iOS Forensics References

Last update: April 17th 2023

DATA Partition (/private/var)

"/.fseventsd/" folder

/.fseventsd
- Understanding MacOS File System Events with FSEventsParser
- Mac OS X and iOS Forensics - Looking into the past with FSEvents
- FSEvents Parser

"/containers/" folder

/containers/Data/System/"GUID"/Documents/storeSystem.db
/containers/Shared/SystemGroup/"GUID"/Library/BatteryLife/CurrentPowerlog.PLSQL
- FROM APPLE SEEDS TO APPLE PIE
- On the Third Day of APOLLO, My True Love Gave to Me – Application Usage to Determine Who Has Been Naughty or Nice
- On the Fourth Day of APOLLO, My True Love Gave to Me – Media Analysis to Prove You Listened to “All I Want for Christmas is You” Over and Over Since Before Thanksgiving
- On the Sixth Day of APOLLO, My True Love Gave to Me – Blinky Things with Buttons – Device Status Analysis
- On the Seventh Day of APOLLO, My True Love Gave to Me – A Good Conversation – Analysis of Communications and Data Usage
- On the Eighth Day of APOLLO, My True Love Gave to Me – A Glorious Lightshow – Analysis of Device Connections
- On the Tenth Day of APOLLO, My True Love Gave to Me – An Oddly Detailed Map of My Recent Travels – iOS Location Analysis
- APOLLO CurrentPowerLog Modules
- Time Well Spent: Precision Timing, Monotonic Clocks, and the PowerLogs Database for iOS
- Oh no! I have a wiped iPhone, now what?
- iOS Forensics: HFS+ file system, partitions and relevant evidences
- iOS Forensics for Investigators
/containers/Shared/SystemGroup/"GUID"/Library/Database/com.apple.MobileBluetooth.ledevices.other.db
- Bluetooth – iOS
- How to Use iOS Bluetooth Connections to Solve Crimes Faster
- How to Use iOS Bluetooth Connections to Solve Crimes Faster
- iLEAPP Bluetooth Plugin
- iOS Forensics for Investigators
/containers/Shared/SystemGroup/"GUID"/Library/Database/com.apple.MobileBluetooth.ledevices.paired.db
- Bluetooth – iOS
- How to Use iOS Bluetooth Connections to Solve Crimes Faster
- How to Use iOS Bluetooth Connections to Solve Crimes Faster
- iLEAPP Bluetooth Plugin
- EXTRACTING FORENSIC ARTIFACTS FROM APPLE CONTINUITY
- iOS Forensics for Investigators
/containers/Shared/SystemGroup/"GUID"/Library/Preferences/com.apple.MobileBluetooth.devices.plist
- Bluetooth – iOS
- How to Use iOS Bluetooth Connections to Solve Crimes Faster
- How to Use iOS Bluetooth Connections to Solve Crimes Faster
- Cellebrite CTF 2021 - Beth's iPhone
- Cellebrite CTF 2020: Juan Mortyme
- iOS Analysis Test No. 19-5551 Summary Report
- iOS Analysis Test No. 20-5551 Summary Report
- iOS Analysis Test No. 21-5551 Summary Report
- iOS Forensics: HFS+ file system, partitions and relevant evidences
- iOS Forensics: BFU (Before First Unlock) acquisition, using checkra1n
- iLEAPP Bluetooth Plugin
- iOS Forensics for Investigators

"/db/" folder

/db/biome/
- iOS 16 - Now You 'C' It, Now You Don't -- Breaking Down The Biomes Part 1
- iOS 16 Breaking Down the Biomes Part 2 - AppInstalls, AppLaunch, & AppIntents
- iOS 16 - Breaking Down the Biomes (Part 3) - Keeping up with CarPlay
- iOS 16 - Breaking Down the Biomes (Part 4) - Surfin' with Safari
- iOS 16 - Breaking Down the Biomes Part 5 -- "Hey Siri, find me some more data..."
- Bringing it Back With Biome Data
- iLEAPP Biome Plugins
/db/dhcpd_leases*
- iLEAPP DHCP Plugin
/db/dhcpclient/
- MAC Apt Networking Plugin
- Cellebrite CTF 2020: Juan Mortyme
- Apple TV Forensics 03: Analysis
- Checkra1n Era - Ep 4 - Analyzing extractions "Before First Unlock"
- iLEAPP DHCP Plugin
/db/diagnostics/
- Apple Unified Logging and Activity Tracing formats
- Browsing the unified log in difficult circumstances
- Reviewing macOS Unified Logs
- Finding Waldo: Leveraging the Apple Unified Log for Incident Response
- Unified Log Reader
- Upgrade From NULL—Detecting iOS Wipe Artifacts
- Logs Unite! - Forensic Analysis of Apple Unified Logs
- Introducing 'Analysis of Apple Unified Logs: Quarantine Edition' [Entry 0]

"/installd/" folder

/installd/Library/Logs/MobileInstallation/mobile_installation.log.*
- CyberDefenders - Jailbreak CTF
- iOS Mobile Installation Logs
- iOS Mobile Installation Logs
- iOS Mobile Installation Logs Parser
- Checkra1n Era - Ep 4 - Analyzing extractions "Before First Unlock"
- Using Apple “Bug Reporting” for forensic purposes
- Apple TV Forensics 03: Analysis
- iLEAPP Mobile Installation Log Plugin
/installd/Library/Logs/MobileInstallation/LastBuildInfo.plist
- iOS Analysis Test No. 21-5551 Summary Report
- Checkra1n Era - Ep 4 - Analyzing extractions "Before First Unlock"
- Cellebrite CTF 2020: Ruth Langmore
- iLEAPP Last Build Info Plugin
/installd/Library/Logs/MobileInstallation/MigrationInfo.plist
- Local Photo Library Photos.sqlite Query Documentation & Notable Artifacts
/installd/Library/Logs/MobileInstallation/RoleUserMigration.plist
- Local Photo Library Photos.sqlite Query Documentation & Notable Artifacts

"/logs/" folder

/logs/lockdownd.log
- So Long Lockdown!
- KnowledgeC (and Friends)
- Cellebrite CTF 2021 - Beth's iPhone
- Checkra1n Era - Ep 4 - Analyzing extractions "Before First Unlock"
/logs/usermanagerd.log.*
/logs/wifimanager.log

"/mobile/Containers/" folder

/mobile/Containers/Data/Application/"Apple Safari GUID"/Library/Caches/com.apple.mobilesafari/Cache.db
- Getting Started with iOS Forensics
- Practical Mobile Forensics - Fourth Edition
- iOS Forensics for Investigators
/mobile/Containers/Data/Application//Library/Caches/com.apple.WebAppCache/ApplicationCache.db
- Practical Mobile Forensics - Fourth Edition
/mobile/Containers/Data/Application//Library/Cookies/Cookies.binarycookies
- Practical Mobile Forensics - Fourth Edition
- iOS Forensics for Investigators
/mobile/Containers/Data/Application/"Apple Safari GUID"/Library/ImageCache/Favicons/Favicon.db
- Favicons
- iLEAPP Favicon Plugin
/mobile/Containers/Data/Application/"Apple Safari GUID"/Library/Preferences/com.apple.mobilesafari.plist
- iOS 14 - First Thoughts and Analysis
- iLEAPP Recent Web Searches Safari Plugin
- Practical Mobile Forensics - Fourth Edition
/mobile/Containers/Data/Application/"Apple Safari GUID"/Library/Safari/Downloads/Downloads.plist
- iOS / macOS - Tracking Downloads from Safari Without Downloads
- Safari and iPhone Internet History Parser
/mobile/Containers/Data/Application/"Apple Safari GUID"/Library/Safari/Thumbnails/
- Practical Mobile Forensics - Fourth Edition
- iOS Forensics for Investigators
/mobile/Containers/Data/Application/"Apple Safari GUID"/Library/WebKit/WebsiteData/LocalStorage/
- Mobile Cyber Forensic Investigations of Web3 Wallets on Android and iOS
- iOS Analysis Test No. 22-5551 Summary Report
/mobile/Containers/Data/Application/"Apple Maps GUID"/Library/Maps/GeoHistory.mapsdata
- Just Call Me Buffy the Proto Slayer – An Initial Look into Protobuf Data in Mac and iOS Forensics
- ROTTEN TO THE CORE? NAH, IOS14 IS MOSTLY SWEET
- HOW THE GRINCH STOLE APPLE MAPS ARTIFACTS… OR DID HE JUST HIDE THEM?
- FIRST THE GRINCH AND NOW THE EASTER BUNNY! WHERE IS APPLE MAPS HIDING?
- …WON’T YOU BACK THAT THING UP: A GLIMPSE OF IOS 13 ARTIFACTS
- Find Me If You Can: Mobile GPS Mapping Applications Forensic Analysis & SNAVP the Open Source, Modular, Extensible Parser Analysis & SNAVP the Open Source, Modular, Extensible Parser
- iOS Analysis Test No. 20-5551 Summary Report
- iOS Analysis Test No. 21-5551 Summary Report
- iOS Analysis Test No. 22-5551 Summary Report
- iOS Forensics: HFS+ file system, partitions and relevant evidences
- Practical Mobile Forensics - Fourth Edition
/mobile/Containers/Data/Application/"Apple Maps GUID"/Library/Preferences/com.apple.Maps.plist
- HOW THE GRINCH STOLE APPLE MAPS ARTIFACTS… OR DID HE JUST HIDE THEM?
- FIRST THE GRINCH AND NOW THE EASTER BUNNY! WHERE IS APPLE MAPS HIDING?
- …WON’T YOU BACK THAT THING UP: A GLIMPSE OF IOS 13 ARTIFACTS
- iOS Forensics: BFU (Before First Unlock) acquisition, using checkra1n
- iOS Forensics: HFS+ file system, partitions and relevant evidences
- Practical Mobile Forensics - Fourth Edition
/mobile/Containers/Shared/AppGroup/"Apple Maps GUID"/Maps/MapsSync_0.0.1
- What Apple Maps Activity Can be Found Using a Logical Extraction
- iOS14 Maps History BLOB Script
- ROTTEN TO THE CORE? NAH, IOS14 IS MOSTLY SWEET
- iLEAPP Maps Sync Plugin

"/mobile/Library/" folder

/mobile/Library/Accounts/Accounts3.sqlite
- iOS Analysis Test No. 19-5551 Summary Report
- iOS Analysis Test No. 20-5551 Summary Report
- iOS Analysis Test No. 21-5551 Summary Report
- iOS Analysis Test No. 22-5551 Summary Report
- Checkra1n Era - Ep 4 - Analyzing extractions "Before First Unlock"
- iOS - Tracking Device Migration
- iOS Forensics: BFU (Before First Unlock) acquisition, using checkra1n
- Cellebrite CTF 2022 - Beth's iPhone
- Magnet Forensics Virtual Summit 2023 CTF – iOS
- Case Study: Forensic Analysis of TikTok on iOS
- iLEAPP Accounts Plugin
- Accounts3.sqlite query
- iOS Forensics for Investigators
/mobile/Library/AddressBook/AddressBook.sqlitedb
- Getting Started with iOS Forensics
- Identification and analysis of email and contacts artefacts on iOS and OS X
- TIME IS NOT ON OUR SIDE WHEN IT COMES TO MESSAGES IN IOS 11
- …WON’T YOU BACK THAT THING UP: A GLIMPSE OF IOS 13 ARTIFACTS
- ROTTEN TO THE CORE? NAH, IOS14 IS MOSTLY SWEET
- How To Identify When an IPhone or iPad was Factory Reset
- A Digital Forensic Analysis on the iCloud® and its Synchronization to Apple® Devices
- Upgrade From NULL—Detecting iOS Wipe Artifacts
- iOS Analysis Test No. 18-5551 Summary Report
- iOS Analysis Test No. 19-5551 Summary Report
- iOS Analysis Test No. 20-5551 Summary Report
- iOS Analysis Test No. 21-5551 Summary Report
- iOS Analysis Test No. 22-5551 Summary Report
- AddressBook.sqlitedb query
- iPhone Artifacts - Champlain College
- iLEAPP Address Book Plugin
- Practical Mobile Forensics - Fourth Edition
- iOS Forensics for Investigators
/mobile/Library/AddressBook/AddressBookImages.sqlitedb
- Identification and analysis of email and contacts artefacts on iOS and OS X
- IOS 13 – SUMMARY FOR THOSE OF YOU WHO ENJOY THE CLIFFSNOTES
- AddressBookImages.sqlitedb query
- Practical Mobile Forensics - Fourth Edition
/mobile/Library/AggregatedDictionary/ADDataStore.sqlitedb
- Pincodes, Passcodes, & TouchID on iOS - An Introduction to the Aggregate Dictionary Database (ADDataStore.sqlite)
- On the Fifth Day of APOLLO, My True Love Gave to Me – A Stocking Full of Random Junk, Some of Which Might be Useful!
- FROM APPLE SEEDS TO APPLE PIE
- Checkra1n Era - Ep 4 - Analyzing extractions "Before First Unlock"
- iOS Forensics: BFU (Before First Unlock) acquisition, using checkra1n
- Forensics Tools: Stop Miscalculating iOS Usage Analytics!
- SANS 2022 DFIR Summit Queries
- APOLLO ADDataStore Modules
/mobile/Library/AppConduit/AvailableApps.plist
- Checkra1n Era - Ep 4 - Analyzing extractions "Before First Unlock"
/mobile/Library/AppConduit/AvailableCompanionApps.plist
- Checkra1n Era - Ep 4 - Analyzing extractions "Before First Unlock"
/mobile/Library/Application Support/com.apple.remotemanagmentd/RMAdminStore-Cloud.sqlite
/mobile/Library/Application Support/com.apple.remotemanagmentd/RMAdminStore-Local.sqlite
- Checkra1n Era - Ep 4 - Analyzing extractions "Before First Unlock"
- ScreenTimeController
- Data Quality and Quantity – How to Get the Best of Both Worlds, Part 2 – Examining Screen Time Artifacts
- A Look Into Apple’s Screen Time Feature and What Insights It Lends To Digital Intelligence
- iOS Screentine And Android Digital Wellbeing Apps
- Getting Evidence from iOS Screen Time Artifacts
- Plaso iOS SceenTime Parser
- A Look Into Apple’s Screen Time Feature and What Insights It Lends To Forensics
- Cellebrite CTF 2020: Ruth Langmore
- Magnet Forensics Virtual Summit 2023 CTF – iOS
- Magnet 2022 CTF – iOS15
- MAC Apt SceenTime Plugin
- APOLLO ScreenTime Modules
/mobile/Library/ApplicationSync/AssetSortOrder.plist
- Checkra1n Era - Ep 4 - Analyzing extractions "Before First Unlock"
/mobile/Library/Assistant/SiriAnalytics.db
- Sysdiagnose in iOS 16: a first look from a Digital Forensics perspective
/mobile/Library/Biome/
- Analyzing iOS Biome AppIntent Files
- iOS 16 - Now You 'C' It, Now You Don't -- Breaking Down The Biomes Part 1
- iOS 16 Breaking Down the Biomes Part 2 - AppInstalls, AppLaunch, & AppIntents
- iOS 16 - Breaking Down the Biomes (Part 3) - Keeping up with CarPlay
- iOS 16 - Breaking Down the Biomes (Part 4) - Surfin' with Safari
- iOS 16 - Breaking Down the Biomes Part 5 -- "Hey Siri, find me some more data..."
- Bringing it Back With Biome Data
- An Alternate Location for Deleted SMS/iMessage Data in Apple Devices
- Lagging for the Win: Querying for Negative Evidence in the sms.db
- The Meaning of Messages
- Magnet Forensics Virtual Summit 2023 CTF – iOS
- Magnet Virtual Summit 2023 CTF - iOS 16 iPhone
- iLEAPP Biome Plugins
/mobile/Library/BulletinBoard/ClearedSections.plist
- Artifacts of an IOS device
- iOS Forensics: HFS+ file system, partitions and relevant evidences
/mobile/Library/Caches/com.apple.Pasteboard/*
/mobile/Library/Caches/com.apple.findmy.fmipcore/
- Stored AirTag (and Other) Aritfacts
- AirTags within iOS File Systems
- iLEAPP AirTags Plugin
/mobile/Library/Caches/com.apple.routined/Cache.sqlite
- Locations, Locations, Locations
- On the Tenth Day of APOLLO, My True Love Gave to Me – An Oddly Detailed Map of My Recent Travels – iOS Location Analysis
- FROM APPLE SEEDS TO APPLE PIE
- iOS Location Artifacts Explained
- Location Data on iOS and Android Devices
- Apple Probably Knows What You Did Last Summer
- UAV Forensics: DJI Mini 2 Case Study
- Magnet User Summit 2022 CTF - iPhone
- Building a Pattern of Life - Leveraging Location and Health Data
- SANS 2022 DFIR Summit Queries
- iPhone Device Speeds via Cache.sqlite > ZRTCLLOCATIONMO table
- Vehicle and iPhone Speed Comparison
- Cache.sqlite query
- APOLLO iOS Routined Cache Modules
- iOS Forensics for Investigators
/mobile/Library/Caches/com.apple.routined/Cloud.sqlite
/mobile/Library/Caches/com.apple.routined/Cloud-V2.sqlite
- Locations, Locations, Locations
- On the Tenth Day of APOLLO, My True Love Gave to Me – An Oddly Detailed Map of My Recent Travels – iOS Location Analysis
- FROM APPLE SEEDS TO APPLE PIE
- iOS Location Artifacts Explained
- Location Data on iOS and Android Devices
- Cellebrite CTF 2021 - Beth's iPhone
- Apple Probably Knows What You Did Last Summer
- Smartphone Privacy: How Your Smartphone Tracks Your Entire Life
- Building a Pattern of Life - Leveraging Location and Health Data
- SANS 2022 DFIR Summit Queries
- APOLLO iOS Routined Cloud Modules
- iOS Forensics for Investigators
/mobile/Library/Caches/com.apple.routined/Local.sqlite
- Locations, Locations, Locations
- On the Tenth Day of APOLLO, My True Love Gave to Me – An Oddly Detailed Map of My Recent Travels – iOS Location Analysis
- FROM APPLE SEEDS TO APPLE PIE
- iOS Location Artifacts Explained
- Location Data on iOS and Android Devices
- Building a Pattern of Life - Leveraging Location and Health Data
- SANS 2022 DFIR Summit Queries
- Cellebrite CTF 2022 - Beth's iPhone
- Smartphone Privacy: How Your Smartphone Tracks Your Entire Life
- APOLLO iOS Routined Local Modules
- iOS Forensics for Investigators
/mobile/Library/Calendar/Calendar.sqlitedb
- Checkra1n Era - Ep 4 - Analyzing extractions "Before First Unlock"
- iOS Analysis Test No. 18-5551 Summary Report
- iOS Analysis Test No. 20-5551 Summary Report
- iOS Analysis Test No. 21-5551 Summary Report
- iOS Analysis Test No. 22-5551 Summary Report
- Magnet User Summit 2022 CTF - iPhone
- Calendar.sqlitedb query
- iLEAPP Calendar Plugin
- Practical Mobile Forensics - Fourth Edition
/mobile/Library/Calendar/Extras.db
- Extras.db query
/mobile/Library/CallHistoryDB/CallHistory.storedata
- Missing SQLite Records Analysis
- A GLIMPSE OF IOS 10 FROM A SMARTPHONE FORENSIC PERSPECTIVE
- TIME IS NOT ON OUR SIDE WHEN IT COMES TO MESSAGES IN IOS 11
- …WON’T YOU BACK THAT THING UP: A GLIMPSE OF IOS 13 ARTIFACTS
- IOS 13 – SUMMARY FOR THOSE OF YOU WHO ENJOY THE CLIFFSNOTES
- ROTTEN TO THE CORE? NAH, IOS14 IS MOSTLY SWEET
- How To Identify When an IPhone or iPad was Factory Reset
- iOS 14 - First Thoughts and Analysis
- Cellebrite CTF 2022 - Marsha's iPhone
- Mo’ SIMs, Mo’ Problems. Examining Phones with Dual SIMs.
- iOS Analysis Test No. 18-5551 Summary Report
- iOS Analysis Test No. 19-5551 Summary Report
- iOS Analysis Test No. 20-5551 Summary Report
- iOS Analysis Test No. 21-5551 Summary Report
- iOS Analysis Test No. 22-5551 Summary Report
- CallHistory Query
- APOLLO CallHistory Module
- iLEAPP CallHistory Plugin
- Practical Mobile Forensics - Fourth Edition
- iOS Forensics for Investigators
/mobile/Library/CallHistoryDB/CallHistoryTemp.storedata
- Checkra1n Era - Ep 4 - Analyzing extractions "Before First Unlock"
- …WON’T YOU BACK THAT THING UP: A GLIMPSE OF IOS 13 ARTIFACTS
- iOS Forensics for Investigators
/mobile/Library/CallHistoryTransactions/
/mobile/Library/com.apple.ClipServices.clipserviced/ClipData.db
- iOS 14 - Tracking App Clips in iOS 14
/mobile/Library/com.apple.itunesstored/itunesstored2.sqlitedb
- Checkra1n Era - Ep 4 - Analyzing extractions "Before First Unlock"
- iOS Forensics: BFU (Before First Unlock) acquisition, using checkra1n
- iOS Forensics: HFS+ file system, partitions and relevant evidences
/mobile/Library/com.apple.itunesstored/kvs.sqlitedb
- Checkra1n Era - Ep 4 - Analyzing extractions "Before First Unlock"
/mobile/Library/CoreDuet/Knowledge/knowledgeC.db
- Knowledge is Power! Using the macOS/iOS knowledgeC.db Database to Determine Precise User and Application Usage
- Knowledge is Power II – A Day in the Life of My iPhone using knowledgeC.db
- Extensive knowledgeC APOLLO Updates!
- Socially Distant but Still Interacting! New and Improved Updates to macOS/iOS CoreDuet interactionC.db APOLLO Modules
- Providing Context to iOS App Usage with knowledgeC.db and APOLLO
- On the Third Day of APOLLO, My True Love Gave to Me – Application Usage to Determine Who Has Been Naughty or Nice
- On the Fourth Day of APOLLO, My True Love Gave to Me – Media Analysis to Prove You Listened to “All I Want for Christmas is You” Over and Over Since Before Thanksgiving
- On the Sixth Day of APOLLO, My True Love Gave to Me – Blinky Things with Buttons – Device Status Analysis
- On the Eighth Day of APOLLO, My True Love Gave to Me – A Glorious Lightshow – Analysis of Device Connections
- Smartphone Privacy: How Your Smartphone Tracks Your Entire Life
- Apple TV Forensics 03: Analysis
- iOS KnowledgeC.db Notifications
- iOS KnowledgeC.db Notifications
- KnowledgeC: Now Playing entries
- USING PHOTOS.SQLITE TO SHOW THE RELATIONSHIPS BETWEEN PHOTOS AND THE APPLICATION THEY WERE CREATED WITH? BY SCOTT KOENIG
- KnowledgeC (and Friends)
- Building a Pattern of Life - Leveraging Location and Health Data
- iOS 16 - Now You 'C' It, Now You Don't -- Breaking Down The Biomes Part 1
- iOS - Tracking Traces of Deleted Applications
- Tracking Traces of Deleted Applications - SANS DFIR Summit 2019
- iOS Analysis Test No. 22-5551 Summary Report
- Magnet User Summit 2022 CTF - iPhone
- KwnoledgeC queries
- SANS 2022 DFIR Summit Queries
- APOLLO KnowledgeC Modules
- iOS Forensics for Investigators
/mobile/Library/CoreDuet/People/interactionC.db
- FROM APPLE SEEDS TO APPLE PIE
- KnowledgeC (and Friends)
- Socially Distant but Still Interacting! New and Improved Updates to macOS/iOS CoreDuet interactionC.db APOLLO Modules
- Local Photo Library Photos.sqlite Query Variations & WHERE statements
- Comparison of iOS backups: Encrypted vs Unencrypted
- SANS 2022 DFIR Summit Queries
- APOLLO interactionC Modules
- iLEAPP interactionC Plugin
- Practical Mobile Forensics - Fourth Edition
- iOS Forensics for Investigators
/mobile/Library/DataAccess/
- Checkra1n Era - Ep 4 - Analyzing extractions "Before First Unlock"
- iOS Forensics: BFU (Before First Unlock) acquisition, using checkra1n
- iOS Forensics: HFS+ file system, partitions and relevant evidences
- Artifacts of an IOS device
- A Digital Forensic Analysis on the iCloud® and its Synchronization to Apple® Devices
/mobile/Library/DeviceRegistry.state/activeStateMachine.plist
- Apple Watch Forensics 02: Analysis
- APPLE WATCH FORENSICS: IS IT EVER POSSIBLE, AND WHAT IS THE PROFIT?
- Data Extraction and Forensic Analysis for Smartphone Paired Wearables and IoT Devices
/mobile/Library/DeviceRegistry.state/historySecureProperties.plist
- Apple Watch Forensics 02: Analysis
- APPLE WATCH FORENSICS: IS IT EVER POSSIBLE, AND WHAT IS THE PROFIT?
- Data Extraction and Forensic Analysis for Smartphone Paired Wearables and IoT Devices
/mobile/Library/DoNotDisturb/DB/Settings.sqlite
/mobile/Library/DoNotDisturb/DB/IDSSyncEngineMetadata.plist
- iOS 16 - Breaking Down the Biomes (Part 3) - Keeping up with CarPlay
/mobile/Library/DuetExpertCenter/streams/userNotificationEvent/local
- Peeking at User Notification Events in iOS 15
- Peeking at User Notification Events in iOS 15
- iOS 16 - "Paul unsent a message." ... OR DID HE?!
- Magnet Forensics Virtual Summit 2023 CTF – iOS
- iLEAPP User Notifications Plugin
/mobile/Library/FrontBoard/applicationState.db
- Identifying installed and uninstalled apps in iOS
- iOS - Tracking Traces of Deleted Applications
- Tracking Traces of Deleted Applications - SANS DFIR Summit 2019
- iOS Application Groups & Shared data
- iOS - Tracking Bundle IDs for Containers, Shared Containers, and Plugins
- iOS – Tracking Bundle IDs for Containers, Shared Containers, and Plugins
- Checkra1n Era - Ep 4 - Analyzing extractions "Before First Unlock"
- Magnet Virtual Summit 2020 CTF (iOS)
- iLEAPP Application State Plugin
- Practical Mobile Forensics - Fourth Edition
- iOS Forensics for Investigators
/mobile/Library/Health/ActivitySharing/contacts.dat
- #DFIRFIT or Bust - A forensic exploration of iOS Health Data
- Smartphone Privacy: How Your Smartphone Tracks Your Entire Life
/mobile/Library/Health/healthdb.sqlite
- #DFIRFIT or Bust - A forensic exploration of iOS Health Data
- FROM APPLE SEEDS TO APPLE PIE
- Enriching Investigations with Apple Watch Data Through the healthdb_secure.sqlite Database
- Smartphone Privacy: How Your Smartphone Tracks Your Entire Life
- Apple Health
- Health and Activity
- Making a Murderer: Health Activity Edition
- …WON’T YOU BACK THAT THING UP: A GLIMPSE OF IOS 13 ARTIFACTS
- Audio and App Usage in Apple Health
- iOS Forensics: HFS+ file system, partitions and relevant evidences
- healthdb.sqlite query
/mobile/Library/Health/healthdb_secure.sqlite
- #DFIRFIT or Bust - A forensic exploration of iOS Health Data
- FROM APPLE SEEDS TO APPLE PIE
- On the Second Day of APOLLO, My True Love Gave to Me - Holiday Treats and a Trip to the Gym - A Look at iOS Health Data
- Just Call Me Buffy the Proto Slayer – An Initial Look into Protobuf Data in Mac and iOS Forensics
- The iPhone Health App from a forensic perspective: can steps and distances registered during walking and running be used as digital evidence?
- The phone reveals your motion: Digital traces of walking, driving and other movements on iPhones
- Interpreting the location data extracted from the Apple Health database
- Smartphone Privacy: How Your Smartphone Tracks Your Entire Life
- Apple Health
- Health and Activity
- Making a Murderer: Health Activity Edition
- …WON’T YOU BACK THAT THING UP: A GLIMPSE OF IOS 13 ARTIFACTS
- Audio and App Usage in Apple Health
- Enriching Investigations with Apple Watch Data Through the healthdb_secure.sqlite Database
- Cellebrite CTF 2021 - Beth's iPhone
- iOS Analysis Test No. 19-5551 Summary Report
- iOS Analysis Test No. 21-5551 Summary Report
- Securing and Extracting Health Data: Apple Health vs. Google Fit
- Building a Pattern of Life - Leveraging Location and Health Data
- Health Data Types
- Personal Injury & Insurance Fraud Investigation: Get the Mobile Device!
- iOS Forensics: BFU (Before First Unlock) acquisition, using checkra1n
- iOS Forensics: HFS+ file system, partitions and relevant evidences
- healthdb_secure.sqlite query
- APOLLO health_secure.sqlite Modules
/mobile/Library/Health/Client/HealthApp.sqlite
- Health Data Types
/mobile/Library/homed/datastore.sqlite
- A journey into IoT Forensics - Episode 5 - Analysis of the Apple HomePod and the Apple Home Kit Environment (aka thanks RN Team!)
- Forensic Analysis of Apple HomePod & Apple HomeKit Environment w/ Mattia Epifani - SANS DFIR Summit
/mobile/Library/Keyboard/-dynamic.lm/dynamic-lexicon.dat
- iOS Analysis Test No. 22-5551 Summary Report
- iLEAPP Keyboard Lexicon
/mobile/Library/Keyboard/app_usage_database.plist
- iLEAPP App Usage Plugin
/mobile/Library/Keyboard/langlikelihood.dat
- Cellebrite CTF 2021 Writeup
/mobile/Library/Keyboard/UserDictionary.sqlite
- iOS Forensics: BFU (Before First Unlock) acquisition, using checkra1n
- iOS Forensics: HFS+ file system, partitions and relevant evidences
/mobile/Library/Logs/AppConduit/
- Checkra1n Era - Ep 4 - Analyzing extractions "Before First Unlock"
- Using Apple “Bug Reporting” for forensic purposes
- iOS Sysdiagnose AppConduit script
- iLEAPP AppConduit Plugin
/mobile/Library/Logs/AppleSupport/general.log
/mobile/Library/Logs/mobile_installation_helper.log*
/mobile/Library/Logs/mobileactivationd/
- Checkra1n Era - Ep 4 - Analyzing extractions "Before First Unlock"
- Cellebrite CTF 2021 - Beth's iPhone
- Using Apple “Bug Reporting” for forensic purposes
- Sysdiagnose in iOS 16: a first look from a Digital Forensics perspective
- A journey into IoT Forensics - Episode 5 - Analysis of the Apple HomePod and the Apple Home Kit Environment (aka thanks RN Team!)
- Apple TV Forensics 03: Analysis
- iLEAPP Mobile Activation Logs Plugin
/mobile/Library/Mail/
- iOS Mail
- Identification and analysis of email and contacts artefacts on iOS and OS X
- A Digital Forensic Analysis on the iCloud® and its Synchronization to Apple® Devices
- iOS Analysis Test No. 22-5551 Summary Report
- Getting Started with iOS Forensics
- iOS Forensics for Investigators
/mobile/Library/MedicalID/MedicalIDData.Archive
- Magnet Virtual Summit 2020 CTF (iOS)
- iLEAPP MedicalID Plugin
/mobile/Library/NanoBackup/
/mobile/Library/NanoMusicSync/
/mobile/Library/NanoPreferencesSync/
- Apple Watch Forensics 02: Analysis
/mobile/Library/NanoTimeKit/
/mobile/Library/Passes/passes23.sqlite
- Pocket Litter A Peek Inside Your Apple Wallet
- Analysing Apple Pay Transactions
- Cellebrite CTF 2020: Juan Mortyme
- Cellebrite CTF 2021 Writeup
- Cellebrite CTF 2021 - Beth's iPhone
- Apple Pattern of Life Lazy Output’er (APOLLO) Updates & 40 New Modules (Location, Chat, Calls, Apple Pay Transactions, Wallet Passes, Safari & Health Workouts)
- APOLLO passes23.sqlite Modules
- iLEAPP passes23.sqlite Plugin
/mobile/Library/PersonalizationPortrait/PPSQLDatabase.db
- Guest Post by @bizzybarney! A Peek Inside the PPSQLDatabase.db Personalization Portrait Database
- Lucky (iOS) #13: Time to Press Your Bets w/ Jared Barnhart - SANS DFIR Summit 2020
/mobile/Library/Preferences/.GlobalPreferences.plist
- iOS Analysis Test No. 21-5551 Summary Report
- iOS Analysis Test No. 22-5551 Summary Report
/mobile/Library/Preferences/addaily.plist
/mobile/Library/Preferences/com.apple.accountsettings.plist
- iOS Forensics: BFU (Before First Unlock) acquisition, using checkra1n
/mobile/Library/Preferences/com.apple.ActivitySharing.plist
/mobile/Library/Preferences/com.apple.AdLib.plist
/mobile/Library/Preferences/com.apple.aggregated.plist
/mobile/Library/Preferences/com.apple.AppStore.plist
- iOS Analysis Test No. 21-5551 Summary Report
- iOS Analysis Test No. 22-5551 Summary Report
- Hacking and Securing iOS Applications by Jonathan Zdziarski, Chapter 4
/mobile/Library/Preferences/com.apple.assistant.backedup.plist
- Checkra1n Era - Ep 4 - Analyzing extractions "Before First Unlock"
- iOS Forensics: BFU (Before First Unlock) acquisition, using checkra1n
- iOS Forensics: HFS+ file system, partitions and relevant evidences
- Local Photo Library Photos.sqlite Query Documentation & Notable Artifacts
/mobile/Library/Preferences/com.apple.assetsd.plist
- Shared with You Syndication Photo Library – Message Attachments & Linked Assets
/mobile/Library/Preferences/com.apple.atc.plist
- Checkra1n Era - Ep 4 - Analyzing extractions "Before First Unlock"
- Do you have a Full-Sized Asset…or just a Thumbnail? Did Optimized iPhone Storage process occur?
/mobile/Library/Preferences/com.apple.BatteryCenter.BatteryWidget.plist
/mobile/Library/Preferences/com.apple.camera.plist
- Local Photo Library Photos.sqlite Query Documentation & Notable Artifacts
- Do you have a Full-Sized Asset…or just a Thumbnail? Did Optimized iPhone Storage process occur?
/mobile/Library/Preferences/com.apple.carplay.plist
- Ridin’ With Apple CarPlay
- They See Us Rollin’; They Hatin’: Forensics of iOS CarPlay and Android Auto
- iOS 16 - Breaking Down the Biomes (Part 3) - Keeping up with CarPlay
- Digital Forensic Case Studies for In-Vehicle Infotainment Systems Using Android Auto and Apple CarPlay
- Cellebrite CTF 2021 Writeup
- Cellebrite CTF 2021 - Marsha's iPhone
- Auto-Parser: Android Auto and Apple CarPlay Forensics
/mobile/Library/Preferences/com.apple.celestial.plist
- Ridin’ With Apple CarPlay
- Auto-Parser: Android Auto and Apple CarPlay Forensics
/mobile/Library/Preferences/com.apple.cloud.quota.plist
- Checkra1n Era - Ep 4 - Analyzing extractions "Before First Unlock"
/mobile/Library/Preferences/com.apple.cloudphotod.plist
- Local Photo Library Photos.sqlite Query Documentation & Notable Artifacts

/mobile/Library/Preferences/com.apple.cmfsyncagent.plist

Checkra1n Era - Ep 4 - Analyzing extractions "Before First Unlock"
The Meaning of Messages

/mobile/Library/Preferences/com.apple.commcenter.shared.plist

Practical Mobile Forensics - Fourth Edition

/mobile/Library/Preferences/com.apple.conference.plist

/mobile/Library/Preferences/com.apple.contacts.donation-agent.plist

/mobile/Library/Preferences/com.apple.contextstored.plist

/mobile/Library/Preferences/com.apple.CoreDuet.plist

/mobile/Library/Preferences/com.apple.CoreDuet.QueuedDenials.plist

/mobile/Library/Preferences/com.apple.coreduetd.batterysaver.state.plist

/mobile/Library/Preferences/com.apple.coreduetd.plist

iOS Forensics: BFU (Before First Unlock) acquisition, using checkra1n
iOS Forensics: HFS+ file system, partitions and relevant evidences

/mobile/Library/Preferences/com.apple.corerecents.recentsd.plist

/mobile/Library/Preferences/com.apple.corespotlightui.plist

/mobile/Library/Preferences/com.apple.FeedbackAssistant.plist

/mobile/Library/Preferences/com.apple.homesharing.plist

iOS Forensics: BFU (Before First Unlock) acquisition, using checkra1n
iOS Analysis Test No. 18-5551 Summary Report

/mobile/Library/Preferences/com.apple.icloud.findmydeviced.FMIPAccounts.plist

/mobile/Library/Preferences/com.apple.icloud.fmfd.plist

iOS - Tracking Device Migration

/mobile/Library/Preferences/com.apple.identityservices.idstatuscache.plist

How iOS Properties Files Can Confirm a Suspect’s Contacts Even If Deleted
Checkra1n Era - Ep 4 - Analyzing extractions "Before First Unlock"
iOS Forensics: HFS+ file system, partitions and relevant evidences
Making the most of Property Lists
Practical Mobile Forensics - Fourth Edition

/mobile/Library/Preferences/com.apple.imservice*.plist

/mobile/Library/Preferences/com.apple.locationd.plist

Checkra1n Era - Ep 4 - Analyzing extractions "Before First Unlock"
iOS Location Services and System Services are they ON or OFF
iOS Location Services and System Services ON or OFF?
iOS Analysis Test No. 18-5551 Summary Report
Practical Mobile Forensics - Fourth Edition

/mobile/Library/Preferences/com.apple.madrid.plist

Checkra1n Era - Ep 4 - Analyzing extractions "Before First Unlock"
The Meaning of Messages
iOS Forensics for Investigators

/mobile/Library/Preferences/com.apple.messages.pinning.plist

The Meaning of Messages

/mobile/Library/Preferences/com.apple.migration.plist

iOS - Tracking Device Migration
Local Photo Library Photos.sqlite Query Documentation & Notable Artifacts

/mobile/Library/Preferences/com.apple.mmcs.plist

/mobile/Library/Preferences/com.apple.mobile.ldbackup.plist

Checkra1n Era - Ep 4 - Analyzing extractions "Before First Unlock"
Local Photo Library Photos.sqlite Query Documentation & Notable Artifacts
Practical Mobile Forensics - Fourth Edition

/mobile/Library/Preferences/com.apple.mobilegestalt.plist

WHO IS THE OWNER OF THE MOBILE DEVICE?
Practical Mobile Forensics - Fourth Edition

/mobile/Library/Preferences/com.apple.mobilephone.plist

Practical Mobile Forensics - Fourth Edition

/mobile/Library/Preferences/com.apple.mobileslideshow.plist

How to find iOS Hidden Assets
Do you have a Full-Sized Asset…or just a Thumbnail? Did Optimized iPhone Storage process occur?

/mobile/Library/Preferences/com.apple.MobileSMS.plist

Checkra1n Era - Ep 4 - Analyzing extractions "Before First Unlock"
What is the likelihood of recovering deleted iPhone messages?
Missing Pieces: Tips and Tricks on how to ensure your acquisitions aren’t missing critical data
The Meaning of Messages
Practical Mobile Forensics - Fourth Edition
iOS Forensics for Investigators

/mobile/Library/Preferences/com.apple.mt.lastLaunch.plist

/mobile/Library/Preferences/com.apple.nano.plist

/mobile/Library/Preferences/com.apple.nanoregistry.plist

/mobile/Library/Preferences/com.apple.preferences.datetime.plist

Checkra1n Era - Ep 4 - Analyzing extractions "Before First Unlock"
Practical Mobile Forensics - Fourth Edition

/mobile/Library/Preferences/com.apple.preferences.network.plist

Artifacts of an IOS device
Wireless Network Preferences – iOS

/mobile/Library/Preferences/com.apple.Preferences.plist

Checkra1n Era - Ep 4 - Analyzing extractions "Before First Unlock"
Practical Mobile Forensics - Fourth Edition

/mobile/Library/Preferences/com.apple.purplebuddy.plist

iOS - Tracking Device Migration
Putting a User Behind an iOS Device
How was an iPhone set up?
Upgrade From NULL—Detecting iOS Wipe Artifacts
How was an iPhone set up?
How To Identify When an IPhone or iPad was Factory Reset
Checkra1n Era - Ep 4 - Analyzing extractions "Before First Unlock"
Local Photo Library Photos.sqlite Query Documentation & Notable Artifacts
iOS Analysis Test No. 20-5551 Summary Report

/mobile/Library/Preferences/com.apple.sharingd.plist

Analysis of Apple Unified Logs: Quarantine Edition [Entry 11] – AirDropping Some Knowledge
EXTRACTING FORENSIC ARTIFACTS FROM APPLE CONTINUITY
Checkra1n Era - Ep 4 - Analyzing extractions "Before First Unlock"

/mobile/Library/Preferences/com.apple.springboard.plist

Recover your iPhone Screen Time or restrictions passcode (supports iOS 14)
Artifacts of an IOS device
Auto-Parser: Android Auto and Apple CarPlay Forensics
Practical Mobile Forensics - Fourth Edition

/mobile/Library/Preferences/com.apple.timed.plist

Checkra1n Era - Ep 4 - Analyzing extractions "Before First Unlock"

/mobile/Library/Preferences/com.apple.weather.plist

/mobile/Library/Recents/Recents

iOS Analysis Test No. 20-5551 Summary Report
Recents query

/mobile/Library/Reminders/

Cellebrite CTF 2020: Ruth Langmore
iLEAPP Reminders Plugin

/mobile/Library/Safari/Bookmarks.db

iOS 14 - First Thoughts and Analysis
Getting Started with iOS Forensics
iLEAPP Safari Bookmarks Plugin
Practical Mobile Forensics - Fourth Edition
iOS Forensics for Investigators

/mobile/Library/Safari/BrowserState.db

Examining mobile devices: identiffying private internet browking activity in Mobile Safari
iOS 14 - First Thoughts and Analysis
iLEAPP Safari Tabs Plugin
iOS Forensics for Investigators

/mobile/Library/Safari/CloudTabs.db

iLEAPP Safari Tabs Plugin
iOS Forensics for Investigators

/mobile/Library/Safari/History.db

Missing SQLite Records Analysis
Examining mobile devices: identiffying private internet browking activity in Mobile Safari
KnowledgeC (and Friends)
Cellebrite CTF 2020: Ruth Langmore
Magnet User Summit 2022 CTF - iPhone
Magnet User Summit 2022 CTF - iPhone
iOS Analysis Test No. 18-5551 Summary Report
iOS Analysis Test No. 19-5551 Summary Report
iOS Analysis Test No. 20-5551 Summary Report
iOS Analysis Test No. 21-5551 Summary Report
iOS Analysis Test No. 22-5551 Summary Report
Reading Your Browser's History with SQLite
APOLLO Safari History Module
iLEAPP Safari History Plugin
Practical Mobile Forensics - Fourth Edition
iOS Forensics for Investigators

/mobile/Library/Safari/SafariTabs.db

iOS 16 - Breaking Down the Biomes (Part 4) - Surfin' with Safari
iOS 16: What Digital Investigators Need to Know
Checking in on iOS 16 in Magnet AXIOM 6.8

/mobile/Library/SMS/Attachments/

The Meaning of Messages
Using Photos.sqlite to Show the Relationships Between Photos and the Application they were Created with?
Shared with You Syndication Photo Library – Message Attachments & Linked Assets
iOS Analysis Test No. 19-5551 Summary Report
iOS Forensics for Investigators

/mobile/Library/SMS/Drafts/

Local Photo Library Photos.sqlite Query Documentation & Notable Artifacts
iLEAPP Draft SMS Plugin
iOS Forensics for Investigators

/mobile/Library/SMS/sms.db

The Meaning of Messages
iOS16 iMessages
iOS 16 - "Paul unsent a message." ... OR DID HE?!
Message Reactions
Sharing Locations in iOS Messages
iOS 14 - Message Mentions and Threading
Cellebrite CTF 2020: Juan Mortyme
iOS Analysis Test No. 18-5551 Summary Report
iOS Analysis Test No. 19-5551 Summary Report
iOS Analysis Test No. 20-5551 Summary Report
Lagging for the Win: Querying for Negative Evidence in the sms.db
An Alternate Location for Deleted SMS/iMessage Data in Apple Devices
Missing SQLite Records Analysis
Local Photo Library Photos.sqlite Query Documentation & Notable Artifacts
How To Identify When an IPhone or iPad was Factory Reset
KnowledgeC (and Friends)
Temporal Analysis Anomalies with iOS iMessage Communication Exchange
iLEAPP SMS Plugin
APOLLO SMS Modules
Practical Mobile Forensics - Fourth Edition
iOS Forensics for Investigators

/mobile/Library/SMS/sms-temp.db

Checkra1n Era - Ep 4 - Analyzing extractions "Before First Unlock"
iOS Forensics for Investigators

/mobile/Library/SpringBoard/HomeBackgroundThumbnail.jpg

/mobile/Library/SpringBoard/IconState.plist

Today, Widgets, & Ignored Apps in iOS
Recover iOS App Screen Layouts with the New iOS Home Screen Items Artifact
Checkra1n Era - Ep 4 - Analyzing extractions "Before First Unlock"
iLEAPP Icon State Plugin
A Few Interesting iOS Forensic Artefacts
iOS - Tracking Traces of Deleted Applications
Tracking Traces of Deleted Applications - SANS DFIR Summit 2019
Auto-Parser: Android Auto and Apple CarPlay Forensics
They See Us Rollin’; They Hatin’: Forensics of iOS CarPlay and Android Auto

/mobile/Library/SpringBoard/LockBackgroundThumbnail.jpg

Practical Mobile Forensics - Fourth Edition

/mobile/Library/SpringBoard/LockBackgroundThumbnaildark.jpg

Practical Mobile Forensics - Fourth Edition

/mobile/Library/SpringBoard/TodayViewArchive.plist

/mobile/Library/SpringBoard/PushStore/

pushstore_parser
iLEAPP PushStore Plugin

/mobile/Library/Suggestions/query_predictions.db

iLEAPP Query Predictions Plugin
APOLLO Query Predictions Module

/mobile/Library/TCC/TCC.db

Checkra1n Era - Ep 4 - Analyzing extractions "Before First Unlock"
iOS Forensics: BFU (Before First Unlock) acquisition, using checkra1n
iOS Forensics: HFS+ file system, partitions and relevant evidences
Cellebrite CTF 2021 - Beth's iPhone
Analysis of Apple Unified Logs: Quarantine Edition [Entry 10] – You down with TCC? Yea, you know me! Tracking App Permissions and the TCC APOLLO Module
iLEAPP TCC Plugin
APOLLO TCC Module

/mobile/Library/UserConfigurationProfiles/PublicEffectiveUserSettings.plist

iOS Settings Display Auto-Lock & Require Passcode
iOS Settings Display Auto-Lock & Require Passcode
Cellebrite CTF 2021 - Beth's iPhone
Cellebrite CTF 2021 Writeup

/mobile/Library/UserConfigurationProfiles/UserSettings.plist

/mobile/Library/UserNotifications/

Magnet User Summit 2022 CTF - iPhone
iLEAPP User Notifications Plugin
Mobile Cyber Forensic Investigations of Web3 Wallets on Android and iOS

/mobile/Library/Voicemail/voicemail.db

iOS Voicemail Transcripts
Dude, Where's My Banana? Retrieving data from an iPhone voicemail database
Dude, Where's My Data?
iOS Analysis Test No. 18-5551 Summary Report
iOS Analysis Test No. 20-5551 Summary Report
iOS Analysis Test No. 21-5551 Summary Report
iOS Analysis Test No. 22-5551 Summary Report
Practical Mobile Forensics - Fourth Edition

"/mobile/Media/" folder

/mobile/Media/DCIM/
- Local Photo Library Photos.sqlite Query Documentation & Notable Artifacts
- Do you have a Full-Sized Asset…or just a Thumbnail? Did Optimized iPhone Storage process occur?
- How to find iOS Hidden Assets
- USING PHOTOS.SQLITE TO SHOW THE RELATIONSHIPS BETWEEN PHOTOS AND THE APPLICATION THEY WERE CREATED WITH? BY SCOTT KOENIG
- Checkra1n Era - Ep 4 - Analyzing extractions "Before First Unlock"
- Cellebrite CTF 2021 Writeup
- Cellebrite CTF 2020: Juan Mortyme
- Cellebrite CTF 2022 - Marsha's iPhone
- Magnet Forensics Virtual Summit 2023 CTF – iOS
- iOS Analysis Test No. 18-5551 Summary Report
- iOS Analysis Test No. 19-5551 Summary Report
- iOS Analysis Test No. 20-5551 Summary Report
- iOS Analysis Test No. 21-5551 Summary Report
- iOS Analysis Test No. 22-5551 Summary Report
- Practical Mobile Forensics - Fourth Edition
- iOS Forensics for Investigators
/mobile/Media/iTunes_Control/iTunes/MediaLibrary.sqlitedb
- Checkra1n Era - Ep 4 - Analyzing extractions "Before First Unlock"
- Cellebrite CTF 2020: Ruth Langmore
- Apple TV Forensics 03: Analysis
- Forensicating The Apple TV
- Apple Watch Forensics 02: Analysis
- APPLE WATCH FORENSICS: IS IT EVER POSSIBLE, AND WHAT IS THE PROFIT?
- iLEAPP Media Library Plugin
/mobile/Media/iTunesControl/iTunes/iTunesPrefs
- Checkra1n Era - Ep 4 - Analyzing extractions "Before First Unlock"
- Forensic Analysis of iTunes Backups
/mobile/Media/MediaAnalysis/mediaanalysis.db
- Follow-on to DFIR Summit Talk: Lucky (iOS) 13: Time To Press Your Bets (via @bizzybarney)
- iOS Forensics for Investigators
/mobile/Media/PhotoData/AlbumsMetadata/
- Local Photo Library Photos.sqlite Query Documentation & Notable Artifacts
/mobile/Media/PhotoData/PhotoCloudSharingData/
- Local Photo Library Photos.sqlite Query Documentation & Notable Artifacts
- Local Photo Library Photos.sqlite Query Variations & WHERE statements
- Photos.sqlite ZINTERNALRESOURCE Table Reference Guide
- Sharing is Caring – An Overview of Shared Albums in iOS
- iLEAPP Shared Albumbs Plugin
- iOS Forensics for Investigators
/mobile/Media/PhotoData/Caches/GraphService/CLSPublicEventCache.sqlite
/mobile/Media/PhotoData/CPL/
- Local Photo Library Photos.sqlite Query Documentation & Notable Artifacts
- Do you have a Full-Sized Asset…or just a Thumbnail? Did Optimized iPhone Storage process occur?
- How to find iOS Hidden Assets
- Practical Mobile Forensics - Fourth Edition
/mobile/Media/PhotoData/Photos.sqlite
- Photos.sqlite Queries – Original Blog Posting
- Local Photo Library Photos.sqlite Query Documentation & Notable Artifacts
- Local Photo Library Photos.sqlite Query Variations & WHERE statements
- How to find iOS Hidden Assets
- Photos.sqlite ZINTERNALRESOURCE Table Reference Guide
- Do you have a Full-Sized Asset…or just a Thumbnail? Did Optimized iPhone Storage process occur?
- Part B Filling a device internal storage for Optimize iPhone Storage Research
- iOS Media Adjustments
- iOS Local Photo Library (PL) Photos.sqlite Queries
- USING PHOTOS.SQLITE TO SHOW THE RELATIONSHIPS BETWEEN PHOTOS AND THE APPLICATION THEY WERE CREATED WITH? BY SCOTT KOENIG
- How Did That Photo Get on That iPhone? – Deep Dive into the iOS “Photos.sqlite” database
- How Did That Photo Get on That iPhone: Media Attribution for iOS
- iOS Photos.sqlite Forensics
- macOS & iOS Photos Support with Magnet AXIOM
- Apple Watch Forensics 02: Analysis
- Apple iOS: Recently Deleted images
- The Apple Photos library
- Photos.sqlite query
- iLEAPP Photos Plugin
- Practical Mobile Forensics - Fourth Edition
- iOS Forensics for Investigators
/mobile/Media/PhotoData/Thumbnails/
- iPhone Photodata Thumbnails
- Local Photo Library Photos.sqlite Query Documentation & Notable Artifacts
- Do you have a Full-Sized Asset…or just a Thumbnail? Did Optimized iPhone Storage process occur?
- Photos.sqlite ZINTERNALRESOURCE Table Reference Guide
- iOS iThmbs
- iThmb Converter
- iOS Forensics for Investigators
/mobile/Media/Recordings/
- Forensic originality identification of iPhone’s voice memos
- A method of forensic authentication of audio recordings generated using the Voice Memos application in the iPhone
- Advanced forensic procedure for the authentication of audio recordings generated by Voice Memos application of iOS14
- Cellebrite CTF 2020: Juan Mortyme
- iLEAPP Voice Recordings Plugin
- Practical Mobile Forensics - Fourth Edition

"/mobile/MobileSoftwareUpdate/" folder

/mobile/MobileSoftwareUpdate/restore.log
- Restore Log - Tracking iOS Update History
- Cellebrite CTF 2021 Writeup
- iLEAPP restore.log Plugin

"/networkd/" folder

/networkd/netusage.sqlite
- Network and Application Usage using netusage.sqlite & DataUsage.sqlite iOS Databases
- iOS - Tracking Traces of Deleted Applications
- Tracking Traces of Deleted Applications - SANS DFIR Summit 2019
- iOS Forensics: HFS+ file system, partitions and relevant evidences
- iLEAPP Net Usage Plugin
- APOLLO Netusage Module

"/preferences/" folder

/preferences/com.apple.networkextension.plist
/preferences/com.apple.wifi.known-networks.plist
- Apple Private Wi-Fi Addresses
- Sysdiagnose in iOS 16: a first look from a Digital Forensics perspective
- mac_apt WiFi Plugin
/preferences/SystemConfiguration/com.apple.accounts.exists.plist
- Checkra1n Era - Ep 4 - Analyzing extractions "Before First Unlock"
- iLEAPP Conf Accounts Plugin
/preferences/SystemConfiguration/com.apple.networkidentification.plist
- Artifacts of an IOS device
- Everything You Always Wanted to Know About iTunes and iCloud Backups But Were Afraid to Ask
/preferences/SystemConfiguration/com.apple.radios.plist
- Checkra1n Era - Ep 4 - Analyzing extractions "Before First Unlock"
- iOS Forensics for Investigators
/preferences/SystemConfiguration/com.apple.wifi.plist
- From iPhone to Access Point
- Apple Private Wi-Fi Addresses
- Using Apple “Bug Reporting” for forensic purposes
- Sysdiagnose in iOS 16: a first look from a Digital Forensics perspective
- Wifi Networks – iOS
- Apple Watch Forensics 02: Analysis
- iOS Forensics: HFS+ file system, partitions and relevant evidences
- iOS Forensics: BFU (Before First Unlock) acquisition, using checkra1n
- APPLE WATCH FORENSICS: IS IT EVER POSSIBLE, AND WHAT IS THE PROFIT?
- A journey into IoT Forensics - Episode 5 - Analysis of the Apple HomePod and the Apple Home Kit Environment (aka thanks RN Team!)
- Cellebrite CTF 2020: Ruth Langmore
- iOS Analysis Test No. 18-5551 Summary Report
- iOS Analysis Test No. 19-5551 Summary Report
- iOS Analysis Test No. 20-5551 Summary Report
- iOS Analysis Test No. 21-5551 Summary Report
- iOS Analysis Test No. 22-5551 Summary Report
- iOS Sysdiagnose Wi-Fi script
- iLEAPP WiFi Plugin
- mac_apt WiFi Plugin
- Practical Mobile Forensics - Fourth Edition
- iOS Forensics for Investigators
/preferences/SystemConfiguration/com.apple.wifi-private-mac-networks.plist
- Apple Private Wi-Fi Addresses
- iLEAPP WiFi Plugin
- mac_apt WiFi Plugin
/preferences/SystemConfiguration/NetworkInterfaces.plist
- Checkra1n Era - Ep 4 - Analyzing extractions "Before First Unlock"
- iOS Sysdiagnose Network Interfaces script
- Using Apple “Bug Reporting” for forensic purposes
- iOS Analysis Test No. 21-5551 Summary Report
- iOS Forensics for Investigators
/preferences/SystemConfiguration/preferences.plist

"/root/" folder

/root/.obliterated
- Upgrade From NULL—Detecting iOS Wipe Artifacts
- How To Identify When an IPhone or iPad was Factory Reset
- iOS Analysis Test No. 20-5551 Summary Report
- iOS Analysis Test No. 21-5551 Summary Report
- iOS Analysis Test No. 22-5551 Summary Report
- Cellebrite CTF 2020: Ruth Langmore
/root/Library/Application Support/com.apple.wifianalyticsd/DeviceAnalyticsModel.sqlite
/root/Library/Application Support/com.apple.wifianalyticsd/WiFiNetworkStoreModel.sqlite
- iLEAPP WifiNetworkStoreModel Plugin
/root/Library/Caches/com.apple.wifid/ThreeBars.sqlite
- Checkra1n Era - Ep 4 - Analyzing extractions "Before First Unlock"
- Locations, Locations, Locations
- Harvested Locations
/root/Library/Caches/locationd/cache.plist
- Checkra1n Era - Ep 4 - Analyzing extractions "Before First Unlock"
- Ridin’ With Apple CarPlay
/root/Library/Caches/locationd/cache_encryptedA.db
- New Script – iOS Locations Scraper
- Smartphone Privacy: How Your Smartphone Tracks Your Entire Life
- Getting Started with iOS Forensics
- APOLLO cache_ecnryptedA/B Modules
/root/Library/Caches/locationd/cache_encryptedB.db
- FROM APPLE SEEDS TO APPLE PIE
- New Script – iOS Locations Scraper
- Smartphone Privacy: How Your Smartphone Tracks Your Entire Life
- Checkra1n Era - Ep 4 - Analyzing extractions "Before First Unlock"
- Harvested Locations
- APOLLO cache_ecnryptedA/B Modules
- iOS Forensics for Investigators
/root/Library/Caches/locationd/cache_encryptedC.db
- FROM APPLE SEEDS TO APPLE PIE
- SANS 2022 DFIR Summit Queries
- APOLLO cache_ecnryptedC Modules
- The phone reveals your motion: Digital traces of walking, driving and other movements on iPhones
- Checkra1n Era - Ep 4 - Analyzing extractions "Before First Unlock"
- iOS Forensics for Investigators
/root/Library/Caches/locationd/clients.plist
- iOS Location Services and System Services ON or OFF?
- iOS Location Services and System Services are they ON or OFF
- Practical Mobile Forensics - Fourth Edition
/root/Library/Caches/locationd/consolidated.db
- iOS GeoFences
- BELKASOFT CTF JULY 2022: WRITE-UP
- iOS Forensics for Investigators
/root/Library/Lockdown/data_ark.plist
- Putting a User Behind an iOS Device
- Checkra1n Era - Ep 4 - Analyzing extractions "Before First Unlock"
- Oh no! I have a wiped iPhone, now what?
- KnowledgeC (and Friends)
- Magnet Virtual Summit 2020 CTF (iOS)
- iOS - Tracking Device Migration
- iOS Analysis Test No. 22-5551 Summary Report
- Artifacts of an IOS device
/root/Library/Lockdown/escrow_records/
- Checkra1n Era - Ep 4 - Analyzing extractions "Before First Unlock"
- Understanding usbmux and the iOS lockdown service
- Practical Mobile Forensics - Fourth Edition
/root/Library/Lockdown/pair_records/
- Checkra1n Era - Ep 4 - Analyzing extractions "Before First Unlock"
- Understanding usbmux and the iOS lockdown service
- Practical Mobile Forensics - Fourth Edition
/root/Library/Logs/MobileContainerManager
- Checkra1n Era - Ep 4 - Analyzing extractions "Before First Unlock"
- How To Identify When an IPhone or iPad was Factory Reset
- So Long Lockdown!
- Upgrade From NULL—Detecting iOS Wipe Artifacts
- Using Apple “Bug Reporting” for forensic purposes
- Apple Watch Forensics 02: Analysis
- Apple TV Forensics 03: Analysis
- iLEAPP Mobile Container Manager Logs Plugin
/root/Library/MobileContainerManager/containers.sqlite3
- Checkra1n Era - Ep 4 - Analyzing extractions "Before First Unlock"
- iOS Application Groups & Shared data
/root/Library/Preferences/com.apple.MobileBackup.plist
- Checkra1n Era - Ep 4 - Analyzing extractions "Before First Unlock"
- Using Apple “Bug Reporting” for forensic purposes
- Sysdiagnose in iOS 16: a first look from a Digital Forensics perspective
- iOS Sysdiagnose Mobile Backup script
- Local Photo Library Photos.sqlite Query Documentation & Notable Artifacts
- Practical Mobile Forensics - Fourth Edition
/root/Library/Preferences/com.apple.preferences.network.plist
- Artifacts of an IOS device
- Wireless Network Preferences – iOS

"/wireless/" folder

/wireless/Library/Databases/CellularUsage.db
- Checkra1n Era - Ep 4 - Analyzing extractions "Before First Unlock"
- A Few Interesting iOS Forensic Artefacts
- iOS Forensics: BFU (Before First Unlock) acquisition, using checkra1n
- Cellebrite CTF 2021 - Marsha's Backup
- iOS Analysis Test No. 20-5551 Summary Report
- Practical Mobile Forensics - Fourth Edition
/wireless/Library/Databases/DataUsage.sqlite
- Network and Application Usage using netusage.sqlite & DataUsage.sqlite iOS Databases
- FROM APPLE SEEDS TO APPLE PIE
- iOS - Tracking Traces of Deleted Applications
- Tracking Traces of Deleted Applications - SANS DFIR Summit 2019
- iOS Analysis Test No. 20-5551 Summary Report
- Checkra1n Era - Ep 4 - Analyzing extractions "Before First Unlock"
- iOS Forensics: BFU (Before First Unlock) acquisition, using checkra1n
- iOS Forensics: HFS+ file system, partitions and relevant evidences
- APOLLO DataUsage Modules
- iLEAPP DataUsage Plugin
- iOS Forensics for Investigators
/wireless/Library/preferences/com.apple.commcenter.callservices.plist
/wireless/Library/Preferences/com.apple.commcenter.counts.plist
- Checkra1n Era - Ep 4 - Analyzing extractions "Before First Unlock"
/wireless/Library/Preferences/com.apple.commcenter.data.plist
- Mo’ SIMs, Mo’ Problems. Examining Phones with Dual SIMs.
- iLEAPP SimInfo Plugin
/wireless/Library/Preferences/com.apple.commcenter.device_specific_nobackup.plist
- Checkra1n Era - Ep 4 - Analyzing extractions "Before First Unlock"
/wireless/Library/Preferences/com.apple.commcenter.plist
- Checkra1n Era - Ep 4 - Analyzing extractions "Before First Unlock"
- iOS Forensics: HFS+ file system, partitions and relevant evidences
- iOS Forensics: BFU (Before First Unlock) acquisition, using checkra1n
- Artifacts of an IOS device
- iOS Analysis Test No. 18-5551 Summary Report
- iOS Analysis Test No. 21-5551 Summary Report
- iOS Analysis Test No. 22-5551 Summary Report
- Practical Mobile Forensics - Fourth Edition
- iOS Forensics for Investigators

iOS-Forensics-References
iOS-Forensics-References copied to clipboard

Metadata

iOS Forensics References

DATA Partition (/private/var)

"/.fseventsd/" folder

"/containers/" folder

"/db/" folder

"/installd/" folder

"/logs/" folder

"/mobile/Containers/" folder

"/mobile/Library/" folder

"/mobile/Media/" folder

"/mobile/MobileSoftwareUpdate/" folder

"/networkd/" folder

"/preferences/" folder

"/root/" folder

"/wireless/" folder

← Metadata

Owner

Metadata

iOS-Forensics-References iOS-Forensics-References copied to clipboard

Metadata

iOS Forensics References

DATA Partition (/private/var)

"/.fseventsd/" folder

"/containers/" folder

"/db/" folder

"/installd/" folder

"/logs/" folder

"/mobile/Containers/" folder

"/mobile/Library/" folder

"/mobile/Media/" folder

"/mobile/MobileSoftwareUpdate/" folder

"/networkd/" folder

"/preferences/" folder

"/root/" folder

"/wireless/" folder

← Metadata

Owner

Metadata

iOS-Forensics-References
iOS-Forensics-References copied to clipboard