mac4n6/APOLLO/blob/master/modules/powerlog_app_usage.txt https://github.com/mac4n6/APOLLO/blob/master/modules/powerlog_app_usage_by_hour.txt https://github.com/mac4n6/APOLLO/blob/master/modules/powerlog_assertion.txt https://github.com/mac4n6/APOLLO/blob/master/modules/powerlog_audio_routing.txt https://github.com/mac4n6/APOLLO/blob/master/modules/powerlog_awdl_states.txt https://github.com/mac4n6/APOLLO/blob/master/modules/powerlog_backcamera_state.txt https://github.com/mac4n6/APOLLO/blob/master/modules/powerlog_backlight_brightness.txt https://github.com/mac4n6/APOLLO/blob/master/modules/powerlog_battery_level.txt https://github.com/mac4n6/APOLLO/blob/master/modules/powerlog_battery_level_ui.txt https://github.com/mac4n6/APOLLO/blob/master/modules/powerlog_bluetooth_device_state.txt https://github.com/mac4n6/APOLLO/blob/master/modules/powerlog_button_state.txt https://github.com/mac4n6/APOLLO/blob/master/modules/powerlog_camera_state.txt https://github.com/mac4n6/APOLLO/blob/master/modules/powerlog_coalition_interval.txt https://github.com/mac4n6/APOLLO/blob/master/modules/powerlog_device_lock_state.txt https://github.com/mac4n6/APOLLO/blob/master/modules/powerlog_device_screen_autolock.txt https://github.com/mac4n6/APOLLO/blob/master/modules/powerlog_device_telephony_activity.txt https://github.com/mac4n6/APOLLO/blob/master/modules/powerlog_device_telephony_registration.txt 
https://github.com/mac4n6/APOLLO/blob/master/modules/powerlog_device_volume.txt https://github.com/mac4n6/APOLLO/blob/master/modules/powerlog_display.txt https://github.com/mac4n6/APOLLO/blob/master/modules/powerlog_display_brightness.txt https://github.com/mac4n6/APOLLO/blob/master/modules/powerlog_frontcamera_state.txt https://github.com/mac4n6/APOLLO/blob/master/modules/powerlog_ids_messages.txt https://github.com/mac4n6/APOLLO/blob/master/modules/powerlog_incallservice.txt https://github.com/mac4n6/APOLLO/blob/master/modules/powerlog_kernel_task_monitor.txt https://github.com/mac4n6/APOLLO/blob/master/modules/powerlog_lightning_connector_status.txt https://github.com/mac4n6/APOLLO/blob/master/modules/powerlog_lightnining_connector_status.txt https://github.com/mac4n6/APOLLO/blob/master/modules/powerlog_location_client_status.txt https://github.com/mac4n6/APOLLO/blob/master/modules/powerlog_location_tech_status.txt https://github.com/mac4n6/APOLLO/blob/master/modules/powerlog_mobilebackup.txt https://github.com/mac4n6/APOLLO/blob/master/modules/powerlog_network_usage.txt https://github.com/mac4n6/APOLLO/blob/master/modules/powerlog_paired_device_config.txt https://github.com/mac4n6/APOLLO/blob/master/modules/powerlog_power_state.txt https://github.com/mac4n6/APOLLO/blob/master/modules/powerlog_powernap.txt https://github.com/mac4n6/APOLLO/blob/master/modules/powerlog_process_data_usage.txt https://github.com/mac4n6/APOLLO/blob/master/modules/powerlog_process_id.txt https://github.com/mac4n6/APOLLO/blob/master/modules/powerlog_process_monitor_dynamic.txt https://github.com/mac4n6/APOLLO/blob/master/modules/powerlog_push_message_received.txt https://github.com/mac4n6/APOLLO/blob/master/modules/powerlog_rapport_received_message.txt https://github.com/mac4n6/APOLLO/blob/master/modules/powerlog_springboard_aggregate_bulletins.txt https://github.com/mac4n6/APOLLO/blob/master/modules/powerlog_springboard_aggregate_notifications.txt 
https://github.com/mac4n6/APOLLO/blob/master/modules/powerlog_timezone.txt https://github.com/mac4n6/APOLLO/blob/master/modules/powerlog_torch_state.txt https://github.com/mac4n6/APOLLO/blob/master/modules/powerlog_video.txt https://github.com/mac4n6/APOLLO/blob/master/modules/powerlog_video_cmfile.txt https://github.com/mac4n6/APOLLO/blob/master/modules/powerlog_video_cmhls.txt https://github.com/mac4n6/APOLLO/blob/master/modules/powerlog_video_vtsession.txt https://github.com/mac4n6/APOLLO/blob/master/modules/powerlog_wallet_card.txt https://github.com/mac4n6/APOLLO/blob/master/modules/powerlog_wallet_transaction.txt https://github.com/mac4n6/APOLLO/blob/master/modules/powerlog_wifi_properties.txt
- Time Well Spent: Precision Timing, Monotonic Clocks, and the PowerLogs Database for iOS https://www.forensicfocus.com/webinars/time-well-spent-precision-timing-monotonic-clocks-and-the-powerlogs-database-for-ios/
- Oh no! I have a wiped iPhone, now what? https://blog.digital-forensics.it/2021/05/oh-no-i-have-wiped-iphone-now-what.html
- iOS Forensics: HFS+ file system, partitions and relevant evidences https://andreafortuna.org/2020/08/31/ios-forensics-hfs-file-system-partitions-and-relevant-evidences/
- iOS Forensics for Investigators https://www.packtpub.com/product/ios-forensics-for-investigators/9781803234083
- /containers/Shared/SystemGroup/"GUID"/Library/Database/com.apple.MobileBluetooth.ledevices.other.db
- Bluetooth – iOS https://bitsplease4n6.wordpress.com/2020/12/17/bluetooth-ios/
- How to Use iOS Bluetooth Connections to Solve Crimes Faster https://dfir.pubpub.org/pub/frknihlg/release/1
- How to Use iOS Bluetooth Connections to Solve Crimes Faster https://cellebrite.com/en/how-to-use-ios-bluetooth-connections-to-solve-crimes-faster/
- iLEAPP Bluetooth Plugin https://github.com/abrignoni/iLEAPP/blob/main/scripts/artifacts/bluetooth.py
- iOS Forensics for Investigators https://www.packtpub.com/product/ios-forensics-for-investigators/9781803234083
- /containers/Shared/SystemGroup/"GUID"/Library/Database/com.apple.MobileBluetooth.ledevices.paired.db
- Bluetooth – iOS https://bitsplease4n6.wordpress.com/2020/12/17/bluetooth-ios/
- How to Use iOS Bluetooth Connections to Solve Crimes Faster https://dfir.pubpub.org/pub/frknihlg/release/1
- How to Use iOS Bluetooth Connections to Solve Crimes Faster https://cellebrite.com/en/how-to-use-ios-bluetooth-connections-to-solve-crimes-faster/
- iLEAPP Bluetooth Plugin https://github.com/abrignoni/iLEAPP/blob/main/scripts/artifacts/bluetooth.py
- EXTRACTING FORENSIC ARTIFACTS FROM APPLE CONTINUITY https://smarterforensics.com/wp-content/uploads/2014/06/The-Cider-Press-DFIR_Summit2017.pdf
- iOS Forensics for Investigators https://www.packtpub.com/product/ios-forensics-for-investigators/9781803234083
- /containers/Shared/SystemGroup/"GUID"/Library/Preferences/com.apple.MobileBluetooth.devices.plist
- Bluetooth – iOS https://bitsplease4n6.wordpress.com/2020/12/17/bluetooth-ios/
- How to Use iOS Bluetooth Connections to Solve Crimes Faster https://dfir.pubpub.org/pub/frknihlg/release/1
- How to Use iOS Bluetooth Connections to Solve Crimes Faster https://cellebrite.com/en/how-to-use-ios-bluetooth-connections-to-solve-crimes-faster/
- Cellebrite CTF 2021 - Beth's iPhone https://www.stark4n6.com/2021/10/cellebrite-ctf-2021-beths-iphone.html
- Cellebrite CTF 2020: Juan Mortyme https://ciofecaforensics.com/2020/10/30/cellebrite-ctf-juan/
- iOS Analysis Test No. 19-5551 Summary Report https://cts-forensics.com/reports/19-5551_Web.pdf
- iOS Analysis Test No. 20-5551 Summary Report https://cts-forensics.com/reports/20-5551_Web.pdf
- iOS Analysis Test No. 21-5551 Summary Report https://cts-forensics.com/reports/21-5551_Web.pdf
- iOS Forensics: HFS+ file system, partitions and relevant evidences https://andreafortuna.org/2020/08/31/ios-forensics-hfs-file-system-partitions-and-relevant-evidences/
- iOS Forensics: BFU (Before First Unlock) acquisition, using checkra1n https://andreafortuna.org/2020/01/10/ios-forensics-bfu-before-first-unlock-acquisition-using-checkra1n/
- iLEAPP Bluetooth Plugin https://github.com/abrignoni/iLEAPP/blob/main/scripts/artifacts/bluetooth.py
- iOS Forensics for Investigators https://www.packtpub.com/product/ios-forensics-for-investigators/9781803234083
"/db/" folder
- /db/biome/
- iOS 16 - Now You 'C' It, Now You Don't -- Breaking Down The Biomes Part 1 https://blog.d204n6.com/2022/09/ios-16-now-you-c-it-now-you-dont.html
- iOS 16 Breaking Down the Biomes Part 2 - AppInstalls, AppLaunch, & AppIntents https://blog.d204n6.com/2022/09/ios-16-breaking-down-biomes-part-2.html
- iOS 16 - Breaking Down the Biomes (Part 3) - Keeping up with CarPlay https://blog.d204n6.com/2022/09/ios-16-breaking-down-biomes-part-3.html
- iOS 16 - Breaking Down the Biomes (Part 4) - Surfin' with Safari https://blog.d204n6.com/2022/09/ios-16-breaking-down-biomes-part-4.html
- iOS 16 - Breaking Down the Biomes Part 5 -- "Hey Siri, find me some more data..." https://blog.d204n6.com/2022/09/ios-16-breaking-down-biomes-part-5-hey.html
- Bringing it Back With Biome Data https://www.magnetforensics.com/blog/bringing-it-back-with-biome-data/
- iLEAPP Biome Plugins https://github.com/abrignoni/iLEAPP/blob/main/scripts/artifacts/biomeAppinstall.py https://github.com/abrignoni/iLEAPP/blob/main/scripts/artifacts/biomeBacklight.py https://github.com/abrignoni/iLEAPP/blob/main/scripts/artifacts/biomeBattperc.py https://github.com/abrignoni/iLEAPP/blob/main/scripts/artifacts/biomeBluetooth.py https://github.com/abrignoni/iLEAPP/blob/main/scripts/artifacts/biomeCarplayisconnected.py https://github.com/abrignoni/iLEAPP/blob/main/scripts/artifacts/biomeDevplugin.py https://github.com/abrignoni/iLEAPP/blob/main/scripts/artifacts/biomeHardware.py https://github.com/abrignoni/iLEAPP/blob/main/scripts/artifacts/biomeInfocus.py https://github.com/abrignoni/iLEAPP/blob/main/scripts/artifacts/biomeIntents.py https://github.com/abrignoni/iLEAPP/blob/main/scripts/artifacts/biomeLocationactivity.py https://github.com/abrignoni/iLEAPP/blob/main/scripts/artifacts/biomeNotes.py https://github.com/abrignoni/iLEAPP/blob/main/scripts/artifacts/biomeNotificationsPub.py https://github.com/abrignoni/iLEAPP/blob/main/scripts/artifacts/biomeNowplaying.py https://github.com/abrignoni/iLEAPP/blob/main/scripts/artifacts/biomeSafari.py https://github.com/abrignoni/iLEAPP/blob/main/scripts/artifacts/biomeSync.py https://github.com/abrignoni/iLEAPP/blob/main/scripts/artifacts/biomeTextinputses.py https://github.com/abrignoni/iLEAPP/blob/main/scripts/artifacts/biomeUseractmeta.py https://github.com/abrignoni/iLEAPP/blob/main/scripts/artifacts/biomeWifi.py
- /db/dhcpd_leases*
- iLEAPP DHCP Plugin https://github.com/abrignoni/iLEAPP/blob/main/scripts/artifacts/dhcphp.py
- /db/dhcpclient/
- MAC Apt Networking Plugin https://github.com/ydkhatri/mac_apt/wiki/NETWORKING
- Cellebrite CTF 2020: Juan Mortyme https://ciofecaforensics.com/2020/10/30/cellebrite-ctf-juan/
- Apple TV Forensics 03: Analysis https://blog.elcomsoft.com/2019/09/apple-tv-forensics-03-analysis/
- Checkra1n Era - Ep 4 - Analyzing extractions "Before First Unlock" https://blog.digital-forensics.it/2019/12/checkra1n-era-ep-4-analyzing.html
- iLEAPP DHCP Plugin https://github.com/abrignoni/iLEAPP/blob/main/scripts/artifacts/dhcpl.py
- /db/diagnostics/
- Apple Unified Logging and Activity Tracing formats https://github.com/libyal/dtformats/blob/main/documentation/Apple%20Unified%20Logging%20and%20Activity%20Tracing%20formats.asciidoc
- Browsing the unified log in difficult circumstances https://eclecticlight.co/2017/09/25/browsing-the-unified-log-in-difficult-circumstances/
- Reviewing macOS Unified Logs https://www.mandiant.com/resources/blog/reviewing-macos-unified-logs
- Finding Waldo: Leveraging the Apple Unified Log for Incident Response https://www.crowdstrike.com/blog/how-to-leverage-apple-unified-log-for-incident-response/ https://objectivebythesea.org/v3/talks/OBTS_v3_jMusunuri_eMartin.pdf
- Unified Log Reader https://github.com/ydkhatri/UnifiedLogReader
- Upgrade From NULL—Detecting iOS Wipe Artifacts https://dfir.pubpub.org/pub/6i7d593n/release/1
- Logs Unite! - Forensic Analysis of Apple Unified Logs https://github.com/mac4n6/Presentations/blob/master/Logs%20Unite!%20-%20Forensic%20Analysis%20of%20Apple%20Unified%20Logs/LogsUnite.pdf
- Introducing 'Analysis of Apple Unified Logs: Quarantine Edition' [Entry 0] https://www.mac4n6.com/blog/2020/4/19/introducing-analysis-of-apple-unified-logs-quarantine-edition-entry-0
"/installd/" folder
- /installd/Library/Logs/MobileInstallation/mobile_installation.log.*
- CyberDefenders - Jailbreak CTF https://www.netscylla.com/blog/2022/06/09/Cyberdefenders-Jailbreak-CTF.html
- iOS Mobile Installation Logs https://dfir.pubpub.org/pub/e5xlbw88/release/2
- iOS Mobile Installation Logs https://dfrws.org/wp-content/uploads/2019/10/2019_review-ios_mobile_installation_logs.pdf
- iOS Mobile Installation Logs Parser https://abrignoni.blogspot.com/2019/01/ios-mobile-installation-logs-parser.html
- Checkra1n Era - Ep 4 - Analyzing extractions "Before First Unlock" https://blog.digital-forensics.it/2019/12/checkra1n-era-ep-4-analyzing.html
- Using Apple “Bug Reporting” for forensic purposes https://for585.com/sysdiagnose
- Apple TV Forensics 03: Analysis https://blog.elcomsoft.com/2019/09/apple-tv-forensics-03-analysis/
- iLEAPP Mobile Installation Log Plugin https://github.com/abrignoni/iLEAPP/blob/main/scripts/artifacts/mobileInstall.py
- /installd/Library/Logs/MobileInstallation/LastBuildInfo.plist
- iOS Analysis Test No. 21-5551 Summary Report https://cts-forensics.com/reports/21-5551_Web.pdf
- Checkra1n Era - Ep 4 - Analyzing extractions "Before First Unlock" https://blog.digital-forensics.it/2019/12/checkra1n-era-ep-4-analyzing.html
- Cellebrite CTF 2020: Ruth Langmore https://ciofecaforensics.com/2020/11/02/cellebrite-ctf-ruth/
- iLEAPP Last Build Info Plugin https://github.com/abrignoni/iLEAPP/blob/main/scripts/artifacts/lastBuild.py
- /installd/Library/Logs/MobileInstallation/MigrationInfo.plist
- Local Photo Library Photos.sqlite Query Documentation & Notable Artifacts https://theforensicscooter.com/2022/05/02/photos-sqlite-query-documentation-notable-artifacts/
- /installd/Library/Logs/MobileInstallation/RoleUserMigration.plist
- Local Photo Library Photos.sqlite Query Documentation & Notable Artifacts https://theforensicscooter.com/2022/05/02/photos-sqlite-query-documentation-notable-artifacts/
"/logs/" folder
- /logs/lockdownd.log
- So Long Lockdown! http://www.doubleblak.com/m/blogPosts.php?id=9
- KnowledgeC (and Friends) http://www.doubleblak.com/m/blogPosts.php?id=2
- Cellebrite CTF 2021 - Beth's iPhone https://www.stark4n6.com/2021/10/cellebrite-ctf-2021-beths-iphone.html
- Checkra1n Era - Ep 4 - Analyzing extractions "Before First Unlock" https://blog.digital-forensics.it/2019/12/checkra1n-era-ep-4-analyzing.html
- /logs/usermanagerd.log.*
- /logs/wifimanager.log
"/mobile/Containers/" folder
- /mobile/Containers/Data/Application/"Apple Safari GUID"/Library/Caches/com.apple.mobilesafari/Cache.db
- Getting Started with iOS Forensics https://www.systoolsgroup.com/forensics/sqlite/ios.html
- Practical Mobile Forensics - Fourth Edition https://www.packtpub.com/product/practical-mobile-forensics-fourth-edition/9781838647520
- iOS Forensics for Investigators https://www.packtpub.com/product/ios-forensics-for-investigators/9781803234083
- /mobile/Containers/Data/Application//Library/Caches/com.apple.WebAppCache/ApplicationCache.db
- Practical Mobile Forensics - Fourth Edition https://www.packtpub.com/product/practical-mobile-forensics-fourth-edition/9781838647520
- /mobile/Containers/Data/Application//Library/Cookies/Cookies.binarycookies
- Practical Mobile Forensics - Fourth Edition https://www.packtpub.com/product/practical-mobile-forensics-fourth-edition/9781838647520
- iOS Forensics for Investigators https://www.packtpub.com/product/ios-forensics-for-investigators/9781803234083
- /mobile/Containers/Data/Application/"Apple Safari GUID"/Library/ImageCache/Favicons/Favicon.db
- /mobile/Containers/Data/Application/"Apple Safari GUID"/Library/Preferences/com.apple.mobilesafari.plist
- iOS 14 - First Thoughts and Analysis https://blog.d204n6.com/2020/09/ios-14-first-thoughts-and-analysis.html
- iLEAPP Recent Web Searches Safari Plugin https://github.com/abrignoni/iLEAPP/blob/main/scripts/artifacts/safariRecentWebSearches.py
- Practical Mobile Forensics - Fourth Edition https://www.packtpub.com/product/practical-mobile-forensics-fourth-edition/9781838647520
- /mobile/Containers/Data/Application/"Apple Safari GUID"/Library/Safari/Downloads/Downloads.plist
- iOS / macOS - Tracking Downloads from Safari Without Downloads https://blog.d204n6.com/2021/05/ios-macos-tracking-downloads-from.html
- Safari and iPhone Internet History Parser http://az4n6.blogspot.com/2014/07/safari-and-iphone-internet-history.html
- /mobile/Containers/Data/Application/"Apple Safari GUID"/Library/Safari/Thumbnails/
- Practical Mobile Forensics - Fourth Edition https://www.packtpub.com/product/practical-mobile-forensics-fourth-edition/9781838647520
- iOS Forensics for Investigators https://www.packtpub.com/product/ios-forensics-for-investigators/9781803234083
- /mobile/Containers/Data/Application/"Apple Safari GUID"/Library/WebKit/WebsiteData/LocalStorage/
- Mobile Cyber Forensic Investigations of Web3 Wallets on Android and iOS https://www.mdpi.com/2076-3417/12/21/11180
- iOS Analysis Test No. 22-5551 Summary Report https://cts-forensics.com/reports/22-5551_Web.pdf
- /mobile/Containers/Data/Application/"Apple Maps GUID"/Library/Maps/GeoHistory.mapsdata
- Just Call Me Buffy the Proto Slayer – An Initial Look into Protobuf Data in Mac and iOS Forensics http://www.mac4n6.com/blog/2019/9/27/just-call-me-buffy-the-proto-slayer-an-initial-look-into-protobuf-data-in-mac-and-ios-forensics
- ROTTEN TO THE CORE? NAH, IOS14 IS MOSTLY SWEET https://smarterforensics.com/2020/09/rotten-to-the-core-nah-ios14-is-mostly-sweet/
- HOW THE GRINCH STOLE APPLE MAPS ARTIFACTS… OR DID HE JUST HIDE THEM? https://smarterforensics.com/2016/12/how-the-grinch-stole-apple-maps-artifacts-or-did-he-just-hide-them/
- FIRST THE GRINCH AND NOW THE EASTER BUNNY! WHERE IS APPLE MAPS HIDING? https://smarterforensics.com/2018/03/first-the-grinch-and-now-the-easter-bunny-where-is-apple-maps-hiding/
- …WON’T YOU BACK THAT THING UP: A GLIMPSE OF IOS 13 ARTIFACTS https://smarterforensics.com/2019/09/wont-you-back-that-thing-up-a-glimpse-of-ios-13-artifacts/
- Find Me If You Can: Mobile GPS Mapping Applications Forensic Analysis & SNAVP the Open Source, Modular, Extensible Parser https://commons.erau.edu/cgi/viewcontent.cgi?article=1414&context=jdfsl
- iOS Analysis Test No. 20-5551 Summary Report https://cts-forensics.com/reports/20-5551_Web.pdf
- iOS Analysis Test No. 21-5551 Summary Report https://cts-forensics.com/reports/21-5551_Web.pdf
- iOS Analysis Test No. 22-5551 Summary Report https://cts-forensics.com/reports/22-5551_Web.pdf
- iOS Forensics: HFS+ file system, partitions and relevant evidences https://andreafortuna.org/2020/08/31/ios-forensics-hfs-file-system-partitions-and-relevant-evidences/
- Practical Mobile Forensics - Fourth Edition https://www.packtpub.com/product/practical-mobile-forensics-fourth-edition/9781838647520
- /mobile/Containers/Data/Application/"Apple Maps GUID"/Library/Preferences/com.apple.Maps.plist
- HOW THE GRINCH STOLE APPLE MAPS ARTIFACTS… OR DID HE JUST HIDE THEM? https://smarterforensics.com/2016/12/how-the-grinch-stole-apple-maps-artifacts-or-did-he-just-hide-them/
- FIRST THE GRINCH AND NOW THE EASTER BUNNY! WHERE IS APPLE MAPS HIDING? https://smarterforensics.com/2018/03/first-the-grinch-and-now-the-easter-bunny-where-is-apple-maps-hiding/
- …WON’T YOU BACK THAT THING UP: A GLIMPSE OF IOS 13 ARTIFACTS https://smarterforensics.com/2019/09/wont-you-back-that-thing-up-a-glimpse-of-ios-13-artifacts/
- iOS Forensics: BFU (Before First Unlock) acquisition, using checkra1n https://andreafortuna.org/2020/01/10/ios-forensics-bfu-before-first-unlock-acquisition-using-checkra1n/
- iOS Forensics: HFS+ file system, partitions and relevant evidences https://andreafortuna.org/2020/08/31/ios-forensics-hfs-file-system-partitions-and-relevant-evidences/
- Practical Mobile Forensics - Fourth Edition https://www.packtpub.com/product/practical-mobile-forensics-fourth-edition/9781838647520
- /mobile/Containers/Shared/AppGroup/"Apple Maps GUID"/Maps/MapsSync_0.0.1
- What Apple Maps Activity Can be Found Using a Logical Extraction https://lordtemplar1.wordpress.com/2022/05/08/what-apple-maps-activity-can-be-found-using-a-logical-extraction/
- iOS14 Maps History BLOB Script http://cheeky4n6monkey.blogspot.com/2020/11/ios14-maps-history-blob-script.html https://github.com/cheeky4n6monkey/4n6-scripts/blob/master/iOS/ios14_maps_history.py
- ROTTEN TO THE CORE? NAH, IOS14 IS MOSTLY SWEET https://smarterforensics.com/2020/09/rotten-to-the-core-nah-ios14-is-mostly-sweet/
- iLEAPP Maps Sync Plugin https://github.com/abrignoni/iLEAPP/blob/main/scripts/artifacts/mapsSync.py
"/mobile/Library/" folder
- /mobile/Library/Accounts/Accounts3.sqlite
- iOS Analysis Test No. 19-5551 Summary Report https://cts-forensics.com/reports/19-5551_Web.pdf
- iOS Analysis Test No. 20-5551 Summary Report https://cts-forensics.com/reports/20-5551_Web.pdf
- iOS Analysis Test No. 21-5551 Summary Report https://cts-forensics.com/reports/21-5551_Web.pdf
- iOS Analysis Test No. 22-5551 Summary Report https://cts-forensics.com/reports/22-5551_Web.pdf
- Checkra1n Era - Ep 4 - Analyzing extractions "Before First Unlock" https://blog.digital-forensics.it/2019/12/checkra1n-era-ep-4-analyzing.html
- iOS - Tracking Device Migration https://blog.d204n6.com/2021/06/ios-tracking-device-migration.html
- iOS Forensics: BFU (Before First Unlock) acquisition, using checkra1n https://andreafortuna.org/2020/01/10/ios-forensics-bfu-before-first-unlock-acquisition-using-checkra1n/
- Cellebrite CTF 2022 - Beth's iPhone https://www.stark4n6.com/2022/06/cellebrite-ctf-2022-beths-iphone.html
- Magnet Forensics Virtual Summit 2023 CTF – iOS https://www.forgottennook.com/blog/magnet-ios-2023
- Case Study: Forensic Analysis of TikTok on iOS https://dfir.pubpub.org/pub/h6vyh33u/release/1
- iLEAPP Accounts Plugin https://github.com/abrignoni/iLEAPP/blob/main/scripts/artifacts/accs.py
- Accounts3.sqlite query https://github.com/kacos2000/Queries/blob/master/Accounts3_sqlite.sql
- iOS Forensics for Investigators https://www.packtpub.com/product/ios-forensics-for-investigators/9781803234083
- /mobile/Library/AddressBook/AddressBook.sqlitedb
- Getting Started with iOS Forensics https://www.systoolsgroup.com/forensics/sqlite/ios.html
- Identification and analysis of email and contacts artefacts on iOS and OS X https://researchonline.gcu.ac.uk/ws/portalfiles/portal/24600592/K.Ovens_PID4325955.pdf
- TIME IS NOT ON OUR SIDE WHEN IT COMES TO MESSAGES IN IOS 11 https://smarterforensics.com/2017/09/time-is-not-on-our-side-when-it-comes-to-messages-in-ios-11/
- …WON’T YOU BACK THAT THING UP: A GLIMPSE OF IOS 13 ARTIFACTS https://smarterforensics.com/2019/09/wont-you-back-that-thing-up-a-glimpse-of-ios-13-artifacts/
- ROTTEN TO THE CORE? NAH, IOS14 IS MOSTLY SWEET https://smarterforensics.com/2020/09/rotten-to-the-core-nah-ios14-is-mostly-sweet/
- How To Identify When an IPhone or iPad was Factory Reset https://athenaforensics.co.uk/how-to-identify-when-an-iphone-or-ipad-was-factory-reset/
- A Digital Forensic Analysis on the iCloud® and its Synchronization to Apple® Devices https://www.marshall.edu/forensics/files/FRIEDMANRACHEL-Research-Paper-08242012.pdf
- Upgrade From NULL—Detecting iOS Wipe Artifacts https://dfir.pubpub.org/pub/6i7d593n/release/1
- iOS Analysis Test No. 18-5551 Summary Report https://cts-forensics.com/reports/38551_Web.pdf
- iOS Analysis Test No. 19-5551 Summary Report https://cts-forensics.com/reports/19-5551_Web.pdf
- iOS Analysis Test No. 20-5551 Summary Report https://cts-forensics.com/reports/20-5551_Web.pdf
- iOS Analysis Test No. 21-5551 Summary Report https://cts-forensics.com/reports/21-5551_Web.pdf
- iOS Analysis Test No. 22-5551 Summary Report https://cts-forensics.com/reports/22-5551_Web.pdf
- AddressBook.sqlitedb query https://github.com/kacos2000/Queries/blob/master/AddressBook_sqlite.sql
- iPhone Artifacts - Champlain College https://www.champlain.edu/Documents/LCDI/iPhone%20Artifacts.pdf
- iLEAPP Address Book Plugin https://github.com/abrignoni/iLEAPP/blob/main/scripts/artifacts/addressBook.py
- Practical Mobile Forensics - Fourth Edition https://www.packtpub.com/product/practical-mobile-forensics-fourth-edition/9781838647520
- iOS Forensics for Investigators https://www.packtpub.com/product/ios-forensics-for-investigators/9781803234083
- /mobile/Library/AddressBook/AddressBookImages.sqlitedb
- Identification and analysis of email and contacts artefacts on iOS and OS X https://researchonline.gcu.ac.uk/ws/portalfiles/portal/24600592/K.Ovens_PID4325955.pdf
- IOS 13 – SUMMARY FOR THOSE OF YOU WHO ENJOY THE CLIFFSNOTES https://smarterforensics.com/2019/09/ios-13-summary-for-those-of-you-who-enjoy-the-cliffsnotes/
- AddressBookImages.sqlitedb query https://github.com/kacos2000/Queries/blob/master/AddressBookImages_sqlite.sql
- Practical Mobile Forensics - Fourth Edition https://www.packtpub.com/product/practical-mobile-forensics-fourth-edition/9781838647520
- /mobile/Library/AggregatedDictionary/ADDataStore.sqlitedb
- Pincodes, Passcodes, & TouchID on iOS - An Introduction to the Aggregate Dictionary Database (ADDataStore.sqlite) https://www.mac4n6.com/blog/2017/3/12/introduction-to-the-aggregate-dictionary-database-addatastoresqlite
- On the Fifth Day of APOLLO, My True Love Gave to Me – A Stocking Full of Random Junk, Some of Which Might be Useful! https://www.mac4n6.com/blog/2018/12/18/on-the-fifth-day-of-apollo-my-true-love-gave-to-me-a-stocking-full-of-random-junk-some-of-which-might-be-useful
- FROM APPLE SEEDS TO APPLE PIE https://objectivebythesea.org/v1/talks/OBTS_v1_Edwards.pdf
- Checkra1n Era - Ep 4 - Analyzing extractions "Before First Unlock" https://blog.digital-forensics.it/2019/12/checkra1n-era-ep-4-analyzing.html
- iOS Forensics: BFU (Before First Unlock) acquisition, using checkra1n https://andreafortuna.org/2020/01/10/ios-forensics-bfu-before-first-unlock-acquisition-using-checkra1n/
- Forensics Tools: Stop Miscalculating iOS Usage Analytics! https://www.zdziarski.com/blog/?p=2686
- SANS 2022 DFIR Summit Queries https://for585.com/dfirsummit22
- APOLLO ADDataStore Modules https://github.com/mac4n6/APOLLO/blob/master/modules/aggregate_dictionary_scalars.txt https://github.com/mac4n6/APOLLO/blob/master/modules/aggregate_dictionary_distributed_keys.txt
- /mobile/Library/AppConduit/AvailableApps.plist
- Checkra1n Era - Ep 4 - Analyzing extractions "Before First Unlock" https://blog.digital-forensics.it/2019/12/checkra1n-era-ep-4-analyzing.html
- /mobile/Library/AppConduit/AvailableCompanionApps.plist
- Checkra1n Era - Ep 4 - Analyzing extractions "Before First Unlock" https://blog.digital-forensics.it/2019/12/checkra1n-era-ep-4-analyzing.html
- /mobile/Library/Application Support/com.apple.remotemanagmentd/RMAdminStore-Cloud.sqlite
- /mobile/Library/Application Support/com.apple.remotemanagmentd/RMAdminStore-Local.sqlite
- Checkra1n Era - Ep 4 - Analyzing extractions "Before First Unlock" https://blog.digital-forensics.it/2019/12/checkra1n-era-ep-4-analyzing.html
- ScreenTimeController https://github.com/Evian-Zhang/ScreenTimeController/blob/master/README.md
- Data Quality and Quantity – How to Get the Best of Both Worlds, Part 2 – Examining Screen Time Artifacts https://cellebrite.com/en/data-quality-and-quantity-how-to-get-the-best-of-both-worlds-part-2-examining-screen-time-artifacts/
- A Look Into Apple’s Screen Time Feature and What Insights It Lends To Digital Intelligence https://cellebrite.com/en/a-look-into-apples-screen-time-feature-and-what-insights-it-lends-to-digital-intelligence/
- iOS Screentine And Android Digital Wellbeing Apps https://www.forensicfocus.com/webinars/ios-screentine-and-android-digital-wellbeing-apps/
- Getting Evidence from iOS Screen Time Artifacts https://www.magnetforensics.com/blog/getting-evidence-from-ios-screen-time-artifacts/
- Plaso iOS ScreenTime Parser https://plaso.readthedocs.io/en/latest/_modules/plaso/parsers/sqlite_plugins/ios_screentime.html
- A Look Into Apple’s Screen Time Feature and What Insights It Lends To Forensics https://www.goldencelle.com/post/a-look-into-apple-s-screen-time-feature-and-what-insights-it-lends-to-forensics
- Cellebrite CTF 2020: Ruth Langmore https://ciofecaforensics.com/2020/11/02/cellebrite-ctf-ruth/
- Magnet Forensics Virtual Summit 2023 CTF – iOS https://www.forgottennook.com/blog/magnet-ios-2023
- Magnet 2022 CTF – iOS15 https://bakerstreetforensics.com/2022/07/28/magnet-2022-ctf-ios15/
- MAC Apt ScreenTime Plugin https://github.com/ydkhatri/mac_apt/blob/master/plugins/screentime.py
- APOLLO ScreenTime Modules https://github.com/mac4n6/APOLLO/blob/master/modules/screentime_timed_items.txt https://github.com/mac4n6/APOLLO/blob/master/modules/screentime_counted_items.txt https://github.com/mac4n6/APOLLO/blob/master/modules/screentime_by_hour.txt https://github.com/mac4n6/APOLLO/blob/master/modules/screentime_by_category.txt
- /mobile/Library/ApplicationSync/AssetSortOrder.plist
- Checkra1n Era - Ep 4 - Analyzing extractions "Before First Unlock" https://blog.digital-forensics.it/2019/12/checkra1n-era-ep-4-analyzing.html
- /mobile/Library/Assistant/SiriAnalytics.db
- Sysdiagnose in iOS 16: a first look from a Digital Forensics perspective https://blog.digital-forensics.it/2022/11/sysdiagnose-in-ios-16-first-look-from.html
-
/mobile/Library/Biome/
- Analyzing iOS Biome AppIntent Files https://bluecrewforensics.com/2022/03/07/ios-app-intents/
- iOS 16 - Now You 'C' It, Now You Don't -- Breaking Down The Biomes Part 1 https://blog.d204n6.com/2022/09/ios-16-now-you-c-it-now-you-dont.html
- iOS 16 Breaking Down the Biomes Part 2 - AppInstalls, AppLaunch, & AppIntents https://blog.d204n6.com/2022/09/ios-16-breaking-down-biomes-part-2.html
- iOS 16 - Breaking Down the Biomes (Part 3) - Keeping up with CarPlay https://blog.d204n6.com/2022/09/ios-16-breaking-down-biomes-part-3.html
- iOS 16 - Breaking Down the Biomes (Part 4) - Surfin' with Safari https://blog.d204n6.com/2022/09/ios-16-breaking-down-biomes-part-4.html
- iOS 16 - Breaking Down the Biomes Part 5 -- "Hey Siri, find me some more data..." https://blog.d204n6.com/2022/09/ios-16-breaking-down-biomes-part-5-hey.html
- Bringing it Back With Biome Data https://www.magnetforensics.com/blog/bringing-it-back-with-biome-data/
- An Alternate Location for Deleted SMS/iMessage Data in Apple Devices https://sqlmcgee.wordpress.com/2022/03/28/an-alternate-location-for-deleted-sms-imessage-data-in-apple-devices-2/ https://dfir.pubpub.org/pub/yp6efc8q/release/1
- Lagging for the Win: Querying for Negative Evidence in the sms.db https://belkasoft.com/lagging-for-win
- The Meaning of Messages https://www.magnetforensics.com/blog/the-meaning-of-messages/
- Magnet Forensics Virtual Summit 2023 CTF – iOS https://www.forgottennook.com/blog/magnet-ios-2023
- Magnet Virtual Summit 2023 CTF - iOS 16 iPhone https://www.stark4n6.com/2023/03/magnet-virtual-summit-2023-ctf-ios-16.html
- iLEAPP Biome Plugins https://github.com/abrignoni/iLEAPP/blob/main/scripts/artifacts/biomeAppinstall.py https://github.com/abrignoni/iLEAPP/blob/main/scripts/artifacts/biomeBacklight.py https://github.com/abrignoni/iLEAPP/blob/main/scripts/artifacts/biomeBattperc.py https://github.com/abrignoni/iLEAPP/blob/main/scripts/artifacts/biomeBluetooth.py https://github.com/abrignoni/iLEAPP/blob/main/scripts/artifacts/biomeCarplayisconnected.py https://github.com/abrignoni/iLEAPP/blob/main/scripts/artifacts/biomeDevplugin.py https://github.com/abrignoni/iLEAPP/blob/main/scripts/artifacts/biomeHardware.py https://github.com/abrignoni/iLEAPP/blob/main/scripts/artifacts/biomeInfocus.py https://github.com/abrignoni/iLEAPP/blob/main/scripts/artifacts/biomeIntents.py https://github.com/abrignoni/iLEAPP/blob/main/scripts/artifacts/biomeLocationactivity.py https://github.com/abrignoni/iLEAPP/blob/main/scripts/artifacts/biomeNotes.py https://github.com/abrignoni/iLEAPP/blob/main/scripts/artifacts/biomeNotificationsPub.py https://github.com/abrignoni/iLEAPP/blob/main/scripts/artifacts/biomeNowplaying.py https://github.com/abrignoni/iLEAPP/blob/main/scripts/artifacts/biomeSafari.py https://github.com/abrignoni/iLEAPP/blob/main/scripts/artifacts/biomeSync.py https://github.com/abrignoni/iLEAPP/blob/main/scripts/artifacts/biomeTextinputses.py https://github.com/abrignoni/iLEAPP/blob/main/scripts/artifacts/biomeUseractmeta.py https://github.com/abrignoni/iLEAPP/blob/main/scripts/artifacts/biomeWifi.py
-
/mobile/Library/BulletinBoard/ClearedSections.plist
- Artifacts of an IOS device https://infosecaddicts.com/artifacts-ios-device/
- iOS Forensics: HFS+ file system, partitions and relevant evidences https://andreafortuna.org/2020/08/31/ios-forensics-hfs-file-system-partitions-and-relevant-evidences/
- /mobile/Library/Caches/com.apple.Pasteboard/*
-
/mobile/Library/Caches/com.apple.findmy.fmipcore/
- Stored AirTag (and Other) Artifacts https://blog.d204n6.com/2022/04/airtag-youre-it.html
- AirTags within iOS File Systems https://medium.com/@Appalachian4n6/airtags-within-ios-file-systems-279dc783b69f
- iLEAPP AirTags Plugin https://github.com/abrignoni/iLEAPP/blob/main/scripts/artifacts/airtags.py
-
/mobile/Library/Caches/com.apple.routined/Cache.sqlite
- Locations, Locations, Locations https://doubleblak.com/blogPosts.php?id=14 https://doubleblak.com/BlogArticles/14/PDF2.pdf
- On the Tenth Day of APOLLO, My True Love Gave to Me – An Oddly Detailed Map of My Recent Travels – iOS Location Analysis http://www.mac4n6.com/blog/2018/12/23/on-the-tenth-day-of-apollo-my-true-love-gave-to-me-an-oddly-detailed-map-of-my-recent-travels-ios-location-analysis
- FROM APPLE SEEDS TO APPLE PIE https://objectivebythesea.org/v1/talks/OBTS_v1_Edwards.pdf
- iOS Location Artifacts Explained https://cellebrite.com/en/ios-location-artifacts-explained/
- Location Data on iOS and Android Devices https://cellebrite.com/en/episode-15-ibeg-to-dfir-location-data-on-ios-and-android-devices/
- Apple Probably Knows What You Did Last Summer https://blog.elcomsoft.com/2018/06/apple-probably-knows-what-you-did-last-summer/
- UAV Forensics: DJI Mini 2 Case Study https://www.researchgate.net/publication/352058134_UAV_Forensics_DJI_Mini_2_Case_Study
- Magnet User Summit 2022 CTF - iPhone https://www.stark4n6.com/2022/06/magnet-user-summit-2022-ctf-iphone.html
- Building a Pattern of Life - Leveraging Location and Health Data https://www.youtube.com/watch?v=eU7THDwFkiM
- SANS 2022 DFIR Summit Queries https://for585.com/dfirsummit22
- iPhone Device Speeds via Cache.sqlite > ZRTCLLOCATIONMO table https://theforensicscooter.com/2021/09/22/iphone-device-speeds-in-cache-sqlite-zrtcllocationmo/
- Vehicle and iPhone Speed Comparison https://theforensicscooter.com/2022/07/01/vehicle-and-iphone-speed-comparison/
- Cache.sqlite query https://github.com/ScottKjr3347/iOS_Cache.sqlite_Queries
- APOLLO iOS Routined Cache Modules https://github.com/mac4n6/APOLLO/blob/master/modules/routined_cache_zrtcllocationmo.txt https://github.com/mac4n6/APOLLO/blob/master/modules/routined_cache_zrthintmo.txt https://github.com/mac4n6/APOLLO/blob/master/modules/routined_cache_zrvisitmo.txt
- iOS Forensics for Investigators https://www.packtpub.com/product/ios-forensics-for-investigators/9781803234083
-
/mobile/Library/Caches/com.apple.routined/Cloud.sqlite
/mobile/Library/Caches/com.apple.routined/Cloud-V2.sqlite
- Locations, Locations, Locations https://doubleblak.com/blogPosts.php?id=14 https://doubleblak.com/BlogArticles/14/PDF2.pdf
- On the Tenth Day of APOLLO, My True Love Gave to Me – An Oddly Detailed Map of My Recent Travels – iOS Location Analysis http://www.mac4n6.com/blog/2018/12/23/on-the-tenth-day-of-apollo-my-true-love-gave-to-me-an-oddly-detailed-map-of-my-recent-travels-ios-location-analysis
- FROM APPLE SEEDS TO APPLE PIE https://objectivebythesea.org/v1/talks/OBTS_v1_Edwards.pdf
- iOS Location Artifacts Explained https://cellebrite.com/en/ios-location-artifacts-explained/
- Location Data on iOS and Android Devices https://cellebrite.com/en/episode-15-ibeg-to-dfir-location-data-on-ios-and-android-devices/
- Cellebrite CTF 2021 - Beth's iPhone https://www.stark4n6.com/2021/10/cellebrite-ctf-2021-beths-iphone.html
- Apple Probably Knows What You Did Last Summer https://blog.elcomsoft.com/2018/06/apple-probably-knows-what-you-did-last-summer/
- Smartphone Privacy: How Your Smartphone Tracks Your Entire Life https://conference.hitb.org/hitbsecconf2018pek/materials/D2T2%20-%20How%20Your%20Smartphone%20Tracks%20Your%20Entire%20Life%20-%20Vladimir%20Katalov.pdf
- Building a Pattern of Life - Leveraging Location and Health Data https://www.youtube.com/watch?v=eU7THDwFkiM
- SANS 2022 DFIR Summit Queries https://for585.com/dfirsummit22
- APOLLO iOS Routined Cloud Modules https://github.com/mac4n6/APOLLO/blob/master/modules/routined_cloud_visit_entry.txt https://github.com/mac4n6/APOLLO/blob/master/modules/routined_cloud_visit_exit.txt https://github.com/mac4n6/APOLLO/blob/master/modules/routined_cloud_visit_inbound_start.txt https://github.com/mac4n6/APOLLO/blob/master/modules/routined_cloud_visit_inbound_stop.txt https://github.com/mac4n6/APOLLO/blob/master/modules/routined_cloud_visit_outbound_start.txt https://github.com/mac4n6/APOLLO/blob/master/modules/routined_cloud_visit_outbound_stop.txt https://github.com/mac4n6/APOLLO/blob/master/modules/routined_cloud_address.txt https://github.com/mac4n6/APOLLO/blob/master/modules/routined_cloud_mapitem.txt
- iOS Forensics for Investigators https://www.packtpub.com/product/ios-forensics-for-investigators/9781803234083
-
/mobile/Library/Caches/com.apple.routined/Local.sqlite
- Locations, Locations, Locations https://doubleblak.com/blogPosts.php?id=14
- On the Tenth Day of APOLLO, My True Love Gave to Me – An Oddly Detailed Map of My Recent Travels – iOS Location Analysis http://www.mac4n6.com/blog/2018/12/23/on-the-tenth-day-of-apollo-my-true-love-gave-to-me-an-oddly-detailed-map-of-my-recent-travels-ios-location-analysis
- FROM APPLE SEEDS TO APPLE PIE https://objectivebythesea.org/v1/talks/OBTS_v1_Edwards.pdf
- iOS Location Artifacts Explained https://cellebrite.com/en/ios-location-artifacts-explained/
- Location Data on iOS and Android Devices https://cellebrite.com/en/episode-15-ibeg-to-dfir-location-data-on-ios-and-android-devices/
- Building a Pattern of Life - Leveraging Location and Health Data https://www.youtube.com/watch?v=eU7THDwFkiM
- SANS 2022 DFIR Summit Queries https://for585.com/dfirsummit22
- Cellebrite CTF 2022 - Beth's iPhone https://www.stark4n6.com/2022/06/cellebrite-ctf-2022-beths-iphone.html
- Smartphone Privacy: How Your Smartphone Tracks Your Entire Life https://conference.hitb.org/hitbsecconf2018pek/materials/D2T2%20-%20How%20Your%20Smartphone%20Tracks%20Your%20Entire%20Life%20-%20Vladimir%20Katalov.pdf
- APOLLO iOS Routined Local Modules https://github.com/mac4n6/APOLLO/blob/master/modules/routined_local_learned_location_of_interest_entry.txt https://github.com/mac4n6/APOLLO/blob/master/modules/routined_local_learned_location_of_interest_exit.txt https://github.com/mac4n6/APOLLO/blob/master/modules/routined_local_learned_location_of_interest_transition_start.txt https://github.com/mac4n6/APOLLO/blob/master/modules/routined_local_learned_location_of_interest_transition_stop.txt https://github.com/mac4n6/APOLLO/blob/master/modules/routined_local_vehicle_parked.txt https://github.com/mac4n6/APOLLO/blob/master/modules/routined_local_vehicle_parked_history.txt
- iOS Forensics for Investigators https://www.packtpub.com/product/ios-forensics-for-investigators/9781803234083
- Locations, Locations, Locations (PDF) https://doubleblak.com/BlogArticles/14/PDF2.pdf
-
/mobile/Library/Calendar/Calendar.sqlitedb
- Checkra1n Era - Ep 4 - Analyzing extractions "Before First Unlock" https://blog.digital-forensics.it/2019/12/checkra1n-era-ep-4-analyzing.html
- iOS Analysis Test No. 18-5551 Summary Report https://cts-forensics.com/reports/38551_Web.pdf
- iOS Analysis Test No. 20-5551 Summary Report https://cts-forensics.com/reports/20-5551_Web.pdf
- iOS Analysis Test No. 21-5551 Summary Report https://cts-forensics.com/reports/21-5551_Web.pdf
- iOS Analysis Test No. 22-5551 Summary Report https://cts-forensics.com/reports/22-5551_Web.pdf
- Magnet User Summit 2022 CTF - iPhone https://www.stark4n6.com/2022/06/magnet-user-summit-2022-ctf-iphone.html
- Calendar.sqlitedb query https://github.com/kacos2000/queries/blob/master/calendar_sqlitedb.sql
- iLEAPP Calendar Plugin https://github.com/abrignoni/iLEAPP/blob/main/scripts/artifacts/calendarAll.py
- Practical Mobile Forensics - Fourth Edition https://www.packtpub.com/product/practical-mobile-forensics-fourth-edition/9781838647520
- /mobile/Library/Calendar/Extras.db
-
/mobile/Library/CallHistoryDB/CallHistory.storedata
- Missing SQLite Records Analysis https://dfir.pubpub.org/pub/33vkc2ul/release/1
- A GLIMPSE OF IOS 10 FROM A SMARTPHONE FORENSIC PERSPECTIVE https://smarterforensics.com/2016/09/a-glimpse-of-ios-10-from-a-smartphone-forensic-perspective/
- TIME IS NOT ON OUR SIDE WHEN IT COMES TO MESSAGES IN IOS 11 https://smarterforensics.com/2017/09/time-is-not-on-our-side-when-it-comes-to-messages-in-ios-11/
- …WON’T YOU BACK THAT THING UP: A GLIMPSE OF IOS 13 ARTIFACTS https://smarterforensics.com/2019/09/wont-you-back-that-thing-up-a-glimpse-of-ios-13-artifacts/
- IOS 13 – SUMMARY FOR THOSE OF YOU WHO ENJOY THE CLIFFSNOTES https://smarterforensics.com/2019/09/ios-13-summary-for-those-of-you-who-enjoy-the-cliffsnotes/
- ROTTEN TO THE CORE? NAH, IOS14 IS MOSTLY SWEET https://smarterforensics.com/2020/09/rotten-to-the-core-nah-ios14-is-mostly-sweet/
- How To Identify When an IPhone or iPad was Factory Reset https://athenaforensics.co.uk/how-to-identify-when-an-iphone-or-ipad-was-factory-reset/
- iOS 14 - First Thoughts and Analysis https://blog.d204n6.com/2020/09/ios-14-first-thoughts-and-analysis.html
- Cellebrite CTF 2022 - Marsha's iPhone https://www.stark4n6.com/2022/06/cellebrite-ctf-2022-marshas-iphone.html
- Mo’ SIMs, Mo’ Problems. Examining Phones with Dual SIMs. https://thebinaryhick.blog/2022/12/06/mo-sims-mo-problems-examining-phones-with-dual-sims/
- iOS Analysis Test No. 18-5551 Summary Report https://cts-forensics.com/reports/38551_Web.pdf
- iOS Analysis Test No. 19-5551 Summary Report https://cts-forensics.com/reports/19-5551_Web.pdf
- iOS Analysis Test No. 20-5551 Summary Report https://cts-forensics.com/reports/20-5551_Web.pdf
- iOS Analysis Test No. 21-5551 Summary Report https://cts-forensics.com/reports/21-5551_Web.pdf
- iOS Analysis Test No. 22-5551 Summary Report https://cts-forensics.com/reports/22-5551_Web.pdf
- CallHistory Query https://github.com/kacos2000/queries/blob/master/callhistory_storedata.sql
- APOLLO CallHistory Module https://github.com/mac4n6/APOLLO/blob/master/modules/call_history.txt
- iLEAPP CallHistory Plugin https://github.com/abrignoni/iLEAPP/blob/main/scripts/artifacts/callHistory.py
- Practical Mobile Forensics - Fourth Edition https://www.packtpub.com/product/practical-mobile-forensics-fourth-edition/9781838647520
- iOS Forensics for Investigators https://www.packtpub.com/product/ios-forensics-for-investigators/9781803234083
-
/mobile/Library/CallHistoryDB/CallHistoryTemp.storedata
- Checkra1n Era - Ep 4 - Analyzing extractions "Before First Unlock" https://blog.digital-forensics.it/2019/12/checkra1n-era-ep-4-analyzing.html
- …WON’T YOU BACK THAT THING UP: A GLIMPSE OF IOS 13 ARTIFACTS https://smarterforensics.com/2019/09/wont-you-back-that-thing-up-a-glimpse-of-ios-13-artifacts/
- iOS Forensics for Investigators https://www.packtpub.com/product/ios-forensics-for-investigators/9781803234083
- /mobile/Library/CallHistoryTransactions/
-
/mobile/Library/com.apple.ClipServices.clipserviced/ClipData.db
- iOS 14 - Tracking App Clips in iOS 14 https://blog.d204n6.com/2020/09/ios-14-tracking-app-clips-in-ios-14.html
-
/mobile/Library/com.apple.itunesstored/itunesstored2.sqlitedb
- Checkra1n Era - Ep 4 - Analyzing extractions "Before First Unlock" https://blog.digital-forensics.it/2019/12/checkra1n-era-ep-4-analyzing.html
- iOS Forensics: BFU (Before First Unlock) acquisition, using checkra1n https://andreafortuna.org/2020/01/10/ios-forensics-bfu-before-first-unlock-acquisition-using-checkra1n/
- iOS Forensics: HFS+ file system, partitions and relevant evidences https://andreafortuna.org/2020/08/31/ios-forensics-hfs-file-system-partitions-and-relevant-evidences/
-
/mobile/Library/com.apple.itunesstored/kvs.sqlitedb
- Checkra1n Era - Ep 4 - Analyzing extractions "Before First Unlock" https://blog.digital-forensics.it/2019/12/checkra1n-era-ep-4-analyzing.html
-
/mobile/Library/CoreDuet/Knowledge/knowledgeC.db
- Knowledge is Power! Using the macOS/iOS knowledgeC.db Database to Determine Precise User and Application Usage http://www.mac4n6.com/blog/2018/8/5/knowledge-is-power-using-the-knowledgecdb-database-on-macos-and-ios-to-determine-precise-user-and-application-usage
- Knowledge is Power II – A Day in the Life of My iPhone using knowledgeC.db https://www.mac4n6.com/blog/2018/9/12/knowledge-is-power-ii-a-day-in-the-life-of-my-iphone-using-knowledgecdb
- Extensive knowledgeC APOLLO Updates! https://www.mac4n6.com/blog/2020/6/17/extensive-knowledgec-apollo-updates
- Socially Distant but Still Interacting! New and Improved Updates to macOS/iOS CoreDuet interactionC.db APOLLO Modules https://www.mac4n6.com/blog/2020/6/21/socially-distant-but-still-interacting-new-and-improved-updates-to-macosios-coreduet-interactioncdb-apollo-modules
- Providing Context to iOS App Usage with knowledgeC.db and APOLLO https://www.mac4n6.com/blog/2020/1/13/apollo-into-the-details-with-application-activities
- On the Third Day of APOLLO, My True Love Gave to Me – Application Usage to Determine Who Has Been Naughty or Nice https://www.mac4n6.com/blog/2018/12/16/on-the-third-day-of-apollo-my-true-love-gave-to-me-application-usage-to-determine-who-has-been-naughty-or-nice
- On the Fourth Day of APOLLO, My True Love Gave to Me – Media Analysis to Prove You Listened to “All I Want for Christmas is You” Over and Over Since Before Thanksgiving https://www.mac4n6.com/blog/2018/12/17/on-the-fourth-day-of-apollo-my-true-love-gave-to-me-media-analysis-to-prove-you-listened-to-all-i-want-for-christmas-is-you-over-and-over-since-before-thanksgiving
- On the Sixth Day of APOLLO, My True Love Gave to Me – Blinky Things with Buttons – Device Status Analysis https://www.mac4n6.com/blog/2018/12/19/on-the-sixth-day-of-apollo-my-true-love-gave-to-me-blinky-things-with-buttons-device-status-analysis
- On the Eighth Day of APOLLO, My True Love Gave to Me – A Glorious Lightshow – Analysis of Device Connections http://www.mac4n6.com/blog/2018/12/21/on-the-eighth-day-of-apollo-my-true-love-gave-to-me-a-glorious-lightshow-analysis-of-device-connections
- Smartphone Privacy: How Your Smartphone Tracks Your Entire Life https://conference.hitb.org/hitbsecconf2018pek/materials/D2T2%20-%20How%20Your%20Smartphone%20Tracks%20Your%20Entire%20Life%20-%20Vladimir%20Katalov.pdf
- Apple TV Forensics 03: Analysis https://blog.elcomsoft.com/2019/09/apple-tv-forensics-03-analysis/
- iOS KnowledgeC.db Notifications https://theforensicscooter.com/2021/10/03/ios-knowledgec-db-notifications/
- iOS KnowledgeC.db Notifications https://dfir.pubpub.org/pub/g2v1z97i/release/1
- KnowledgeC: Now Playing entries https://www.forensicmike1.com/2019/10/07/knowledgec-now-playing-entries/
- USING PHOTOS.SQLITE TO SHOW THE RELATIONSHIPS BETWEEN PHOTOS AND THE APPLICATION THEY WERE CREATED WITH? BY SCOTT KOENIG https://dfir.pubpub.org/pub/v19rksyf/release/1 https://smarterforensics.com/2020/08/does-photos-sqlite-have-relations-with-cameramessagesapp-by-scott-koenig/
- KnowledgeC (and Friends) http://www.doubleblak.com/m/blogPosts.php?id=2
- Building a Pattern of Life - Leveraging Location and Health Data https://www.youtube.com/watch?v=eU7THDwFkiM
- iOS 16 - Now You 'C' It, Now You Don't -- Breaking Down The Biomes Part 1 https://blog.d204n6.com/2022/09/ios-16-now-you-c-it-now-you-dont.html
- iOS - Tracking Traces of Deleted Applications https://blog.d204n6.com/2019/09/ios-tracking-traces-of-deleted.html
- Tracking Traces of Deleted Applications - SANS DFIR Summit 2019 https://www.youtube.com/watch?v=4LcQm4ErXpA
- iOS Analysis Test No. 22-5551 Summary Report https://cts-forensics.com/reports/22-5551_Web.pdf
- Magnet User Summit 2022 CTF - iPhone https://www.stark4n6.com/2022/06/magnet-user-summit-2022-ctf-iphone.html
- KnowledgeC queries https://github.com/ScottKjr3347/iOS_KnowledgeC.db_Queries
- SANS 2022 DFIR Summit Queries https://for585.com/dfirsummit22
- APOLLO KnowledgeC Modules https://github.com/mac4n6/APOLLO/blob/master/modules/knowledge_activity_level.txt https://github.com/mac4n6/APOLLO/blob/master/modules/knowledge_activity_level_feedback.txt https://github.com/mac4n6/APOLLO/blob/master/modules/knowledge_airplay_prediction.txt https://github.com/mac4n6/APOLLO/blob/master/modules/knowledge_app_activity.txt https://github.com/mac4n6/APOLLO/blob/master/modules/knowledge_app_activity_calendar.txt https://github.com/mac4n6/APOLLO/blob/master/modules/knowledge_app_activity_clock.txt https://github.com/mac4n6/APOLLO/blob/master/modules/knowledge_app_activity_mail.txt https://github.com/mac4n6/APOLLO/blob/master/modules/knowledge_app_activity_maps.txt https://github.com/mac4n6/APOLLO/blob/master/modules/knowledge_app_activity_notes.txt https://github.com/mac4n6/APOLLO/blob/master/modules/knowledge_app_activity_passbook.txt https://github.com/mac4n6/APOLLO/blob/master/modules/knowledge_app_activity_photos.txt https://github.com/mac4n6/APOLLO/blob/master/modules/knowledge_app_activity_safari.txt https://github.com/mac4n6/APOLLO/blob/master/modules/knowledge_app_activity_weather.txt https://github.com/mac4n6/APOLLO/blob/master/modules/knowledge_app_inFocus.txt https://github.com/mac4n6/APOLLO/blob/master/modules/knowledge_app_install.txt https://github.com/mac4n6/APOLLO/blob/master/modules/knowledge_app_intents.txt https://github.com/mac4n6/APOLLO/blob/master/modules/knowledge_app_location_activity.txt https://github.com/mac4n6/APOLLO/blob/master/modules/knowledge_app_media_usage.txt https://github.com/mac4n6/APOLLO/blob/master/modules/knowledge_app_relevantshortcuts.txt https://github.com/mac4n6/APOLLO/blob/master/modules/knowledge_app_usage.txt https://github.com/mac4n6/APOLLO/blob/master/modules/knowledge_app_webusage.txt https://github.com/mac4n6/APOLLO/blob/master/modules/knowledge_audio_bluetooth_connected.txt https://github.com/mac4n6/APOLLO/blob/master/modules/knowledge_audio_input_route.txt 
https://github.com/mac4n6/APOLLO/blob/master/modules/knowledge_audio_media_nowplaying.txt https://github.com/mac4n6/APOLLO/blob/master/modules/knowledge_audio_output_route.txt https://github.com/mac4n6/APOLLO/blob/master/modules/knowledge_calendar_event_title.txt https://github.com/mac4n6/APOLLO/blob/master/modules/knowledge_charging_smart_topoff_checkpoint.txt https://github.com/mac4n6/APOLLO/blob/master/modules/knowledge_dasd_activity_profile.txt https://github.com/mac4n6/APOLLO/blob/master/modules/knowledge_dasd_battery_temperature.txt https://github.com/mac4n6/APOLLO/blob/master/modules/knowledge_dasd_control_effort.txt https://github.com/mac4n6/APOLLO/blob/master/modules/knowledge_device_battery_saver.txt https://github.com/mac4n6/APOLLO/blob/master/modules/knowledge_device_batterylevel.txt https://github.com/mac4n6/APOLLO/blob/master/modules/knowledge_device_carplay_connected.txt https://github.com/mac4n6/APOLLO/blob/master/modules/knowledge_device_inferred_motion.txt https://github.com/mac4n6/APOLLO/blob/master/modules/knowledge_device_is_backlit.txt https://github.com/mac4n6/APOLLO/blob/master/modules/knowledge_device_keybag_locked.txt https://github.com/mac4n6/APOLLO/blob/master/modules/knowledge_device_locked.txt https://github.com/mac4n6/APOLLO/blob/master/modules/knowledge_device_locked_imputed.txt https://github.com/mac4n6/APOLLO/blob/master/modules/knowledge_device_low_power_mode.txt https://github.com/mac4n6/APOLLO/blob/master/modules/knowledge_device_orientation.txt https://github.com/mac4n6/APOLLO/blob/master/modules/knowledge_device_pluggedin.txt https://github.com/mac4n6/APOLLO/blob/master/modules/knowledge_device_watch_nearby.txt https://github.com/mac4n6/APOLLO/blob/master/modules/knowledge_discoverability_signals.txt https://github.com/mac4n6/APOLLO/blob/master/modules/knowledge_discoverability_usage.txt https://github.com/mac4n6/APOLLO/blob/master/modules/knowledge_disk_subsystem_access.txt 
https://github.com/mac4n6/APOLLO/blob/master/modules/knowledge_event_tombstone.txt https://github.com/mac4n6/APOLLO/blob/master/modules/knowledge_family_prediction.txt https://github.com/mac4n6/APOLLO/blob/master/modules/knowledge_inferred_microlocation_visit.txt https://github.com/mac4n6/APOLLO/blob/master/modules/knowledge_knowledge_sync_addition_window.txt https://github.com/mac4n6/APOLLO/blob/master/modules/knowledge_notification_usage.txt https://github.com/mac4n6/APOLLO/blob/master/modules/knowledge_paired_device_nearby.txt https://github.com/mac4n6/APOLLO/blob/master/modules/knowledge_photos_deletes_all.txt https://github.com/mac4n6/APOLLO/blob/master/modules/knowledge_photos_deletes_recent.txt https://github.com/mac4n6/APOLLO/blob/master/modules/knowledge_photos_edit_all.txt https://github.com/mac4n6/APOLLO/blob/master/modules/knowledge_photos_engagement.txt https://github.com/mac4n6/APOLLO/blob/master/modules/knowledge_photos_favorites_other.txt https://github.com/mac4n6/APOLLO/blob/master/modules/knowledge_photos_share_airdrop.txt https://github.com/mac4n6/APOLLO/blob/master/modules/knowledge_photos_share_all.txt https://github.com/mac4n6/APOLLO/blob/master/modules/knowledge_photos_share_extension.txt https://github.com/mac4n6/APOLLO/blob/master/modules/knowledge_portrait_entity.txt https://github.com/mac4n6/APOLLO/blob/master/modules/knowledge_portrait_topic.txt https://github.com/mac4n6/APOLLO/blob/master/modules/knowledge_safari_browsing.txt https://github.com/mac4n6/APOLLO/blob/master/modules/knowledge_segment_monitor.txt https://github.com/mac4n6/APOLLO/blob/master/modules/knowledge_settings_doNotDisturb.txt https://github.com/mac4n6/APOLLO/blob/master/modules/knowledge_sharesheet_feedback.txt https://github.com/mac4n6/APOLLO/blob/master/modules/knowledge_siri.txt https://github.com/mac4n6/APOLLO/blob/master/modules/knowledge_siri_activites.txt https://github.com/mac4n6/APOLLO/blob/master/modules/knowledge_siri_flow_activity.txt 
https://github.com/mac4n6/APOLLO/blob/master/modules/knowledge_siri_service.txt https://github.com/mac4n6/APOLLO/blob/master/modules/knowledge_spotlight_viewer_event.txt https://github.com/mac4n6/APOLLO/blob/master/modules/knowledge_standby_timer.txt https://github.com/mac4n6/APOLLO/blob/master/modules/knowledge_sync_addition_window.txt https://github.com/mac4n6/APOLLO/blob/master/modules/knowledge_sync_deletion_bookmark.txt https://github.com/mac4n6/APOLLO/blob/master/modules/knowledge_system_airplane_mode.txt https://github.com/mac4n6/APOLLO/blob/master/modules/knowledge_system_tlc.txt https://github.com/mac4n6/APOLLO/blob/master/modules/knowledge_system_userwakingevent.txt https://github.com/mac4n6/APOLLO/blob/master/modules/knowledge_user_first_backlight_after_wakeup.txt https://github.com/mac4n6/APOLLO/blob/master/modules/knowledge_user_interaction_app_directory.txt https://github.com/mac4n6/APOLLO/blob/master/modules/knowledge_widget_refresh.txt https://github.com/mac4n6/APOLLO/blob/master/modules/knowledge_widget_view.txt https://github.com/mac4n6/APOLLO/blob/master/modules/knowledge_widgets_viewed.txt https://github.com/mac4n6/APOLLO/blob/master/modules/knowledge_wifi_connection.txt
- iOS Forensics for Investigators https://www.packtpub.com/product/ios-forensics-for-investigators/9781803234083
-
/mobile/Library/CoreDuet/People/interactionC.db
- FROM APPLE SEEDS TO APPLE PIE https://objectivebythesea.org/v1/talks/OBTS_v1_Edwards.pdf
- KnowledgeC (and Friends) http://www.doubleblak.com/m/blogPosts.php?id=2
- Socially Distant but Still Interacting! New and Improved Updates to macOS/iOS CoreDuet interactionC.db APOLLO Modules http://www.mac4n6.com/blog/2020/6/21/socially-distant-but-still-interacting-new-and-improved-updates-to-macosios-coreduet-interactioncdb-apollo-modules
- Local Photo Library Photos.sqlite Query Variations & WHERE statements https://theforensicscooter.com/2022/02/21/photos-sqlite-update/
- Comparison of iOS backups: Encrypted vs Unencrypted https://www.arcpointforensics.com/news/comparison-of-ios-backups
- SANS 2022 DFIR Summit Queries https://for585.com/dfirsummit22
- APOLLO interactionC Modules https://github.com/mac4n6/APOLLO/blob/master/modules/interaction_contact_interactions.txt https://github.com/mac4n6/APOLLO/blob/master/modules/interaction_contact_interactions_keywords.txt
- iLEAPP interactionC Plugin https://github.com/abrignoni/iLEAPP/blob/main/scripts/artifacts/interactionCcontacts.py
- Practical Mobile Forensics - Fourth Edition https://www.packtpub.com/product/practical-mobile-forensics-fourth-edition/9781838647520
- iOS Forensics for Investigators https://www.packtpub.com/product/ios-forensics-for-investigators/9781803234083
-
/mobile/Library/DataAccess/
- Checkra1n Era - Ep 4 - Analyzing extractions "Before First Unlock" https://blog.digital-forensics.it/2019/12/checkra1n-era-ep-4-analyzing.html
- iOS Forensics: BFU (Before First Unlock) acquisition, using checkra1n https://andreafortuna.org/2020/01/10/ios-forensics-bfu-before-first-unlock-acquisition-using-checkra1n/
- iOS Forensics: HFS+ file system, partitions and relevant evidences https://andreafortuna.org/2020/08/31/ios-forensics-hfs-file-system-partitions-and-relevant-evidences/
- Artifacts of an IOS device https://infosecaddicts.com/artifacts-ios-device/
- A Digital Forensic Analysis on the iCloud® and its Synchronization to Apple® Devices https://www.marshall.edu/forensics/files/FRIEDMANRACHEL-Research-Paper-08242012.pdf
-
/mobile/Library/DeviceRegistry.state/activeStateMachine.plist
- Apple Watch Forensics 02: Analysis https://blog.elcomsoft.com/2019/06/apple-watch-forensics-02-analysis/
- APPLE WATCH FORENSICS: IS IT EVER POSSIBLE, AND WHAT IS THE PROFIT? https://www.forensicfocus.com/webinars/apple-watch-forensics-is-it-ever-possible-and-what-is-the-profit/ https://dfrws.org/wp-content/uploads/2019/06/2019_EU_pres-apple_watch_forensics_is_it_ever_possible_and_what_is_the_profit.pdf
- Data Extraction and Forensic Analysis for Smartphone Paired Wearables and IoT Devices https://www.researchgate.net/publication/339022164_Data_Extraction_and_Forensic_Analysis_for_Smartphone_Paired_Wearables_and_IoT_Devices
-
/mobile/Library/DeviceRegistry.state/historySecureProperties.plist
- Apple Watch Forensics 02: Analysis https://blog.elcomsoft.com/2019/06/apple-watch-forensics-02-analysis/
- APPLE WATCH FORENSICS: IS IT EVER POSSIBLE, AND WHAT IS THE PROFIT? https://www.forensicfocus.com/webinars/apple-watch-forensics-is-it-ever-possible-and-what-is-the-profit/ https://dfrws.org/wp-content/uploads/2019/06/2019_EU_pres-apple_watch_forensics_is_it_ever_possible_and_what_is_the_profit.pdf
- Data Extraction and Forensic Analysis for Smartphone Paired Wearables and IoT Devices https://www.researchgate.net/publication/339022164_Data_Extraction_and_Forensic_Analysis_for_Smartphone_Paired_Wearables_and_IoT_Devices
- /mobile/Library/DoNotDisturb/DB/Settings.sqlite
-
/mobile/Library/DoNotDisturb/DB/IDSSyncEngineMetadata.plist
- iOS 16 - Breaking Down the Biomes (Part 3) - Keeping up with CarPlay https://blog.d204n6.com/2022/09/ios-16-breaking-down-biomes-part-3.html
-
/mobile/Library/DuetExpertCenter/streams/userNotificationEvent/local
- Peeking at User Notification Events in iOS 15 https://gforce4n6.blogspot.com/2022/05/peeking-at-user-notification-events-in.html
- Peeking at User Notification Events in iOS 15 https://dfrws.org/presentation/dfir-review-showcase-peeking-at-user-notification-events-in-ios-15/
- iOS 16 - "Paul unsent a message." ... OR DID HE?! https://blog.d204n6.com/2022/09/ios-16-paul-unsent-message-or-did-he.html
- Magnet Forensics Virtual Summit 2023 CTF – iOS https://www.forgottennook.com/blog/magnet-ios-2023
- iLEAPP User Notifications Plugin https://github.com/abrignoni/iLEAPP/blob/main/scripts/artifacts/notificationsDuet.py
-
/mobile/Library/FrontBoard/applicationState.db
- Identifying installed and uninstalled apps in iOS https://abrignoni.blogspot.com/2018/12/identifying-installed-and-uninstalled.html
- iOS - Tracking Traces of Deleted Applications https://blog.d204n6.com/2019/09/ios-tracking-traces-of-deleted.html
- Tracking Traces of Deleted Applications - SANS DFIR Summit 2019 https://www.youtube.com/watch?v=4LcQm4ErXpA
- iOS Application Groups & Shared data http://www.swiftforensics.com/2021/01/ios-application-groups-shared-data.html
- iOS - Tracking Bundle IDs for Containers, Shared Containers, and Plugins https://blog.d204n6.com/2020/09/ios-tracking-bundle-ids-for-containers.html
- iOS – Tracking Bundle IDs for Containers, Shared Containers, and Plugins https://www.magnetforensics.com/blog/ios-tracking-bundle-ids-for-containers-shared-containers-and-plugins/
- Checkra1n Era - Ep 4 - Analyzing extractions "Before First Unlock" https://blog.digital-forensics.it/2019/12/checkra1n-era-ep-4-analyzing.html
- Magnet Virtual Summit 2020 CTF (iOS) https://www.stark4n6.com/2020/06/magnet-virtual-summit-2020-ctf-ios.html
- iLEAPP Application State Plugin https://github.com/abrignoni/iLEAPP/blob/main/scripts/artifacts/applicationstate.py
- Practical Mobile Forensics - Fourth Edition https://www.packtpub.com/product/practical-mobile-forensics-fourth-edition/9781838647520
- iOS Forensics for Investigators https://www.packtpub.com/product/ios-forensics-for-investigators/9781803234083
-
/mobile/Library/Health/ActivitySharing/contacts.dat
- #DFIRFIT or Bust - A forensic exploration of iOS Health Data https://github.com/mac4n6/Presentations/blob/master/%23DFIRFIT%20or%20BUST/DFIRFIT.pdf https://papers.put.as/papers/ios/2018/summit_archive_1528385073.pdf
- Smartphone Privacy: How Your Smartphone Tracks Your Entire Life https://conference.hitb.org/hitbsecconf2018pek/materials/D2T2%20-%20How%20Your%20Smartphone%20Tracks%20Your%20Entire%20Life%20-%20Vladimir%20Katalov.pdf
-
/mobile/Library/Health/healthdb.sqlite
- #DFIRFIT or Bust - A forensic exploration of iOS Health Data https://papers.put.as/papers/ios/2018/summit_archive_1528385073.pdf https://github.com/mac4n6/Presentations/blob/master/%23DFIRFIT%20or%20BUST/DFIRFIT.pdf
- FROM APPLE SEEDS TO APPLE PIE https://objectivebythesea.org/v1/talks/OBTS_v1_Edwards.pdf
- Enriching Investigations with Apple Watch Data Through the healthdb_secure.sqlite Database https://dfir.pubpub.org/pub/xqvcn3hj/release/1
- Smartphone Privacy: How Your Smartphone Tracks Your Entire Life https://conference.hitb.org/hitbsecconf2018pek/materials/D2T2%20-%20How%20Your%20Smartphone%20Tracks%20Your%20Entire%20Life%20-%20Vladimir%20Katalov.pdf
- Apple Health https://media.rootcon.org/ROOTCON%2012/Talks/Apple%20Health.pdf
- Health and Activity https://www.elcomsoft.com/presentations/20200129_health_and_activity_evidence_en.pdf
- Making a Murderer: Health Activity Edition https://smarterforensics.com/wp-content/uploads/2018/11/Making-a-Murderer-Health-Edition_Stockholm.pdf
- …WON’T YOU BACK THAT THING UP: A GLIMPSE OF IOS 13 ARTIFACTS https://smarterforensics.com/2019/09/wont-you-back-that-thing-up-a-glimpse-of-ios-13-artifacts/
- Audio and App Usage in Apple Health https://www.stark4n6.com/2022/08/audio-and-app-usage-in-apple-health.html
- iOS Forensics: HFS+ file system, partitions and relevant evidences https://andreafortuna.org/2020/08/31/ios-forensics-hfs-file-system-partitions-and-relevant-evidences/
- healthdb.sqlite query https://github.com/kacos2000/Queries/blob/master/healthdb.sql
-
/mobile/Library/Health/healthdb_secure.sqlite
- #DFIRFIT or Bust - A forensic exploration of iOS Health Data https://github.com/mac4n6/Presentations/blob/master/%23DFIRFIT%20or%20BUST/DFIRFIT.pdf https://papers.put.as/papers/ios/2018/summit_archive_1528385073.pdf
- FROM APPLE SEEDS TO APPLE PIE https://objectivebythesea.org/v1/talks/OBTS_v1_Edwards.pdf
- On the Second Day of APOLLO, My True Love Gave to Me - Holiday Treats and a Trip to the Gym - A Look at iOS Health Data https://www.mac4n6.com/blog/2018/12/15/on-the-second-day-of-apollo-my-true-love-gave-to-me-holiday-treats-and-a-trip-to-the-gym-a-look-at-ios-health-data
- Just Call Me Buffy the Proto Slayer – An Initial Look into Protobuf Data in Mac and iOS Forensics http://www.mac4n6.com/blog/2019/9/27/just-call-me-buffy-the-proto-slayer-an-initial-look-into-protobuf-data-in-mac-and-ios-forensics
- The iPhone Health App from a forensic perspective: can steps and distances registered during walking and running be used as digital evidence? https://www.sciencedirect.com/science/article/pii/S1742287619300313 https://dfrws.org/sites/default/files/session-files/2019_EU_paper-the_iphone_health_app_from_a_forensic_perspective.pdf
- The phone reveals your motion: Digital traces of walking, driving and other movements on iPhones https://www.sciencedirect.com/science/article/abs/pii/S2666281721000780
- Interpreting the location data extracted from the Apple Health database https://www.sciencedirect.com/science/article/pii/S2666281723000057
- Smartphone Privacy: How Your Smartphone Tracks Your Entire Life https://conference.hitb.org/hitbsecconf2018pek/materials/D2T2%20-%20How%20Your%20Smartphone%20Tracks%20Your%20Entire%20Life%20-%20Vladimir%20Katalov.pdf
- Apple Health https://media.rootcon.org/ROOTCON%2012/Talks/Apple%20Health.pdf
- Health and Activity https://www.elcomsoft.com/presentations/20200129_health_and_activity_evidence_en.pdf
- Making a Murderer: Health Activity Edition https://smarterforensics.com/wp-content/uploads/2018/11/Making-a-Murderer-Health-Edition_Stockholm.pdf
- …WON’T YOU BACK THAT THING UP: A GLIMPSE OF IOS 13 ARTIFACTS https://smarterforensics.com/2019/09/wont-you-back-that-thing-up-a-glimpse-of-ios-13-artifacts/
- Audio and App Usage in Apple Health https://www.stark4n6.com/2022/08/audio-and-app-usage-in-apple-health.html
- Enriching Investigations with Apple Watch Data Through the healthdb_secure.sqlite Database https://dfir.pubpub.org/pub/xqvcn3hj/release/1 https://sqlmcgee.wordpress.com/2022/04/01/enriching-investigations-with-apple-watch-data-through-the-healthdb_secure-sqlite-database/
- Cellebrite CTF 2021 - Beth's iPhone https://www.stark4n6.com/2021/10/cellebrite-ctf-2021-beths-iphone.html
- iOS Analysis Test No. 19-5551 Summary Report https://cts-forensics.com/reports/19-5551_Web.pdf
- iOS Analysis Test No. 21-5551 Summary Report https://cts-forensics.com/reports/21-5551_Web.pdf
- Securing and Extracting Health Data: Apple Health vs. Google Fit https://blog.elcomsoft.com/2019/01/securing-and-extracting-health-data-apple-health-vs-google-fit/
- Building a Pattern of Life - Leveraging Location and Health Data https://www.youtube.com/watch?v=eU7THDwFkiM
- Health Data Types https://www.doubleblak.com/blogPosts.php?id=21
- Personal Injury & Insurance Fraud Investigation: Get the Mobile Device! http://prodigital4n6.blogspot.com/2017/07/personal-injury-insurance-fraud.html
- iOS Forensics: BFU (Before First Unlock) acquisition, using checkra1n https://andreafortuna.org/2020/01/10/ios-forensics-bfu-before-first-unlock-acquisition-using-checkra1n/
- iOS Forensics: HFS+ file system, partitions and relevant evidences https://andreafortuna.org/2020/08/31/ios-forensics-hfs-file-system-partitions-and-relevant-evidences/
- healthdb_secure.sqlite query https://github.com/kacos2000/Queries/blob/master/healthdb_secure.sql
- APOLLO health_secure.sqlite Modules https://github.com/mac4n6/APOLLO/blob/master/modules/health_distance.txt https://github.com/mac4n6/APOLLO/blob/master/modules/health_ecg_average_heart_rate.txt https://github.com/mac4n6/APOLLO/blob/master/modules/health_flights.txt https://github.com/mac4n6/APOLLO/blob/master/modules/health_heart_rate.txt https://github.com/mac4n6/APOLLO/blob/master/modules/health_steps.txt https://github.com/mac4n6/APOLLO/blob/master/modules/health_stood_up.txt https://github.com/mac4n6/APOLLO/blob/master/modules/health_weight.txt https://github.com/mac4n6/APOLLO/blob/master/modules/health_workout_cadence.txt https://github.com/mac4n6/APOLLO/blob/master/modules/health_workout_elevation.txt https://github.com/mac4n6/APOLLO/blob/master/modules/health_workout_general.txt https://github.com/mac4n6/APOLLO/blob/master/modules/health_workout_humidity.txt https://github.com/mac4n6/APOLLO/blob/master/modules/health_workout_indoor.txt https://github.com/mac4n6/APOLLO/blob/master/modules/health_workout_location_latitude.txt https://github.com/mac4n6/APOLLO/blob/master/modules/health_workout_location_longitude.txt https://github.com/mac4n6/APOLLO/blob/master/modules/health_workout_max_ground_elevation.txt https://github.com/mac4n6/APOLLO/blob/master/modules/health_workout_mets.txt https://github.com/mac4n6/APOLLO/blob/master/modules/health_workout_min_ground_elevation.txt https://github.com/mac4n6/APOLLO/blob/master/modules/health_workout_temperature.txt https://github.com/mac4n6/APOLLO/blob/master/modules/health_workout_timeofday.txt https://github.com/mac4n6/APOLLO/blob/master/modules/health_workout_weather.txt
-
/mobile/Library/Health/Client/HealthApp.sqlite
- Health Data Types https://www.doubleblak.com/blogPosts.php?id=21
-
/mobile/Library/homed/datastore.sqlite
- A journey into IoT Forensics - Episode 5 - Analysis of the Apple HomePod and the Apple Home Kit Environment (aka thanks RN Team!) https://blog.digital-forensics.it/2021/01/a-journey-into-iot-forensics-episode-5.html
- Forensic Analysis of Apple HomePod & Apple HomeKit Environment w/ Mattia Epifani - SANS DFIR Summit https://www.youtube.com/watch?v=D8AOXCBkaTY
-
/mobile/Library/Keyboard/-dynamic.lm/dynamic-lexicon.dat
- iOS Analysis Test No. 22-5551 Summary Report https://cts-forensics.com/reports/22-5551_Web.pdf
- iLEAPP Keyboard Lexicon https://github.com/abrignoni/iLEAPP/blob/main/scripts/artifacts/keyboardLexicon.py
-
/mobile/Library/Keyboard/app_usage_database.plist
- iLEAPP App Usage Plugin https://github.com/abrignoni/iLEAPP/blob/main/scripts/artifacts/keyboardAppUsage.py
-
/mobile/Library/Keyboard/langlikelihood.dat
- Cellebrite CTF 2021 Writeup https://medium.com/@williamskosasi/cellebrite-ctf-2021-writeup-b73d821a708
-
/mobile/Library/Keyboard/UserDictionary.sqlite
- iOS Forensics: BFU (Before First Unlock) acquisition, using checkra1n https://andreafortuna.org/2020/01/10/ios-forensics-bfu-before-first-unlock-acquisition-using-checkra1n/
- iOS Forensics: HFS+ file system, partitions and relevant evidences https://andreafortuna.org/2020/08/31/ios-forensics-hfs-file-system-partitions-and-relevant-evidences/
-
/mobile/Library/Logs/AppConduit/
- Checkra1n Era - Ep 4 - Analyzing extractions "Before First Unlock" https://blog.digital-forensics.it/2019/12/checkra1n-era-ep-4-analyzing.html
- Using Apple “Bug Reporting” for forensic purposes https://for585.com/sysdiagnose
- iOS Sysdiagnose AppConduit script https://github.com/cheeky4n6monkey/iOS_sysdiagnose_forensic_scripts/blob/master/sysdiagnose-appconduit.py
- iLEAPP AppConduit Plugin https://github.com/abrignoni/iLEAPP/blob/main/scripts/artifacts/appConduit.py
- /mobile/Library/Logs/AppleSupport/general.log
- /mobile/Library/Logs/mobile_installation_helper.log*
-
/mobile/Library/Logs/mobileactivationd/
- Checkra1n Era - Ep 4 - Analyzing extractions "Before First Unlock" https://blog.digital-forensics.it/2019/12/checkra1n-era-ep-4-analyzing.html
- Cellebrite CTF 2021 - Beth's iPhone https://www.stark4n6.com/2021/10/cellebrite-ctf-2021-beths-iphone.html
- Using Apple “Bug Reporting” for forensic purposes https://for585.com/sysdiagnose
- Sysdiagnose in iOS 16: a first look from a Digital Forensics perspective https://blog.digital-forensics.it/2022/11/sysdiagnose-in-ios-16-first-look-from.html
- A journey into IoT Forensics - Episode 5 - Analysis of the Apple HomePod and the Apple Home Kit Environment (aka thanks RN Team!) https://blog.digital-forensics.it/2021/01/a-journey-into-iot-forensics-episode-5.html
- Apple TV Forensics 03: Analysis https://blog.elcomsoft.com/2019/09/apple-tv-forensics-03-analysis/
- iLEAPP Mobile Activation Logs Plugin https://github.com/abrignoni/iLEAPP/blob/main/scripts/artifacts/mobileActivationLogs.py
-
/mobile/Library/Mail/
- iOS Mail https://www.doubleblak.com/m/blogPosts.php?id=10
- Identification and analysis of email and contacts artefacts on iOS and OS X https://researchonline.gcu.ac.uk/ws/portalfiles/portal/24600592/K.Ovens_PID4325955.pdf
- A Digital Forensic Analysis on the iCloud® and its Synchronization to Apple® Devices https://www.marshall.edu/forensics/files/FRIEDMANRACHEL-Research-Paper-08242012.pdf
- iOS Analysis Test No. 22-5551 Summary Report https://cts-forensics.com/reports/22-5551_Web.pdf
- Getting Started with iOS Forensics https://www.systoolsgroup.com/forensics/sqlite/ios.html
- iOS Forensics for Investigators https://www.packtpub.com/product/ios-forensics-for-investigators/9781803234083
-
/mobile/Library/MedicalID/MedicalIDData.Archive
- Magnet Virtual Summit 2020 CTF (iOS) https://www.stark4n6.com/2020/06/magnet-virtual-summit-2020-ctf-ios.html
- iLEAPP MedicalID Plugin https://github.com/abrignoni/iLEAPP/blob/main/scripts/artifacts/medicalID.py
- /mobile/Library/NanoBackup/
- /mobile/Library/NanoMusicSync/
-
/mobile/Library/NanoPreferencesSync/
- Apple Watch Forensics 02: Analysis https://blog.elcomsoft.com/2019/06/apple-watch-forensics-02-analysis/
- /mobile/Library/NanoTimeKit/
-
/mobile/Library/Passes/passes23.sqlite
- Pocket Litter A Peek Inside Your Apple Wallet https://objectivebythesea.org/v4/talks/OBTS_v4_sEdwards.pdf
- Analysing Apple Pay Transactions https://blog.elcomsoft.com/2018/08/analysing-apple-pay-transactions/
- Cellebrite CTF 2020: Juan Mortyme https://ciofecaforensics.com/2020/10/30/cellebrite-ctf-juan/
- Cellebrite CTF 2021 Writeup https://medium.com/@williamskosasi/cellebrite-ctf-2021-writeup-b73d821a708
- Cellebrite CTF 2021 - Beth's iPhone https://www.stark4n6.com/2021/10/cellebrite-ctf-2021-beths-iphone.html
- Apple Pattern of Life Lazy Output’er (APOLLO) Updates & 40 New Modules (Location, Chat, Calls, Apple Pay Transactions, Wallet Passes, Safari & Health Workouts) http://www.mac4n6.com/blog/2019/1/17/apple-pattern-of-life-lazy-outputer-apollo-updates-amp-40-new-modules-location-chat-calls-apple-pay-transactions-wallet-passes-safari-amp-health-workouts?rq=passes23.sqlite
- APOLLO passes23.sqlite Modules https://github.com/mac4n6/APOLLO/blob/master/modules/passes23_unique_passes_cards.txt https://github.com/mac4n6/APOLLO/blob/master/modules/passes23_wallet_passes.txt https://github.com/mac4n6/APOLLO/blob/master/modules/passes23_wallet_transactions.txt
- iLEAPP passes23.sqlite Plugin https://github.com/abrignoni/iLEAPP/blob/main/scripts/artifacts/appleWalletTransactions.py
-
/mobile/Library/PersonalizationPortrait/PPSQLDatabase.db
- Guest Post by @bizzybarney! A Peek Inside the PPSQLDatabase.db Personalization Portrait Database http://www.mac4n6.com/blog/2020/6/2/guest-post-by-bizzybarney-a-peek-inside-the-ppsqldatabasedb-personalization-portrait-database
- Lucky (iOS) #13: Time to Press Your Bets w/ Jared Barnhart - SANS DFIR Summit 2020 https://www.youtube.com/watch?v=8Fy83iQ4f8Q
-
/mobile/Library/Preferences/.GlobalPreferences.plist
- iOS Analysis Test No. 21-5551 Summary Report https://cts-forensics.com/reports/21-5551_Web.pdf
- iOS Analysis Test No. 22-5551 Summary Report https://cts-forensics.com/reports/22-5551_Web.pdf
- /mobile/Library/Preferences/addaily.plist
-
/mobile/Library/Preferences/com.apple.accountsettings.plist
- iOS Forensics: BFU (Before First Unlock) acquisition, using checkra1n https://andreafortuna.org/2020/01/10/ios-forensics-bfu-before-first-unlock-acquisition-using-checkra1n/
- /mobile/Library/Preferences/com.apple.ActivitySharing.plist
- /mobile/Library/Preferences/com.apple.AdLib.plist
- /mobile/Library/Preferences/com.apple.aggregated.plist
-
/mobile/Library/Preferences/com.apple.AppStore.plist
- iOS Analysis Test No. 21-5551 Summary Report https://cts-forensics.com/reports/21-5551_Web.pdf
- iOS Analysis Test No. 22-5551 Summary Report https://cts-forensics.com/reports/22-5551_Web.pdf
- Hacking and Securing iOS Applications by Jonathan Zdziarski, Chapter 4 https://www.oreilly.com/library/view/hacking-and-securing/9781449325213/ch04.html
-
/mobile/Library/Preferences/com.apple.assistant.backedup.plist
- Checkra1n Era - Ep 4 - Analyzing extractions "Before First Unlock" https://blog.digital-forensics.it/2019/12/checkra1n-era-ep-4-analyzing.html
- iOS Forensics: BFU (Before First Unlock) acquisition, using checkra1n https://andreafortuna.org/2020/01/10/ios-forensics-bfu-before-first-unlock-acquisition-using-checkra1n/
- iOS Forensics: HFS+ file system, partitions and relevant evidences https://andreafortuna.org/2020/08/31/ios-forensics-hfs-file-system-partitions-and-relevant-evidences/
- Local Photo Library Photos.sqlite Query Documentation & Notable Artifacts https://theforensicscooter.com/2022/05/02/photos-sqlite-query-documentation-notable-artifacts/
-
/mobile/Library/Preferences/com.apple.assetsd.plist
- Shared with You Syndication Photo Library – Message Attachments & Linked Assets https://theforensicscooter.com/2022/09/16/shared-with-you-syndication-photo-library-message-attachments-linked-assets/
-
/mobile/Library/Preferences/com.apple.atc.plist
- Checkra1n Era - Ep 4 - Analyzing extractions "Before First Unlock" https://blog.digital-forensics.it/2019/12/checkra1n-era-ep-4-analyzing.html
- Do you have a Full-Sized Asset…or just a Thumbnail? Did Optimized iPhone Storage process occur? https://theforensicscooter.com/2022/12/05/do-you-have-a-full-sized-assetor-just-a-thumbnail-did-optimized-iphone-storage-process-occur/
- /mobile/Library/Preferences/com.apple.BatteryCenter.BatteryWidget.plist
-
/mobile/Library/Preferences/com.apple.camera.plist
- Local Photo Library Photos.sqlite Query Documentation & Notable Artifacts https://theforensicscooter.com/2022/05/02/photos-sqlite-query-documentation-notable-artifacts/
- Do you have a Full-Sized Asset…or just a Thumbnail? Did Optimized iPhone Storage process occur? https://theforensicscooter.com/2022/12/05/do-you-have-a-full-sized-assetor-just-a-thumbnail-did-optimized-iphone-storage-process-occur/
-
/mobile/Library/Preferences/com.apple.carplay.plist
- Ridin’ With Apple CarPlay https://thebinaryhick.blog/2019/05/08/ridin-with-apple-carplay/
- They See Us Rollin’; They Hatin’: Forensics of iOS CarPlay and Android Auto https://papers.put.as/papers/ios/2019/summit_archive_1564072550.pdf
- iOS 16 - Breaking Down the Biomes (Part 3) - Keeping up with CarPlay https://blog.d204n6.com/2022/09/ios-16-breaking-down-biomes-part-3.html
- Digital Forensic Case Studies for In-Vehicle Infotainment Systems Using Android Auto and Apple CarPlay https://www.mdpi.com/1424-8220/22/19/7196/pdf
- Cellebrite CTF 2021 Writeup https://medium.com/@williamskosasi/cellebrite-ctf-2021-writeup-b73d821a708
- Cellebrite CTF 2021 - Marsha's iPhone https://www.stark4n6.com/2021/10/cellebrite-ctf-2021-marshas-iphone.html
- Auto-Parser: Android Auto and Apple CarPlay Forensics https://link.springer.com/chapter/10.1007/978-3-031-06365-7_4 https://github.com/BiTLab-BaggiliTruthLab/Auto-Parser-Android-Auto-Apple-CarPlay
-
/mobile/Library/Preferences/com.apple.celestial.plist
- Ridin’ With Apple CarPlay https://thebinaryhick.blog/2019/05/08/ridin-with-apple-carplay/
- Auto-Parser: Android Auto and Apple CarPlay Forensics https://link.springer.com/chapter/10.1007/978-3-031-06365-7_4 https://github.com/BiTLab-BaggiliTruthLab/Auto-Parser-Android-Auto-Apple-CarPlay
-
/mobile/Library/Preferences/com.apple.cloud.quota.plist
- Checkra1n Era - Ep 4 - Analyzing extractions "Before First Unlock" https://blog.digital-forensics.it/2019/12/checkra1n-era-ep-4-analyzing.html
-
/mobile/Library/Preferences/com.apple.cloudphotod.plist
- Local Photo Library Photos.sqlite Query Documentation & Notable Artifacts https://theforensicscooter.com/2022/05/02/photos-sqlite-query-documentation-notable-artifacts/
-
/mobile/Library/Preferences/com.apple.cmfsyncagent.plist
- Checkra1n Era - Ep 4 - Analyzing extractions "Before First Unlock" https://blog.digital-forensics.it/2019/12/checkra1n-era-ep-4-analyzing.html
- The Meaning of Messages https://www.magnetforensics.com/blog/the-meaning-of-messages/
-
/mobile/Library/Preferences/com.apple.commcenter.shared.plist
- Practical Mobile Forensics - Fourth Edition https://www.packtpub.com/product/practical-mobile-forensics-fourth-edition/9781838647520
- /mobile/Library/Preferences/com.apple.conference.plist
- /mobile/Library/Preferences/com.apple.contacts.donation-agent.plist
- /mobile/Library/Preferences/com.apple.contextstored.plist
- /mobile/Library/Preferences/com.apple.CoreDuet.plist
- /mobile/Library/Preferences/com.apple.CoreDuet.QueuedDenials.plist
- /mobile/Library/Preferences/com.apple.coreduetd.batterysaver.state.plist
-
/mobile/Library/Preferences/com.apple.coreduetd.plist
- iOS Forensics: BFU (Before First Unlock) acquisition, using checkra1n https://andreafortuna.org/2020/01/10/ios-forensics-bfu-before-first-unlock-acquisition-using-checkra1n/
- iOS Forensics: HFS+ file system, partitions and relevant evidences https://andreafortuna.org/2020/08/31/ios-forensics-hfs-file-system-partitions-and-relevant-evidences/
- /mobile/Library/Preferences/com.apple.corerecents.recentsd.plist
- /mobile/Library/Preferences/com.apple.corespotlightui.plist
- /mobile/Library/Preferences/com.apple.FeedbackAssistant.plist
-
/mobile/Library/Preferences/com.apple.homesharing.plist
- iOS Forensics: BFU (Before First Unlock) acquisition, using checkra1n https://andreafortuna.org/2020/01/10/ios-forensics-bfu-before-first-unlock-acquisition-using-checkra1n/
- iOS Analysis Test No. 18-5551 Summary Report https://cts-forensics.com/reports/38551_Web.pdf
- /mobile/Library/Preferences/com.apple.icloud.findmydeviced.FMIPAccounts.plist
-
/mobile/Library/Preferences/com.apple.icloud.fmfd.plist
- iOS - Tracking Device Migration https://blog.d204n6.com/2021/06/ios-tracking-device-migration.html
-
/mobile/Library/Preferences/com.apple.identityservices.idstatuscache.plist
- How iOS Properties Files Can Confirm a Suspect’s Contacts Even If Deleted https://cellebrite.com/en/how-ios-properties-files-can-confirm-a-suspects-contacts-even-if-data-deleted/
- Checkra1n Era - Ep 4 - Analyzing extractions "Before First Unlock" https://blog.digital-forensics.it/2019/12/checkra1n-era-ep-4-analyzing.html
- iOS Forensics: HFS+ file system, partitions and relevant evidences https://andreafortuna.org/2020/08/31/ios-forensics-hfs-file-system-partitions-and-relevant-evidences/
- Making the most of Property Lists https://forensicskween.com/research/making-the-most-of-property-lists/
- Practical Mobile Forensics - Fourth Edition https://www.packtpub.com/product/practical-mobile-forensics-fourth-edition/9781838647520
- /mobile/Library/Preferences/com.apple.imservice*.plist
-
/mobile/Library/Preferences/com.apple.locationd.plist
- Checkra1n Era - Ep 4 - Analyzing extractions "Before First Unlock" https://blog.digital-forensics.it/2019/12/checkra1n-era-ep-4-analyzing.html
- iOS Location Services and System Services are they ON or OFF https://dfir.pubpub.org/pub/4sv4kxyh/release/2
- iOS Location Services and System Services ON or OFF? https://theforensicscooter.com/2021/09/20/ios-location-services-and-system-services-on-or-off/
- iOS Analysis Test No. 18-5551 Summary Report https://cts-forensics.com/reports/38551_Web.pdf
- Practical Mobile Forensics - Fourth Edition https://www.packtpub.com/product/practical-mobile-forensics-fourth-edition/9781838647520
-
/mobile/Library/Preferences/com.apple.madrid.plist
- Checkra1n Era - Ep 4 - Analyzing extractions "Before First Unlock" https://blog.digital-forensics.it/2019/12/checkra1n-era-ep-4-analyzing.html
- The Meaning of Messages https://www.magnetforensics.com/blog/the-meaning-of-messages/
- iOS Forensics for Investigators https://www.packtpub.com/product/ios-forensics-for-investigators/9781803234083
-
/mobile/Library/Preferences/com.apple.messages.pinning.plist
- The Meaning of Messages https://www.magnetforensics.com/blog/the-meaning-of-messages/
-
/mobile/Library/Preferences/com.apple.migration.plist
- iOS - Tracking Device Migration https://blog.d204n6.com/2021/06/ios-tracking-device-migration.html
- Local Photo Library Photos.sqlite Query Documentation & Notable Artifacts https://theforensicscooter.com/2022/05/02/photos-sqlite-query-documentation-notable-artifacts/
- /mobile/Library/Preferences/com.apple.mmcs.plist
-
/mobile/Library/Preferences/com.apple.mobile.ldbackup.plist
- Checkra1n Era - Ep 4 - Analyzing extractions "Before First Unlock" https://blog.digital-forensics.it/2019/12/checkra1n-era-ep-4-analyzing.html
- Local Photo Library Photos.sqlite Query Documentation & Notable Artifacts https://theforensicscooter.com/2022/05/02/photos-sqlite-query-documentation-notable-artifacts/
- Practical Mobile Forensics - Fourth Edition https://www.packtpub.com/product/practical-mobile-forensics-fourth-edition/9781838647520
-
/mobile/Library/Preferences/com.apple.mobilegestalt.plist
- WHO IS THE OWNER OF THE MOBILE DEVICE? https://www.digitalforensics.com/blog/articles/who-is-the-owner-of-the-mobile-device/
- Practical Mobile Forensics - Fourth Edition https://www.packtpub.com/product/practical-mobile-forensics-fourth-edition/9781838647520
-
/mobile/Library/Preferences/com.apple.mobilephone.plist
- Practical Mobile Forensics - Fourth Edition https://www.packtpub.com/product/practical-mobile-forensics-fourth-edition/9781838647520
-
/mobile/Library/Preferences/com.apple.mobileslideshow.plist
- How to find iOS Hidden Assets https://theforensicscooter.com/2022/07/29/how-to-find-ios-hidden-assets/
- Do you have a Full-Sized Asset…or just a Thumbnail? Did Optimized iPhone Storage process occur? https://theforensicscooter.com/2022/12/05/do-you-have-a-full-sized-assetor-just-a-thumbnail-did-optimized-iphone-storage-process-occur/
-
/mobile/Library/Preferences/com.apple.MobileSMS.plist
- Checkra1n Era - Ep 4 - Analyzing extractions "Before First Unlock" https://blog.digital-forensics.it/2019/12/checkra1n-era-ep-4-analyzing.html
- What is the likelihood of recovering deleted iPhone messages? https://improsec.com/tech-blog/what-is-the-likelihood-of-recovering-deleted-iphone-messages
- Missing Pieces: Tips and Tricks on how to ensure your acquisitions aren’t missing critical data https://static1.squarespace.com/static/62ab5b933d903d4c55e5d716/t/62fa28d8fd3a89429f8a9a80/1660561630138/MissingPieces_Hyde_Quezada_Final.pdf
- The Meaning of Messages https://www.magnetforensics.com/blog/the-meaning-of-messages/
- Practical Mobile Forensics - Fourth Edition https://www.packtpub.com/product/practical-mobile-forensics-fourth-edition/9781838647520
- iOS Forensics for Investigators https://www.packtpub.com/product/ios-forensics-for-investigators/9781803234083
- /mobile/Library/Preferences/com.apple.mt.lastLaunch.plist
- /mobile/Library/Preferences/com.apple.nano.plist
- /mobile/Library/Preferences/com.apple.nanoregistry.plist
-
/mobile/Library/Preferences/com.apple.preferences.datetime.plist
- Checkra1n Era - Ep 4 - Analyzing extractions "Before First Unlock" https://blog.digital-forensics.it/2019/12/checkra1n-era-ep-4-analyzing.html
- Practical Mobile Forensics - Fourth Edition https://www.packtpub.com/product/practical-mobile-forensics-fourth-edition/9781838647520
-
/mobile/Library/Preferences/com.apple.preferences.network.plist
- Artifacts of an IOS device https://infosecaddicts.com/artifacts-ios-device/
- Wireless Network Preferences – iOS https://bitsplease4n6.wordpress.com/2020/12/17/wireless-network-preferences-ios/
-
/mobile/Library/Preferences/com.apple.Preferences.plist
- Checkra1n Era - Ep 4 - Analyzing extractions "Before First Unlock" https://blog.digital-forensics.it/2019/12/checkra1n-era-ep-4-analyzing.html
- Practical Mobile Forensics - Fourth Edition https://www.packtpub.com/product/practical-mobile-forensics-fourth-edition/9781838647520
-
/mobile/Library/Preferences/com.apple.purplebuddy.plist
- iOS - Tracking Device Migration https://blog.d204n6.com/2021/06/ios-tracking-device-migration.html
- Putting a User Behind an iOS Device https://dfrws.org/wp-content/uploads/2020/06/2020_USA_pres-putting_a_user_behind_an_ios_device.pdf
- How was an iPhone set up? https://dfir.pubpub.org/pub/2q177smo/release/5
- Upgrade From NULL—Detecting iOS Wipe Artifacts https://dfir.pubpub.org/pub/6i7d593n/release/1
- How was an iPhone set up? https://smarterforensics.com/2019/01/how-was-an-iphone-setup/
- How To Identify When an IPhone or iPad was Factory Reset https://athenaforensics.co.uk/how-to-identify-when-an-iphone-or-ipad-was-factory-reset/
- Checkra1n Era - Ep 4 - Analyzing extractions "Before First Unlock" https://blog.digital-forensics.it/2019/12/checkra1n-era-ep-4-analyzing.html
- Local Photo Library Photos.sqlite Query Documentation & Notable Artifacts https://theforensicscooter.com/2022/05/02/photos-sqlite-query-documentation-notable-artifacts/
- iOS Analysis Test No. 20-5551 Summary Report https://cts-forensics.com/reports/20-5551_Web.pdf
-
/mobile/Library/Preferences/com.apple.sharingd.plist
- Analysis of Apple Unified Logs: Quarantine Edition [Entry 11] – AirDropping Some Knowledge http://www.mac4n6.com/blog/2020/6/5/analysis-of-apple-unified-logs-quarantine-edition-entry-11-airdropping-some-knowledge
- EXTRACTING FORENSIC ARTIFACTS FROM APPLE CONTINUITY https://smarterforensics.com/wp-content/uploads/2014/06/The-Cider-Press-DFIR_Summit2017.pdf
- Checkra1n Era - Ep 4 - Analyzing extractions "Before First Unlock" https://blog.digital-forensics.it/2019/12/checkra1n-era-ep-4-analyzing.html
-
/mobile/Library/Preferences/com.apple.springboard.plist
- Recover your iPhone Screen Time or restrictions passcode (supports iOS 14) https://www.iphonebackupextractor.com/guides/recover-screen-time-parental-restrictions-passcode/
- Artifacts of an IOS device https://infosecaddicts.com/artifacts-ios-device/
- Auto-Parser: Android Auto and Apple CarPlay Forensics https://link.springer.com/chapter/10.1007/978-3-031-06365-7_4 https://github.com/BiTLab-BaggiliTruthLab/Auto-Parser-Android-Auto-Apple-CarPlay
- Practical Mobile Forensics - Fourth Edition https://www.packtpub.com/product/practical-mobile-forensics-fourth-edition/9781838647520
-
/mobile/Library/Preferences/com.apple.timed.plist
- Checkra1n Era - Ep 4 - Analyzing extractions "Before First Unlock" https://blog.digital-forensics.it/2019/12/checkra1n-era-ep-4-analyzing.html
- /mobile/Library/Preferences/com.apple.weather.plist
-
/mobile/Library/Recents/Recents
- iOS Analysis Test No. 20-5551 Summary Report https://cts-forensics.com/reports/20-5551_Web.pdf
- Recents query https://github.com/kacos2000/queries/blob/master/recents.sql
-
/mobile/Library/Reminders/
- Cellebrite CTF 2020: Ruth Langmore https://ciofecaforensics.com/2020/11/02/cellebrite-ctf-ruth/
- iLEAPP Reminders Plugin https://github.com/abrignoni/iLEAPP/blob/main/scripts/artifacts/reminders.py
-
/mobile/Library/Safari/Bookmarks.db
- iOS 14 - First Thoughts and Analysis https://blog.d204n6.com/2020/09/ios-14-first-thoughts-and-analysis.html
- Getting Started with iOS Forensics https://www.systoolsgroup.com/forensics/sqlite/ios.html
- iLEAPP Safari Bookmarks Plugin https://github.com/abrignoni/iLEAPP/blob/main/scripts/artifacts/safariBookmarks.py
- Practical Mobile Forensics - Fourth Edition https://www.packtpub.com/product/practical-mobile-forensics-fourth-edition/9781838647520
- iOS Forensics for Investigators https://www.packtpub.com/product/ios-forensics-for-investigators/9781803234083
-
/mobile/Library/Safari/BrowserState.db
- Examining mobile devices: identifying private internet browsing activity in Mobile Safari https://www.opentext.com/file_source/OpenText/en_US/PDF/Examining-mobiledevices-&-private-internet-browsing-activity-whitepaper-en.pdf
- iOS 14 - First Thoughts and Analysis https://blog.d204n6.com/2020/09/ios-14-first-thoughts-and-analysis.html
- iLEAPP Safari Tabs Plugin https://github.com/abrignoni/iLEAPP/blob/main/scripts/artifacts/safariTabs.py
- iOS Forensics for Investigators https://www.packtpub.com/product/ios-forensics-for-investigators/9781803234083
-
/mobile/Library/Safari/CloudTabs.db
- iLEAPP Safari Tabs Plugin https://github.com/abrignoni/iLEAPP/blob/main/scripts/artifacts/safariTabs.py
- iOS Forensics for Investigators https://www.packtpub.com/product/ios-forensics-for-investigators/9781803234083
-
/mobile/Library/Safari/History.db
- Missing SQLite Records Analysis https://dfir.pubpub.org/pub/33vkc2ul/release/1
- Examining mobile devices: identifying private internet browsing activity in Mobile Safari https://www.opentext.com/file_source/OpenText/en_US/PDF/Examining-mobiledevices-&-private-internet-browsing-activity-whitepaper-en.pdf
- KnowledgeC (and Friends) http://www.doubleblak.com/m/blogPosts.php?id=2
- Cellebrite CTF 2020: Ruth Langmore https://ciofecaforensics.com/2020/11/02/cellebrite-ctf-ruth/
- Magnet User Summit 2022 CTF - iPhone https://www.stark4n6.com/2022/06/magnet-user-summit-2022-ctf-iphone.html
- iOS Analysis Test No. 18-5551 Summary Report https://cts-forensics.com/reports/38551_Web.pdf
- iOS Analysis Test No. 19-5551 Summary Report https://cts-forensics.com/reports/19-5551_Web.pdf
- iOS Analysis Test No. 20-5551 Summary Report https://cts-forensics.com/reports/20-5551_Web.pdf
- iOS Analysis Test No. 21-5551 Summary Report https://cts-forensics.com/reports/21-5551_Web.pdf
- iOS Analysis Test No. 22-5551 Summary Report https://cts-forensics.com/reports/22-5551_Web.pdf
- Reading Your Browser's History with SQLite http://2016.padjo.org/tutorials/sqlite-your-browser-history/
- APOLLO Safari History Module https://github.com/abrignoni/iLEAPP/blob/main/scripts/artifacts/iconsScreen.py
- iLEAPP Safari History Plugin https://github.com/abrignoni/iLEAPP/blob/main/scripts/artifacts/safariHistory.py
- Practical Mobile Forensics - Fourth Edition https://www.packtpub.com/product/practical-mobile-forensics-fourth-edition/9781838647520
- iOS Forensics for Investigators https://www.packtpub.com/product/ios-forensics-for-investigators/9781803234083
-
/mobile/Library/Safari/SafariTabs.db
- iOS 16 - Breaking Down the Biomes (Part 4) - Surfin' with Safari https://blog.d204n6.com/2022/09/ios-16-breaking-down-biomes-part-4.html
- iOS 16: What Digital Investigators Need to Know https://www.magnetforensics.com/blog/ios-16-what-digital-investigators-need-to-know/
- Checking in on iOS 16 in Magnet AXIOM 6.8 https://www.magnetforensics.com/blog/checking-in-on-ios-16-in-magnet-axiom-6-8/
-
/mobile/Library/SMS/Attachments/
- The Meaning of Messages https://www.magnetforensics.com/blog/the-meaning-of-messages/
- Using Photos.sqlite to Show the Relationships Between Photos and the Application they were Created with? https://dfir.pubpub.org/pub/v19rksyf/release/1 https://smarterforensics.com/2020/08/does-photos-sqlite-have-relations-with-cameramessagesapp-by-scott-koenig/
- Shared with You Syndication Photo Library – Message Attachments & Linked Assets https://theforensicscooter.com/2022/09/16/shared-with-you-syndication-photo-library-message-attachments-linked-assets/
- iOS Analysis Test No. 19-5551 Summary Report https://cts-forensics.com/reports/19-5551_Web.pdf
- iOS Forensics for Investigators https://www.packtpub.com/product/ios-forensics-for-investigators/9781803234083
-
/mobile/Library/SMS/Drafts/
- Local Photo Library Photos.sqlite Query Documentation & Notable Artifacts https://theforensicscooter.com/2022/05/02/photos-sqlite-query-documentation-notable-artifacts/
- iLEAPP Draft SMS Plugin https://github.com/abrignoni/iLEAPP/blob/main/scripts/artifacts/draftmessage.py
- iOS Forensics for Investigators https://www.packtpub.com/product/ios-forensics-for-investigators/9781803234083
-
/mobile/Library/SMS/sms.db
- The Meaning of Messages https://www.magnetforensics.com/blog/the-meaning-of-messages/
- iOS16 iMessages https://doubleblak.com/blogPosts.php?id=27
- iOS 16 - "Paul unsent a message." ... OR DID HE?! https://blog.d204n6.com/2022/09/ios-16-paul-unsent-message-or-did-he.html
- Message Reactions https://doubleblak.com/blogPosts.php?id=24
- Sharing Locations in iOS Messages https://thebinaryhick.blog/2021/09/29/sharing-locations-in-ios-messages/
- iOS 14 - Message Mentions and Threading https://blog.d204n6.com/2020/09/ios-14-message-mentions-and-threading.html
- Cellebrite CTF 2020: Juan Mortyme https://ciofecaforensics.com/2020/10/30/cellebrite-ctf-juan/
- iOS Analysis Test No. 18-5551 Summary Report https://cts-forensics.com/reports/38551_Web.pdf
- iOS Analysis Test No. 19-5551 Summary Report https://cts-forensics.com/reports/19-5551_Web.pdf
- iOS Analysis Test No. 20-5551 Summary Report https://cts-forensics.com/reports/20-5551_Web.pdf
- Lagging for the Win: Querying for Negative Evidence in the sms.db https://belkasoft.com/lagging-for-win
- An Alternate Location for Deleted SMS/iMessage Data in Apple Devices https://sqlmcgee.wordpress.com/2022/03/28/an-alternate-location-for-deleted-sms-imessage-data-in-apple-devices-2/ https://dfir.pubpub.org/pub/yp6efc8q/release/1
- Missing SQLite Records Analysis https://dfir.pubpub.org/pub/33vkc2ul/release/1
- Local Photo Library Photos.sqlite Query Documentation & Notable Artifacts https://theforensicscooter.com/2022/05/02/photos-sqlite-query-documentation-notable-artifacts/
- How To Identify When an IPhone or iPad was Factory Reset https://athenaforensics.co.uk/how-to-identify-when-an-iphone-or-ipad-was-factory-reset/
- KnowledgeC (and Friends) http://www.doubleblak.com/m/blogPosts.php?id=2
- Temporal Analysis Anomalies with iOS iMessage Communication Exchange https://personal.cis.strath.ac.uk/george.weir/cyfor14/papers/4_govan_ovans.pdf
- iLEAPP SMS Plugin https://github.com/abrignoni/iLEAPP/blob/main/scripts/artifacts/sms.py
- APOLLO SMS Modules https://github.com/mac4n6/APOLLO/blob/master/modules/sms_chat.txt https://github.com/mac4n6/APOLLO/blob/master/modules/sms_chat_message_delivered.txt https://github.com/mac4n6/APOLLO/blob/master/modules/sms_chat_message_read.txt
- Practical Mobile Forensics - Fourth Edition https://www.packtpub.com/product/practical-mobile-forensics-fourth-edition/9781838647520
- iOS Forensics for Investigators https://www.packtpub.com/product/ios-forensics-for-investigators/9781803234083
-
/mobile/Library/SMS/sms-temp.db
- Checkra1n Era - Ep 4 - Analyzing extractions "Before First Unlock" https://blog.digital-forensics.it/2019/12/checkra1n-era-ep-4-analyzing.html
- iOS Forensics for Investigators https://www.packtpub.com/product/ios-forensics-for-investigators/9781803234083
- /mobile/Library/SpringBoard/HomeBackgroundThumbnail.jpg
-
/mobile/Library/SpringBoard/IconState.plist
- Today, Widgets, & Ignored Apps in iOS https://thebinaryhick.blog/2021/07/25/today-widgets-ignored-apps-in-ios/
- Recover iOS App Screen Layouts with the New iOS Home Screen Items Artifact https://www.magnetforensics.com/blog/recover-ios-app-screen-layouts-with-the-new-ios-home-screen-items-artifact/
- Checkra1n Era - Ep 4 - Analyzing extractions "Before First Unlock" https://blog.digital-forensics.it/2019/12/checkra1n-era-ep-4-analyzing.html
- iLEAPP Icon State Plugin https://github.com/abrignoni/iLEAPP/blob/main/scripts/artifacts/iconsScreen.py
- A Few Interesting iOS Forensic Artefacts https://salt4n6.com/2018/05/15/a-few-interesting-ios-forensic-artefacts/
- iOS - Tracking Traces of Deleted Applications https://blog.d204n6.com/2019/09/ios-tracking-traces-of-deleted.html
- Tracking Traces of Deleted Applications - SANS DFIR Summit 2019 https://www.youtube.com/watch?v=4LcQm4ErXpA
- Auto-Parser: Android Auto and Apple CarPlay Forensics https://link.springer.com/chapter/10.1007/978-3-031-06365-7_4 https://github.com/BiTLab-BaggiliTruthLab/Auto-Parser-Android-Auto-Apple-CarPlay
- They See Us Rollin’; They Hatin’: Forensics of iOS CarPlay and Android Auto https://papers.put.as/papers/ios/2019/summit_archive_1564072550.pdf
- /mobile/Library/SpringBoard/LockBackgroundThumbnail.jpg
- Practical Mobile Forensics - Fourth Edition https://www.packtpub.com/product/practical-mobile-forensics-fourth-edition/9781838647520
- /mobile/Library/SpringBoard/LockBackgroundThumbnaildark.jpg
- Practical Mobile Forensics - Fourth Edition https://www.packtpub.com/product/practical-mobile-forensics-fourth-edition/9781838647520
- /mobile/Library/SpringBoard/TodayViewArchive.plist
-
/mobile/Library/SpringBoard/PushStore/
- pushstore_parser https://github.com/jakev/pushstore-parser
- iLEAPP PushStore Plugin https://github.com/abrignoni/iLEAPP/blob/main/scripts/artifacts/notificationsXI.py
-
/mobile/Library/Suggestions/query_predictions.db
- iLEAPP Query Predictions Plugin https://github.com/abrignoni/iLEAPP/blob/main/scripts/artifacts/queryPredictions.py
- APOLLO Query Predictions Module https://github.com/mac4n6/APOLLO/blob/master/modules/query_predictions.txt
-
/mobile/Library/TCC/TCC.db
- Checkra1n Era - Ep 4 - Analyzing extractions "Before First Unlock" https://blog.digital-forensics.it/2019/12/checkra1n-era-ep-4-analyzing.html
- iOS Forensics: BFU (Before First Unlock) acquisition, using checkra1n https://andreafortuna.org/2020/01/10/ios-forensics-bfu-before-first-unlock-acquisition-using-checkra1n/
- iOS Forensics: HFS+ file system, partitions and relevant evidences https://andreafortuna.org/2020/08/31/ios-forensics-hfs-file-system-partitions-and-relevant-evidences/
- Cellebrite CTF 2021 - Beth's iPhone https://www.stark4n6.com/2021/10/cellebrite-ctf-2021-beths-iphone.html
- Analysis of Apple Unified Logs: Quarantine Edition [Entry 10] – You down with TCC? Yea, you know me! Tracking App Permissions and the TCC APOLLO Module http://www.mac4n6.com/blog/2020/6/1/analysis-of-apple-unified-logs-quarantine-edition-entry-10-you-down-with-tcc-yea-you-know-me-tracking-app-permissions-and-the-tcc-apollo-module?rq=tcc
- iLEAPP TCC Plugin https://github.com/abrignoni/iLEAPP/blob/main/scripts/artifacts/tcc.py
- APOLLO TCC Module https://github.com/mac4n6/APOLLO/blob/master/modules/tcc_db.txt
-
/mobile/Library/UserConfigurationProfiles/PublicEffectiveUserSettings.plist
- iOS Settings Display Auto-Lock & Require Passcode https://theforensicscooter.com/2021/09/05/ios-settings-display-auto-lock-require-passcode/
- iOS Settings Display Auto-Lock & Require Passcode https://dfir.pubpub.org/pub/khnqi0ff/release/1
- Cellebrite CTF 2021 - Beth's iPhone https://www.stark4n6.com/2021/10/cellebrite-ctf-2021-beths-iphone.html
- Cellebrite CTF 2021 Writeup https://medium.com/@williamskosasi/cellebrite-ctf-2021-writeup-b73d821a708
- /mobile/Library/UserConfigurationProfiles/UserSettings.plist
-
/mobile/Library/UserNotifications/
- Magnet User Summit 2022 CTF - iPhone https://www.stark4n6.com/2022/06/magnet-user-summit-2022-ctf-iphone.html
- iLEAPP User Notifications Plugin https://github.com/abrignoni/iLEAPP/blob/main/scripts/artifacts/notificationsXII.py
- Mobile Cyber Forensic Investigations of Web3 Wallets on Android and iOS https://www.mdpi.com/2076-3417/12/21/11180
-
/mobile/Library/Voicemail/voicemail.db
- iOS Voicemail Transcripts https://www.linkedin.com/pulse/ios-voicemail-transcripts-charlie-rubisoff/
- Dude, Where's My Banana? Retrieving data from an iPhone voicemail database http://cheeky4n6monkey.blogspot.com/2013/01/dude-wheres-my-banana-retrieving-data.html
- Dude, Where's My Data? http://az4n6.blogspot.com/2012/12/dude-wheres-my-data.html
- iOS Analysis Test No. 18-5551 Summary Report https://cts-forensics.com/reports/38551_Web.pdf
- iOS Analysis Test No. 20-5551 Summary Report https://cts-forensics.com/reports/20-5551_Web.pdf
- iOS Analysis Test No. 21-5551 Summary Report https://cts-forensics.com/reports/21-5551_Web.pdf
- iOS Analysis Test No. 22-5551 Summary Report https://cts-forensics.com/reports/22-5551_Web.pdf
- Practical Mobile Forensics - Fourth Edition https://www.packtpub.com/product/practical-mobile-forensics-fourth-edition/9781838647520
"/mobile/Media/" folder
-
/mobile/Media/DCIM/
- Local Photo Library Photos.sqlite Query Documentation & Notable Artifacts https://theforensicscooter.com/2022/05/02/photos-sqlite-query-documentation-notable-artifacts/
- Do you have a Full-Sized Asset…or just a Thumbnail? Did Optimized iPhone Storage process occur? https://theforensicscooter.com/2022/12/05/do-you-have-a-full-sized-assetor-just-a-thumbnail-did-optimized-iphone-storage-process-occur/
- How to find iOS Hidden Assets https://theforensicscooter.com/2022/07/29/how-to-find-ios-hidden-assets/
- USING PHOTOS.SQLITE TO SHOW THE RELATIONSHIPS BETWEEN PHOTOS AND THE APPLICATION THEY WERE CREATED WITH? BY SCOTT KOENIG https://smarterforensics.com/2020/08/does-photos-sqlite-have-relations-with-cameramessagesapp-by-scott-koenig/ https://dfir.pubpub.org/pub/v19rksyf/release/1
- Checkra1n Era - Ep 4 - Analyzing extractions "Before First Unlock" https://blog.digital-forensics.it/2019/12/checkra1n-era-ep-4-analyzing.html
- Cellebrite CTF 2021 Writeup https://medium.com/@williamskosasi/cellebrite-ctf-2021-writeup-b73d821a708
- Cellebrite CTF 2020: Juan Mortyme https://ciofecaforensics.com/2020/10/30/cellebrite-ctf-juan/
- Cellebrite CTF 2022 - Marsha's iPhone https://www.stark4n6.com/2022/06/cellebrite-ctf-2022-marshas-iphone.html
- Magnet Forensics Virtual Summit 2023 CTF – iOS https://www.forgottennook.com/blog/magnet-ios-2023
- iOS Analysis Test No. 18-5551 Summary Report https://cts-forensics.com/reports/38551_Web.pdf
- iOS Analysis Test No. 19-5551 Summary Report https://cts-forensics.com/reports/19-5551_Web.pdf
- iOS Analysis Test No. 20-5551 Summary Report https://cts-forensics.com/reports/20-5551_Web.pdf
- iOS Analysis Test No. 21-5551 Summary Report https://cts-forensics.com/reports/21-5551_Web.pdf
- iOS Analysis Test No. 22-5551 Summary Report https://cts-forensics.com/reports/22-5551_Web.pdf
- Practical Mobile Forensics - Fourth Edition https://www.packtpub.com/product/practical-mobile-forensics-fourth-edition/9781838647520
- iOS Forensics for Investigators https://www.packtpub.com/product/ios-forensics-for-investigators/9781803234083
-
/mobile/Media/iTunes_Control/iTunes/MediaLibrary.sqlitedb
- Checkra1n Era - Ep 4 - Analyzing extractions "Before First Unlock" https://blog.digital-forensics.it/2019/12/checkra1n-era-ep-4-analyzing.html
- Cellebrite CTF 2020: Ruth Langmore https://ciofecaforensics.com/2020/11/02/cellebrite-ctf-ruth/
- Apple TV Forensics 03: Analysis https://blog.elcomsoft.com/2019/09/apple-tv-forensics-03-analysis/
- Forensicating The Apple TV https://www.forensicfocus.com/webinars/forensicating-the-apple-tv/
- Apple Watch Forensics 02: Analysis https://blog.elcomsoft.com/2019/06/apple-watch-forensics-02-analysis/
- APPLE WATCH FORENSICS: IS IT EVER POSSIBLE, AND WHAT IS THE PROFIT? https://www.forensicfocus.com/webinars/apple-watch-forensics-is-it-ever-possible-and-what-is-the-profit/ https://dfrws.org/wp-content/uploads/2019/06/2019_EU_pres-apple_watch_forensics_is_it_ever_possible_and_what_is_the_profit.pdf
- iLEAPP Media Library Plugin https://github.com/abrignoni/iLEAPP/blob/main/scripts/artifacts/mediaLibrary.py
-
/mobile/Media/iTunesControl/iTunes/iTunesPrefs
- Checkra1n Era - Ep 4 - Analyzing extractions "Before First Unlock" https://blog.digital-forensics.it/2019/12/checkra1n-era-ep-4-analyzing.html
- Forensic Analysis of iTunes Backups https://farleyforensics.com/2019/04/14/forensic-analysis-of-itunes-backups/
-
/mobile/Media/MediaAnalysis/mediaanalysis.db
- Follow-on to DFIR Summit Talk: Lucky (iOS) 13: Time To Press Your Bets (via @bizzybarney) http://www.mac4n6.com/blog/2020/7/19/follow-on-to-dfir-summit-talk-lucky-ios-13-time-to-press-your-bets-via-bizzybarney
- iOS Forensics for Investigators https://www.packtpub.com/product/ios-forensics-for-investigators/9781803234083
-
/mobile/Media/PhotoData/AlbumsMetadata/
- Local Photo Library Photos.sqlite Query Documentation & Notable Artifacts https://theforensicscooter.com/2022/05/02/photos-sqlite-query-documentation-notable-artifacts/
-
/mobile/Media/PhotoData/PhotoCloudSharingData/
- Local Photo Library Photos.sqlite Query Documentation & Notable Artifacts https://theforensicscooter.com/2022/05/02/photos-sqlite-query-documentation-notable-artifacts/
- Local Photo Library Photos.sqlite Query Variations & WHERE statements https://theforensicscooter.com/2022/02/21/photos-sqlite-update/
- Photos.sqlite ZINTERNALRESOURCE Table Reference Guide https://theforensicscooter.com/2022/12/03/photos-sqlite-zinternalresource-table-reference-guide/
- Sharing is Caring – An Overview of Shared Albums in iOS https://gforce4n6.blogspot.com/2020/09/sharing-is-caring-overview-of-shared.html
- iLEAPP Shared Albums Plugin https://github.com/abrignoni/iLEAPP/blob/main/scripts/artifacts/icloudSharedalbums.py
- iOS Forensics for Investigators https://www.packtpub.com/product/ios-forensics-for-investigators/9781803234083
- /mobile/Media/PhotoData/Caches/GraphService/CLSPublicEventCache.sqlite
-
/mobile/Media/PhotoData/CPL/
- Local Photo Library Photos.sqlite Query Documentation & Notable Artifacts https://theforensicscooter.com/2022/05/02/photos-sqlite-query-documentation-notable-artifacts/
- Do you have a Full-Sized Asset…or just a Thumbnail? Did Optimized iPhone Storage process occur? https://theforensicscooter.com/2022/12/05/do-you-have-a-full-sized-assetor-just-a-thumbnail-did-optimized-iphone-storage-process-occur/
- How to find iOS Hidden Assets https://theforensicscooter.com/2022/07/29/how-to-find-ios-hidden-assets/
- Practical Mobile Forensics - Fourth Edition https://www.packtpub.com/product/practical-mobile-forensics-fourth-edition/9781838647520
-
/mobile/Media/PhotoData/Photos.sqlite
- Photos.sqlite Queries – Original Blog Posting https://theforensicscooter.com/2021/11/23/photos-sqlite-queries/
- Local Photo Library Photos.sqlite Query Documentation & Notable Artifacts https://theforensicscooter.com/2022/05/02/photos-sqlite-query-documentation-notable-artifacts/
- Local Photo Library Photos.sqlite Query Variations & WHERE statements https://theforensicscooter.com/2022/02/21/photos-sqlite-update/
- How to find iOS Hidden Assets https://theforensicscooter.com/2022/07/29/how-to-find-ios-hidden-assets/
- Photos.sqlite ZINTERNALRESOURCE Table Reference Guide https://theforensicscooter.com/2022/12/03/photos-sqlite-zinternalresource-table-reference-guide/
- Do you have a Full-Sized Asset…or just a Thumbnail? Did Optimized iPhone Storage process occur? https://theforensicscooter.com/2022/12/05/do-you-have-a-full-sized-assetor-just-a-thumbnail-did-optimized-iphone-storage-process-occur/
- Part B Filling a device internal storage for Optimize iPhone Storage Research https://theforensicscooter.com/2022/12/03/part-b-filling-a-device-internal-storage-for-optimize-iphone-storage-research/
- iOS Media Adjustments https://www.doubleblak.com/blogPosts.php?id=23
- iOS Local Photo Library (PL) Photos.sqlite Queries https://github.com/ScottKjr3347/iOS_Local_PL_Photos.sqlite_Queries
- USING PHOTOS.SQLITE TO SHOW THE RELATIONSHIPS BETWEEN PHOTOS AND THE APPLICATION THEY WERE CREATED WITH? BY SCOTT KOENIG https://smarterforensics.com/2020/08/does-photos-sqlite-have-relations-with-cameramessagesapp-by-scott-koenig/ https://dfir.pubpub.org/pub/v19rksyf/release/1
- How Did That Photo Get on That iPhone? – Deep Dive into the iOS “Photos.sqlite” database https://msab.com/guides-whitepapers/forensic-dive-into-ios-photos-sqlite-database/
- How Did That Photo Get on That iPhone: Media Attribution for iOS https://www.msab.com/blog/media-attribution-for-ios/
- iOS Photos.sqlite Forensics https://www.forensicmike1.com/2019/05/02/ios-photos-sqlite-forensics/
- macOS & iOS Photos Support with Magnet AXIOM https://www.magnetforensics.com/blog/macos-ios-photos-support-with-magnet-axiom/
- Apple Watch Forensics 02: Analysis https://blog.elcomsoft.com/2019/06/apple-watch-forensics-02-analysis/
- Apple iOS: Recently Deleted images https://forensenellanebbia.blogspot.com/2015/10/apple-ios-recently-deleted-images.html
- The Apple Photos library https://www.tonkata.com/posts/apple-photos/
- Photos.sqlite query https://github.com/kacos2000/queries/blob/master/Photos_sqlite.sql
- iLEAPP Photos Plugin https://github.com/abrignoni/iLEAPP/blob/main/scripts/artifacts/photosMetadata.py
- Practical Mobile Forensics - Fourth Edition https://www.packtpub.com/product/practical-mobile-forensics-fourth-edition/9781838647520
- iOS Forensics for Investigators https://www.packtpub.com/product/ios-forensics-for-investigators/9781803234083
-
/mobile/Media/PhotoData/Thumbnails/
- iPhone Photodata Thumbnails https://athenaforensics.co.uk/iphone-photodata-thumbnails/
- Local Photo Library Photos.sqlite Query Documentation & Notable Artifacts https://theforensicscooter.com/2022/05/02/photos-sqlite-query-documentation-notable-artifacts/
- Do you have a Full-Sized Asset…or just a Thumbnail? Did Optimized iPhone Storage process occur? https://theforensicscooter.com/2022/12/05/do-you-have-a-full-sized-assetor-just-a-thumbnail-did-optimized-iphone-storage-process-occur/
- Photos.sqlite ZINTERNALRESOURCE Table Reference Guide https://theforensicscooter.com/2022/12/03/photos-sqlite-zinternalresource-table-reference-guide/
- iOS iThmbs http://dig-forensics.blogspot.com/2013/05/ios-ithmbs.html
- iThmb Converter https://www.ithmbconverter.com/
- iOS Forensics for Investigators https://www.packtpub.com/product/ios-forensics-for-investigators/9781803234083
-
/mobile/Media/Recordings/
- Forensic originality identification of iPhone’s voice memos https://iopscience.iop.org/article/10.1088/1742-6596/1345/5/052053/pdf
- A method of forensic authentication of audio recordings generated using the Voice Memos application in the iPhone https://www.sciencedirect.com/science/article/abs/pii/S0379073821000220
- Advanced forensic procedure for the authentication of audio recordings generated by Voice Memos application of iOS14 https://onlinelibrary.wiley.com/doi/abs/10.1111/1556-4029.15016
- Cellebrite CTF 2020: Juan Mortyme https://ciofecaforensics.com/2020/10/30/cellebrite-ctf-juan/
- iLEAPP Voice Recordings Plugin https://github.com/abrignoni/iLEAPP/blob/main/scripts/artifacts/voiceRecordings.py
- Practical Mobile Forensics - Fourth Edition https://www.packtpub.com/product/practical-mobile-forensics-fourth-edition/9781838647520
"/mobile/MobileSoftwareUpdate/" folder
-
/mobile/MobileSoftwareUpdate/restore.log
- Restore Log - Tracking iOS Update History https://www.stark4n6.com/2021/10/restore-log-tracking-ios-update-history.html
- Cellebrite CTF 2021 Writeup https://medium.com/@williamskosasi/cellebrite-ctf-2021-writeup-b73d821a708
- iLEAPP restore.log Plugin https://github.com/abrignoni/iLEAPP/blob/main/scripts/artifacts/restoreLog.py
"/networkd/" folder
-
/networkd/netusage.sqlite
- Network and Application Usage using netusage.sqlite & DataUsage.sqlite iOS Databases http://www.mac4n6.com/blog/2019/1/6/network-and-application-usage-using-netusagesqlite-amp-datausagesqlite-ios-databases
- iOS - Tracking Traces of Deleted Applications https://blog.d204n6.com/2019/09/ios-tracking-traces-of-deleted.html
- Tracking Traces of Deleted Applications - SANS DFIR Summit 2019 https://www.youtube.com/watch?v=4LcQm4ErXpA
- iOS Forensics: HFS+ file system, partitions and relevant evidences https://andreafortuna.org/2020/08/31/ios-forensics-hfs-file-system-partitions-and-relevant-evidences/
- iLEAPP Net Usage Plugin https://github.com/abrignoni/iLEAPP/blob/main/scripts/artifacts/netusage.py
- APOLLO Netusage Module https://github.com/mac4n6/APOLLO/blob/master/modules/netusage_zprocess.txt https://github.com/mac4n6/APOLLO/blob/master/modules/netusage_zliveusage.txt https://github.com/mac4n6/APOLLO/blob/master/modules/netusage_zliverouteperf.txt
"/preferences/" folder
- /preferences/com.apple.networkextension.plist
-
/preferences/com.apple.wifi.known-networks.plist
- Apple Private Wi-Fi Addresses https://ciofecaforensics.com/2020/10/24/apple-private-addresses/
- Sysdiagnose in iOS 16: a first look from a Digital Forensics perspective https://blog.digital-forensics.it/2022/11/sysdiagnose-in-ios-16-first-look-from.html
- mac_apt WiFi Plugin https://github.com/ydkhatri/mac_apt/blob/master/plugins/ios_wifi.py
-
/preferences/SystemConfiguration/com.apple.accounts.exists.plist
- Checkra1n Era - Ep 4 - Analyzing extractions "Before First Unlock" https://blog.digital-forensics.it/2019/12/checkra1n-era-ep-4-analyzing.html
- iLEAPP Conf Accounts Plugin https://github.com/abrignoni/iLEAPP/blob/main/scripts/artifacts/confaccts.py
-
/preferences/SystemConfiguration/com.apple.networkidentification.plist
- Artifacts of an IOS device https://infosecaddicts.com/artifacts-ios-device/
- Everything You Always Wanted to Know About iTunes and iCloud Backups But Were Afraid to Ask https://blog.elcomsoft.com/2014/03/itunes-icloud-backups/
-
/preferences/SystemConfiguration/com.apple.radios.plist
- Checkra1n Era - Ep 4 - Analyzing extractions "Before First Unlock" https://blog.digital-forensics.it/2019/12/checkra1n-era-ep-4-analyzing.html
- iOS Forensics for Investigators https://www.packtpub.com/product/ios-forensics-for-investigators/9781803234083
-
/preferences/SystemConfiguration/com.apple.wifi.plist
- From iPhone to Access Point https://www.forensicfocus.com/articles/from-iphone-to-access-point/
- Apple Private Wi-Fi Addresses https://ciofecaforensics.com/2020/10/24/apple-private-addresses/
- Using Apple “Bug Reporting” for forensic purposes https://for585.com/sysdiagnose
- Sysdiagnose in iOS 16: a first look from a Digital Forensics perspective https://blog.digital-forensics.it/2022/11/sysdiagnose-in-ios-16-first-look-from.html
- Wifi Networks – iOS https://bitsplease4n6.wordpress.com/2020/12/08/wifi-networks-ios/
- Apple Watch Forensics 02: Analysis https://blog.elcomsoft.com/2019/06/apple-watch-forensics-02-analysis/
- iOS Forensics: HFS+ file system, partitions and relevant evidences https://andreafortuna.org/2020/08/31/ios-forensics-hfs-file-system-partitions-and-relevant-evidences/
- iOS Forensics: BFU (Before First Unlock) acquisition, using checkra1n https://andreafortuna.org/2020/01/10/ios-forensics-bfu-before-first-unlock-acquisition-using-checkra1n/
- APPLE WATCH FORENSICS: IS IT EVER POSSIBLE, AND WHAT IS THE PROFIT? https://www.forensicfocus.com/webinars/apple-watch-forensics-is-it-ever-possible-and-what-is-the-profit/ https://dfrws.org/wp-content/uploads/2019/06/2019_EU_pres-apple_watch_forensics_is_it_ever_possible_and_what_is_the_profit.pdf
- A journey into IoT Forensics - Episode 5 - Analysis of the Apple HomePod and the Apple Home Kit Environment (aka thanks RN Team!) https://blog.digital-forensics.it/2021/01/a-journey-into-iot-forensics-episode-5.html
- Cellebrite CTF 2020: Ruth Langmore https://ciofecaforensics.com/2020/11/02/cellebrite-ctf-ruth/
- iOS Analysis Test No. 18-5551 Summary Report https://cts-forensics.com/reports/38551_Web.pdf
- iOS Analysis Test No. 19-5551 Summary Report https://cts-forensics.com/reports/19-5551_Web.pdf
- iOS Analysis Test No. 20-5551 Summary Report https://cts-forensics.com/reports/20-5551_Web.pdf
- iOS Analysis Test No. 21-5551 Summary Report https://cts-forensics.com/reports/21-5551_Web.pdf
- iOS Analysis Test No. 22-5551 Summary Report https://cts-forensics.com/reports/22-5551_Web.pdf
- iOS Sysdiagnose Wi-Fi script https://github.com/cheeky4n6monkey/iOS_sysdiagnose_forensic_scripts/blob/master/sysdiagnose-wifi-plist.py
- iLEAPP WiFi Plugin https://github.com/abrignoni/iLEAPP/blob/main/scripts/artifacts/appleWifiPlist.py
- mac_apt WiFi Plugin https://github.com/ydkhatri/mac_apt/blob/master/plugins/ios_wifi.py
- Practical Mobile Forensics - Fourth Edition https://www.packtpub.com/product/practical-mobile-forensics-fourth-edition/9781838647520
- iOS Forensics for Investigators https://www.packtpub.com/product/ios-forensics-for-investigators/9781803234083
-
/preferences/SystemConfiguration/com.apple.wifi-private-mac-networks.plist
- Apple Private Wi-Fi Addresses https://ciofecaforensics.com/2020/10/24/apple-private-addresses/
- iLEAPP WiFi Plugin https://github.com/abrignoni/iLEAPP/blob/main/scripts/artifacts/appleWifiPlist.py
- mac_apt WiFi Plugin https://github.com/ydkhatri/mac_apt/blob/master/plugins/ios_wifi.py
-
/preferences/SystemConfiguration/NetworkInterfaces.plist
- Checkra1n Era - Ep 4 - Analyzing extractions "Before First Unlock" https://blog.digital-forensics.it/2019/12/checkra1n-era-ep-4-analyzing.html
- iOS Sysdiagnose Network Interfaces script https://github.com/cheeky4n6monkey/iOS_sysdiagnose_forensic_scripts/blob/master/sysdiagnose-networkinterfaces.py
- Using Apple “Bug Reporting” for forensic purposes https://for585.com/sysdiagnose
- iOS Analysis Test No. 21-5551 Summary Report https://cts-forensics.com/reports/21-5551_Web.pdf
- iOS Forensics for Investigators https://www.packtpub.com/product/ios-forensics-for-investigators/9781803234083
- /preferences/SystemConfiguration/preferences.plist
"/root/" folder
-
/root/.obliterated
- Upgrade From NULL—Detecting iOS Wipe Artifacts https://dfir.pubpub.org/pub/6i7d593n/release/1
- How To Identify When an IPhone or iPad was Factory Reset https://athenaforensics.co.uk/how-to-identify-when-an-iphone-or-ipad-was-factory-reset/
- iOS Analysis Test No. 20-5551 Summary Report https://cts-forensics.com/reports/20-5551_Web.pdf
- iOS Analysis Test No. 21-5551 Summary Report https://cts-forensics.com/reports/21-5551_Web.pdf
- iOS Analysis Test No. 22-5551 Summary Report https://cts-forensics.com/reports/22-5551_Web.pdf
- Cellebrite CTF 2020: Ruth Langmore https://ciofecaforensics.com/2020/11/02/cellebrite-ctf-ruth/
- /root/Library/Application Support/com.apple.wifianalyticsd/DeviceAnalyticsModel.sqlite
-
/root/Library/Application Support/com.apple.wifianalyticsd/WiFiNetworkStoreModel.sqlite
- iLEAPP WifiNetworkStoreModel Plugin https://github.com/abrignoni/iLEAPP/blob/main/scripts/artifacts/wifiNetworkStoreModel.py
-
/root/Library/Caches/com.apple.wifid/ThreeBars.sqlite
- Checkra1n Era - Ep 4 - Analyzing extractions "Before First Unlock" https://blog.digital-forensics.it/2019/12/checkra1n-era-ep-4-analyzing.html
- Locations, Locations, Locations https://doubleblak.com/blogPosts.php?id=14
- Harvested Locations https://www.doubleblak.com/blogPosts.php?id=16
-
/root/Library/Caches/locationd/cache.plist
- Checkra1n Era - Ep 4 - Analyzing extractions "Before First Unlock" https://blog.digital-forensics.it/2019/12/checkra1n-era-ep-4-analyzing.html
- Ridin’ With Apple CarPlay https://thebinaryhick.blog/2019/05/08/ridin-with-apple-carplay/
-
/root/Library/Caches/locationd/cache_encryptedA.db
- New Script – iOS Locations Scraper http://www.mac4n6.com/blog/2016/6/6/new-script-ios-locations-scraper
- Smartphone Privacy: How Your Smartphone Tracks Your Entire Life https://conference.hitb.org/hitbsecconf2018pek/materials/D2T2%20-%20How%20Your%20Smartphone%20Tracks%20Your%20Entire%20Life%20-%20Vladimir%20Katalov.pdf
- Getting Started with iOS Forensics https://www.systoolsgroup.com/forensics/sqlite/ios.html
- APOLLO cache_encryptedA/B Modules https://github.com/mac4n6/APOLLO/blob/master/modules/locationd_cacheencryptedAB_cdmacelllocation.txt https://github.com/mac4n6/APOLLO/blob/master/modules/locationd_cacheencryptedAB_celllocation.txt https://github.com/mac4n6/APOLLO/blob/master/modules/locationd_cacheencryptedAB_celllocationlocal.txt
-
/root/Library/Caches/locationd/cache_encryptedB.db
- FROM APPLE SEEDS TO APPLE PIE https://objectivebythesea.org/v1/talks/OBTS_v1_Edwards.pdf
- New Script – iOS Locations Scraper http://www.mac4n6.com/blog/2016/6/6/new-script-ios-locations-scraper
- Smartphone Privacy: How Your Smartphone Tracks Your Entire Life https://conference.hitb.org/hitbsecconf2018pek/materials/D2T2%20-%20How%20Your%20Smartphone%20Tracks%20Your%20Entire%20Life%20-%20Vladimir%20Katalov.pdf
- Checkra1n Era - Ep 4 - Analyzing extractions "Before First Unlock" https://blog.digital-forensics.it/2019/12/checkra1n-era-ep-4-analyzing.html
- Harvested Locations https://www.doubleblak.com/blogPosts.php?id=16
- APOLLO cache_encryptedA/B Modules https://github.com/mac4n6/APOLLO/blob/master/modules/locationd_cacheencryptedAB_cdmacelllocation.txt https://github.com/mac4n6/APOLLO/blob/master/modules/locationd_cacheencryptedAB_celllocation.txt https://github.com/mac4n6/APOLLO/blob/master/modules/locationd_cacheencryptedAB_celllocationlocal.txt
- iOS Forensics for Investigators https://www.packtpub.com/product/ios-forensics-for-investigators/9781803234083
-
/root/Library/Caches/locationd/cache_encryptedC.db
- FROM APPLE SEEDS TO APPLE PIE https://objectivebythesea.org/v1/talks/OBTS_v1_Edwards.pdf
- SANS 2022 DFIR Summit Queries https://for585.com/dfirsummit22
- APOLLO cache_encryptedC Modules https://github.com/mac4n6/APOLLO/blob/master/modules/locationd_cacheencryptedC_motionstatehistory.txt https://github.com/mac4n6/APOLLO/blob/master/modules/locationd_cacheencryptedC_stepcounthistory.txt https://github.com/mac4n6/APOLLO/blob/master/modules/locationd_cacheencryptedC_nataliehistory.txt
- The phone reveals your motion: Digital traces of walking, driving and other movements on iPhones https://www.sciencedirect.com/science/article/abs/pii/S2666281721000780
- Checkra1n Era - Ep 4 - Analyzing extractions "Before First Unlock" https://blog.digital-forensics.it/2019/12/checkra1n-era-ep-4-analyzing.html
- iOS Forensics for Investigators https://www.packtpub.com/product/ios-forensics-for-investigators/9781803234083
-
/root/Library/Caches/locationd/clients.plist
- iOS Location Services and System Services ON or OFF? https://theforensicscooter.com/2021/09/20/ios-location-services-and-system-services-on-or-off/
- iOS Location Services and System Services are they ON or OFF https://dfir.pubpub.org/pub/4sv4kxyh/release/2
- Practical Mobile Forensics - Fourth Edition https://www.packtpub.com/product/practical-mobile-forensics-fourth-edition/9781838647520
-
/root/Library/Caches/locationd/consolidated.db
- iOS GeoFences http://www.doubleblak.com/m/blogPosts.php?id=22
- BELKASOFT CTF JULY 2022: WRITE-UP https://belkasoft.com/belkactf-jul2022-writeup
- iOS Forensics for Investigators https://www.packtpub.com/product/ios-forensics-for-investigators/9781803234083
-
/root/Library/Lockdown/data_ark.plist
- Putting a User Behind an iOS Device https://dfrws.org/wp-content/uploads/2020/06/2020_USA_pres-putting_a_user_behind_an_ios_device.pdf
- Checkra1n Era - Ep 4 - Analyzing extractions "Before First Unlock" https://blog.digital-forensics.it/2019/12/checkra1n-era-ep-4-analyzing.html
- Oh no! I have a wiped iPhone, now what? https://blog.digital-forensics.it/2021/05/oh-no-i-have-wiped-iphone-now-what.html
- KnowledgeC (and Friends) http://www.doubleblak.com/m/blogPosts.php?id=2
- Magnet Virtual Summit 2020 CTF (iOS) https://www.stark4n6.com/2020/06/magnet-virtual-summit-2020-ctf-ios.html
- iOS - Tracking Device Migration https://blog.d204n6.com/2021/06/ios-tracking-device-migration.html
- iOS Analysis Test No. 22-5551 Summary Report https://cts-forensics.com/reports/22-5551_Web.pdf
- Artifacts of an IOS device https://infosecaddicts.com/artifacts-ios-device/
-
/root/Library/Lockdown/escrow_records/
- Checkra1n Era - Ep 4 - Analyzing extractions "Before First Unlock" https://blog.digital-forensics.it/2019/12/checkra1n-era-ep-4-analyzing.html
- Understanding usbmux and the iOS lockdown service https://jon-gabilondo-angulo-7635.medium.com/understanding-usbmux-and-the-ios-lockdown-service-7f2a1dfd07ae
- Practical Mobile Forensics - Fourth Edition https://www.packtpub.com/product/practical-mobile-forensics-fourth-edition/9781838647520
-
/root/Library/Lockdown/pair_records/
- Checkra1n Era - Ep 4 - Analyzing extractions "Before First Unlock" https://blog.digital-forensics.it/2019/12/checkra1n-era-ep-4-analyzing.html
- Understanding usbmux and the iOS lockdown service https://jon-gabilondo-angulo-7635.medium.com/understanding-usbmux-and-the-ios-lockdown-service-7f2a1dfd07ae
- Practical Mobile Forensics - Fourth Edition https://www.packtpub.com/product/practical-mobile-forensics-fourth-edition/9781838647520
-
/root/Library/Logs/MobileContainerManager
- Checkra1n Era - Ep 4 - Analyzing extractions "Before First Unlock" https://blog.digital-forensics.it/2019/12/checkra1n-era-ep-4-analyzing.html
- How To Identify When an IPhone or iPad was Factory Reset https://athenaforensics.co.uk/how-to-identify-when-an-iphone-or-ipad-was-factory-reset/
- So Long Lockdown! http://www.doubleblak.com/m/blogPosts.php?id=9
- Upgrade From NULL—Detecting iOS Wipe Artifacts https://dfir.pubpub.org/pub/6i7d593n/release/1
- Using Apple “Bug Reporting” for forensic purposes https://for585.com/sysdiagnose
- Apple Watch Forensics 02: Analysis https://blog.elcomsoft.com/2019/06/apple-watch-forensics-02-analysis/
- Apple TV Forensics 03: Analysis https://blog.elcomsoft.com/2019/09/apple-tv-forensics-03-analysis/
- iLEAPP Mobile Container Manager Logs Plugin https://github.com/abrignoni/iLEAPP/blob/main/scripts/artifacts/mobileContainerManager.py
-
/root/Library/MobileContainerManager/containers.sqlite3
- Checkra1n Era - Ep 4 - Analyzing extractions "Before First Unlock" https://blog.digital-forensics.it/2019/12/checkra1n-era-ep-4-analyzing.html
- iOS Application Groups & Shared data http://www.swiftforensics.com/2021/01/ios-application-groups-shared-data.html
-
/root/Library/Preferences/com.apple.MobileBackup.plist
- Checkra1n Era - Ep 4 - Analyzing extractions "Before First Unlock" https://blog.digital-forensics.it/2019/12/checkra1n-era-ep-4-analyzing.html
- Using Apple “Bug Reporting” for forensic purposes https://for585.com/sysdiagnose
- Sysdiagnose in iOS 16: a first look from a Digital Forensics perspective https://blog.digital-forensics.it/2022/11/sysdiagnose-in-ios-16-first-look-from.html
- iOS Sysdiagnose Mobile Backup script https://github.com/cheeky4n6monkey/iOS_sysdiagnose_forensic_scripts/blob/master/sysdiagnose-mobilebackup.py
- Local Photo Library Photos.sqlite Query Documentation & Notable Artifacts https://theforensicscooter.com/2022/05/02/photos-sqlite-query-documentation-notable-artifacts/
- Practical Mobile Forensics - Fourth Edition https://www.packtpub.com/product/practical-mobile-forensics-fourth-edition/9781838647520
-
/root/Library/Preferences/com.apple.preferences.network.plist
- Artifacts of an IOS device https://infosecaddicts.com/artifacts-ios-device/
- Wireless Network Preferences – iOS https://bitsplease4n6.wordpress.com/2020/12/17/wireless-network-preferences-ios/
"/wireless/" folder
-
/wireless/Library/Databases/CellularUsage.db
- Checkra1n Era - Ep 4 - Analyzing extractions "Before First Unlock" https://blog.digital-forensics.it/2019/12/checkra1n-era-ep-4-analyzing.html
- A Few Interesting iOS Forensic Artefacts https://salt4n6.com/2018/05/15/a-few-interesting-ios-forensic-artefacts/
- iOS Forensics: BFU (Before First Unlock) acquisition, using checkra1n https://andreafortuna.org/2020/01/10/ios-forensics-bfu-before-first-unlock-acquisition-using-checkra1n/
- Cellebrite CTF 2021 - Marsha's Backup https://www.stark4n6.com/2021/10/cellebrite-ctf-2021-marshas-backup.html
- iOS Analysis Test No. 20-5551 Summary Report https://cts-forensics.com/reports/20-5551_Web.pdf
- Practical Mobile Forensics - Fourth Edition https://www.packtpub.com/product/practical-mobile-forensics-fourth-edition/9781838647520
-
/wireless/Library/Databases/DataUsage.sqlite
- Network and Application Usage using netusage.sqlite & DataUsage.sqlite iOS Databases http://www.mac4n6.com/blog/2019/1/6/network-and-application-usage-using-netusagesqlite-amp-datausagesqlite-ios-databases
- FROM APPLE SEEDS TO APPLE PIE https://objectivebythesea.org/v1/talks/OBTS_v1_Edwards.pdf
- iOS - Tracking Traces of Deleted Applications https://blog.d204n6.com/2019/09/ios-tracking-traces-of-deleted.html
- Tracking Traces of Deleted Applications - SANS DFIR Summit 2019 https://www.youtube.com/watch?v=4LcQm4ErXpA
- iOS Analysis Test No. 20-5551 Summary Report https://cts-forensics.com/reports/20-5551_Web.pdf
- Checkra1n Era - Ep 4 - Analyzing extractions "Before First Unlock" https://blog.digital-forensics.it/2019/12/checkra1n-era-ep-4-analyzing.html
- iOS Forensics: BFU (Before First Unlock) acquisition, using checkra1n https://andreafortuna.org/2020/01/10/ios-forensics-bfu-before-first-unlock-acquisition-using-checkra1n/
- iOS Forensics: HFS+ file system, partitions and relevant evidences https://andreafortuna.org/2020/08/31/ios-forensics-hfs-file-system-partitions-and-relevant-evidences/
- APOLLO DataUsage Modules https://github.com/mac4n6/APOLLO/blob/master/modules/datausage_zprocess.txt https://github.com/mac4n6/APOLLO/blob/master/modules/datausage_zliveusage.txt
- iLEAPP DataUsage Plugin https://github.com/abrignoni/iLEAPP/blob/main/scripts/artifacts/netusage.py
- iOS Forensics for Investigators https://www.packtpub.com/product/ios-forensics-for-investigators/9781803234083
- /wireless/Library/preferences/com.apple.commcenter.callservices.plist
-
/wireless/Library/Preferences/com.apple.commcenter.counts.plist
- Checkra1n Era - Ep 4 - Analyzing extractions "Before First Unlock" https://blog.digital-forensics.it/2019/12/checkra1n-era-ep-4-analyzing.html
-
/wireless/Library/Preferences/com.apple.commcenter.data.plist
- Mo’ SIMs, Mo’ Problems. Examining Phones with Dual SIMs. https://thebinaryhick.blog/2022/12/06/mo-sims-mo-problems-examining-phones-with-dual-sims/
- iLEAPP SimInfo Plugin https://github.com/abrignoni/iLEAPP/blob/main/scripts/artifacts/simInfo.py
-
/wireless/Library/Preferences/com.apple.commcenter.device_specific_nobackup.plist
- Checkra1n Era - Ep 4 - Analyzing extractions "Before First Unlock" https://blog.digital-forensics.it/2019/12/checkra1n-era-ep-4-analyzing.html
-
/wireless/Library/Preferences/com.apple.commcenter.plist
- Checkra1n Era - Ep 4 - Analyzing extractions "Before First Unlock" https://blog.digital-forensics.it/2019/12/checkra1n-era-ep-4-analyzing.html
- iOS Forensics: HFS+ file system, partitions and relevant evidences https://andreafortuna.org/2020/08/31/ios-forensics-hfs-file-system-partitions-and-relevant-evidences/
- iOS Forensics: BFU (Before First Unlock) acquisition, using checkra1n https://andreafortuna.org/2020/01/10/ios-forensics-bfu-before-first-unlock-acquisition-using-checkra1n/
- Artifacts of an IOS device https://infosecaddicts.com/artifacts-ios-device/
- iOS Analysis Test No. 18-5551 Summary Report https://cts-forensics.com/reports/38551_Web.pdf
- iOS Analysis Test No. 21-5551 Summary Report https://cts-forensics.com/reports/21-5551_Web.pdf
- iOS Analysis Test No. 22-5551 Summary Report https://cts-forensics.com/reports/22-5551_Web.pdf
- Practical Mobile Forensics - Fourth Edition https://www.packtpub.com/product/practical-mobile-forensics-fourth-edition/9781838647520
- iOS Forensics for Investigators https://www.packtpub.com/product/ios-forensics-for-investigators/9781803234083