Awesome

iOS Forensics References

Last update: April 17th 2023 <h1>DATA Partition (/private/var)</h1> <h2 style="text-align: left;">"/.fseventsd/" folder</h2> <div> <ul> <li> /.fseventsd <ul> <li>Understanding MacOS File System Events with FSEventsParser</li> http://www.osdfcon.org/presentations/2017/Ibrahim-Understanding-MacOS-File-Ststem-Events-with-FSEvents-Parser.pdf <li>Mac OS X and iOS Forensics - Looking into the past with FSEvents</li> https://papers.put.as/papers/macosx/2017/summit_archive_1498158287.pdf <li>FSEvents Parser</li> https://github.com/dlcowen/FSEventsParser </ul> </li> </ul> </div> <h2 style="text-align: left;">"/containers/" folder</h2> <div> <ul> <li> /containers/Data/System/"GUID"/Documents/storeSystem.db </li> <li> /containers/Shared/SystemGroup/"GUID"/Library/BatteryLife/CurrentPowerlog.PLSQL <ul> <li>FROM APPLE SEEDS TO APPLE PIE</li> https://objectivebythesea.org/v1/talks/OBTS_v1_Edwards.pdf <li>On the Third Day of APOLLO, My True Love Gave to Me – Application Usage to Determine Who Has Been Naughty or Nice</li> http://www.mac4n6.com/blog/2018/12/16/on-the-third-day-of-apollo-my-true-love-gave-to-me-application-usage-to-determine-who-has-been-naughty-or-nice <li>On the Fourth Day of APOLLO, My True Love Gave to Me – Media Analysis to Prove You Listened to “All I Want for Christmas is You” Over and Over Since Before Thanksgiving</li> http://www.mac4n6.com/blog/2018/12/17/on-the-fourth-day-of-apollo-my-true-love-gave-to-me-media-analysis-to-prove-you-listened-to-all-i-want-for-christmas-is-you-over-and-over-since-before-thanksgiving <li>On the Sixth Day of APOLLO, My True Love Gave to Me – Blinky Things with Buttons – Device Status Analysis</li> http://www.mac4n6.com/blog/2018/12/19/on-the-sixth-day-of-apollo-my-true-love-gave-to-me-blinky-things-with-buttons-device-status-analysis <li>On the Seventh Day of APOLLO, My True Love Gave to Me – A Good Conversation – Analysis of Communications and Data Usage</li> http://www.mac4n6.com/blog/2018/12/20/on-the-seventh-day-of-apollo-my-true-love-gave-to-me-a-good-conversation-analysis-of-communications-and-data-usage <li>On the Eighth Day of APOLLO, My True Love Gave to Me – A Glorious Lightshow – Analysis of Device Connections</li> http://www.mac4n6.com/blog/2018/12/21/on-the-eighth-day-of-apollo-my-true-love-gave-to-me-a-glorious-lightshow-analysis-of-device-connections <li>On the Tenth Day of APOLLO, My True Love Gave to Me – An Oddly Detailed Map of My Recent Travels – iOS Location Analysis</li> http://www.mac4n6.com/blog/2018/12/23/on-the-tenth-day-of-apollo-my-true-love-gave-to-me-an-oddly-detailed-map-of-my-recent-travels-ios-location-analysis <li>APOLLO CurrentPowerLog Modules</li> https://github.com/mac4n6/APOLLO/blob/master/modules/powerlog_accessory_connection.txt https://github.com/mac4n6/APOLLO/blob/master/modules/powerlog_airdrop.txt https://github.com/mac4n6/APOLLO/blob/master/modules/powerlog_app_audio.txt https://github.com/mac4n6/APOLLO/blob/master/modules/powerlog_app_deletion.txt https://github.com/mac4n6/APOLLO/blob/master/modules/powerlog_app_info.txt https://github.com/mac4n6/APOLLO/blob/master/modules/powerlog_app_nowplaying.txt https://github.com/mac4n6/APOLLO/blob/master/modules/powerlog_app_usage.txt https://github.com/mac4n6/APOLLO/blob/master/modules/powerlog_app_usage_by_hour.txt https://github.com/mac4n6/APOLLO/blob/master/modules/powerlog_assertion.txt https://github.com/mac4n6/APOLLO/blob/master/modules/powerlog_audio_routing.txt https://github.com/mac4n6/APOLLO/blob/master/modules/powerlog_awdl_states.txt https://github.com/mac4n6/APOLLO/blob/master/modules/powerlog_backcamera_state.txt https://github.com/mac4n6/APOLLO/blob/master/modules/powerlog_backlight_brightness.txt https://github.com/mac4n6/APOLLO/blob/master/modules/powerlog_battery_level.txt https://github.com/mac4n6/APOLLO/blob/master/modules/powerlog_battery_level_ui.txt https://github.com/mac4n6/APOLLO/blob/master/modules/powerlog_bluetooth_device_state.txt https://github.com/mac4n6/APOLLO/blob/master/modules/powerlog_button_state.txt https://github.com/mac4n6/APOLLO/blob/master/modules/powerlog_camera_state.txt https://github.com/mac4n6/APOLLO/blob/master/modules/powerlog_coalition_interval.txt https://github.com/mac4n6/APOLLO/blob/master/modules/powerlog_device_lock_state.txt https://github.com/mac4n6/APOLLO/blob/master/modules/powerlog_device_screen_autolock.txt https://github.com/mac4n6/APOLLO/blob/master/modules/powerlog_device_telephony_activity.txt https://github.com/mac4n6/APOLLO/blob/master/modules/powerlog_device_telephony_registration.txt https://github.com/mac4n6/APOLLO/blob/master/modules/powerlog_device_volume.txt https://github.com/mac4n6/APOLLO/blob/master/modules/powerlog_display.txt https://github.com/mac4n6/APOLLO/blob/master/modules/powerlog_display_brightness.txt https://github.com/mac4n6/APOLLO/blob/master/modules/powerlog_frontcamera_state.txt https://github.com/mac4n6/APOLLO/blob/master/modules/powerlog_ids_messages.txt https://github.com/mac4n6/APOLLO/blob/master/modules/powerlog_incallservice.txt https://github.com/mac4n6/APOLLO/blob/master/modules/powerlog_kernel_task_monitor.txt https://github.com/mac4n6/APOLLO/blob/master/modules/powerlog_lightning_connector_status.txt https://github.com/mac4n6/APOLLO/blob/master/modules/powerlog_lightnining_connector_status.txt https://github.com/mac4n6/APOLLO/blob/master/modules/powerlog_location_client_status.txt https://github.com/mac4n6/APOLLO/blob/master/modules/powerlog_location_tech_status.txt https://github.com/mac4n6/APOLLO/blob/master/modules/powerlog_mobilebackup.txt https://github.com/mac4n6/APOLLO/blob/master/modules/powerlog_network_usage.txt https://github.com/mac4n6/APOLLO/blob/master/modules/powerlog_paired_device_config.txt https://github.com/mac4n6/APOLLO/blob/master/modules/powerlog_power_state.txt https://github.com/mac4n6/APOLLO/blob/master/modules/powerlog_powernap.txt https://github.com/mac4n6/APOLLO/blob/master/modules/powerlog_process_data_usage.txt https://github.com/mac4n6/APOLLO/blob/master/modules/powerlog_process_id.txt https://github.com/mac4n6/APOLLO/blob/master/modules/powerlog_process_monitor_dynamic.txt https://github.com/mac4n6/APOLLO/blob/master/modules/powerlog_push_message_received.txt https://github.com/mac4n6/APOLLO/blob/master/modules/powerlog_rapport_received_message.txt https://github.com/mac4n6/APOLLO/blob/master/modules/powerlog_springboard_aggregate_bulletins.txt https://github.com/mac4n6/APOLLO/blob/master/modules/powerlog_springboard_aggregate_notifications.txt https://github.com/mac4n6/APOLLO/blob/master/modules/powerlog_timezone.txt https://github.com/mac4n6/APOLLO/blob/master/modules/powerlog_torch_state.txt https://github.com/mac4n6/APOLLO/blob/master/modules/powerlog_video.txt https://github.com/mac4n6/APOLLO/blob/master/modules/powerlog_video_cmfile.txt https://github.com/mac4n6/APOLLO/blob/master/modules/powerlog_video_cmhls.txt https://github.com/mac4n6/APOLLO/blob/master/modules/powerlog_video_vtsession.txt https://github.com/mac4n6/APOLLO/blob/master/modules/powerlog_wallet_card.txt https://github.com/mac4n6/APOLLO/blob/master/modules/powerlog_wallet_transaction.txt https://github.com/mac4n6/APOLLO/blob/master/modules/powerlog_wifi_properties.txt <li>Time Well Spent: Precision Timing, Monotonic Clocks, and the PowerLogs Database for iOS</li> https://www.forensicfocus.com/webinars/time-well-spent-precision-timing-monotonic-clocks-and-the-powerlogs-database-for-ios/ <li>Oh no! I have a wiped iPhone, now what?</li> https://blog.digital-forensics.it/2021/05/oh-no-i-have-wiped-iphone-now-what.html <li>iOS Forensics: HFS+ file system, partitions and relevant evidences</li> https://andreafortuna.org/2020/08/31/ios-forensics-hfs-file-system-partitions-and-relevant-evidences/ <li>iOS Forensics for Investigators</li> https://www.packtpub.com/product/ios-forensics-for-investigators/9781803234083 </ul> </li> <li> /containers/Shared/SystemGroup/"GUID"/Library/Database/com.apple.MobileBluetooth.ledevices.other.db <ul> <li>Bluetooth – iOS</li> https://bitsplease4n6.wordpress.com/2020/12/17/bluetooth-ios/ <li>How to Use iOS Bluetooth Connections to Solve Crimes Faster</li> https://dfir.pubpub.org/pub/frknihlg/release/1 <li>How to Use iOS Bluetooth Connections to Solve Crimes Faster</li> https://cellebrite.com/en/how-to-use-ios-bluetooth-connections-to-solve-crimes-faster/ <li>iLEAPP Bluetooth Plugin</li> https://github.com/abrignoni/iLEAPP/blob/main/scripts/artifacts/bluetooth.py <li>iOS Forensics for Investigators</li> https://www.packtpub.com/product/ios-forensics-for-investigators/9781803234083 </ul> </li> <li> /containers/Shared/SystemGroup/"GUID"/Library/Database/com.apple.MobileBluetooth.ledevices.paired.db <ul> <li>Bluetooth – iOS</li> https://bitsplease4n6.wordpress.com/2020/12/17/bluetooth-ios/ <li>How to Use iOS Bluetooth Connections to Solve Crimes Faster</li> https://dfir.pubpub.org/pub/frknihlg/release/1 <li>How to Use iOS Bluetooth Connections to Solve Crimes Faster</li> https://cellebrite.com/en/how-to-use-ios-bluetooth-connections-to-solve-crimes-faster/ <li>iLEAPP Bluetooth Plugin</li> https://github.com/abrignoni/iLEAPP/blob/main/scripts/artifacts/bluetooth.py <li>EXTRACTING FORENSIC ARTIFACTS FROM APPLE CONTINUITY</li> https://smarterforensics.com/wp-content/uploads/2014/06/The-Cider-Press-DFIR_Summit2017.pdf <li>iOS Forensics for Investigators</li> https://www.packtpub.com/product/ios-forensics-for-investigators/9781803234083 </ul> </li> <li> /containers/Shared/SystemGroup/"GUID"/Library/Preferences/com.apple.MobileBluetooth.devices.plist <ul> <li>Bluetooth – iOS</li> https://bitsplease4n6.wordpress.com/2020/12/17/bluetooth-ios/ <li>How to Use iOS Bluetooth Connections to Solve Crimes Faster</li> https://dfir.pubpub.org/pub/frknihlg/release/1 <li>How to Use iOS Bluetooth Connections to Solve Crimes Faster</li> https://cellebrite.com/en/how-to-use-ios-bluetooth-connections-to-solve-crimes-faster/ <li>Cellebrite CTF 2021 - Beth's iPhone</li> https://www.stark4n6.com/2021/10/cellebrite-ctf-2021-beths-iphone.html <li>Cellebrite CTF 2020: Juan Mortyme</li> https://ciofecaforensics.com/2020/10/30/cellebrite-ctf-juan/ <li>iOS Analysis Test No. 19-5551 Summary Report</li> https://cts-forensics.com/reports/19-5551_Web.pdf <li>iOS Analysis Test No. 20-5551 Summary Report</li> https://cts-forensics.com/reports/20-5551_Web.pdf <li>iOS Analysis Test No. 21-5551 Summary Report</li> https://cts-forensics.com/reports/21-5551_Web.pdf <li>iOS Forensics: HFS+ file system, partitions and relevant evidences</li> https://andreafortuna.org/2020/08/31/ios-forensics-hfs-file-system-partitions-and-relevant-evidences/ <li>iOS Forensics: BFU (Before First Unlock) acquisition, using checkra1n</li> https://andreafortuna.org/2020/01/10/ios-forensics-bfu-before-first-unlock-acquisition-using-checkra1n/ <li>iLEAPP Bluetooth Plugin</li> https://github.com/abrignoni/iLEAPP/blob/main/scripts/artifacts/bluetooth.py <li>iOS Forensics for Investigators</li> https://www.packtpub.com/product/ios-forensics-for-investigators/9781803234083 </ul> </li> </ul> </div> <h2 style="text-align: left;">"/db/" folder</h2> <div> <ul> <li> /db/biome/ <ul> <li>iOS 16 - Now You 'C' It, Now You Don't -- Breaking Down The Biomes Part 1</li> https://blog.d204n6.com/2022/09/ios-16-now-you-c-it-now-you-dont.html <li>iOS 16 Breaking Down the Biomes Part 2 - AppInstalls, AppLaunch, & AppIntents</li> https://blog.d204n6.com/2022/09/ios-16-breaking-down-biomes-part-2.html <li>iOS 16 - Breaking Down the Biomes (Part 3) - Keeping up with CarPlay</li> https://blog.d204n6.com/2022/09/ios-16-breaking-down-biomes-part-3.html <li>iOS 16 - Breaking Down the Biomes (Part 4) - Surfin' with Safari</li> https://blog.d204n6.com/2022/09/ios-16-breaking-down-biomes-part-4.html <li>iOS 16 - Breaking Down the Biomes Part 5 -- "Hey Siri, find me some more data..."</li> https://blog.d204n6.com/2022/09/ios-16-breaking-down-biomes-part-5-hey.html <li>Bringing it Back With Biome Data</li> https://www.magnetforensics.com/blog/bringing-it-back-with-biome-data/ <li>iLEAPP Biome Plugins</li> https://github.com/abrignoni/iLEAPP/blob/main/scripts/artifacts/biomeAppinstall.py https://github.com/abrignoni/iLEAPP/blob/main/scripts/artifacts/biomeBacklight.py https://github.com/abrignoni/iLEAPP/blob/main/scripts/artifacts/biomeBattperc.py https://github.com/abrignoni/iLEAPP/blob/main/scripts/artifacts/biomeBluetooth.py https://github.com/abrignoni/iLEAPP/blob/main/scripts/artifacts/biomeCarplayisconnected.py https://github.com/abrignoni/iLEAPP/blob/main/scripts/artifacts/biomeDevplugin.py https://github.com/abrignoni/iLEAPP/blob/main/scripts/artifacts/biomeHardware.py https://github.com/abrignoni/iLEAPP/blob/main/scripts/artifacts/biomeInfocus.py https://github.com/abrignoni/iLEAPP/blob/main/scripts/artifacts/biomeIntents.py https://github.com/abrignoni/iLEAPP/blob/main/scripts/artifacts/biomeLocationactivity.py https://github.com/abrignoni/iLEAPP/blob/main/scripts/artifacts/biomeNotes.py https://github.com/abrignoni/iLEAPP/blob/main/scripts/artifacts/biomeNotificationsPub.py https://github.com/abrignoni/iLEAPP/blob/main/scripts/artifacts/biomeNowplaying.py https://github.com/abrignoni/iLEAPP/blob/main/scripts/artifacts/biomeSafari.py https://github.com/abrignoni/iLEAPP/blob/main/scripts/artifacts/biomeSync.py https://github.com/abrignoni/iLEAPP/blob/main/scripts/artifacts/biomeTextinputses.py https://github.com/abrignoni/iLEAPP/blob/main/scripts/artifacts/biomeUseractmeta.py https://github.com/abrignoni/iLEAPP/blob/main/scripts/artifacts/biomeWifi.py </ul> </li> <li> /db/dhcpd_leases* <ul> <li>iLEAPP DHCP Plugin</li> https://github.com/abrignoni/iLEAPP/blob/main/scripts/artifacts/dhcphp.py </ul> </li> <li> /db/dhcpclient/ <ul> <li>MAC Apt Networking Plugin</li> https://github.com/ydkhatri/mac_apt/wiki/NETWORKING <li>Cellebrite CTF 2020: Juan Mortyme</li> https://ciofecaforensics.com/2020/10/30/cellebrite-ctf-juan/ <li>Apple TV Forensics 03: Analysis</li> https://blog.elcomsoft.com/2019/09/apple-tv-forensics-03-analysis/ <li>Checkra1n Era - Ep 4 - Analyzing extractions "Before First Unlock"</li> https://blog.digital-forensics.it/2019/12/checkra1n-era-ep-4-analyzing.html <li>iLEAPP DHCP Plugin</li> https://github.com/abrignoni/iLEAPP/blob/main/scripts/artifacts/dhcpl.py </ul> </li> <li> /db/diagnostics/ <ul> <li>Apple Unified Logging and Activity Tracing formats</li> https://github.com/libyal/dtformats/blob/main/documentation/Apple%20Unified%20Logging%20and%20Activity%20Tracing%20formats.asciidoc <li>Browsing the unified log in difficult circumstances</li> https://eclecticlight.co/2017/09/25/browsing-the-unified-log-in-difficult-circumstances/ <li>Reviewing macOS Unified Logs</li> https://www.mandiant.com/resources/blog/reviewing-macos-unified-logs <li>Finding Waldo: Leveraging the Apple Unified Log for Incident Response</li> https://www.crowdstrike.com/blog/how-to-leverage-apple-unified-log-for-incident-response/ https://objectivebythesea.org/v3/talks/OBTS_v3_jMusunuri_eMartin.pdf <li>Unified Log Reader</li> https://github.com/ydkhatri/UnifiedLogReader <li>Upgrade From NULL—Detecting iOS Wipe Artifacts</li> https://dfir.pubpub.org/pub/6i7d593n/release/1 <li>Logs Unite! - Forensic Analysis of Apple Unified Logs</li> https://github.com/mac4n6/Presentations/blob/master/Logs%20Unite!%20-%20Forensic%20Analysis%20of%20Apple%20Unified%20Logs/LogsUnite.pdf <li>Introducing 'Analysis of Apple Unified Logs: Quarantine Edition' [Entry 0]</li> https://www.mac4n6.com/blog/2020/4/19/introducing-analysis-of-apple-unified-logs-quarantine-edition-entry-0 </ul> </li> </ul> </div> <h2 style="text-align: left;">"/installd/" folder</h2> <div> <ul> <li> /installd/Library/Logs/MobileInstallation/mobile_installation.log.* <ul> <li>CyberDefenders - Jailbreak CTF</li> https://www.netscylla.com/blog/2022/06/09/Cyberdefenders-Jailbreak-CTF.html <li>iOS Mobile Installation Logs</li> https://dfir.pubpub.org/pub/e5xlbw88/release/2 <li>iOS Mobile Installation Logs</li> https://dfrws.org/wp-content/uploads/2019/10/2019_review-ios_mobile_installation_logs.pdf <li>iOS Mobile Installation Logs Parser</li> https://abrignoni.blogspot.com/2019/01/ios-mobile-installation-logs-parser.html <li>Checkra1n Era - Ep 4 - Analyzing extractions "Before First Unlock"</li> https://blog.digital-forensics.it/2019/12/checkra1n-era-ep-4-analyzing.html <li>Using Apple “Bug Reporting” for forensic purposes</li> https://for585.com/sysdiagnose <li>Apple TV Forensics 03: Analysis</li> https://blog.elcomsoft.com/2019/09/apple-tv-forensics-03-analysis/ <li>iLEAPP Mobile Installation Log Plugin</li> https://github.com/abrignoni/iLEAPP/blob/main/scripts/artifacts/mobileInstall.py </ul> </li> <li> /installd/Library/Logs/MobileInstallation/LastBuildInfo.plist <ul> <li>iOS Analysis Test No. 21-5551 Summary Report</li> https://cts-forensics.com/reports/21-5551_Web.pdf <li>Checkra1n Era - Ep 4 - Analyzing extractions "Before First Unlock"</li> https://blog.digital-forensics.it/2019/12/checkra1n-era-ep-4-analyzing.html <li>Cellebrite CTF 2020: Ruth Langmore</li> https://ciofecaforensics.com/2020/11/02/cellebrite-ctf-ruth/ <li>iLEAPP Last Build Info Plugin</li> https://github.com/abrignoni/iLEAPP/blob/main/scripts/artifacts/lastBuild.py </ul> </li> <li> /installd/Library/Logs/MobileInstallation/MigrationInfo.plist <ul> <li>Local Photo Library Photos.sqlite Query Documentation & Notable Artifacts</li> https://theforensicscooter.com/2022/05/02/photos-sqlite-query-documentation-notable-artifacts/ </ul> </li> <li> /installd/Library/Logs/MobileInstallation/RoleUserMigration.plist <ul> <li>Local Photo Library Photos.sqlite Query Documentation & Notable Artifacts</li> https://theforensicscooter.com/2022/05/02/photos-sqlite-query-documentation-notable-artifacts/ </ul> </li> </ul> </div> <h2 style="text-align: left;">"/logs/" folder</h2> <div> <ul> <li> /logs/lockdownd.log <ul> <li>So Long Lockdown!</li> http://www.doubleblak.com/m/blogPosts.php?id=9 <li>KnowledgeC (and Friends)</li> http://www.doubleblak.com/m/blogPosts.php?id=2 <li>Cellebrite CTF 2021 - Beth's iPhone</li> https://www.stark4n6.com/2021/10/cellebrite-ctf-2021-beths-iphone.html <li>Checkra1n Era - Ep 4 - Analyzing extractions "Before First Unlock"</li> https://blog.digital-forensics.it/2019/12/checkra1n-era-ep-4-analyzing.html </ul> </li> <li> /logs/usermanagerd.log.* </li> <li> /logs/wifimanager.log </li> </ul> </div> <h2 style="text-align: left;">"/mobile/Containers/" folder</h2> <div> <ul> <li> /mobile/Containers/Data/Application/"Apple Safari GUID"/Library/Caches/com.apple.mobilesafari/Cache.db <ul> <li>Getting Started with iOS Forensics</li> https://www.systoolsgroup.com/forensics/sqlite/ios.html <li>Practical Mobile Forensics - Fourth Edition</li> https://www.packtpub.com/product/practical-mobile-forensics-fourth-edition/9781838647520 <li>iOS Forensics for Investigators</li> https://www.packtpub.com/product/ios-forensics-for-investigators/9781803234083 </ul> </li> <li> /mobile/Containers/Data/Application/<Apple Safari GUID>/Library/Caches/com.apple.WebAppCache/ApplicationCache.db <ul> <li>Practical Mobile Forensics - Fourth Edition</li> https://www.packtpub.com/product/practical-mobile-forensics-fourth-edition/9781838647520 </ul> </li> <li> /mobile/Containers/Data/Application/<Apple Safari GUID>/Library/Cookies/Cookies.binarycookies <ul> <li>Practical Mobile Forensics - Fourth Edition</li> https://www.packtpub.com/product/practical-mobile-forensics-fourth-edition/9781838647520 <li>iOS Forensics for Investigators</li> https://www.packtpub.com/product/ios-forensics-for-investigators/9781803234083 </ul> </li> <li> /mobile/Containers/Data/Application/"Apple Safari GUID"/Library/ImageCache/Favicons/Favicon.db <ul> <li>Favicons</li> https://www.doubleblak.com/m/blogPosts.php?id=13 <li>iLEAPP Favicon Plugin</li> https://github.com/abrignoni/iLEAPP/blob/main/scripts/artifacts/safariFavicons.py </ul> </li> <li> /mobile/Containers/Data/Application/"Apple Safari GUID"/Library/Preferences/com.apple.mobilesafari.plist <ul> <li>iOS 14 - First Thoughts and Analysis</li> https://blog.d204n6.com/2020/09/ios-14-first-thoughts-and-analysis.html <li>iLEAPP Recent Web Searches Safari Plugin</li> https://github.com/abrignoni/iLEAPP/blob/main/scripts/artifacts/safariRecentWebSearches.py <li>Practical Mobile Forensics - Fourth Edition</li> https://www.packtpub.com/product/practical-mobile-forensics-fourth-edition/9781838647520 </ul> </li> <li> /mobile/Containers/Data/Application/"Apple Safari GUID"/Library/Safari/Downloads/Downloads.plist <ul> <li>iOS / macOS - Tracking Downloads from Safari Without Downloads</li> https://blog.d204n6.com/2021/05/ios-macos-tracking-downloads-from.html <li>Safari and iPhone Internet History Parser</li> http://az4n6.blogspot.com/2014/07/safari-and-iphone-internet-history.html </ul> </li> <li> /mobile/Containers/Data/Application/"Apple Safari GUID"/Library/Safari/Thumbnails/ <ul> <li>Practical Mobile Forensics - Fourth Edition</li> https://www.packtpub.com/product/practical-mobile-forensics-fourth-edition/9781838647520 <li>iOS Forensics for Investigators</li> https://www.packtpub.com/product/ios-forensics-for-investigators/9781803234083 </ul> </li> <li> /mobile/Containers/Data/Application/"Apple Safari GUID"/Library/WebKit/WebsiteData/LocalStorage/ <ul> <li>Mobile Cyber Forensic Investigations of Web3 Wallets on Android and iOS</li> https://www.mdpi.com/2076-3417/12/21/11180 <li>iOS Analysis Test No. 22-5551 Summary Report</li> https://cts-forensics.com/reports/22-5551_Web.pdf </ul> </li> <li> /mobile/Containers/Data/Application/"Apple Maps GUID"/Library/Maps/GeoHistory.mapsdata <ul> <li>Just Call Me Buffy the Proto Slayer – An Initial Look into Protobuf Data in Mac and iOS Forensics</li> http://www.mac4n6.com/blog/2019/9/27/just-call-me-buffy-the-proto-slayer-an-initial-look-into-protobuf-data-in-mac-and-ios-forensics <li>ROTTEN TO THE CORE? NAH, IOS14 IS MOSTLY SWEET</li> https://smarterforensics.com/2020/09/rotten-to-the-core-nah-ios14-is-mostly-sweet/ <li>HOW THE GRINCH STOLE APPLE MAPS ARTIFACTS… OR DID HE JUST HIDE THEM?</li> https://smarterforensics.com/2016/12/how-the-grinch-stole-apple-maps-artifacts-or-did-he-just-hide-them/ <li>FIRST THE GRINCH AND NOW THE EASTER BUNNY! WHERE IS APPLE MAPS HIDING?</li> https://smarterforensics.com/2018/03/first-the-grinch-and-now-the-easter-bunny-where-is-apple-maps-hiding/ <li>…WON’T YOU BACK THAT THING UP: A GLIMPSE OF IOS 13 ARTIFACTS</li> https://smarterforensics.com/2019/09/wont-you-back-that-thing-up-a-glimpse-of-ios-13-artifacts/ <li>Find Me If You Can: Mobile GPS Mapping Applications Forensic Analysis & SNAVP the Open Source, Modular, Extensible Parser Analysis & SNAVP the Open Source, Modular, Extensible Parser</li> https://commons.erau.edu/cgi/viewcontent.cgi?article=1414&context=jdfsl <li>iOS Analysis Test No. 20-5551 Summary Report</li> https://cts-forensics.com/reports/20-5551_Web.pdf <li>iOS Analysis Test No. 21-5551 Summary Report</li> https://cts-forensics.com/reports/21-5551_Web.pdf <li>iOS Analysis Test No. 22-5551 Summary Report</li> https://cts-forensics.com/reports/22-5551_Web.pdf <li>iOS Forensics: HFS+ file system, partitions and relevant evidences</li> https://andreafortuna.org/2020/08/31/ios-forensics-hfs-file-system-partitions-and-relevant-evidences/ <li>Practical Mobile Forensics - Fourth Edition</li> https://www.packtpub.com/product/practical-mobile-forensics-fourth-edition/9781838647520 </ul> </li> <li> /mobile/Containers/Data/Application/"Apple Maps GUID"/Library/Preferences/com.apple.Maps.plist <ul> <li>HOW THE GRINCH STOLE APPLE MAPS ARTIFACTS… OR DID HE JUST HIDE THEM?</li> https://smarterforensics.com/2016/12/how-the-grinch-stole-apple-maps-artifacts-or-did-he-just-hide-them/ <li>FIRST THE GRINCH AND NOW THE EASTER BUNNY! WHERE IS APPLE MAPS HIDING?</li> https://smarterforensics.com/2018/03/first-the-grinch-and-now-the-easter-bunny-where-is-apple-maps-hiding/ <li>…WON’T YOU BACK THAT THING UP: A GLIMPSE OF IOS 13 ARTIFACTS</li> https://smarterforensics.com/2019/09/wont-you-back-that-thing-up-a-glimpse-of-ios-13-artifacts/ <li>iOS Forensics: BFU (Before First Unlock) acquisition, using checkra1n</li> https://andreafortuna.org/2020/01/10/ios-forensics-bfu-before-first-unlock-acquisition-using-checkra1n/ <li>iOS Forensics: HFS+ file system, partitions and relevant evidences</li> https://andreafortuna.org/2020/08/31/ios-forensics-hfs-file-system-partitions-and-relevant-evidences/ <li>Practical Mobile Forensics - Fourth Edition</li> https://www.packtpub.com/product/practical-mobile-forensics-fourth-edition/9781838647520 </ul> </li> <li> /mobile/Containers/Shared/AppGroup/"Apple Maps GUID"/Maps/MapsSync_0.0.1 <ul> <li>What Apple Maps Activity Can be Found Using a Logical Extraction</li> https://lordtemplar1.wordpress.com/2022/05/08/what-apple-maps-activity-can-be-found-using-a-logical-extraction/ <li>iOS14 Maps History BLOB Script</li> http://cheeky4n6monkey.blogspot.com/2020/11/ios14-maps-history-blob-script.html https://github.com/cheeky4n6monkey/4n6-scripts/blob/master/iOS/ios14_maps_history.py <li>ROTTEN TO THE CORE? NAH, IOS14 IS MOSTLY SWEET</li> https://smarterforensics.com/2020/09/rotten-to-the-core-nah-ios14-is-mostly-sweet/ <li>iLEAPP Maps Sync Plugin</li> https://github.com/abrignoni/iLEAPP/blob/main/scripts/artifacts/mapsSync.py </ul> </li> </ul> </div> <h2 style="text-align: left;">"/mobile/Library/" folder</h2> <div> <ul> <li> /mobile/Library/Accounts/Accounts3.sqlite <ul> <li>iOS Analysis Test No. 19-5551 Summary Report</li> https://cts-forensics.com/reports/19-5551_Web.pdf <li>iOS Analysis Test No. 20-5551 Summary Report</li> https://cts-forensics.com/reports/20-5551_Web.pdf <li>iOS Analysis Test No. 21-5551 Summary Report</li> https://cts-forensics.com/reports/21-5551_Web.pdf <li>iOS Analysis Test No. 22-5551 Summary Report</li> https://cts-forensics.com/reports/22-5551_Web.pdf <li>Checkra1n Era - Ep 4 - Analyzing extractions "Before First Unlock"</li> https://blog.digital-forensics.it/2019/12/checkra1n-era-ep-4-analyzing.html <li>iOS - Tracking Device Migration</li> https://blog.d204n6.com/2021/06/ios-tracking-device-migration.html <li>iOS Forensics: BFU (Before First Unlock) acquisition, using checkra1n</li> https://andreafortuna.org/2020/01/10/ios-forensics-bfu-before-first-unlock-acquisition-using-checkra1n/ <li>Cellebrite CTF 2022 - Beth's iPhone</li> https://www.stark4n6.com/2022/06/cellebrite-ctf-2022-beths-iphone.html <li>Magnet Forensics Virtual Summit 2023 CTF – iOS</li> https://www.forgottennook.com/blog/magnet-ios-2023 <li>Case Study: Forensic Analysis of TikTok on iOS</li> https://dfir.pubpub.org/pub/h6vyh33u/release/1 <li>iLEAPP Accounts Plugin</li> https://github.com/abrignoni/iLEAPP/blob/main/scripts/artifacts/accs.py <li>Accounts3.sqlite query</li> https://github.com/kacos2000/Queries/blob/master/Accounts3_sqlite.sql <li>iOS Forensics for Investigators</li> https://www.packtpub.com/product/ios-forensics-for-investigators/9781803234083 </ul> </li> <li> /mobile/Library/AddressBook/AddressBook.sqlitedb <ul> <li>Getting Started with iOS Forensics</li> https://www.systoolsgroup.com/forensics/sqlite/ios.html <li>Identification and analysis of email and contacts artefacts on iOS and OS X</li> https://researchonline.gcu.ac.uk/ws/portalfiles/portal/24600592/K.Ovens_PID4325955.pdf <li>TIME IS NOT ON OUR SIDE WHEN IT COMES TO MESSAGES IN IOS 11</li> https://smarterforensics.com/2017/09/time-is-not-on-our-side-when-it-comes-to-messages-in-ios-11/ <li>…WON’T YOU BACK THAT THING UP: A GLIMPSE OF IOS 13 ARTIFACTS</li> https://smarterforensics.com/2019/09/wont-you-back-that-thing-up-a-glimpse-of-ios-13-artifacts/ <li>ROTTEN TO THE CORE? NAH, IOS14 IS MOSTLY SWEET</li> https://smarterforensics.com/2020/09/rotten-to-the-core-nah-ios14-is-mostly-sweet/ <li>How To Identify When an IPhone or iPad was Factory Reset</li> https://athenaforensics.co.uk/how-to-identify-when-an-iphone-or-ipad-was-factory-reset/ <li>A Digital Forensic Analysis on the iCloud® and its Synchronization to Apple® Devices</li> https://www.marshall.edu/forensics/files/FRIEDMANRACHEL-Research-Paper-08242012.pdf <li>Upgrade From NULL—Detecting iOS Wipe Artifacts</li> https://dfir.pubpub.org/pub/6i7d593n/release/1 <li>iOS Analysis Test No. 18-5551 Summary Report</li> https://cts-forensics.com/reports/38551_Web.pdf <li>iOS Analysis Test No. 19-5551 Summary Report</li> https://cts-forensics.com/reports/19-5551_Web.pdf <li>iOS Analysis Test No. 20-5551 Summary Report</li> https://cts-forensics.com/reports/20-5551_Web.pdf <li>iOS Analysis Test No. 21-5551 Summary Report</li> https://cts-forensics.com/reports/21-5551_Web.pdf <li>iOS Analysis Test No. 22-5551 Summary Report</li> https://cts-forensics.com/reports/22-5551_Web.pdf <li>AddressBook.sqlitedb query</li> https://github.com/kacos2000/Queries/blob/master/AddressBook_sqlite.sql <li>iPhone Artifacts - Champlain College</li> https://www.champlain.edu/Documents/LCDI/iPhone%20Artifacts.pdf <li>iLEAPP Address Book Plugin</li> https://github.com/abrignoni/iLEAPP/blob/main/scripts/artifacts/addressBook.py <li>Practical Mobile Forensics - Fourth Edition</li> https://www.packtpub.com/product/practical-mobile-forensics-fourth-edition/9781838647520 <li>iOS Forensics for Investigators</li> https://www.packtpub.com/product/ios-forensics-for-investigators/9781803234083 </ul> </li> <li> /mobile/Library/AddressBook/AddressBookImages.sqlitedb <ul> <li>Identification and analysis of email and contacts artefacts on iOS and OS X</li> https://researchonline.gcu.ac.uk/ws/portalfiles/portal/24600592/K.Ovens_PID4325955.pdf <li>IOS 13 – SUMMARY FOR THOSE OF YOU WHO ENJOY THE CLIFFSNOTES</li> https://smarterforensics.com/2019/09/ios-13-summary-for-those-of-you-who-enjoy-the-cliffsnotes/ <li>AddressBookImages.sqlitedb query</li> https://github.com/kacos2000/Queries/blob/master/AddressBookImages_sqlite.sql <li>Practical Mobile Forensics - Fourth Edition</li> https://www.packtpub.com/product/practical-mobile-forensics-fourth-edition/9781838647520 </ul> </li> <li> /mobile/Library/AggregatedDictionary/ADDataStore.sqlitedb <ul> <li>Pincodes, Passcodes, & TouchID on iOS - An Introduction to the Aggregate Dictionary Database (ADDataStore.sqlite)</li> https://www.mac4n6.com/blog/2017/3/12/introduction-to-the-aggregate-dictionary-database-addatastoresqlite <li>On the Fifth Day of APOLLO, My True Love Gave to Me – A Stocking Full of Random Junk, Some of Which Might be Useful!</li> https://www.mac4n6.com/blog/2018/12/18/on-the-fifth-day-of-apollo-my-true-love-gave-to-me-a-stocking-full-of-random-junk-some-of-which-might-be-useful <li>FROM APPLE SEEDS TO APPLE PIE</li> https://objectivebythesea.org/v1/talks/OBTS_v1_Edwards.pdf <li>Checkra1n Era - Ep 4 - Analyzing extractions "Before First Unlock"</li> https://blog.digital-forensics.it/2019/12/checkra1n-era-ep-4-analyzing.html <li>iOS Forensics: BFU (Before First Unlock) acquisition, using checkra1n</li> https://andreafortuna.org/2020/01/10/ios-forensics-bfu-before-first-unlock-acquisition-using-checkra1n/ <li>Forensics Tools: Stop Miscalculating iOS Usage Analytics!</li> https://www.zdziarski.com/blog/?p=2686 <li>SANS 2022 DFIR Summit Queries</li> https://for585.com/dfirsummit22 <li>APOLLO ADDataStore Modules</li> https://github.com/mac4n6/APOLLO/blob/master/modules/aggregate_dictionary_scalars.txt https://github.com/mac4n6/APOLLO/blob/master/modules/aggregate_dictionary_distributed_keys.txt </ul> </li> <li> /mobile/Library/AppConduit/AvailableApps.plist <ul> <li>Checkra1n Era - Ep 4 - Analyzing extractions "Before First Unlock"</li> https://blog.digital-forensics.it/2019/12/checkra1n-era-ep-4-analyzing.html </ul> </li> <li> /mobile/Library/AppConduit/AvailableCompanionApps.plist <ul> <li>Checkra1n Era - Ep 4 - Analyzing extractions "Before First Unlock"</li> https://blog.digital-forensics.it/2019/12/checkra1n-era-ep-4-analyzing.html </ul> </li> <li> /mobile/Library/Application Support/com.apple.remotemanagmentd/RMAdminStore-Cloud.sqlite /mobile/Library/Application Support/com.apple.remotemanagmentd/RMAdminStore-Local.sqlite <ul> <li>Checkra1n Era - Ep 4 - Analyzing extractions "Before First Unlock"</li> https://blog.digital-forensics.it/2019/12/checkra1n-era-ep-4-analyzing.html <li>ScreenTimeController</li> https://github.com/Evian-Zhang/ScreenTimeController/blob/master/README.md <li>Data Quality and Quantity – How to Get the Best of Both Worlds, Part 2 – Examining Screen Time Artifacts</li> https://cellebrite.com/en/data-quality-and-quantity-how-to-get-the-best-of-both-worlds-part-2-examining-screen-time-artifacts/ <li>A Look Into Apple’s Screen Time Feature and What Insights It Lends To Digital Intelligence</li> https://cellebrite.com/en/a-look-into-apples-screen-time-feature-and-what-insights-it-lends-to-digital-intelligence/ <li>iOS Screentine And Android Digital Wellbeing Apps</li> https://www.forensicfocus.com/webinars/ios-screentine-and-android-digital-wellbeing-apps/ <li>Getting Evidence from iOS Screen Time Artifacts</li> https://www.magnetforensics.com/blog/getting-evidence-from-ios-screen-time-artifacts/ <li>Plaso iOS SceenTime Parser</li> https://plaso.readthedocs.io/en/latest/_modules/plaso/parsers/sqlite_plugins/ios_screentime.html <li>A Look Into Apple’s Screen Time Feature and What Insights It Lends To Forensics</li> https://www.goldencelle.com/post/a-look-into-apple-s-screen-time-feature-and-what-insights-it-lends-to-forensics <li>Cellebrite CTF 2020: Ruth Langmore</li> https://ciofecaforensics.com/2020/11/02/cellebrite-ctf-ruth/ <li>Magnet Forensics Virtual Summit 2023 CTF – iOS</li> https://www.forgottennook.com/blog/magnet-ios-2023 <li>Magnet 2022 CTF – iOS15</li> https://bakerstreetforensics.com/2022/07/28/magnet-2022-ctf-ios15/ <li>MAC Apt SceenTime Plugin</li> https://github.com/ydkhatri/mac_apt/blob/master/plugins/screentime.py <li>APOLLO ScreenTime Modules</li> https://github.com/mac4n6/APOLLO/blob/master/modules/screentime_timed_items.txt https://github.com/mac4n6/APOLLO/blob/master/modules/screentime_counted_items.txt https://github.com/mac4n6/APOLLO/blob/master/modules/screentime_by_hour.txt https://github.com/mac4n6/APOLLO/blob/master/modules/screentime_by_category.txt </ul> </li> <li> /mobile/Library/ApplicationSync/AssetSortOrder.plist <ul> <li>Checkra1n Era - Ep 4 - Analyzing extractions "Before First Unlock"</li> https://blog.digital-forensics.it/2019/12/checkra1n-era-ep-4-analyzing.html </ul> </li> <li> /mobile/Library/Assistant/SiriAnalytics.db <ul> <li>Sysdiagnose in iOS 16: a first look from a Digital Forensics perspective</li> https://blog.digital-forensics.it/2022/11/sysdiagnose-in-ios-16-first-look-from.html </ul> </li> <li> /mobile/Library/Biome/ <ul> <li>Analyzing iOS Biome AppIntent Files</li> https://bluecrewforensics.com/2022/03/07/ios-app-intents/ <li>iOS 16 - Now You 'C' It, Now You Don't -- Breaking Down The Biomes Part 1</li> https://blog.d204n6.com/2022/09/ios-16-now-you-c-it-now-you-dont.html <li>iOS 16 Breaking Down the Biomes Part 2 - AppInstalls, AppLaunch, & AppIntents</li> https://blog.d204n6.com/2022/09/ios-16-breaking-down-biomes-part-2.html <li>iOS 16 - Breaking Down the Biomes (Part 3) - Keeping up with CarPlay</li> https://blog.d204n6.com/2022/09/ios-16-breaking-down-biomes-part-3.html <li>iOS 16 - Breaking Down the Biomes (Part 4) - Surfin' with Safari</li> https://blog.d204n6.com/2022/09/ios-16-breaking-down-biomes-part-4.html <li>iOS 16 - Breaking Down the Biomes Part 5 -- "Hey Siri, find me some more data..."</li> https://blog.d204n6.com/2022/09/ios-16-breaking-down-biomes-part-5-hey.html <li>Bringing it Back With Biome Data</li> https://www.magnetforensics.com/blog/bringing-it-back-with-biome-data/ <li>An Alternate Location for Deleted SMS/iMessage Data in Apple Devices</li> https://sqlmcgee.wordpress.com/2022/03/28/an-alternate-location-for-deleted-sms-imessage-data-in-apple-devices-2/ https://dfir.pubpub.org/pub/yp6efc8q/release/1 <li>Lagging for the Win: Querying for Negative Evidence in the sms.db</li> https://belkasoft.com/lagging-for-win <li>The Meaning of Messages</li> https://www.magnetforensics.com/blog/the-meaning-of-messages/ <li>Magnet Forensics Virtual Summit 2023 CTF – iOS</li> https://www.forgottennook.com/blog/magnet-ios-2023 <li>Magnet Virtual Summit 2023 CTF - iOS 16 iPhone</li> https://www.stark4n6.com/2023/03/magnet-virtual-summit-2023-ctf-ios-16.html <li>iLEAPP Biome Plugins</li> https://github.com/abrignoni/iLEAPP/blob/main/scripts/artifacts/biomeAppinstall.py https://github.com/abrignoni/iLEAPP/blob/main/scripts/artifacts/biomeBacklight.py https://github.com/abrignoni/iLEAPP/blob/main/scripts/artifacts/biomeBattperc.py https://github.com/abrignoni/iLEAPP/blob/main/scripts/artifacts/biomeBluetooth.py https://github.com/abrignoni/iLEAPP/blob/main/scripts/artifacts/biomeCarplayisconnected.py https://github.com/abrignoni/iLEAPP/blob/main/scripts/artifacts/biomeDevplugin.py https://github.com/abrignoni/iLEAPP/blob/main/scripts/artifacts/biomeHardware.py https://github.com/abrignoni/iLEAPP/blob/main/scripts/artifacts/biomeInfocus.py https://github.com/abrignoni/iLEAPP/blob/main/scripts/artifacts/biomeIntents.py https://github.com/abrignoni/iLEAPP/blob/main/scripts/artifacts/biomeLocationactivity.py https://github.com/abrignoni/iLEAPP/blob/main/scripts/artifacts/biomeNotes.py https://github.com/abrignoni/iLEAPP/blob/main/scripts/artifacts/biomeNotificationsPub.py https://github.com/abrignoni/iLEAPP/blob/main/scripts/artifacts/biomeNowplaying.py https://github.com/abrignoni/iLEAPP/blob/main/scripts/artifacts/biomeSafari.py https://github.com/abrignoni/iLEAPP/blob/main/scripts/artifacts/biomeSync.py https://github.com/abrignoni/iLEAPP/blob/main/scripts/artifacts/biomeTextinputses.py https://github.com/abrignoni/iLEAPP/blob/main/scripts/artifacts/biomeUseractmeta.py https://github.com/abrignoni/iLEAPP/blob/main/scripts/artifacts/biomeWifi.py </ul> </li> <li> /mobile/Library/BulletinBoard/ClearedSections.plist <ul> <li>Artifacts of an IOS device</li> https://infosecaddicts.com/artifacts-ios-device/ <li>iOS Forensics: HFS+ file system, partitions and relevant evidences</li> https://andreafortuna.org/2020/08/31/ios-forensics-hfs-file-system-partitions-and-relevant-evidences/ </ul> </li> <li> /mobile/Library/Caches/com.apple.Pasteboard/* </li> <li> /mobile/Library/Caches/com.apple.findmy.fmipcore/ <ul> <li>Stored AirTag (and Other) Aritfacts</li> https://blog.d204n6.com/2022/04/airtag-youre-it.html <li>AirTags within iOS File Systems</li> https://medium.com/@Appalachian4n6/airtags-within-ios-file-systems-279dc783b69f <li>iLEAPP AirTags Plugin</li> https://github.com/abrignoni/iLEAPP/blob/main/scripts/artifacts/airtags.py </ul> </li> <li> /mobile/Library/Caches/com.apple.routined/Cache.sqlite <ul> <li>Locations, Locations, Locations</li> https://doubleblak.com/blogPosts.php?id=14 https://doubleblak.com/BlogArticles/14/PDF2.pdf <li>On the Tenth Day of APOLLO, My True Love Gave to Me – An Oddly Detailed Map of My Recent Travels – iOS Location Analysis</li> http://www.mac4n6.com/blog/2018/12/23/on-the-tenth-day-of-apollo-my-true-love-gave-to-me-an-oddly-detailed-map-of-my-recent-travels-ios-location-analysis <li>FROM APPLE SEEDS TO APPLE PIE</li> https://objectivebythesea.org/v1/talks/OBTS_v1_Edwards.pdf <li>iOS Location Artifacts Explained</li> https://cellebrite.com/en/ios-location-artifacts-explained/ <li>Location Data on iOS and Android Devices</li> https://cellebrite.com/en/episode-15-ibeg-to-dfir-location-data-on-ios-and-android-devices/ <li>Apple Probably Knows What You Did Last Summer</li> https://blog.elcomsoft.com/2018/06/apple-probably-knows-what-you-did-last-summer/ <li>UAV Forensics: DJI Mini 2 Case Study</li> https://www.researchgate.net/publication/352058134_UAV_Forensics_DJI_Mini_2_Case_Study <li>Magnet User Summit 2022 CTF - iPhone</li> https://www.stark4n6.com/2022/06/magnet-user-summit-2022-ctf-iphone.html <li>Building a Pattern of Life - Leveraging Location and Health Data</li> https://www.youtube.com/watch?v=eU7THDwFkiM <li>SANS 2022 DFIR Summit Queries</li> https://for585.com/dfirsummit22 <li>iPhone Device Speeds via Cache.sqlite > ZRTCLLOCATIONMO table</li> https://theforensicscooter.com/2021/09/22/iphone-device-speeds-in-cache-sqlite-zrtcllocationmo/ <li>Vehicle and iPhone Speed Comparison</li> https://theforensicscooter.com/2022/07/01/vehicle-and-iphone-speed-comparison/ <li>Cache.sqlite query</li> https://github.com/ScottKjr3347/iOS_Cache.sqlite_Queries <li>APOLLO iOS Routined Cache Modules</li> https://github.com/mac4n6/APOLLO/blob/master/modules/routined_cache_zrtcllocationmo.txt https://github.com/mac4n6/APOLLO/blob/master/modules/routined_cache_zrthintmo.txt https://github.com/mac4n6/APOLLO/blob/master/modules/routined_cache_zrvisitmo.txt <li>iOS Forensics for Investigators</li> https://www.packtpub.com/product/ios-forensics-for-investigators/9781803234083 </ul> </li> <li> /mobile/Library/Caches/com.apple.routined/Cloud.sqlite /mobile/Library/Caches/com.apple.routined/Cloud-V2.sqlite <ul> <li>Locations, Locations, Locations</li> https://doubleblak.com/blogPosts.php?id=14 https://doubleblak.com/BlogArticles/14/PDF2.pdf <li>On the Tenth Day of APOLLO, My True Love Gave to Me – An Oddly Detailed Map of My Recent Travels – iOS Location Analysis</li> http://www.mac4n6.com/blog/2018/12/23/on-the-tenth-day-of-apollo-my-true-love-gave-to-me-an-oddly-detailed-map-of-my-recent-travels-ios-location-analysis <li>FROM APPLE SEEDS TO APPLE PIE</li> https://objectivebythesea.org/v1/talks/OBTS_v1_Edwards.pdf <li>iOS Location Artifacts Explained</li> https://cellebrite.com/en/ios-location-artifacts-explained/ <li>Location Data on iOS and Android Devices</li> https://cellebrite.com/en/episode-15-ibeg-to-dfir-location-data-on-ios-and-android-devices/ <li>Cellebrite CTF 2021 - Beth's iPhone</li> https://www.stark4n6.com/2021/10/cellebrite-ctf-2021-beths-iphone.html <li>Apple Probably Knows What You Did Last Summer</li> https://blog.elcomsoft.com/2018/06/apple-probably-knows-what-you-did-last-summer/ <li>Smartphone Privacy: How Your Smartphone Tracks Your Entire Life</li> https://conference.hitb.org/hitbsecconf2018pek/materials/D2T2%20-%20How%20Your%20Smartphone%20Tracks%20Your%20Entire%20Life%20-%20Vladimir%20Katalov.pdf <li>Building a Pattern of Life - Leveraging Location and Health Data</li> https://www.youtube.com/watch?v=eU7THDwFkiM <li>SANS 2022 DFIR Summit Queries</li> https://for585.com/dfirsummit22 <li>APOLLO iOS Routined Cloud Modules</li> https://github.com/mac4n6/APOLLO/blob/master/modules/routined_cloud_visit_entry.txt https://github.com/mac4n6/APOLLO/blob/master/modules/routined_cloud_visit_exit.txt https://github.com/mac4n6/APOLLO/blob/master/modules/routined_cloud_visit_inbound_start.txt https://github.com/mac4n6/APOLLO/blob/master/modules/routined_cloud_visit_inbound_stop.txt https://github.com/mac4n6/APOLLO/blob/master/modules/routined_cloud_visit_outbound_start.txt https://github.com/mac4n6/APOLLO/blob/master/modules/routined_cloud_visit_outbound_stop.txt https://github.com/mac4n6/APOLLO/blob/master/modules/routined_cloud_address.txt https://github.com/mac4n6/APOLLO/blob/master/modules/routined_cloud_mapitem.txt <li>iOS Forensics for Investigators</li> https://www.packtpub.com/product/ios-forensics-for-investigators/9781803234083 </ul> </li> <li> /mobile/Library/Caches/com.apple.routined/Local.sqlite <ul> <li>Locations, Locations, Locations</li> https://doubleblak.com/blogPosts.php?id=14 https://doubleblak.com/BlogArticles/14/PDF2.pdf <li>On the Tenth Day of APOLLO, My True Love Gave to Me – An Oddly Detailed Map of My Recent Travels – iOS Location Analysis</li> http://www.mac4n6.com/blog/2018/12/23/on-the-tenth-day-of-apollo-my-true-love-gave-to-me-an-oddly-detailed-map-of-my-recent-travels-ios-location-analysis <li>FROM APPLE SEEDS TO APPLE PIE</li> https://objectivebythesea.org/v1/talks/OBTS_v1_Edwards.pdf <li>iOS Location Artifacts Explained</li> https://cellebrite.com/en/ios-location-artifacts-explained/ <li>Location Data on iOS and Android Devices</li> https://cellebrite.com/en/episode-15-ibeg-to-dfir-location-data-on-ios-and-android-devices/ <li>Building a Pattern of Life - Leveraging Location and Health Data</li> https://www.youtube.com/watch?v=eU7THDwFkiM <li>SANS 2022 DFIR Summit Queries</li> https://for585.com/dfirsummit22 <li>Cellebrite CTF 2022 - Beth's iPhone</li> https://www.stark4n6.com/2022/06/cellebrite-ctf-2022-beths-iphone.html <li>Smartphone Privacy: How Your Smartphone Tracks Your Entire Life</li> https://conference.hitb.org/hitbsecconf2018pek/materials/D2T2%20-%20How%20Your%20Smartphone%20Tracks%20Your%20Entire%20Life%20-%20Vladimir%20Katalov.pdf <li>APOLLO iOS Routined Local Modules</li> https://github.com/mac4n6/APOLLO/blob/master/modules/routined_local_learned_location_of_interest_entry.txt https://github.com/mac4n6/APOLLO/blob/master/modules/routined_local_learned_location_of_interest_exit.txt https://github.com/mac4n6/APOLLO/blob/master/modules/routined_local_learned_location_of_interest_transition_start.txt https://github.com/mac4n6/APOLLO/blob/master/modules/routined_local_learned_location_of_interest_transition_stop.txt https://github.com/mac4n6/APOLLO/blob/master/modules/routined_local_vehicle_parked.txt https://github.com/mac4n6/APOLLO/blob/master/modules/routined_local_vehicle_parked_history.txt <li>iOS Forensics for Investigators</li> https://www.packtpub.com/product/ios-forensics-for-investigators/9781803234083 </ul> </li> <li> /mobile/Library/Calendar/Calendar.sqlitedb <ul> <li>Checkra1n Era - Ep 4 - Analyzing extractions "Before First Unlock"</li> https://blog.digital-forensics.it/2019/12/checkra1n-era-ep-4-analyzing.html <li>iOS Analysis Test No. 18-5551 Summary Report</li> https://cts-forensics.com/reports/38551_Web.pdf <li>iOS Analysis Test No. 20-5551 Summary Report</li> https://cts-forensics.com/reports/20-5551_Web.pdf <li>iOS Analysis Test No. 21-5551 Summary Report</li> https://cts-forensics.com/reports/21-5551_Web.pdf <li>iOS Analysis Test No. 22-5551 Summary Report</li> https://cts-forensics.com/reports/22-5551_Web.pdf <li>Magnet User Summit 2022 CTF - iPhone</li> https://www.stark4n6.com/2022/06/magnet-user-summit-2022-ctf-iphone.html <li>Calendar.sqlitedb query</li> https://github.com/kacos2000/queries/blob/master/calendar_sqlitedb.sql <li>iLEAPP Calendar Plugin</li> https://github.com/abrignoni/iLEAPP/blob/main/scripts/artifacts/calendarAll.py <li>Practical Mobile Forensics - Fourth Edition</li> https://www.packtpub.com/product/practical-mobile-forensics-fourth-edition/9781838647520 </ul> </li> <li> /mobile/Library/Calendar/Extras.db <ul> <li>Extras.db query</li> https://github.com/kacos2000/queries/blob/master/calendar_extras.sql </ul> </li> <li> /mobile/Library/CallHistoryDB/CallHistory.storedata <ul> <li>Missing SQLite Records Analysis</li> https://dfir.pubpub.org/pub/33vkc2ul/release/1 <li>A GLIMPSE OF IOS 10 FROM A SMARTPHONE FORENSIC PERSPECTIVE</li> https://smarterforensics.com/2016/09/a-glimpse-of-ios-10-from-a-smartphone-forensic-perspective/ <li>TIME IS NOT ON OUR SIDE WHEN IT COMES TO MESSAGES IN IOS 11</li> https://smarterforensics.com/2017/09/time-is-not-on-our-side-when-it-comes-to-messages-in-ios-11/ <li>…WON’T YOU BACK THAT THING UP: A GLIMPSE OF IOS 13 ARTIFACTS</li> https://smarterforensics.com/2019/09/wont-you-back-that-thing-up-a-glimpse-of-ios-13-artifacts/ <li>IOS 13 – SUMMARY FOR THOSE OF YOU WHO ENJOY THE CLIFFSNOTES</li> https://smarterforensics.com/2019/09/ios-13-summary-for-those-of-you-who-enjoy-the-cliffsnotes/ <li>ROTTEN TO THE CORE? NAH, IOS14 IS MOSTLY SWEET</li> https://smarterforensics.com/2020/09/rotten-to-the-core-nah-ios14-is-mostly-sweet/ <li>How To Identify When an IPhone or iPad was Factory Reset</li> https://athenaforensics.co.uk/how-to-identify-when-an-iphone-or-ipad-was-factory-reset/ <li>iOS 14 - First Thoughts and Analysis</li> https://blog.d204n6.com/2020/09/ios-14-first-thoughts-and-analysis.html <li>Cellebrite CTF 2022 - Marsha's iPhone</li> https://www.stark4n6.com/2022/06/cellebrite-ctf-2022-marshas-iphone.html <li>Mo’ SIMs, Mo’ Problems. Examining Phones with Dual SIMs.</li> https://thebinaryhick.blog/2022/12/06/mo-sims-mo-problems-examining-phones-with-dual-sims/ <li>iOS Analysis Test No. 18-5551 Summary Report</li> https://cts-forensics.com/reports/38551_Web.pdf <li>iOS Analysis Test No. 19-5551 Summary Report</li> https://cts-forensics.com/reports/19-5551_Web.pdf <li>iOS Analysis Test No. 20-5551 Summary Report</li> https://cts-forensics.com/reports/20-5551_Web.pdf <li>iOS Analysis Test No. 21-5551 Summary Report</li> https://cts-forensics.com/reports/21-5551_Web.pdf <li>iOS Analysis Test No. 22-5551 Summary Report</li> https://cts-forensics.com/reports/22-5551_Web.pdf <li>CallHistory Query</li> https://github.com/kacos2000/queries/blob/master/callhistory_storedata.sql <li>APOLLO CallHistory Module</li> https://github.com/mac4n6/APOLLO/blob/master/modules/call_history.txt <li>iLEAPP CallHistory Plugin</li> https://github.com/abrignoni/iLEAPP/blob/main/scripts/artifacts/callHistory.py <li>Practical Mobile Forensics - Fourth Edition</li> https://www.packtpub.com/product/practical-mobile-forensics-fourth-edition/9781838647520 <li>iOS Forensics for Investigators</li> https://www.packtpub.com/product/ios-forensics-for-investigators/9781803234083 </ul> </li> <li> /mobile/Library/CallHistoryDB/CallHistoryTemp.storedata <ul> <li>Checkra1n Era - Ep 4 - Analyzing extractions "Before First Unlock"</li> https://blog.digital-forensics.it/2019/12/checkra1n-era-ep-4-analyzing.html <li>…WON’T YOU BACK THAT THING UP: A GLIMPSE OF IOS 13 ARTIFACTS</li> https://smarterforensics.com/2019/09/wont-you-back-that-thing-up-a-glimpse-of-ios-13-artifacts/ <li>iOS Forensics for Investigators</li> https://www.packtpub.com/product/ios-forensics-for-investigators/9781803234083 </ul> </li> <li> /mobile/Library/CallHistoryTransactions/ </li> <li> /mobile/Library/com.apple.ClipServices.clipserviced/ClipData.db <ul> <li>iOS 14 - Tracking App Clips in iOS 14</li> https://blog.d204n6.com/2020/09/ios-14-tracking-app-clips-in-ios-14.html </ul> </li> <li> /mobile/Library/com.apple.itunesstored/itunesstored2.sqlitedb <ul> <li>Checkra1n Era - Ep 4 - Analyzing extractions "Before First Unlock"</li> https://blog.digital-forensics.it/2019/12/checkra1n-era-ep-4-analyzing.html <li>iOS Forensics: BFU (Before First Unlock) acquisition, using checkra1n</li> https://andreafortuna.org/2020/01/10/ios-forensics-bfu-before-first-unlock-acquisition-using-checkra1n/ <li>iOS Forensics: HFS+ file system, partitions and relevant evidences</li> https://andreafortuna.org/2020/08/31/ios-forensics-hfs-file-system-partitions-and-relevant-evidences/ </ul> </li> <li> /mobile/Library/com.apple.itunesstored/kvs.sqlitedb <ul> <li>Checkra1n Era - Ep 4 - Analyzing extractions "Before First Unlock"</li> https://blog.digital-forensics.it/2019/12/checkra1n-era-ep-4-analyzing.html </ul> </li> <li> /mobile/Library/CoreDuet/Knowledge/knowledgeC.db <ul> <li>Knowledge is Power! Using the macOS/iOS knowledgeC.db Database to Determine Precise User and Application Usage</li> http://www.mac4n6.com/blog/2018/8/5/knowledge-is-power-using-the-knowledgecdb-database-on-macos-and-ios-to-determine-precise-user-and-application-usage <li>Knowledge is Power II – A Day in the Life of My iPhone using knowledgeC.db</li> https://www.mac4n6.com/blog/2018/9/12/knowledge-is-power-ii-a-day-in-the-life-of-my-iphone-using-knowledgecdb <li>Extensive knowledgeC APOLLO Updates!</li> https://www.mac4n6.com/blog/2020/6/17/extensive-knowledgec-apollo-updates <li>Socially Distant but Still Interacting! New and Improved Updates to macOS/iOS CoreDuet interactionC.db APOLLO Modules</li> https://www.mac4n6.com/blog/2020/6/21/socially-distant-but-still-interacting-new-and-improved-updates-to-macosios-coreduet-interactioncdb-apollo-modules <li>Providing Context to iOS App Usage with knowledgeC.db and APOLLO</li> https://www.mac4n6.com/blog/2020/1/13/apollo-into-the-details-with-application-activities <li>On the Third Day of APOLLO, My True Love Gave to Me – Application Usage to Determine Who Has Been Naughty or Nice</li> https://www.mac4n6.com/blog/2018/12/16/on-the-third-day-of-apollo-my-true-love-gave-to-me-application-usage-to-determine-who-has-been-naughty-or-nice <li>On the Fourth Day of APOLLO, My True Love Gave to Me – Media Analysis to Prove You Listened to “All I Want for Christmas is You” Over and Over Since Before Thanksgiving</li> https://www.mac4n6.com/blog/2018/12/17/on-the-fourth-day-of-apollo-my-true-love-gave-to-me-media-analysis-to-prove-you-listened-to-all-i-want-for-christmas-is-you-over-and-over-since-before-thanksgiving <li>On the Sixth Day of APOLLO, My True Love Gave to Me – Blinky Things with Buttons – Device Status Analysis</li> https://www.mac4n6.com/blog/2018/12/19/on-the-sixth-day-of-apollo-my-true-love-gave-to-me-blinky-things-with-buttons-device-status-analysis <li>On the Eighth Day of APOLLO, My True Love Gave to Me – A Glorious Lightshow – Analysis of Device Connections</li> http://www.mac4n6.com/blog/2018/12/21/on-the-eighth-day-of-apollo-my-true-love-gave-to-me-a-glorious-lightshow-analysis-of-device-connections <li>Smartphone Privacy: How Your Smartphone Tracks Your Entire Life</li> https://conference.hitb.org/hitbsecconf2018pek/materials/D2T2%20-%20How%20Your%20Smartphone%20Tracks%20Your%20Entire%20Life%20-%20Vladimir%20Katalov.pdf <li>Apple TV Forensics 03: Analysis</li> https://blog.elcomsoft.com/2019/09/apple-tv-forensics-03-analysis/ <li>iOS KnowledgeC.db Notifications</li> https://theforensicscooter.com/2021/10/03/ios-knowledgec-db-notifications/ <li>iOS KnowledgeC.db Notifications</li> https://dfir.pubpub.org/pub/g2v1z97i/release/1 <li>KnowledgeC: Now Playing entries</li> https://www.forensicmike1.com/2019/10/07/knowledgec-now-playing-entries/ <li>USING PHOTOS.SQLITE TO SHOW THE RELATIONSHIPS BETWEEN PHOTOS AND THE APPLICATION THEY WERE CREATED WITH? BY SCOTT KOENIG</li> https://dfir.pubpub.org/pub/v19rksyf/release/1 https://smarterforensics.com/2020/08/does-photos-sqlite-have-relations-with-cameramessagesapp-by-scott-koenig/ <li>KnowledgeC (and Friends)</li> http://www.doubleblak.com/m/blogPosts.php?id=2 <li>Building a Pattern of Life - Leveraging Location and Health Data</li> https://www.youtube.com/watch?v=eU7THDwFkiM <li>iOS 16 - Now You 'C' It, Now You Don't -- Breaking Down The Biomes Part 1</li> https://blog.d204n6.com/2022/09/ios-16-now-you-c-it-now-you-dont.html <li>iOS - Tracking Traces of Deleted Applications</li> https://blog.d204n6.com/2019/09/ios-tracking-traces-of-deleted.html <li>Tracking Traces of Deleted Applications - SANS DFIR Summit 2019</li> https://www.youtube.com/watch?v=4LcQm4ErXpA <li>iOS Analysis Test No. 22-5551 Summary Report</li> https://cts-forensics.com/reports/22-5551_Web.pdf <li>Magnet User Summit 2022 CTF - iPhone</li> https://www.stark4n6.com/2022/06/magnet-user-summit-2022-ctf-iphone.html <li>KwnoledgeC queries</li> https://github.com/ScottKjr3347/iOS_KnowledgeC.db_Queries <li>SANS 2022 DFIR Summit Queries</li> https://for585.com/dfirsummit22 <li>APOLLO KnowledgeC Modules</li> https://github.com/mac4n6/APOLLO/blob/master/modules/knowledge_activity_level.txt https://github.com/mac4n6/APOLLO/blob/master/modules/knowledge_activity_level_feedback.txt https://github.com/mac4n6/APOLLO/blob/master/modules/knowledge_airplay_prediction.txt https://github.com/mac4n6/APOLLO/blob/master/modules/knowledge_app_activity.txt https://github.com/mac4n6/APOLLO/blob/master/modules/knowledge_app_activity_calendar.txt https://github.com/mac4n6/APOLLO/blob/master/modules/knowledge_app_activity_clock.txt https://github.com/mac4n6/APOLLO/blob/master/modules/knowledge_app_activity_mail.txt https://github.com/mac4n6/APOLLO/blob/master/modules/knowledge_app_activity_maps.txt https://github.com/mac4n6/APOLLO/blob/master/modules/knowledge_app_activity_notes.txt https://github.com/mac4n6/APOLLO/blob/master/modules/knowledge_app_activity_passbook.txt https://github.com/mac4n6/APOLLO/blob/master/modules/knowledge_app_activity_photos.txt https://github.com/mac4n6/APOLLO/blob/master/modules/knowledge_app_activity_safari.txt https://github.com/mac4n6/APOLLO/blob/master/modules/knowledge_app_activity_weather.txt https://github.com/mac4n6/APOLLO/blob/master/modules/knowledge_app_inFocus.txt https://github.com/mac4n6/APOLLO/blob/master/modules/knowledge_app_install.txt https://github.com/mac4n6/APOLLO/blob/master/modules/knowledge_app_intents.txt https://github.com/mac4n6/APOLLO/blob/master/modules/knowledge_app_location_activity.txt https://github.com/mac4n6/APOLLO/blob/master/modules/knowledge_app_media_usage.txt https://github.com/mac4n6/APOLLO/blob/master/modules/knowledge_app_relevantshortcuts.txt https://github.com/mac4n6/APOLLO/blob/master/modules/knowledge_app_usage.txt https://github.com/mac4n6/APOLLO/blob/master/modules/knowledge_app_webusage.txt https://github.com/mac4n6/APOLLO/blob/master/modules/knowledge_audio_bluetooth_connected.txt https://github.com/mac4n6/APOLLO/blob/master/modules/knowledge_audio_input_route.txt https://github.com/mac4n6/APOLLO/blob/master/modules/knowledge_audio_media_nowplaying.txt https://github.com/mac4n6/APOLLO/blob/master/modules/knowledge_audio_output_route.txt https://github.com/mac4n6/APOLLO/blob/master/modules/knowledge_calendar_event_title.txt https://github.com/mac4n6/APOLLO/blob/master/modules/knowledge_charging_smart_topoff_checkpoint.txt https://github.com/mac4n6/APOLLO/blob/master/modules/knowledge_dasd_activity_profile.txt https://github.com/mac4n6/APOLLO/blob/master/modules/knowledge_dasd_battery_temperature.txt https://github.com/mac4n6/APOLLO/blob/master/modules/knowledge_dasd_control_effort.txt https://github.com/mac4n6/APOLLO/blob/master/modules/knowledge_device_battery_saver.txt https://github.com/mac4n6/APOLLO/blob/master/modules/knowledge_device_batterylevel.txt https://github.com/mac4n6/APOLLO/blob/master/modules/knowledge_device_carplay_connected.txt https://github.com/mac4n6/APOLLO/blob/master/modules/knowledge_device_inferred_motion.txt https://github.com/mac4n6/APOLLO/blob/master/modules/knowledge_device_is_backlit.txt https://github.com/mac4n6/APOLLO/blob/master/modules/knowledge_device_keybag_locked.txt https://github.com/mac4n6/APOLLO/blob/master/modules/knowledge_device_locked.txt https://github.com/mac4n6/APOLLO/blob/master/modules/knowledge_device_locked_imputed.txt https://github.com/mac4n6/APOLLO/blob/master/modules/knowledge_device_low_power_mode.txt https://github.com/mac4n6/APOLLO/blob/master/modules/knowledge_device_orientation.txt https://github.com/mac4n6/APOLLO/blob/master/modules/knowledge_device_pluggedin.txt https://github.com/mac4n6/APOLLO/blob/master/modules/knowledge_device_watch_nearby.txt https://github.com/mac4n6/APOLLO/blob/master/modules/knowledge_discoverability_signals.txt https://github.com/mac4n6/APOLLO/blob/master/modules/knowledge_discoverability_usage.txt https://github.com/mac4n6/APOLLO/blob/master/modules/knowledge_disk_subsystem_access.txt https://github.com/mac4n6/APOLLO/blob/master/modules/knowledge_event_tombstone.txt https://github.com/mac4n6/APOLLO/blob/master/modules/knowledge_family_prediction.txt https://github.com/mac4n6/APOLLO/blob/master/modules/knowledge_inferred_microlocation_visit.txt https://github.com/mac4n6/APOLLO/blob/master/modules/knowledge_knowledge_sync_addition_window.txt https://github.com/mac4n6/APOLLO/blob/master/modules/knowledge_notification_usage.txt https://github.com/mac4n6/APOLLO/blob/master/modules/knowledge_paired_device_nearby.txt https://github.com/mac4n6/APOLLO/blob/master/modules/knowledge_photos_deletes_all.txt https://github.com/mac4n6/APOLLO/blob/master/modules/knowledge_photos_deletes_recent.txt https://github.com/mac4n6/APOLLO/blob/master/modules/knowledge_photos_edit_all.txt https://github.com/mac4n6/APOLLO/blob/master/modules/knowledge_photos_engagement.txt https://github.com/mac4n6/APOLLO/blob/master/modules/knowledge_photos_favorites_other.txt https://github.com/mac4n6/APOLLO/blob/master/modules/knowledge_photos_share_airdrop.txt https://github.com/mac4n6/APOLLO/blob/master/modules/knowledge_photos_share_all.txt https://github.com/mac4n6/APOLLO/blob/master/modules/knowledge_photos_share_extension.txt https://github.com/mac4n6/APOLLO/blob/master/modules/knowledge_portrait_entity.txt https://github.com/mac4n6/APOLLO/blob/master/modules/knowledge_portrait_topic.txt https://github.com/mac4n6/APOLLO/blob/master/modules/knowledge_safari_browsing.txt https://github.com/mac4n6/APOLLO/blob/master/modules/knowledge_segment_monitor.txt https://github.com/mac4n6/APOLLO/blob/master/modules/knowledge_settings_doNotDisturb.txt https://github.com/mac4n6/APOLLO/blob/master/modules/knowledge_sharesheet_feedback.txt https://github.com/mac4n6/APOLLO/blob/master/modules/knowledge_siri.txt https://github.com/mac4n6/APOLLO/blob/master/modules/knowledge_siri_activites.txt https://github.com/mac4n6/APOLLO/blob/master/modules/knowledge_siri_flow_activity.txt https://github.com/mac4n6/APOLLO/blob/master/modules/knowledge_siri_service.txt https://github.com/mac4n6/APOLLO/blob/master/modules/knowledge_spotlight_viewer_event.txt https://github.com/mac4n6/APOLLO/blob/master/modules/knowledge_standby_timer.txt https://github.com/mac4n6/APOLLO/blob/master/modules/knowledge_sync_addition_window.txt https://github.com/mac4n6/APOLLO/blob/master/modules/knowledge_sync_deletion_bookmark.txt https://github.com/mac4n6/APOLLO/blob/master/modules/knowledge_system_airplane_mode.txt https://github.com/mac4n6/APOLLO/blob/master/modules/knowledge_system_tlc.txt https://github.com/mac4n6/APOLLO/blob/master/modules/knowledge_system_userwakingevent.txt https://github.com/mac4n6/APOLLO/blob/master/modules/knowledge_user_first_backlight_after_wakeup.txt https://github.com/mac4n6/APOLLO/blob/master/modules/knowledge_user_interaction_app_directory.txt https://github.com/mac4n6/APOLLO/blob/master/modules/knowledge_widget_refresh.txt https://github.com/mac4n6/APOLLO/blob/master/modules/knowledge_widget_view.txt https://github.com/mac4n6/APOLLO/blob/master/modules/knowledge_widgets_viewed.txt https://github.com/mac4n6/APOLLO/blob/master/modules/knowledge_wifi_connection.txt <li>iOS Forensics for Investigators</li> https://www.packtpub.com/product/ios-forensics-for-investigators/9781803234083 </ul> </li> <li> /mobile/Library/CoreDuet/People/interactionC.db <ul> <li>FROM APPLE SEEDS TO APPLE PIE</li> https://objectivebythesea.org/v1/talks/OBTS_v1_Edwards.pdf <li>KnowledgeC (and Friends)</li> http://www.doubleblak.com/m/blogPosts.php?id=2 <li>Socially Distant but Still Interacting! New and Improved Updates to macOS/iOS CoreDuet interactionC.db APOLLO Modules</li> http://www.mac4n6.com/blog/2020/6/21/socially-distant-but-still-interacting-new-and-improved-updates-to-macosios-coreduet-interactioncdb-apollo-modules <li>Local Photo Library Photos.sqlite Query Variations & WHERE statements</li> https://theforensicscooter.com/2022/02/21/photos-sqlite-update/ <li>Comparison of iOS backups: Encrypted vs Unencrypted</li> https://www.arcpointforensics.com/news/comparison-of-ios-backups <li>SANS 2022 DFIR Summit Queries</li> https://for585.com/dfirsummit22 <li>APOLLO interactionC Modules</li> https://github.com/mac4n6/APOLLO/blob/master/modules/interaction_contact_interactions.txt https://github.com/mac4n6/APOLLO/blob/master/modules/interaction_contact_interactions_keywords.txt <li>iLEAPP interactionC Plugin</li> https://github.com/abrignoni/iLEAPP/blob/main/scripts/artifacts/interactionCcontacts.py <li>Practical Mobile Forensics - Fourth Edition</li> https://www.packtpub.com/product/practical-mobile-forensics-fourth-edition/9781838647520 <li>iOS Forensics for Investigators</li> https://www.packtpub.com/product/ios-forensics-for-investigators/9781803234083 </ul> </li> <li> /mobile/Library/DataAccess/ <ul> <li>Checkra1n Era - Ep 4 - Analyzing extractions "Before First Unlock"</li> https://blog.digital-forensics.it/2019/12/checkra1n-era-ep-4-analyzing.html <li>iOS Forensics: BFU (Before First Unlock) acquisition, using checkra1n</li> https://andreafortuna.org/2020/01/10/ios-forensics-bfu-before-first-unlock-acquisition-using-checkra1n/ <li>iOS Forensics: HFS+ file system, partitions and relevant evidences</li> https://andreafortuna.org/2020/08/31/ios-forensics-hfs-file-system-partitions-and-relevant-evidences/ <li>Artifacts of an IOS device</li> https://infosecaddicts.com/artifacts-ios-device/ <li>A Digital Forensic Analysis on the iCloud® and its Synchronization to Apple® Devices</li> https://www.marshall.edu/forensics/files/FRIEDMANRACHEL-Research-Paper-08242012.pdf </ul> </li> <li> /mobile/Library/DeviceRegistry.state/activeStateMachine.plist <ul> <li>Apple Watch Forensics 02: Analysis</li> https://blog.elcomsoft.com/2019/06/apple-watch-forensics-02-analysis/ <li>APPLE WATCH FORENSICS: IS IT EVER POSSIBLE, AND WHAT IS THE PROFIT?</li> https://www.forensicfocus.com/webinars/apple-watch-forensics-is-it-ever-possible-and-what-is-the-profit/ https://dfrws.org/wp-content/uploads/2019/06/2019_EU_pres-apple_watch_forensics_is_it_ever_possible_and_what_is_the_profit.pdf <li>Data Extraction and Forensic Analysis for Smartphone Paired Wearables and IoT Devices</li> https://www.researchgate.net/publication/339022164_Data_Extraction_and_Forensic_Analysis_for_Smartphone_Paired_Wearables_and_IoT_Devices </ul> </li> <li> /mobile/Library/DeviceRegistry.state/historySecureProperties.plist <ul> <li>Apple Watch Forensics 02: Analysis</li> https://blog.elcomsoft.com/2019/06/apple-watch-forensics-02-analysis/ <li>APPLE WATCH FORENSICS: IS IT EVER POSSIBLE, AND WHAT IS THE PROFIT?</li> https://www.forensicfocus.com/webinars/apple-watch-forensics-is-it-ever-possible-and-what-is-the-profit/ https://dfrws.org/wp-content/uploads/2019/06/2019_EU_pres-apple_watch_forensics_is_it_ever_possible_and_what_is_the_profit.pdf <li>Data Extraction and Forensic Analysis for Smartphone Paired Wearables and IoT Devices</li> https://www.researchgate.net/publication/339022164_Data_Extraction_and_Forensic_Analysis_for_Smartphone_Paired_Wearables_and_IoT_Devices </ul> </li> <li> /mobile/Library/DoNotDisturb/DB/Settings.sqlite </li> <li> /mobile/Library/DoNotDisturb/DB/IDSSyncEngineMetadata.plist <ul> <li>iOS 16 - Breaking Down the Biomes (Part 3) - Keeping up with CarPlay</li> https://blog.d204n6.com/2022/09/ios-16-breaking-down-biomes-part-3.html </ul> </li> <li> /mobile/Library/DuetExpertCenter/streams/userNotificationEvent/local <ul> <li>Peeking at User Notification Events in iOS 15</li> https://gforce4n6.blogspot.com/2022/05/peeking-at-user-notification-events-in.html <li>Peeking at User Notification Events in iOS 15</li> https://dfrws.org/presentation/dfir-review-showcase-peeking-at-user-notification-events-in-ios-15/ <li>iOS 16 - "Paul unsent a message." ... OR DID HE?!</li> https://blog.d204n6.com/2022/09/ios-16-paul-unsent-message-or-did-he.html <li>Magnet Forensics Virtual Summit 2023 CTF – iOS</li> https://www.forgottennook.com/blog/magnet-ios-2023 <li>iLEAPP User Notifications Plugin</li> https://github.com/abrignoni/iLEAPP/blob/main/scripts/artifacts/notificationsDuet.py </ul> </li> <li> /mobile/Library/FrontBoard/applicationState.db <ul> <li>Identifying installed and uninstalled apps in iOS</li> https://abrignoni.blogspot.com/2018/12/identifying-installed-and-uninstalled.html <li>iOS - Tracking Traces of Deleted Applications</li> https://blog.d204n6.com/2019/09/ios-tracking-traces-of-deleted.html <li>Tracking Traces of Deleted Applications - SANS DFIR Summit 2019</li> https://www.youtube.com/watch?v=4LcQm4ErXpA <li>iOS Application Groups & Shared data</li> http://www.swiftforensics.com/2021/01/ios-application-groups-shared-data.html <li>iOS - Tracking Bundle IDs for Containers, Shared Containers, and Plugins</li> https://blog.d204n6.com/2020/09/ios-tracking-bundle-ids-for-containers.html <li>iOS – Tracking Bundle IDs for Containers, Shared Containers, and Plugins</li> https://www.magnetforensics.com/blog/ios-tracking-bundle-ids-for-containers-shared-containers-and-plugins/ <li>Checkra1n Era - Ep 4 - Analyzing extractions "Before First Unlock"</li> https://blog.digital-forensics.it/2019/12/checkra1n-era-ep-4-analyzing.html <li>Magnet Virtual Summit 2020 CTF (iOS)</li> https://www.stark4n6.com/2020/06/magnet-virtual-summit-2020-ctf-ios.html <li>iLEAPP Application State Plugin</li> https://github.com/abrignoni/iLEAPP/blob/main/scripts/artifacts/applicationstate.py <li>Practical Mobile Forensics - Fourth Edition</li> https://www.packtpub.com/product/practical-mobile-forensics-fourth-edition/9781838647520 <li>iOS Forensics for Investigators</li> https://www.packtpub.com/product/ios-forensics-for-investigators/9781803234083 </ul> </li> <li> /mobile/Library/Health/ActivitySharing/contacts.dat <ul> <li>#DFIRFIT or Bust - A forensic exploration of iOS Health Data</li> https://github.com/mac4n6/Presentations/blob/master/%23DFIRFIT%20or%20BUST/DFIRFIT.pdf https://papers.put.as/papers/ios/2018/summit_archive_1528385073.pdf <li>Smartphone Privacy: How Your Smartphone Tracks Your Entire Life</li> https://conference.hitb.org/hitbsecconf2018pek/materials/D2T2%20-%20How%20Your%20Smartphone%20Tracks%20Your%20Entire%20Life%20-%20Vladimir%20Katalov.pdf </ul> </li> <li> /mobile/Library/Health/healthdb.sqlite <ul> <li>#DFIRFIT or Bust - A forensic exploration of iOS Health Data</li> https://papers.put.as/papers/ios/2018/summit_archive_1528385073.pdf https://github.com/mac4n6/Presentations/blob/master/%23DFIRFIT%20or%20BUST/DFIRFIT.pdf <li>FROM APPLE SEEDS TO APPLE PIE</li> https://objectivebythesea.org/v1/talks/OBTS_v1_Edwards.pdf <li>Enriching Investigations with Apple Watch Data Through the healthdb_secure.sqlite Database</li> https://dfir.pubpub.org/pub/xqvcn3hj/release/1 <li>Smartphone Privacy: How Your Smartphone Tracks Your Entire Life</li> https://conference.hitb.org/hitbsecconf2018pek/materials/D2T2%20-%20How%20Your%20Smartphone%20Tracks%20Your%20Entire%20Life%20-%20Vladimir%20Katalov.pdf <li>Apple Health</li> https://media.rootcon.org/ROOTCON%2012/Talks/Apple%20Health.pdf <li>Health and Activity</li> https://www.elcomsoft.com/presentations/20200129_health_and_activity_evidence_en.pdf <li>Making a Murderer: Health Activity Edition</li> https://smarterforensics.com/wp-content/uploads/2018/11/Making-a-Murderer-Health-Edition_Stockholm.pdf <li>…WON’T YOU BACK THAT THING UP: A GLIMPSE OF IOS 13 ARTIFACTS</li> https://smarterforensics.com/2019/09/wont-you-back-that-thing-up-a-glimpse-of-ios-13-artifacts/ <li>Audio and App Usage in Apple Health</li> https://www.stark4n6.com/2022/08/audio-and-app-usage-in-apple-health.html <li>iOS Forensics: HFS+ file system, partitions and relevant evidences</li> https://andreafortuna.org/2020/08/31/ios-forensics-hfs-file-system-partitions-and-relevant-evidences/ <li>healthdb.sqlite query</li> https://github.com/kacos2000/Queries/blob/master/healthdb.sql </ul> </li> <li> /mobile/Library/Health/healthdb_secure.sqlite <ul> <li>#DFIRFIT or Bust - A forensic exploration of iOS Health Data</li> https://github.com/mac4n6/Presentations/blob/master/%23DFIRFIT%20or%20BUST/DFIRFIT.pdf https://papers.put.as/papers/ios/2018/summit_archive_1528385073.pdf <li>FROM APPLE SEEDS TO APPLE PIE</li> https://objectivebythesea.org/v1/talks/OBTS_v1_Edwards.pdf <li>On the Second Day of APOLLO, My True Love Gave to Me - Holiday Treats and a Trip to the Gym - A Look at iOS Health Data</li> https://www.mac4n6.com/blog/2018/12/15/on-the-second-day-of-apollo-my-true-love-gave-to-me-holiday-treats-and-a-trip-to-the-gym-a-look-at-ios-health-data <li>Just Call Me Buffy the Proto Slayer – An Initial Look into Protobuf Data in Mac and iOS Forensics</li> http://www.mac4n6.com/blog/2019/9/27/just-call-me-buffy-the-proto-slayer-an-initial-look-into-protobuf-data-in-mac-and-ios-forensics <li>The iPhone Health App from a forensic perspective: can steps and distances registered during walking and running be used as digital evidence?</li> https://www.sciencedirect.com/science/article/pii/S1742287619300313 https://dfrws.org/sites/default/files/session-files/2019_EU_paper-the_iphone_health_app_from_a_forensic_perspective.pdf <li>The phone reveals your motion: Digital traces of walking, driving and other movements on iPhones</li> https://www.sciencedirect.com/science/article/abs/pii/S2666281721000780 <li>Interpreting the location data extracted from the Apple Health database</li> https://www.sciencedirect.com/science/article/pii/S2666281723000057 <li>Smartphone Privacy: How Your Smartphone Tracks Your Entire Life</li> https://conference.hitb.org/hitbsecconf2018pek/materials/D2T2%20-%20How%20Your%20Smartphone%20Tracks%20Your%20Entire%20Life%20-%20Vladimir%20Katalov.pdf <li>Apple Health</li> https://media.rootcon.org/ROOTCON%2012/Talks/Apple%20Health.pdf <li>Health and Activity</li> https://www.elcomsoft.com/presentations/20200129_health_and_activity_evidence_en.pdf <li>Making a Murderer: Health Activity Edition</li> https://smarterforensics.com/wp-content/uploads/2018/11/Making-a-Murderer-Health-Edition_Stockholm.pdf <li>…WON’T YOU BACK THAT THING UP: A GLIMPSE OF IOS 13 ARTIFACTS</li> https://smarterforensics.com/2019/09/wont-you-back-that-thing-up-a-glimpse-of-ios-13-artifacts/ <li>Audio and App Usage in Apple Health</li> https://www.stark4n6.com/2022/08/audio-and-app-usage-in-apple-health.html <li>Enriching Investigations with Apple Watch Data Through the healthdb_secure.sqlite Database</li> https://dfir.pubpub.org/pub/xqvcn3hj/release/1 https://sqlmcgee.wordpress.com/2022/04/01/enriching-investigations-with-apple-watch-data-through-the-healthdb_secure-sqlite-database/ <li>Cellebrite CTF 2021 - Beth's iPhone</li> https://www.stark4n6.com/2021/10/cellebrite-ctf-2021-beths-iphone.html <li>iOS Analysis Test No. 19-5551 Summary Report</li> https://cts-forensics.com/reports/19-5551_Web.pdf <li>iOS Analysis Test No. 21-5551 Summary Report</li> https://cts-forensics.com/reports/21-5551_Web.pdf <li>Securing and Extracting Health Data: Apple Health vs. Google Fit</li> https://blog.elcomsoft.com/2019/01/securing-and-extracting-health-data-apple-health-vs-google-fit/ <li>Building a Pattern of Life - Leveraging Location and Health Data</li> https://www.youtube.com/watch?v=eU7THDwFkiM <li>Health Data Types</li> https://www.doubleblak.com/blogPosts.php?id=21 <li>Personal Injury & Insurance Fraud Investigation: Get the Mobile Device!</li> http://prodigital4n6.blogspot.com/2017/07/personal-injury-insurance-fraud.html <li>iOS Forensics: BFU (Before First Unlock) acquisition, using checkra1n</li> https://andreafortuna.org/2020/01/10/ios-forensics-bfu-before-first-unlock-acquisition-using-checkra1n/ <li>iOS Forensics: HFS+ file system, partitions and relevant evidences</li> https://andreafortuna.org/2020/08/31/ios-forensics-hfs-file-system-partitions-and-relevant-evidences/ <li>healthdb_secure.sqlite query</li> https://github.com/kacos2000/Queries/blob/master/healthdb_secure.sql <li>APOLLO health_secure.sqlite Modules</li> https://github.com/mac4n6/APOLLO/blob/master/modules/health_distance.txt https://github.com/mac4n6/APOLLO/blob/master/modules/health_ecg_average_heart_rate.txt https://github.com/mac4n6/APOLLO/blob/master/modules/health_flights.txt https://github.com/mac4n6/APOLLO/blob/master/modules/health_heart_rate.txt https://github.com/mac4n6/APOLLO/blob/master/modules/health_steps.txt https://github.com/mac4n6/APOLLO/blob/master/modules/health_stood_up.txt https://github.com/mac4n6/APOLLO/blob/master/modules/health_weight.txt https://github.com/mac4n6/APOLLO/blob/master/modules/health_workout_cadence.txt https://github.com/mac4n6/APOLLO/blob/master/modules/health_workout_elevation.txt https://github.com/mac4n6/APOLLO/blob/master/modules/health_workout_general.txt https://github.com/mac4n6/APOLLO/blob/master/modules/health_workout_humidity.txt https://github.com/mac4n6/APOLLO/blob/master/modules/health_workout_indoor.txt https://github.com/mac4n6/APOLLO/blob/master/modules/health_workout_location_latitude.txt https://github.com/mac4n6/APOLLO/blob/master/modules/health_workout_location_longitude.txt https://github.com/mac4n6/APOLLO/blob/master/modules/health_workout_max_ground_elevation.txt https://github.com/mac4n6/APOLLO/blob/master/modules/health_workout_mets.txt https://github.com/mac4n6/APOLLO/blob/master/modules/health_workout_min_ground_elevation.txt https://github.com/mac4n6/APOLLO/blob/master/modules/health_workout_temperature.txt https://github.com/mac4n6/APOLLO/blob/master/modules/health_workout_timeofday.txt https://github.com/mac4n6/APOLLO/blob/master/modules/health_workout_weather.txt </ul> </li> <li> /mobile/Library/Health/Client/HealthApp.sqlite <ul> <li>Health Data Types</li> https://www.doubleblak.com/blogPosts.php?id=21 </ul> </li> <li> /mobile/Library/homed/datastore.sqlite <ul> <li>A journey into IoT Forensics - Episode 5 - Analysis of the Apple HomePod and the Apple Home Kit Environment (aka thanks RN Team!)</li> https://blog.digital-forensics.it/2021/01/a-journey-into-iot-forensics-episode-5.html <li>Forensic Analysis of Apple HomePod & Apple HomeKit Environment w/ Mattia Epifani - SANS DFIR Summit</li> https://www.youtube.com/watch?v=D8AOXCBkaTY </ul> </li> <li> /mobile/Library/Keyboard/<language>-dynamic.lm/dynamic-lexicon.dat <ul> <li>iOS Analysis Test No. 22-5551 Summary Report</li> https://cts-forensics.com/reports/22-5551_Web.pdf <li>iLEAPP Keyboard Lexicon</li> https://github.com/abrignoni/iLEAPP/blob/main/scripts/artifacts/keyboardLexicon.py </ul> </li> <li> /mobile/Library/Keyboard/app_usage_database.plist <ul> <li>iLEAPP App Usage Plugin</li> https://github.com/abrignoni/iLEAPP/blob/main/scripts/artifacts/keyboardAppUsage.py </ul> </li> <li> /mobile/Library/Keyboard/langlikelihood.dat <ul> <li>Cellebrite CTF 2021 Writeup</li> https://medium.com/@williamskosasi/cellebrite-ctf-2021-writeup-b73d821a708 </ul> </li> <li> /mobile/Library/Keyboard/UserDictionary.sqlite <ul> <li>iOS Forensics: BFU (Before First Unlock) acquisition, using checkra1n</li> https://andreafortuna.org/2020/01/10/ios-forensics-bfu-before-first-unlock-acquisition-using-checkra1n/ <li>iOS Forensics: HFS+ file system, partitions and relevant evidences</li> https://andreafortuna.org/2020/08/31/ios-forensics-hfs-file-system-partitions-and-relevant-evidences/ </ul> </li> <li> /mobile/Library/Logs/AppConduit/ <ul> <li>Checkra1n Era - Ep 4 - Analyzing extractions "Before First Unlock"</li> https://blog.digital-forensics.it/2019/12/checkra1n-era-ep-4-analyzing.html <li>Using Apple “Bug Reporting” for forensic purposes</li> https://for585.com/sysdiagnose <li>iOS Sysdiagnose AppConduit script</li> https://github.com/cheeky4n6monkey/iOS_sysdiagnose_forensic_scripts/blob/master/sysdiagnose-appconduit.py <li>iLEAPP AppConduit Plugin</li> https://github.com/abrignoni/iLEAPP/blob/main/scripts/artifacts/appConduit.py </ul> </li> <li> /mobile/Library/Logs/AppleSupport/general.log </li> <li> /mobile/Library/Logs/mobile_installation_helper.log* </li> <li> /mobile/Library/Logs/mobileactivationd/ <ul> <li>Checkra1n Era - Ep 4 - Analyzing extractions "Before First Unlock"</li> https://blog.digital-forensics.it/2019/12/checkra1n-era-ep-4-analyzing.html <li>Cellebrite CTF 2021 - Beth's iPhone</li> https://www.stark4n6.com/2021/10/cellebrite-ctf-2021-beths-iphone.html <li>Using Apple “Bug Reporting” for forensic purposes</li> https://for585.com/sysdiagnose <li>Sysdiagnose in iOS 16: a first look from a Digital Forensics perspective</li> https://blog.digital-forensics.it/2022/11/sysdiagnose-in-ios-16-first-look-from.html <li>A journey into IoT Forensics - Episode 5 - Analysis of the Apple HomePod and the Apple Home Kit Environment (aka thanks RN Team!)</li> https://blog.digital-forensics.it/2021/01/a-journey-into-iot-forensics-episode-5.html <li>Apple TV Forensics 03: Analysis</li> https://blog.elcomsoft.com/2019/09/apple-tv-forensics-03-analysis/ <li>iLEAPP Mobile Activation Logs Plugin</li> https://github.com/abrignoni/iLEAPP/blob/main/scripts/artifacts/mobileActivationLogs.py </ul> </li> <li> /mobile/Library/Mail/ <ul> <li>iOS Mail</li> https://www.doubleblak.com/m/blogPosts.php?id=10 <li>Identification and analysis of email and contacts artefacts on iOS and OS X</li> https://researchonline.gcu.ac.uk/ws/portalfiles/portal/24600592/K.Ovens_PID4325955.pdf <li>A Digital Forensic Analysis on the iCloud® and its Synchronization to Apple® Devices</li> https://www.marshall.edu/forensics/files/FRIEDMANRACHEL-Research-Paper-08242012.pdf <li>iOS Analysis Test No. 22-5551 Summary Report</li> https://cts-forensics.com/reports/22-5551_Web.pdf <li>Getting Started with iOS Forensics</li> https://www.systoolsgroup.com/forensics/sqlite/ios.html <li>iOS Forensics for Investigators</li> https://www.packtpub.com/product/ios-forensics-for-investigators/9781803234083 </ul> </li> <li> /mobile/Library/MedicalID/MedicalIDData.Archive <ul> <li>Magnet Virtual Summit 2020 CTF (iOS)</li> https://www.stark4n6.com/2020/06/magnet-virtual-summit-2020-ctf-ios.html <li>iLEAPP MedicalID Plugin</li> https://github.com/abrignoni/iLEAPP/blob/main/scripts/artifacts/medicalID.py </ul> </li> <li> /mobile/Library/NanoBackup/ </li> <li> /mobile/Library/NanoMusicSync/ </li> <li> /mobile/Library/NanoPreferencesSync/ <ul> <li>Apple Watch Forensics 02: Analysis</li> https://blog.elcomsoft.com/2019/06/apple-watch-forensics-02-analysis/ </ul> </li> <li> /mobile/Library/NanoTimeKit/ </li> <li> /mobile/Library/Passes/passes23.sqlite <ul> <li>Pocket Litter A Peek Inside Your Apple Wallet</li> https://objectivebythesea.org/v4/talks/OBTS_v4_sEdwards.pdf <li>Analysing Apple Pay Transactions</li> https://blog.elcomsoft.com/2018/08/analysing-apple-pay-transactions/ <li>Cellebrite CTF 2020: Juan Mortyme</li> https://ciofecaforensics.com/2020/10/30/cellebrite-ctf-juan/ <li>Cellebrite CTF 2021 Writeup</li> https://medium.com/@williamskosasi/cellebrite-ctf-2021-writeup-b73d821a708 <li>Cellebrite CTF 2021 - Beth's iPhone</li> https://www.stark4n6.com/2021/10/cellebrite-ctf-2021-beths-iphone.html <li>Apple Pattern of Life Lazy Output’er (APOLLO) Updates & 40 New Modules (Location, Chat, Calls, Apple Pay Transactions, Wallet Passes, Safari & Health Workouts)</li> http://www.mac4n6.com/blog/2019/1/17/apple-pattern-of-life-lazy-outputer-apollo-updates-amp-40-new-modules-location-chat-calls-apple-pay-transactions-wallet-passes-safari-amp-health-workouts?rq=passes23.sqlite <li>APOLLO passes23.sqlite Modules</li> https://github.com/mac4n6/APOLLO/blob/master/modules/passes23_unique_passes_cards.txt https://github.com/mac4n6/APOLLO/blob/master/modules/passes23_wallet_passes.txt https://github.com/mac4n6/APOLLO/blob/master/modules/passes23_wallet_transactions.txt <li>iLEAPP passes23.sqlite Plugin</li> https://github.com/abrignoni/iLEAPP/blob/main/scripts/artifacts/appleWalletTransactions.py </ul> </li> <li> /mobile/Library/PersonalizationPortrait/PPSQLDatabase.db <ul> <li>Guest Post by @bizzybarney! A Peek Inside the PPSQLDatabase.db Personalization Portrait Database</li> http://www.mac4n6.com/blog/2020/6/2/guest-post-by-bizzybarney-a-peek-inside-the-ppsqldatabasedb-personalization-portrait-database <li>Lucky (iOS) #13: Time to Press Your Bets w/ Jared Barnhart - SANS DFIR Summit 2020</li> https://www.youtube.com/watch?v=8Fy83iQ4f8Q </ul> </li> <li> /mobile/Library/Preferences/.GlobalPreferences.plist <ul> <li>iOS Analysis Test No. 21-5551 Summary Report</li> https://cts-forensics.com/reports/21-5551_Web.pdf <li>iOS Analysis Test No. 22-5551 Summary Report</li> https://cts-forensics.com/reports/22-5551_Web.pdf </ul> </li> <li> /mobile/Library/Preferences/addaily.plist </li> <li> /mobile/Library/Preferences/com.apple.accountsettings.plist <ul> <li>iOS Forensics: BFU (Before First Unlock) acquisition, using checkra1n</li> https://andreafortuna.org/2020/01/10/ios-forensics-bfu-before-first-unlock-acquisition-using-checkra1n/ </ul> </li> <li> /mobile/Library/Preferences/com.apple.ActivitySharing.plist </li> <li> /mobile/Library/Preferences/com.apple.AdLib.plist </li> <li> /mobile/Library/Preferences/com.apple.aggregated.plist </li> <li> /mobile/Library/Preferences/com.apple.AppStore.plist <ul> <li>iOS Analysis Test No. 21-5551 Summary Report</li> https://cts-forensics.com/reports/21-5551_Web.pdf <li>iOS Analysis Test No. 22-5551 Summary Report</li> https://cts-forensics.com/reports/22-5551_Web.pdf <li>Hacking and Securing iOS Applications by Jonathan Zdziarski, Chapter 4</li> https://www.oreilly.com/library/view/hacking-and-securing/9781449325213/ch04.html </ul> </li> <li> /mobile/Library/Preferences/com.apple.assistant.backedup.plist <ul> <li>Checkra1n Era - Ep 4 - Analyzing extractions "Before First Unlock"</li> https://blog.digital-forensics.it/2019/12/checkra1n-era-ep-4-analyzing.html <li>iOS Forensics: BFU (Before First Unlock) acquisition, using checkra1n</li> https://andreafortuna.org/2020/01/10/ios-forensics-bfu-before-first-unlock-acquisition-using-checkra1n/ <li>iOS Forensics: HFS+ file system, partitions and relevant evidences</li> https://andreafortuna.org/2020/08/31/ios-forensics-hfs-file-system-partitions-and-relevant-evidences/ <li>Local Photo Library Photos.sqlite Query Documentation & Notable Artifacts</li> https://theforensicscooter.com/2022/05/02/photos-sqlite-query-documentation-notable-artifacts/ </ul> </li> <li> /mobile/Library/Preferences/com.apple.assetsd.plist <ul> <li>Shared with You Syndication Photo Library – Message Attachments & Linked Assets</li> https://theforensicscooter.com/2022/09/16/shared-with-you-syndication-photo-library-message-attachments-linked-assets/ </ul> </li> <li> /mobile/Library/Preferences/com.apple.atc.plist <ul> <li>Checkra1n Era - Ep 4 - Analyzing extractions "Before First Unlock"</li> https://blog.digital-forensics.it/2019/12/checkra1n-era-ep-4-analyzing.html <li>Do you have a Full-Sized Asset…or just a Thumbnail? Did Optimized iPhone Storage process occur?</li> https://theforensicscooter.com/2022/12/05/do-you-have-a-full-sized-assetor-just-a-thumbnail-did-optimized-iphone-storage-process-occur/ </ul> </li> <li> /mobile/Library/Preferences/com.apple.BatteryCenter.BatteryWidget.plist </li> <li> /mobile/Library/Preferences/com.apple.camera.plist <ul> <li>Local Photo Library Photos.sqlite Query Documentation & Notable Artifacts</li> https://theforensicscooter.com/2022/05/02/photos-sqlite-query-documentation-notable-artifacts/ <li>Do you have a Full-Sized Asset…or just a Thumbnail? Did Optimized iPhone Storage process occur?</li> https://theforensicscooter.com/2022/12/05/do-you-have-a-full-sized-assetor-just-a-thumbnail-did-optimized-iphone-storage-process-occur/ </ul> </li> <li> /mobile/Library/Preferences/com.apple.carplay.plist <ul> <li>Ridin’ With Apple CarPlay</li> https://thebinaryhick.blog/2019/05/08/ridin-with-apple-carplay/ <li>They See Us Rollin’; They Hatin’: Forensics of iOS CarPlay and Android Auto</li> https://papers.put.as/papers/ios/2019/summit_archive_1564072550.pdf <li>iOS 16 - Breaking Down the Biomes (Part 3) - Keeping up with CarPlay</li> https://blog.d204n6.com/2022/09/ios-16-breaking-down-biomes-part-3.html <li>Digital Forensic Case Studies for In-Vehicle Infotainment Systems Using Android Auto and Apple CarPlay</li> https://www.mdpi.com/1424-8220/22/19/7196/pdf <li>Cellebrite CTF 2021 Writeup</li> https://medium.com/@williamskosasi/cellebrite-ctf-2021-writeup-b73d821a708 <li>Cellebrite CTF 2021 - Marsha's iPhone</li> https://www.stark4n6.com/2021/10/cellebrite-ctf-2021-marshas-iphone.html <li>Auto-Parser: Android Auto and Apple CarPlay Forensics</li> https://link.springer.com/chapter/10.1007/978-3-031-06365-7_4 https://github.com/BiTLab-BaggiliTruthLab/Auto-Parser-Android-Auto-Apple-CarPlay </ul> </li> <li> /mobile/Library/Preferences/com.apple.celestial.plist <ul> <li>Ridin’ With Apple CarPlay</li> https://thebinaryhick.blog/2019/05/08/ridin-with-apple-carplay/ <li>Auto-Parser: Android Auto and Apple CarPlay Forensics</li> https://link.springer.com/chapter/10.1007/978-3-031-06365-7_4 https://github.com/BiTLab-BaggiliTruthLab/Auto-Parser-Android-Auto-Apple-CarPlay </ul> </li> <li> /mobile/Library/Preferences/com.apple.cloud.quota.plist <ul> <li>Checkra1n Era - Ep 4 - Analyzing extractions "Before First Unlock"</li> https://blog.digital-forensics.it/2019/12/checkra1n-era-ep-4-analyzing.html </ul> </li> <li> /mobile/Library/Preferences/com.apple.cloudphotod.plist <ul> <li>Local Photo Library Photos.sqlite Query Documentation & Notable Artifacts</li> https://theforensicscooter.com/2022/05/02/photos-sqlite-query-documentation-notable-artifacts/ </li> </ul> <li> /mobile/Library/Preferences/com.apple.cmfsyncagent.plist <ul> <li>Checkra1n Era - Ep 4 - Analyzing extractions "Before First Unlock"</li> https://blog.digital-forensics.it/2019/12/checkra1n-era-ep-4-analyzing.html <li>The Meaning of Messages</li> https://www.magnetforensics.com/blog/the-meaning-of-messages/ </ul> </li> <li> /mobile/Library/Preferences/com.apple.commcenter.shared.plist <ul> <li>Practical Mobile Forensics - Fourth Edition</li> https://www.packtpub.com/product/practical-mobile-forensics-fourth-edition/9781838647520 </ul> </li> <li> /mobile/Library/Preferences/com.apple.conference.plist </li> <li> /mobile/Library/Preferences/com.apple.contacts.donation-agent.plist </li> <li> /mobile/Library/Preferences/com.apple.contextstored.plist </li> <li> /mobile/Library/Preferences/com.apple.CoreDuet.plist </li> <li> /mobile/Library/Preferences/com.apple.CoreDuet.QueuedDenials.plist </li> <li> /mobile/Library/Preferences/com.apple.coreduetd.batterysaver.state.plist </li> <li> /mobile/Library/Preferences/com.apple.coreduetd.plist <ul> <li>iOS Forensics: BFU (Before First Unlock) acquisition, using checkra1n</li> https://andreafortuna.org/2020/01/10/ios-forensics-bfu-before-first-unlock-acquisition-using-checkra1n/ <li>iOS Forensics: HFS+ file system, partitions and relevant evidences</li> https://andreafortuna.org/2020/08/31/ios-forensics-hfs-file-system-partitions-and-relevant-evidences/ </ul> </li> <li> /mobile/Library/Preferences/com.apple.corerecents.recentsd.plist </li> <li> /mobile/Library/Preferences/com.apple.corespotlightui.plist </li> <li> /mobile/Library/Preferences/com.apple.FeedbackAssistant.plist </li> <li> /mobile/Library/Preferences/com.apple.homesharing.plist <ul> <li>iOS Forensics: BFU (Before First Unlock) acquisition, using checkra1n</li> https://andreafortuna.org/2020/01/10/ios-forensics-bfu-before-first-unlock-acquisition-using-checkra1n/ <li>iOS Analysis Test No. 18-5551 Summary Report</li> https://cts-forensics.com/reports/38551_Web.pdf </ul> </li> <li> /mobile/Library/Preferences/com.apple.icloud.findmydeviced.FMIPAccounts.plist </li> <li> /mobile/Library/Preferences/com.apple.icloud.fmfd.plist <ul> <li>iOS - Tracking Device Migration</li> https://blog.d204n6.com/2021/06/ios-tracking-device-migration.html </ul> </li> <li> /mobile/Library/Preferences/com.apple.identityservices.idstatuscache.plist <ul> <li>How iOS Properties Files Can Confirm a Suspect’s Contacts Even If Deleted</li> https://cellebrite.com/en/how-ios-properties-files-can-confirm-a-suspects-contacts-even-if-data-deleted/ <li>Checkra1n Era - Ep 4 - Analyzing extractions "Before First Unlock"</li> https://blog.digital-forensics.it/2019/12/checkra1n-era-ep-4-analyzing.html <li>iOS Forensics: HFS+ file system, partitions and relevant evidences</li> https://andreafortuna.org/2020/08/31/ios-forensics-hfs-file-system-partitions-and-relevant-evidences/ <li>Making the most of Property Lists</li> https://forensicskween.com/research/making-the-most-of-property-lists/ <li>Practical Mobile Forensics - Fourth Edition</li> https://www.packtpub.com/product/practical-mobile-forensics-fourth-edition/9781838647520 </ul> </li> <li> /mobile/Library/Preferences/com.apple.imservice*.plist </li> <li> /mobile/Library/Preferences/com.apple.locationd.plist <ul> <li>Checkra1n Era - Ep 4 - Analyzing extractions "Before First Unlock"</li> https://blog.digital-forensics.it/2019/12/checkra1n-era-ep-4-analyzing.html <li>iOS Location Services and System Services are they ON or OFF</li> https://dfir.pubpub.org/pub/4sv4kxyh/release/2 <li>iOS Location Services and System Services ON or OFF?</li> https://theforensicscooter.com/2021/09/20/ios-location-services-and-system-services-on-or-off/ <li>iOS Analysis Test No. 18-5551 Summary Report</li> https://cts-forensics.com/reports/38551_Web.pdf <li>Practical Mobile Forensics - Fourth Edition</li> https://www.packtpub.com/product/practical-mobile-forensics-fourth-edition/9781838647520 </ul> </li> <li> /mobile/Library/Preferences/com.apple.madrid.plist <ul> <li>Checkra1n Era - Ep 4 - Analyzing extractions "Before First Unlock"</li> https://blog.digital-forensics.it/2019/12/checkra1n-era-ep-4-analyzing.html <li>The Meaning of Messages</li> https://www.magnetforensics.com/blog/the-meaning-of-messages/ <li>iOS Forensics for Investigators</li> https://www.packtpub.com/product/ios-forensics-for-investigators/9781803234083 </ul> </li> <li> /mobile/Library/Preferences/com.apple.messages.pinning.plist <ul> <li>The Meaning of Messages</li> https://www.magnetforensics.com/blog/the-meaning-of-messages/ </ul> </li> <li> /mobile/Library/Preferences/com.apple.migration.plist <ul> <li>iOS - Tracking Device Migration</li> https://blog.d204n6.com/2021/06/ios-tracking-device-migration.html <li>Local Photo Library Photos.sqlite Query Documentation & Notable Artifacts</li> https://theforensicscooter.com/2022/05/02/photos-sqlite-query-documentation-notable-artifacts/ </ul> </li> <li> /mobile/Library/Preferences/com.apple.mmcs.plist </li> <li> /mobile/Library/Preferences/com.apple.mobile.ldbackup.plist <ul> <li>Checkra1n Era - Ep 4 - Analyzing extractions "Before First Unlock"</li> https://blog.digital-forensics.it/2019/12/checkra1n-era-ep-4-analyzing.html <li>Local Photo Library Photos.sqlite Query Documentation & Notable Artifacts</li> https://theforensicscooter.com/2022/05/02/photos-sqlite-query-documentation-notable-artifacts/ <li>Practical Mobile Forensics - Fourth Edition</li> https://www.packtpub.com/product/practical-mobile-forensics-fourth-edition/9781838647520 </ul> </li> <li> /mobile/Library/Preferences/com.apple.mobilegestalt.plist <ul> <li>WHO IS THE OWNER OF THE MOBILE DEVICE?</li> https://www.digitalforensics.com/blog/articles/who-is-the-owner-of-the-mobile-device/ <li>Practical Mobile Forensics - Fourth Edition</li> https://www.packtpub.com/product/practical-mobile-forensics-fourth-edition/9781838647520 </ul> </li> <li> /mobile/Library/Preferences/com.apple.mobilephone.plist <ul> <li>Practical Mobile Forensics - Fourth Edition</li> https://www.packtpub.com/product/practical-mobile-forensics-fourth-edition/9781838647520 </ul> </li> <li> /mobile/Library/Preferences/com.apple.mobileslideshow.plist <ul> <li>How to find iOS Hidden Assets</li> https://theforensicscooter.com/2022/07/29/how-to-find-ios-hidden-assets/ <li>Do you have a Full-Sized Asset…or just a Thumbnail? Did Optimized iPhone Storage process occur?</li> https://theforensicscooter.com/2022/12/05/do-you-have-a-full-sized-assetor-just-a-thumbnail-did-optimized-iphone-storage-process-occur/ </ul> </li> <li> /mobile/Library/Preferences/com.apple.MobileSMS.plist <ul> <li>Checkra1n Era - Ep 4 - Analyzing extractions "Before First Unlock"</li> https://blog.digital-forensics.it/2019/12/checkra1n-era-ep-4-analyzing.html <li>What is the likelihood of recovering deleted iPhone messages?</li> https://improsec.com/tech-blog/what-is-the-likelihood-of-recovering-deleted-iphone-messages <li>Missing Pieces: Tips and Tricks on how to ensure your acquisitions aren’t missing critical data</li> https://static1.squarespace.com/static/62ab5b933d903d4c55e5d716/t/62fa28d8fd3a89429f8a9a80/1660561630138/MissingPieces_Hyde_Quezada_Final.pdf <li>The Meaning of Messages</li> https://www.magnetforensics.com/blog/the-meaning-of-messages/ <li>Practical Mobile Forensics - Fourth Edition</li> https://www.packtpub.com/product/practical-mobile-forensics-fourth-edition/9781838647520 <li>iOS Forensics for Investigators</li> https://www.packtpub.com/product/ios-forensics-for-investigators/9781803234083 </ul> </li> <li> /mobile/Library/Preferences/com.apple.mt.lastLaunch.plist </li> <li> /mobile/Library/Preferences/com.apple.nano.plist </li> <li> /mobile/Library/Preferences/com.apple.nanoregistry.plist </li> <li> /mobile/Library/Preferences/com.apple.preferences.datetime.plist <ul> <li>Checkra1n Era - Ep 4 - Analyzing extractions "Before First Unlock"</li> https://blog.digital-forensics.it/2019/12/checkra1n-era-ep-4-analyzing.html <li>Practical Mobile Forensics - Fourth Edition</li> https://www.packtpub.com/product/practical-mobile-forensics-fourth-edition/9781838647520 </ul> </li> <li> /mobile/Library/Preferences/com.apple.preferences.network.plist <ul> <li>Artifacts of an IOS device</li> https://infosecaddicts.com/artifacts-ios-device/ <li>Wireless Network Preferences – iOS</li> https://bitsplease4n6.wordpress.com/2020/12/17/wireless-network-preferences-ios/ </ul> </li> <li> /mobile/Library/Preferences/com.apple.Preferences.plist <ul> <li>Checkra1n Era - Ep 4 - Analyzing extractions "Before First Unlock"</li> https://blog.digital-forensics.it/2019/12/checkra1n-era-ep-4-analyzing.html <li>Practical Mobile Forensics - Fourth Edition</li> https://www.packtpub.com/product/practical-mobile-forensics-fourth-edition/9781838647520 </ul> </li> <li> /mobile/Library/Preferences/com.apple.purplebuddy.plist <ul> <li>iOS - Tracking Device Migration</li> https://blog.d204n6.com/2021/06/ios-tracking-device-migration.html <li>Putting a User Behind an iOS Device</li> https://dfrws.org/wp-content/uploads/2020/06/2020_USA_pres-putting_a_user_behind_an_ios_device.pdf <li>How was an iPhone set up?</li> https://dfir.pubpub.org/pub/2q177smo/release/5 <li>Upgrade From NULL—Detecting iOS Wipe Artifacts</li> https://dfir.pubpub.org/pub/6i7d593n/release/1 <li>How was an iPhone set up?</li> https://smarterforensics.com/2019/01/how-was-an-iphone-setup/ <li>How To Identify When an IPhone or iPad was Factory Reset</li> https://athenaforensics.co.uk/how-to-identify-when-an-iphone-or-ipad-was-factory-reset/ <li>Checkra1n Era - Ep 4 - Analyzing extractions "Before First Unlock"</li> https://blog.digital-forensics.it/2019/12/checkra1n-era-ep-4-analyzing.html <li>Local Photo Library Photos.sqlite Query Documentation & Notable Artifacts</li> https://theforensicscooter.com/2022/05/02/photos-sqlite-query-documentation-notable-artifacts/ <li>iOS Analysis Test No. 20-5551 Summary Report</li> https://cts-forensics.com/reports/20-5551_Web.pdf </ul> </li> <li> /mobile/Library/Preferences/com.apple.sharingd.plist <ul> <li>Analysis of Apple Unified Logs: Quarantine Edition [Entry 11] – AirDropping Some Knowledge</li> http://www.mac4n6.com/blog/2020/6/5/analysis-of-apple-unified-logs-quarantine-edition-entry-11-airdropping-some-knowledge <li>EXTRACTING FORENSIC ARTIFACTS FROM APPLE CONTINUITY</li> https://smarterforensics.com/wp-content/uploads/2014/06/The-Cider-Press-DFIR_Summit2017.pdf <li>Checkra1n Era - Ep 4 - Analyzing extractions "Before First Unlock"</li> https://blog.digital-forensics.it/2019/12/checkra1n-era-ep-4-analyzing.html </ul> </li> <li> /mobile/Library/Preferences/com.apple.springboard.plist <ul> <li>Recover your iPhone Screen Time or restrictions passcode (supports iOS 14)</li> https://www.iphonebackupextractor.com/guides/recover-screen-time-parental-restrictions-passcode/ <li>Artifacts of an IOS device</li> https://infosecaddicts.com/artifacts-ios-device/ <li>Auto-Parser: Android Auto and Apple CarPlay Forensics</li> https://link.springer.com/chapter/10.1007/978-3-031-06365-7_4 https://github.com/BiTLab-BaggiliTruthLab/Auto-Parser-Android-Auto-Apple-CarPlay <li>Practical Mobile Forensics - Fourth Edition</li> https://www.packtpub.com/product/practical-mobile-forensics-fourth-edition/9781838647520 </ul> </li> <li> /mobile/Library/Preferences/com.apple.timed.plist <ul> <li>Checkra1n Era - Ep 4 - Analyzing extractions "Before First Unlock"</li> https://blog.digital-forensics.it/2019/12/checkra1n-era-ep-4-analyzing.html </ul> </li> <li> /mobile/Library/Preferences/com.apple.weather.plist </li> <li> /mobile/Library/Recents/Recents <ul> <li>iOS Analysis Test No. 20-5551 Summary Report</li> https://cts-forensics.com/reports/20-5551_Web.pdf <li>Recents query</li> https://github.com/kacos2000/queries/blob/master/recents.sql </ul> </li> <li> /mobile/Library/Reminders/ <ul> <li>Cellebrite CTF 2020: Ruth Langmore</li> https://ciofecaforensics.com/2020/11/02/cellebrite-ctf-ruth/ <li>iLEAPP Reminders Plugin</li> https://github.com/abrignoni/iLEAPP/blob/main/scripts/artifacts/reminders.py </ul> </li> <li> /mobile/Library/Safari/Bookmarks.db <ul> <li>iOS 14 - First Thoughts and Analysis</li> https://blog.d204n6.com/2020/09/ios-14-first-thoughts-and-analysis.html <li>Getting Started with iOS Forensics</li> https://www.systoolsgroup.com/forensics/sqlite/ios.html <li>iLEAPP Safari Bookmarks Plugin</li> https://github.com/abrignoni/iLEAPP/blob/main/scripts/artifacts/safariBookmarks.py <li>Practical Mobile Forensics - Fourth Edition</li> https://www.packtpub.com/product/practical-mobile-forensics-fourth-edition/9781838647520 <li>iOS Forensics for Investigators</li> https://www.packtpub.com/product/ios-forensics-for-investigators/9781803234083 </ul> </li> <li> /mobile/Library/Safari/BrowserState.db <ul> <li>Examining mobile devices: identiffying private internet browking activity in Mobile Safari</li> https://www.opentext.com/file_source/OpenText/en_US/PDF/Examining-mobiledevices-&-private-internet-browsing-activity-whitepaper-en.pdf <li>iOS 14 - First Thoughts and Analysis</li> https://blog.d204n6.com/2020/09/ios-14-first-thoughts-and-analysis.html <li>iLEAPP Safari Tabs Plugin</li> https://github.com/abrignoni/iLEAPP/blob/main/scripts/artifacts/safariTabs.py <li>iOS Forensics for Investigators</li> https://www.packtpub.com/product/ios-forensics-for-investigators/9781803234083 </ul> </li> <li> /mobile/Library/Safari/CloudTabs.db <ul> <li>iLEAPP Safari Tabs Plugin</li> https://github.com/abrignoni/iLEAPP/blob/main/scripts/artifacts/safariTabs.py <li>iOS Forensics for Investigators</li> https://www.packtpub.com/product/ios-forensics-for-investigators/9781803234083 </ul> </li> <li> /mobile/Library/Safari/History.db <ul> <li>Missing SQLite Records Analysis</li> https://dfir.pubpub.org/pub/33vkc2ul/release/1 <li>Examining mobile devices: identiffying private internet browking activity in Mobile Safari</li> https://www.opentext.com/file_source/OpenText/en_US/PDF/Examining-mobiledevices-&-private-internet-browsing-activity-whitepaper-en.pdf <li>KnowledgeC (and Friends)</li> http://www.doubleblak.com/m/blogPosts.php?id=2 <li>Cellebrite CTF 2020: Ruth Langmore</li> https://ciofecaforensics.com/2020/11/02/cellebrite-ctf-ruth/ <li>Magnet User Summit 2022 CTF - iPhone</li> https://www.stark4n6.com/2022/06/magnet-user-summit-2022-ctf-iphone.html <li>Magnet User Summit 2022 CTF - iPhone</li> https://www.stark4n6.com/2022/06/magnet-user-summit-2022-ctf-iphone.html <li>iOS Analysis Test No. 18-5551 Summary Report</li> https://cts-forensics.com/reports/38551_Web.pdf <li>iOS Analysis Test No. 19-5551 Summary Report</li> https://cts-forensics.com/reports/19-5551_Web.pdf <li>iOS Analysis Test No. 20-5551 Summary Report</li> https://cts-forensics.com/reports/20-5551_Web.pdf <li>iOS Analysis Test No. 21-5551 Summary Report</li> https://cts-forensics.com/reports/21-5551_Web.pdf <li>iOS Analysis Test No. 22-5551 Summary Report</li> https://cts-forensics.com/reports/22-5551_Web.pdf <li>Reading Your Browser's History with SQLite</li> http://2016.padjo.org/tutorials/sqlite-your-browser-history/ <li>APOLLO Safari History Module</li> https://github.com/mac4n6/APOLLO/blob/master/modules/safari_history.txt <li>iLEAPP Safari History Plugin</li> https://github.com/abrignoni/iLEAPP/blob/main/scripts/artifacts/safariHistory.py <li>Practical Mobile Forensics - Fourth Edition</li> https://www.packtpub.com/product/practical-mobile-forensics-fourth-edition/9781838647520 <li>iOS Forensics for Investigators</li> https://www.packtpub.com/product/ios-forensics-for-investigators/9781803234083 </ul> </li> <li> /mobile/Library/Safari/SafariTabs.db <ul> <li>iOS 16 - Breaking Down the Biomes (Part 4) - Surfin' with Safari</li> https://blog.d204n6.com/2022/09/ios-16-breaking-down-biomes-part-4.html <li>iOS 16: What Digital Investigators Need to Know</li> https://www.magnetforensics.com/blog/ios-16-what-digital-investigators-need-to-know/ <li>Checking in on iOS 16 in Magnet AXIOM 6.8</li> https://www.magnetforensics.com/blog/checking-in-on-ios-16-in-magnet-axiom-6-8/ </ul> </li> <li> /mobile/Library/SMS/Attachments/ <ul> <li>The Meaning of Messages</li> https://www.magnetforensics.com/blog/the-meaning-of-messages/ <li>Using Photos.sqlite to Show the Relationships Between Photos and the Application they were Created with?</li> https://dfir.pubpub.org/pub/v19rksyf/release/1 https://smarterforensics.com/2020/08/does-photos-sqlite-have-relations-with-cameramessagesapp-by-scott-koenig/ <li>Shared with You Syndication Photo Library – Message Attachments & Linked Assets</li> https://theforensicscooter.com/2022/09/16/shared-with-you-syndication-photo-library-message-attachments-linked-assets/ <li>iOS Analysis Test No. 19-5551 Summary Report</li> https://cts-forensics.com/reports/19-5551_Web.pdf <li>iOS Forensics for Investigators</li> https://www.packtpub.com/product/ios-forensics-for-investigators/9781803234083 </ul> </li> <li> /mobile/Library/SMS/Drafts/ <ul> <li>Local Photo Library Photos.sqlite Query Documentation & Notable Artifacts</li> https://theforensicscooter.com/2022/05/02/photos-sqlite-query-documentation-notable-artifacts/ <li>iLEAPP Draft SMS Plugin</li> https://github.com/abrignoni/iLEAPP/blob/main/scripts/artifacts/draftmessage.py <li>iOS Forensics for Investigators</li> https://www.packtpub.com/product/ios-forensics-for-investigators/9781803234083 </ul> </li> <li> /mobile/Library/SMS/sms.db <ul> <li>The Meaning of Messages</li> https://www.magnetforensics.com/blog/the-meaning-of-messages/ <li>iOS16 iMessages</li> https://doubleblak.com/blogPosts.php?id=27 <li>iOS 16 - "Paul unsent a message." ... OR DID HE?!</li> https://blog.d204n6.com/2022/09/ios-16-paul-unsent-message-or-did-he.html <li>Message Reactions</li> https://doubleblak.com/blogPosts.php?id=24 <li>Sharing Locations in iOS Messages</li> https://thebinaryhick.blog/2021/09/29/sharing-locations-in-ios-messages/ <li>iOS 14 - Message Mentions and Threading</li> https://blog.d204n6.com/2020/09/ios-14-message-mentions-and-threading.html <li>Cellebrite CTF 2020: Juan Mortyme</li> https://ciofecaforensics.com/2020/10/30/cellebrite-ctf-juan/ <li>iOS Analysis Test No. 18-5551 Summary Report</li> https://cts-forensics.com/reports/38551_Web.pdf <li>iOS Analysis Test No. 19-5551 Summary Report</li> https://cts-forensics.com/reports/19-5551_Web.pdf <li>iOS Analysis Test No. 20-5551 Summary Report</li> https://cts-forensics.com/reports/20-5551_Web.pdf <li>Lagging for the Win: Querying for Negative Evidence in the sms.db</li> https://belkasoft.com/lagging-for-win <li>An Alternate Location for Deleted SMS/iMessage Data in Apple Devices</li> https://sqlmcgee.wordpress.com/2022/03/28/an-alternate-location-for-deleted-sms-imessage-data-in-apple-devices-2/ https://dfir.pubpub.org/pub/yp6efc8q/release/1 <li>Missing SQLite Records Analysis</li> https://dfir.pubpub.org/pub/33vkc2ul/release/1 <li>Local Photo Library Photos.sqlite Query Documentation & Notable Artifacts</li> https://theforensicscooter.com/2022/05/02/photos-sqlite-query-documentation-notable-artifacts/ <li>How To Identify When an IPhone or iPad was Factory Reset</li> https://athenaforensics.co.uk/how-to-identify-when-an-iphone-or-ipad-was-factory-reset/ <li>KnowledgeC (and Friends)</li> http://www.doubleblak.com/m/blogPosts.php?id=2 <li>Temporal Analysis Anomalies with iOS iMessage Communication Exchange</li> https://personal.cis.strath.ac.uk/george.weir/cyfor14/papers/4_govan_ovans.pdf <li>iLEAPP SMS Plugin</li> https://github.com/abrignoni/iLEAPP/blob/main/scripts/artifacts/sms.py <li>APOLLO SMS Modules</li> https://github.com/mac4n6/APOLLO/blob/master/modules/sms_chat.txt https://github.com/mac4n6/APOLLO/blob/master/modules/sms_chat_message_delivered.txt https://github.com/mac4n6/APOLLO/blob/master/modules/sms_chat_message_read.txt <li>Practical Mobile Forensics - Fourth Edition</li> https://www.packtpub.com/product/practical-mobile-forensics-fourth-edition/9781838647520 <li>iOS Forensics for Investigators</li> https://www.packtpub.com/product/ios-forensics-for-investigators/9781803234083 </ul> </li> <li> /mobile/Library/SMS/sms-temp.db <ul> <li>Checkra1n Era - Ep 4 - Analyzing extractions "Before First Unlock"</li> https://blog.digital-forensics.it/2019/12/checkra1n-era-ep-4-analyzing.html <li>iOS Forensics for Investigators</li> https://www.packtpub.com/product/ios-forensics-for-investigators/9781803234083 </ul> </li> <li> /mobile/Library/SpringBoard/HomeBackgroundThumbnail.jpg </li> <li> /mobile/Library/SpringBoard/IconState.plist <ul> <li>Today, Widgets, & Ignored Apps in iOS</li> https://thebinaryhick.blog/2021/07/25/today-widgets-ignored-apps-in-ios/ <li>Recover iOS App Screen Layouts with the New iOS Home Screen Items Artifact</li> https://www.magnetforensics.com/blog/recover-ios-app-screen-layouts-with-the-new-ios-home-screen-items-artifact/ <li>Checkra1n Era - Ep 4 - Analyzing extractions "Before First Unlock"</li> https://blog.digital-forensics.it/2019/12/checkra1n-era-ep-4-analyzing.html <li>iLEAPP Icon State Plugin</li> https://github.com/abrignoni/iLEAPP/blob/main/scripts/artifacts/iconsScreen.py <li>A Few Interesting iOS Forensic Artefacts</li> https://salt4n6.com/2018/05/15/a-few-interesting-ios-forensic-artefacts/ <li>iOS - Tracking Traces of Deleted Applications</li> https://blog.d204n6.com/2019/09/ios-tracking-traces-of-deleted.html <li>Tracking Traces of Deleted Applications - SANS DFIR Summit 2019</li> https://www.youtube.com/watch?v=4LcQm4ErXpA <li>Auto-Parser: Android Auto and Apple CarPlay Forensics</li> https://link.springer.com/chapter/10.1007/978-3-031-06365-7_4 https://github.com/BiTLab-BaggiliTruthLab/Auto-Parser-Android-Auto-Apple-CarPlay <li>They See Us Rollin’; They Hatin’: Forensics of iOS CarPlay and Android Auto</li> https://papers.put.as/papers/ios/2019/summit_archive_1564072550.pdf </ul> </li> <li> /mobile/Library/SpringBoard/LockBackgroundThumbnail.jpg </li> <ul> <li>Practical Mobile Forensics - Fourth Edition</li> https://www.packtpub.com/product/practical-mobile-forensics-fourth-edition/9781838647520 </ul> </li> <li> /mobile/Library/SpringBoard/LockBackgroundThumbnaildark.jpg </li> <ul> <li>Practical Mobile Forensics - Fourth Edition</li> https://www.packtpub.com/product/practical-mobile-forensics-fourth-edition/9781838647520 </ul> </li> <li> /mobile/Library/SpringBoard/TodayViewArchive.plist </li> <li> /mobile/Library/SpringBoard/PushStore/ <ul> <li>pushstore_parser</li> https://github.com/jakev/pushstore-parser <li>iLEAPP PushStore Plugin</li> https://github.com/abrignoni/iLEAPP/blob/main/scripts/artifacts/notificationsXI.py </ul> </li> <li> /mobile/Library/Suggestions/query_predictions.db <ul> <li>iLEAPP Query Predictions Plugin</li> https://github.com/abrignoni/iLEAPP/blob/main/scripts/artifacts/queryPredictions.py <li>APOLLO Query Predictions Module</li> https://github.com/mac4n6/APOLLO/blob/master/modules/query_predictions.txt </ul> </li> <li> /mobile/Library/TCC/TCC.db <ul> <li>Checkra1n Era - Ep 4 - Analyzing extractions "Before First Unlock"</li> https://blog.digital-forensics.it/2019/12/checkra1n-era-ep-4-analyzing.html <li>iOS Forensics: BFU (Before First Unlock) acquisition, using checkra1n</li> https://andreafortuna.org/2020/01/10/ios-forensics-bfu-before-first-unlock-acquisition-using-checkra1n/ <li>iOS Forensics: HFS+ file system, partitions and relevant evidences</li> https://andreafortuna.org/2020/08/31/ios-forensics-hfs-file-system-partitions-and-relevant-evidences/ <li>Cellebrite CTF 2021 - Beth's iPhone</li> https://www.stark4n6.com/2021/10/cellebrite-ctf-2021-beths-iphone.html <li>Analysis of Apple Unified Logs: Quarantine Edition [Entry 10] – You down with TCC? Yea, you know me! Tracking App Permissions and the TCC APOLLO Module</li> http://www.mac4n6.com/blog/2020/6/1/analysis-of-apple-unified-logs-quarantine-edition-entry-10-you-down-with-tcc-yea-you-know-me-tracking-app-permissions-and-the-tcc-apollo-module?rq=tcc <li>iLEAPP TCC Plugin</li> https://github.com/abrignoni/iLEAPP/blob/main/scripts/artifacts/tcc.py <li>APOLLO TCC Module</li> https://github.com/mac4n6/APOLLO/blob/master/modules/tcc_db.txt </ul> </li> <li> /mobile/Library/UserConfigurationProfiles/PublicEffectiveUserSettings.plist <ul> <li>iOS Settings Display Auto-Lock & Require Passcode</li> https://theforensicscooter.com/2021/09/05/ios-settings-display-auto-lock-require-passcode/ <li>iOS Settings Display Auto-Lock & Require Passcode</li> https://dfir.pubpub.org/pub/khnqi0ff/release/1 <li>Cellebrite CTF 2021 - Beth's iPhone</li> https://www.stark4n6.com/2021/10/cellebrite-ctf-2021-beths-iphone.html <li>Cellebrite CTF 2021 Writeup</li> https://medium.com/@williamskosasi/cellebrite-ctf-2021-writeup-b73d821a708 </ul> </li> <li> /mobile/Library/UserConfigurationProfiles/UserSettings.plist </li> <li> /mobile/Library/UserNotifications/ <ul> <li>Magnet User Summit 2022 CTF - iPhone</li> https://www.stark4n6.com/2022/06/magnet-user-summit-2022-ctf-iphone.html <li>iLEAPP User Notifications Plugin</li> https://github.com/abrignoni/iLEAPP/blob/main/scripts/artifacts/notificationsXII.py <li>Mobile Cyber Forensic Investigations of Web3 Wallets on Android and iOS</li> https://www.mdpi.com/2076-3417/12/21/11180 </ul> </li> <li> /mobile/Library/Voicemail/voicemail.db <ul> <li>iOS Voicemail Transcripts</li> https://www.linkedin.com/pulse/ios-voicemail-transcripts-charlie-rubisoff/ <li>Dude, Where's My Banana? Retrieving data from an iPhone voicemail database</li> http://cheeky4n6monkey.blogspot.com/2013/01/dude-wheres-my-banana-retrieving-data.html <li>Dude, Where's My Data?</li> http://az4n6.blogspot.com/2012/12/dude-wheres-my-data.html <li>iOS Analysis Test No. 18-5551 Summary Report</li> https://cts-forensics.com/reports/38551_Web.pdf <li>iOS Analysis Test No. 20-5551 Summary Report</li> https://cts-forensics.com/reports/20-5551_Web.pdf <li>iOS Analysis Test No. 21-5551 Summary Report</li> https://cts-forensics.com/reports/21-5551_Web.pdf <li>iOS Analysis Test No. 22-5551 Summary Report</li> https://cts-forensics.com/reports/22-5551_Web.pdf <li>Practical Mobile Forensics - Fourth Edition</li> https://www.packtpub.com/product/practical-mobile-forensics-fourth-edition/9781838647520 </ul> </li> </ul> </div> <h2 style="text-align: left;">"/mobile/Media/" folder</h2> <div> <ul> <li> /mobile/Media/DCIM/ <ul> <li>Local Photo Library Photos.sqlite Query Documentation & Notable Artifacts</li> https://theforensicscooter.com/2022/05/02/photos-sqlite-query-documentation-notable-artifacts/ <li>Do you have a Full-Sized Asset…or just a Thumbnail? Did Optimized iPhone Storage process occur?</li> https://theforensicscooter.com/2022/12/05/do-you-have-a-full-sized-assetor-just-a-thumbnail-did-optimized-iphone-storage-process-occur/ <li>How to find iOS Hidden Assets</li> https://theforensicscooter.com/2022/07/29/how-to-find-ios-hidden-assets/ <li>USING PHOTOS.SQLITE TO SHOW THE RELATIONSHIPS BETWEEN PHOTOS AND THE APPLICATION THEY WERE CREATED WITH? BY SCOTT KOENIG</li> https://smarterforensics.com/2020/08/does-photos-sqlite-have-relations-with-cameramessagesapp-by-scott-koenig/ https://dfir.pubpub.org/pub/v19rksyf/release/1 <li>Checkra1n Era - Ep 4 - Analyzing extractions "Before First Unlock"</li> https://blog.digital-forensics.it/2019/12/checkra1n-era-ep-4-analyzing.html <li>Cellebrite CTF 2021 Writeup</li> https://medium.com/@williamskosasi/cellebrite-ctf-2021-writeup-b73d821a708 <li>Cellebrite CTF 2020: Juan Mortyme</li> https://ciofecaforensics.com/2020/10/30/cellebrite-ctf-juan/ <li>Cellebrite CTF 2022 - Marsha's iPhone</li> https://www.stark4n6.com/2022/06/cellebrite-ctf-2022-marshas-iphone.html <li>Magnet Forensics Virtual Summit 2023 CTF – iOS</li> https://www.forgottennook.com/blog/magnet-ios-2023 <li>iOS Analysis Test No. 18-5551 Summary Report</li> https://cts-forensics.com/reports/38551_Web.pdf <li>iOS Analysis Test No. 19-5551 Summary Report</li> https://cts-forensics.com/reports/19-5551_Web.pdf <li>iOS Analysis Test No. 20-5551 Summary Report</li> https://cts-forensics.com/reports/20-5551_Web.pdf <li>iOS Analysis Test No. 21-5551 Summary Report</li> https://cts-forensics.com/reports/21-5551_Web.pdf <li>iOS Analysis Test No. 22-5551 Summary Report</li> https://cts-forensics.com/reports/22-5551_Web.pdf <li>Practical Mobile Forensics - Fourth Edition</li> https://www.packtpub.com/product/practical-mobile-forensics-fourth-edition/9781838647520 <li>iOS Forensics for Investigators</li> https://www.packtpub.com/product/ios-forensics-for-investigators/9781803234083 </ul> </li> <li> /mobile/Media/iTunes_Control/iTunes/MediaLibrary.sqlitedb <ul> <li>Checkra1n Era - Ep 4 - Analyzing extractions "Before First Unlock"</li> https://blog.digital-forensics.it/2019/12/checkra1n-era-ep-4-analyzing.html <li>Cellebrite CTF 2020: Ruth Langmore</li> https://ciofecaforensics.com/2020/11/02/cellebrite-ctf-ruth/ <li>Apple TV Forensics 03: Analysis</li> https://blog.elcomsoft.com/2019/09/apple-tv-forensics-03-analysis/ <li>Forensicating The Apple TV</li> https://www.forensicfocus.com/webinars/forensicating-the-apple-tv/ <li>Apple Watch Forensics 02: Analysis</li> https://blog.elcomsoft.com/2019/06/apple-watch-forensics-02-analysis/ <li>APPLE WATCH FORENSICS: IS IT EVER POSSIBLE, AND WHAT IS THE PROFIT?</li> https://www.forensicfocus.com/webinars/apple-watch-forensics-is-it-ever-possible-and-what-is-the-profit/ https://dfrws.org/wp-content/uploads/2019/06/2019_EU_pres-apple_watch_forensics_is_it_ever_possible_and_what_is_the_profit.pdf <li>iLEAPP Media Library Plugin</li> https://github.com/abrignoni/iLEAPP/blob/main/scripts/artifacts/mediaLibrary.py </ul> </li> <li> /mobile/Media/iTunesControl/iTunes/iTunesPrefs <ul> <li>Checkra1n Era - Ep 4 - Analyzing extractions "Before First Unlock"</li> https://blog.digital-forensics.it/2019/12/checkra1n-era-ep-4-analyzing.html <li>Forensic Analysis of iTunes Backups</li> https://farleyforensics.com/2019/04/14/forensic-analysis-of-itunes-backups/ </ul> </li> <li> /mobile/Media/MediaAnalysis/mediaanalysis.db <ul> <li>Follow-on to DFIR Summit Talk: Lucky (iOS) 13: Time To Press Your Bets (via @bizzybarney)</li> http://www.mac4n6.com/blog/2020/7/19/follow-on-to-dfir-summit-talk-lucky-ios-13-time-to-press-your-bets-via-bizzybarney <li>iOS Forensics for Investigators</li> https://www.packtpub.com/product/ios-forensics-for-investigators/9781803234083 </ul> </li> <li> /mobile/Media/PhotoData/AlbumsMetadata/ <ul> <li>Local Photo Library Photos.sqlite Query Documentation & Notable Artifacts</li> https://theforensicscooter.com/2022/05/02/photos-sqlite-query-documentation-notable-artifacts/ </ul> </li> <li> /mobile/Media/PhotoData/PhotoCloudSharingData/ <ul> <li>Local Photo Library Photos.sqlite Query Documentation & Notable Artifacts</li> https://theforensicscooter.com/2022/05/02/photos-sqlite-query-documentation-notable-artifacts/ <li>Local Photo Library Photos.sqlite Query Variations & WHERE statements</li> https://theforensicscooter.com/2022/02/21/photos-sqlite-update/ <li>Photos.sqlite ZINTERNALRESOURCE Table Reference Guide</li> https://theforensicscooter.com/2022/12/03/photos-sqlite-zinternalresource-table-reference-guide/ <li>Sharing is Caring – An Overview of Shared Albums in iOS</li> https://gforce4n6.blogspot.com/2020/09/sharing-is-caring-overview-of-shared.html <li>iLEAPP Shared Albumbs Plugin</li> https://github.com/abrignoni/iLEAPP/blob/main/scripts/artifacts/icloudSharedalbums.py <li>iOS Forensics for Investigators</li> https://www.packtpub.com/product/ios-forensics-for-investigators/9781803234083 </ul> </li> <li> /mobile/Media/PhotoData/Caches/GraphService/CLSPublicEventCache.sqlite </li> <li> /mobile/Media/PhotoData/CPL/ <ul> <li>Local Photo Library Photos.sqlite Query Documentation & Notable Artifacts</li> https://theforensicscooter.com/2022/05/02/photos-sqlite-query-documentation-notable-artifacts/ <li>Do you have a Full-Sized Asset…or just a Thumbnail? Did Optimized iPhone Storage process occur?</li> https://theforensicscooter.com/2022/12/05/do-you-have-a-full-sized-assetor-just-a-thumbnail-did-optimized-iphone-storage-process-occur/ <li>How to find iOS Hidden Assets</li> https://theforensicscooter.com/2022/07/29/how-to-find-ios-hidden-assets/ <li>Practical Mobile Forensics - Fourth Edition</li> https://www.packtpub.com/product/practical-mobile-forensics-fourth-edition/9781838647520 </ul> </li> <li> /mobile/Media/PhotoData/Photos.sqlite <ul> <li>Photos.sqlite Queries – Original Blog Posting</li> https://theforensicscooter.com/2021/11/23/photos-sqlite-queries/ <li>Local Photo Library Photos.sqlite Query Documentation & Notable Artifacts</li> https://theforensicscooter.com/2022/05/02/photos-sqlite-query-documentation-notable-artifacts/ <li>Local Photo Library Photos.sqlite Query Variations & WHERE statements</li> https://theforensicscooter.com/2022/02/21/photos-sqlite-update/ <li>How to find iOS Hidden Assets</li> https://theforensicscooter.com/2022/07/29/how-to-find-ios-hidden-assets/ <li>Photos.sqlite ZINTERNALRESOURCE Table Reference Guide</li> https://theforensicscooter.com/2022/12/03/photos-sqlite-zinternalresource-table-reference-guide/ <li>Do you have a Full-Sized Asset…or just a Thumbnail? Did Optimized iPhone Storage process occur?</li> https://theforensicscooter.com/2022/12/05/do-you-have-a-full-sized-assetor-just-a-thumbnail-did-optimized-iphone-storage-process-occur/ <li>Part B Filling a device internal storage for Optimize iPhone Storage Research</li> https://theforensicscooter.com/2022/12/03/part-b-filling-a-device-internal-storage-for-optimize-iphone-storage-research/ <li>iOS Media Adjustments</li> https://www.doubleblak.com/blogPosts.php?id=23 <li>iOS Local Photo Library (PL) Photos.sqlite Queries</li> https://github.com/ScottKjr3347/iOS_Local_PL_Photos.sqlite_Queries <li>USING PHOTOS.SQLITE TO SHOW THE RELATIONSHIPS BETWEEN PHOTOS AND THE APPLICATION THEY WERE CREATED WITH? BY SCOTT KOENIG</li> https://smarterforensics.com/2020/08/does-photos-sqlite-have-relations-with-cameramessagesapp-by-scott-koenig/ https://dfir.pubpub.org/pub/v19rksyf/release/1 <li>How Did That Photo Get on That iPhone? – Deep Dive into the iOS “Photos.sqlite” database</li> https://msab.com/guides-whitepapers/forensic-dive-into-ios-photos-sqlite-database/ <li>How Did That Photo Get on That iPhone: Media Attribution for iOS</li> https://www.msab.com/blog/media-attribution-for-ios/ <li>iOS Photos.sqlite Forensics</li> https://www.forensicmike1.com/2019/05/02/ios-photos-sqlite-forensics/ <li>macOS & iOS Photos Support with Magnet AXIOM</li> https://www.magnetforensics.com/blog/macos-ios-photos-support-with-magnet-axiom/ <li>Apple Watch Forensics 02: Analysis</li> https://blog.elcomsoft.com/2019/06/apple-watch-forensics-02-analysis/ <li>Apple iOS: Recently Deleted images</li> https://forensenellanebbia.blogspot.com/2015/10/apple-ios-recently-deleted-images.html <li>The Apple Photos library</li> https://www.tonkata.com/posts/apple-photos/ <li>Photos.sqlite query</li> https://github.com/kacos2000/queries/blob/master/Photos_sqlite.sql <li>iLEAPP Photos Plugin</li> https://github.com/abrignoni/iLEAPP/blob/main/scripts/artifacts/photosMetadata.py <li>Practical Mobile Forensics - Fourth Edition</li> https://www.packtpub.com/product/practical-mobile-forensics-fourth-edition/9781838647520 <li>iOS Forensics for Investigators</li> https://www.packtpub.com/product/ios-forensics-for-investigators/9781803234083 </ul> </li> <li> /mobile/Media/PhotoData/Thumbnails/ <ul> <li>iPhone Photodata Thumbnails</li> https://athenaforensics.co.uk/iphone-photodata-thumbnails/ <li>Local Photo Library Photos.sqlite Query Documentation & Notable Artifacts</li> https://theforensicscooter.com/2022/05/02/photos-sqlite-query-documentation-notable-artifacts/ <li>Do you have a Full-Sized Asset…or just a Thumbnail? Did Optimized iPhone Storage process occur?</li> https://theforensicscooter.com/2022/12/05/do-you-have-a-full-sized-assetor-just-a-thumbnail-did-optimized-iphone-storage-process-occur/ <li>Photos.sqlite ZINTERNALRESOURCE Table Reference Guide</li> https://theforensicscooter.com/2022/12/03/photos-sqlite-zinternalresource-table-reference-guide/ <li>iOS iThmbs</li> http://dig-forensics.blogspot.com/2013/05/ios-ithmbs.html <li>iThmb Converter</li> https://www.ithmbconverter.com/ <li>iOS Forensics for Investigators</li> https://www.packtpub.com/product/ios-forensics-for-investigators/9781803234083 </ul> </li> <li> /mobile/Media/Recordings/ <ul> <li>Forensic originality identification of iPhone’s voice memos</li> https://iopscience.iop.org/article/10.1088/1742-6596/1345/5/052053/pdf <li>A method of forensic authentication of audio recordings generated using the Voice Memos application in the iPhone</li> https://www.sciencedirect.com/science/article/abs/pii/S0379073821000220 <li>Advanced forensic procedure for the authentication of audio recordings generated by Voice Memos application of iOS14</li> https://onlinelibrary.wiley.com/doi/abs/10.1111/1556-4029.15016 <li>Cellebrite CTF 2020: Juan Mortyme</li> https://ciofecaforensics.com/2020/10/30/cellebrite-ctf-juan/ <li>iLEAPP Voice Recordings Plugin</li> https://github.com/abrignoni/iLEAPP/blob/main/scripts/artifacts/voiceRecordings.py <li>Practical Mobile Forensics - Fourth Edition</li> https://www.packtpub.com/product/practical-mobile-forensics-fourth-edition/9781838647520 </ul> </li> </ul> </div> <h2 style="text-align: left;">"/mobile/MobileSoftwareUpdate/" folder</h2> <div> <ul> <li> /mobile/MobileSoftwareUpdate/restore.log <ul> <li>Restore Log - Tracking iOS Update History</li> https://www.stark4n6.com/2021/10/restore-log-tracking-ios-update-history.html <li>Cellebrite CTF 2021 Writeup</li> https://medium.com/@williamskosasi/cellebrite-ctf-2021-writeup-b73d821a708 <li>iLEAPP restore.log Plugin</li> https://github.com/abrignoni/iLEAPP/blob/main/scripts/artifacts/restoreLog.py </ul> </li> </ul> </div> <h2 style="text-align: left;">"/networkd/" folder</h2> <div> <ul> <li> /networkd/netusage.sqlite <ul> <li>Network and Application Usage using netusage.sqlite & DataUsage.sqlite iOS Databases</li> http://www.mac4n6.com/blog/2019/1/6/network-and-application-usage-using-netusagesqlite-amp-datausagesqlite-ios-databases <li>iOS - Tracking Traces of Deleted Applications</li> https://blog.d204n6.com/2019/09/ios-tracking-traces-of-deleted.html <li>Tracking Traces of Deleted Applications - SANS DFIR Summit 2019</li> https://www.youtube.com/watch?v=4LcQm4ErXpA <li>iOS Forensics: HFS+ file system, partitions and relevant evidences</li> https://andreafortuna.org/2020/08/31/ios-forensics-hfs-file-system-partitions-and-relevant-evidences/ <li>iLEAPP Net Usage Plugin</li> https://github.com/abrignoni/iLEAPP/blob/main/scripts/artifacts/netusage.py <li>APOLLO Netusage Module</li> https://github.com/mac4n6/APOLLO/blob/master/modules/netusage_zprocess.txt https://github.com/mac4n6/APOLLO/blob/master/modules/netusage_zliveusage.txt https://github.com/mac4n6/APOLLO/blob/master/modules/netusage_zliverouteperf.txt </ul> </li> </ul> </div> <h2 style="text-align: left;">"/preferences/" folder</h2> <div> <ul> <li> /preferences/com.apple.networkextension.plist </li> <li> /preferences/com.apple.wifi.known-networks.plist <ul> <li>Apple Private Wi-Fi Addresses</li> https://ciofecaforensics.com/2020/10/24/apple-private-addresses/ <li>Sysdiagnose in iOS 16: a first look from a Digital Forensics perspective</li> https://blog.digital-forensics.it/2022/11/sysdiagnose-in-ios-16-first-look-from.html <li>mac_apt WiFi Plugin</li> https://github.com/ydkhatri/mac_apt/blob/master/plugins/ios_wifi.py </ul> </li> <li> /preferences/SystemConfiguration/com.apple.accounts.exists.plist <ul> <li>Checkra1n Era - Ep 4 - Analyzing extractions "Before First Unlock"</li> https://blog.digital-forensics.it/2019/12/checkra1n-era-ep-4-analyzing.html <li>iLEAPP Conf Accounts Plugin</li> https://github.com/abrignoni/iLEAPP/blob/main/scripts/artifacts/confaccts.py </ul> </li> <li> /preferences/SystemConfiguration/com.apple.networkidentification.plist <ul> <li>Artifacts of an IOS device</li> https://infosecaddicts.com/artifacts-ios-device/ <li>Everything You Always Wanted to Know About iTunes and iCloud Backups But Were Afraid to Ask</li> https://blog.elcomsoft.com/2014/03/itunes-icloud-backups/ </ul> </li> <li> /preferences/SystemConfiguration/com.apple.radios.plist <ul> <li>Checkra1n Era - Ep 4 - Analyzing extractions "Before First Unlock"</li> https://blog.digital-forensics.it/2019/12/checkra1n-era-ep-4-analyzing.html <li>iOS Forensics for Investigators</li> https://www.packtpub.com/product/ios-forensics-for-investigators/9781803234083 </ul> </li> <li> /preferences/SystemConfiguration/com.apple.wifi.plist <ul> <li>From iPhone to Access Point</li> https://www.forensicfocus.com/articles/from-iphone-to-access-point/ <li>Apple Private Wi-Fi Addresses</li> https://ciofecaforensics.com/2020/10/24/apple-private-addresses/ <li>Using Apple “Bug Reporting” for forensic purposes</li> https://for585.com/sysdiagnose <li>Sysdiagnose in iOS 16: a first look from a Digital Forensics perspective</li> https://blog.digital-forensics.it/2022/11/sysdiagnose-in-ios-16-first-look-from.html <li>Wifi Networks – iOS</li> https://bitsplease4n6.wordpress.com/2020/12/08/wifi-networks-ios/ <li>Apple Watch Forensics 02: Analysis</li> https://blog.elcomsoft.com/2019/06/apple-watch-forensics-02-analysis/ <li>iOS Forensics: HFS+ file system, partitions and relevant evidences</li> https://andreafortuna.org/2020/08/31/ios-forensics-hfs-file-system-partitions-and-relevant-evidences/ <li>iOS Forensics: BFU (Before First Unlock) acquisition, using checkra1n</li> https://andreafortuna.org/2020/01/10/ios-forensics-bfu-before-first-unlock-acquisition-using-checkra1n/ <li>APPLE WATCH FORENSICS: IS IT EVER POSSIBLE, AND WHAT IS THE PROFIT?</li> https://www.forensicfocus.com/webinars/apple-watch-forensics-is-it-ever-possible-and-what-is-the-profit/ https://dfrws.org/wp-content/uploads/2019/06/2019_EU_pres-apple_watch_forensics_is_it_ever_possible_and_what_is_the_profit.pdf <li>A journey into IoT Forensics - Episode 5 - Analysis of the Apple HomePod and the Apple Home Kit Environment (aka thanks RN Team!)</li> https://blog.digital-forensics.it/2021/01/a-journey-into-iot-forensics-episode-5.html <li>Cellebrite CTF 2020: Ruth Langmore</li> https://ciofecaforensics.com/2020/11/02/cellebrite-ctf-ruth/ <li>iOS Analysis Test No. 18-5551 Summary Report</li> https://cts-forensics.com/reports/38551_Web.pdf <li>iOS Analysis Test No. 19-5551 Summary Report</li> https://cts-forensics.com/reports/19-5551_Web.pdf <li>iOS Analysis Test No. 20-5551 Summary Report</li> https://cts-forensics.com/reports/20-5551_Web.pdf <li>iOS Analysis Test No. 21-5551 Summary Report</li> https://cts-forensics.com/reports/21-5551_Web.pdf <li>iOS Analysis Test No. 22-5551 Summary Report</li> https://cts-forensics.com/reports/22-5551_Web.pdf <li>iOS Sysdiagnose Wi-Fi script</li> https://github.com/cheeky4n6monkey/iOS_sysdiagnose_forensic_scripts/blob/master/sysdiagnose-wifi-plist.py <li>iLEAPP WiFi Plugin</li> https://github.com/abrignoni/iLEAPP/blob/main/scripts/artifacts/appleWifiPlist.py <li>mac_apt WiFi Plugin</li> https://github.com/ydkhatri/mac_apt/blob/master/plugins/ios_wifi.py <li>Practical Mobile Forensics - Fourth Edition</li> https://www.packtpub.com/product/practical-mobile-forensics-fourth-edition/9781838647520 <li>iOS Forensics for Investigators</li> https://www.packtpub.com/product/ios-forensics-for-investigators/9781803234083 </ul> </li> <li> /preferences/SystemConfiguration/com.apple.wifi-private-mac-networks.plist <ul> <li>Apple Private Wi-Fi Addresses</li> https://ciofecaforensics.com/2020/10/24/apple-private-addresses/ <li>iLEAPP WiFi Plugin</li> https://github.com/abrignoni/iLEAPP/blob/main/scripts/artifacts/appleWifiPlist.py <li>mac_apt WiFi Plugin</li> https://github.com/ydkhatri/mac_apt/blob/master/plugins/ios_wifi.py </ul> </li> <li> /preferences/SystemConfiguration/NetworkInterfaces.plist <ul> <li>Checkra1n Era - Ep 4 - Analyzing extractions "Before First Unlock"</li> https://blog.digital-forensics.it/2019/12/checkra1n-era-ep-4-analyzing.html <li>iOS Sysdiagnose Network Interfaces script</li> https://github.com/cheeky4n6monkey/iOS_sysdiagnose_forensic_scripts/blob/master/sysdiagnose-networkinterfaces.py <li>Using Apple “Bug Reporting” for forensic purposes</li> https://for585.com/sysdiagnose <li>iOS Analysis Test No. 21-5551 Summary Report</li> https://cts-forensics.com/reports/21-5551_Web.pdf <li>iOS Forensics for Investigators</li> https://www.packtpub.com/product/ios-forensics-for-investigators/9781803234083 </ul> </li> <li> /preferences/SystemConfiguration/preferences.plist </li> </ul> </div> <h2 style="text-align: left;">"/root/" folder</h2> <div> <ul> <li> /root/.obliterated <ul> <li>Upgrade From NULL—Detecting iOS Wipe Artifacts</li> https://dfir.pubpub.org/pub/6i7d593n/release/1 <li>How To Identify When an IPhone or iPad was Factory Reset</li> https://athenaforensics.co.uk/how-to-identify-when-an-iphone-or-ipad-was-factory-reset/ <li>iOS Analysis Test No. 20-5551 Summary Report</li> https://cts-forensics.com/reports/20-5551_Web.pdf <li>iOS Analysis Test No. 21-5551 Summary Report</li> https://cts-forensics.com/reports/21-5551_Web.pdf <li>iOS Analysis Test No. 22-5551 Summary Report</li> https://cts-forensics.com/reports/22-5551_Web.pdf <li>Cellebrite CTF 2020: Ruth Langmore</li> https://ciofecaforensics.com/2020/11/02/cellebrite-ctf-ruth/ </ul> </li> <li> /root/Library/Application Support/com.apple.wifianalyticsd/DeviceAnalyticsModel.sqlite </li> <li> /root/Library/Application Support/com.apple.wifianalyticsd/WiFiNetworkStoreModel.sqlite <ul> <li>iLEAPP WifiNetworkStoreModel Plugin</li> https://github.com/abrignoni/iLEAPP/blob/main/scripts/artifacts/wifiNetworkStoreModel.py </ul> </li> <li> /root/Library/Caches/com.apple.wifid/ThreeBars.sqlite <ul> <li>Checkra1n Era - Ep 4 - Analyzing extractions "Before First Unlock"</li> https://blog.digital-forensics.it/2019/12/checkra1n-era-ep-4-analyzing.html <li>Locations, Locations, Locations</li> https://doubleblak.com/blogPosts.php?id=14 <li>Harvested Locations</li> https://www.doubleblak.com/blogPosts.php?id=16 </ul> </li> <li> /root/Library/Caches/locationd/cache.plist <ul> <li>Checkra1n Era - Ep 4 - Analyzing extractions "Before First Unlock"</li> https://blog.digital-forensics.it/2019/12/checkra1n-era-ep-4-analyzing.html <li>Ridin’ With Apple CarPlay</li> https://thebinaryhick.blog/2019/05/08/ridin-with-apple-carplay/ </ul> </li> <li> /root/Library/Caches/locationd/cache_encryptedA.db <ul> <li>New Script – iOS Locations Scraper</li> http://www.mac4n6.com/blog/2016/6/6/new-script-ios-locations-scraper <li>Smartphone Privacy: How Your Smartphone Tracks Your Entire Life</li> https://conference.hitb.org/hitbsecconf2018pek/materials/D2T2%20-%20How%20Your%20Smartphone%20Tracks%20Your%20Entire%20Life%20-%20Vladimir%20Katalov.pdf <li>Getting Started with iOS Forensics</li> https://www.systoolsgroup.com/forensics/sqlite/ios.html <li>APOLLO cache_ecnryptedA/B Modules</li> https://github.com/mac4n6/APOLLO/blob/master/modules/locationd_cacheencryptedAB_cdmacelllocation.txt https://github.com/mac4n6/APOLLO/blob/master/modules/locationd_cacheencryptedAB_celllocation.txt https://github.com/mac4n6/APOLLO/blob/master/modules/locationd_cacheencryptedAB_celllocationlocal.txt </ul> </li> <li> /root/Library/Caches/locationd/cache_encryptedB.db <ul> <li>FROM APPLE SEEDS TO APPLE PIE</li> https://objectivebythesea.org/v1/talks/OBTS_v1_Edwards.pdf <li>New Script – iOS Locations Scraper</li> http://www.mac4n6.com/blog/2016/6/6/new-script-ios-locations-scraper <li>Smartphone Privacy: How Your Smartphone Tracks Your Entire Life</li> https://conference.hitb.org/hitbsecconf2018pek/materials/D2T2%20-%20How%20Your%20Smartphone%20Tracks%20Your%20Entire%20Life%20-%20Vladimir%20Katalov.pdf <li>Checkra1n Era - Ep 4 - Analyzing extractions "Before First Unlock"</li> https://blog.digital-forensics.it/2019/12/checkra1n-era-ep-4-analyzing.html <li>Harvested Locations</li> https://www.doubleblak.com/blogPosts.php?id=16 <li>APOLLO cache_ecnryptedA/B Modules</li> https://github.com/mac4n6/APOLLO/blob/master/modules/locationd_cacheencryptedAB_cdmacelllocation.txt https://github.com/mac4n6/APOLLO/blob/master/modules/locationd_cacheencryptedAB_celllocation.txt https://github.com/mac4n6/APOLLO/blob/master/modules/locationd_cacheencryptedAB_celllocationlocal.txt <li>iOS Forensics for Investigators</li> https://www.packtpub.com/product/ios-forensics-for-investigators/9781803234083 </ul> </li> <li> /root/Library/Caches/locationd/cache_encryptedC.db <ul> <li>FROM APPLE SEEDS TO APPLE PIE</li> https://objectivebythesea.org/v1/talks/OBTS_v1_Edwards.pdf <li>SANS 2022 DFIR Summit Queries</li> https://for585.com/dfirsummit22 <li>APOLLO cache_ecnryptedC Modules</li> https://github.com/mac4n6/APOLLO/blob/master/modules/locationd_cacheencryptedC_motionstatehistory.txt https://github.com/mac4n6/APOLLO/blob/master/modules/locationd_cacheencryptedC_stepcounthistory.txt https://github.com/mac4n6/APOLLO/blob/master/modules/locationd_cacheencryptedC_nataliehistory.txt <li>The phone reveals your motion: Digital traces of walking, driving and other movements on iPhones</li> https://www.sciencedirect.com/science/article/abs/pii/S2666281721000780 <li>Checkra1n Era - Ep 4 - Analyzing extractions "Before First Unlock"</li> https://blog.digital-forensics.it/2019/12/checkra1n-era-ep-4-analyzing.html <li>iOS Forensics for Investigators</li> https://www.packtpub.com/product/ios-forensics-for-investigators/9781803234083 </ul> </li> <li> /root/Library/Caches/locationd/clients.plist <ul> <li>iOS Location Services and System Services ON or OFF?</li> https://theforensicscooter.com/2021/09/20/ios-location-services-and-system-services-on-or-off/ <li>iOS Location Services and System Services are they ON or OFF</li> https://dfir.pubpub.org/pub/4sv4kxyh/release/2 <li>Practical Mobile Forensics - Fourth Edition</li> https://www.packtpub.com/product/practical-mobile-forensics-fourth-edition/9781838647520 </ul> </li> <li> /root/Library/Caches/locationd/consolidated.db <ul> <li>iOS GeoFences</li> http://www.doubleblak.com/m/blogPosts.php?id=22 <li>BELKASOFT CTF JULY 2022: WRITE-UP</li> https://belkasoft.com/belkactf-jul2022-writeup <li>iOS Forensics for Investigators</li> https://www.packtpub.com/product/ios-forensics-for-investigators/9781803234083 </ul> </li> <li> /root/Library/Lockdown/data_ark.plist <ul> <li>Putting a User Behind an iOS Device</li> https://dfrws.org/wp-content/uploads/2020/06/2020_USA_pres-putting_a_user_behind_an_ios_device.pdf <li>Checkra1n Era - Ep 4 - Analyzing extractions "Before First Unlock"</li> https://blog.digital-forensics.it/2019/12/checkra1n-era-ep-4-analyzing.html <li>Oh no! I have a wiped iPhone, now what?</li> https://blog.digital-forensics.it/2021/05/oh-no-i-have-wiped-iphone-now-what.html <li>KnowledgeC (and Friends)</li> http://www.doubleblak.com/m/blogPosts.php?id=2 <li>Magnet Virtual Summit 2020 CTF (iOS)</li> https://www.stark4n6.com/2020/06/magnet-virtual-summit-2020-ctf-ios.html <li>iOS - Tracking Device Migration</li> https://blog.d204n6.com/2021/06/ios-tracking-device-migration.html <li>iOS Analysis Test No. 22-5551 Summary Report</li> https://cts-forensics.com/reports/22-5551_Web.pdf <li>Artifacts of an IOS device</li> https://infosecaddicts.com/artifacts-ios-device/ </ul> </li> <li> /root/Library/Lockdown/escrow_records/ <ul> <li>Checkra1n Era - Ep 4 - Analyzing extractions "Before First Unlock"</li> https://blog.digital-forensics.it/2019/12/checkra1n-era-ep-4-analyzing.html <li>Understanding usbmux and the iOS lockdown service</li> https://jon-gabilondo-angulo-7635.medium.com/understanding-usbmux-and-the-ios-lockdown-service-7f2a1dfd07ae <li>Practical Mobile Forensics - Fourth Edition</li> https://www.packtpub.com/product/practical-mobile-forensics-fourth-edition/9781838647520 </ul> </li> <li> /root/Library/Lockdown/pair_records/ <ul> <li>Checkra1n Era - Ep 4 - Analyzing extractions "Before First Unlock"</li> https://blog.digital-forensics.it/2019/12/checkra1n-era-ep-4-analyzing.html <li>Understanding usbmux and the iOS lockdown service</li> https://jon-gabilondo-angulo-7635.medium.com/understanding-usbmux-and-the-ios-lockdown-service-7f2a1dfd07ae <li>Practical Mobile Forensics - Fourth Edition</li> https://www.packtpub.com/product/practical-mobile-forensics-fourth-edition/9781838647520 </ul> </li> <li> /root/Library/Logs/MobileContainerManager <ul> <li>Checkra1n Era - Ep 4 - Analyzing extractions "Before First Unlock"</li> https://blog.digital-forensics.it/2019/12/checkra1n-era-ep-4-analyzing.html <li>How To Identify When an IPhone or iPad was Factory Reset</li> https://athenaforensics.co.uk/how-to-identify-when-an-iphone-or-ipad-was-factory-reset/ <li>So Long Lockdown!</li> http://www.doubleblak.com/m/blogPosts.php?id=9 <li>Upgrade From NULL—Detecting iOS Wipe Artifacts</li> https://dfir.pubpub.org/pub/6i7d593n/release/1 <li>Using Apple “Bug Reporting” for forensic purposes</li> https://for585.com/sysdiagnose <li>Apple Watch Forensics 02: Analysis</li> https://blog.elcomsoft.com/2019/06/apple-watch-forensics-02-analysis/ <li>Apple TV Forensics 03: Analysis</li> https://blog.elcomsoft.com/2019/09/apple-tv-forensics-03-analysis/ <li>iLEAPP Mobile Container Manager Logs Plugin</li> https://github.com/abrignoni/iLEAPP/blob/main/scripts/artifacts/mobileContainerManager.py </ul> </li> <li> /root/Library/MobileContainerManager/containers.sqlite3 <ul> <li>Checkra1n Era - Ep 4 - Analyzing extractions "Before First Unlock"</li> https://blog.digital-forensics.it/2019/12/checkra1n-era-ep-4-analyzing.html <li>iOS Application Groups & Shared data</li> http://www.swiftforensics.com/2021/01/ios-application-groups-shared-data.html </ul> </li> <li> /root/Library/Preferences/com.apple.MobileBackup.plist <ul> <li>Checkra1n Era - Ep 4 - Analyzing extractions "Before First Unlock"</li> https://blog.digital-forensics.it/2019/12/checkra1n-era-ep-4-analyzing.html <li>Using Apple “Bug Reporting” for forensic purposes</li> https://for585.com/sysdiagnose <li>Sysdiagnose in iOS 16: a first look from a Digital Forensics perspective</li> https://blog.digital-forensics.it/2022/11/sysdiagnose-in-ios-16-first-look-from.html <li>iOS Sysdiagnose Mobile Backup script</li> https://github.com/cheeky4n6monkey/iOS_sysdiagnose_forensic_scripts/blob/master/sysdiagnose-mobilebackup.py <li>Local Photo Library Photos.sqlite Query Documentation & Notable Artifacts</li> https://theforensicscooter.com/2022/05/02/photos-sqlite-query-documentation-notable-artifacts/ <li>Practical Mobile Forensics - Fourth Edition</li> https://www.packtpub.com/product/practical-mobile-forensics-fourth-edition/9781838647520 </ul> </li> <li> /root/Library/Preferences/com.apple.preferences.network.plist <ul> <li>Artifacts of an IOS device</li> https://infosecaddicts.com/artifacts-ios-device/ <li>Wireless Network Preferences – iOS</li> https://bitsplease4n6.wordpress.com/2020/12/17/wireless-network-preferences-ios/ </ul> </li> </ul> </div> <h2 style="text-align: left;">"/wireless/" folder</h2> <div> <ul> <li> /wireless/Library/Databases/CellularUsage.db <ul> <li>Checkra1n Era - Ep 4 - Analyzing extractions "Before First Unlock"</li> https://blog.digital-forensics.it/2019/12/checkra1n-era-ep-4-analyzing.html <li>A Few Interesting iOS Forensic Artefacts</li> https://salt4n6.com/2018/05/15/a-few-interesting-ios-forensic-artefacts/ <li>iOS Forensics: BFU (Before First Unlock) acquisition, using checkra1n</li> https://andreafortuna.org/2020/01/10/ios-forensics-bfu-before-first-unlock-acquisition-using-checkra1n/ <li>Cellebrite CTF 2021 - Marsha's Backup</li> https://www.stark4n6.com/2021/10/cellebrite-ctf-2021-marshas-backup.html <li>iOS Analysis Test No. 20-5551 Summary Report</li> https://cts-forensics.com/reports/20-5551_Web.pdf <li>Practical Mobile Forensics - Fourth Edition</li> https://www.packtpub.com/product/practical-mobile-forensics-fourth-edition/9781838647520 </ul> </li> <li> /wireless/Library/Databases/DataUsage.sqlite <ul> <li>Network and Application Usage using netusage.sqlite & DataUsage.sqlite iOS Databases</li> http://www.mac4n6.com/blog/2019/1/6/network-and-application-usage-using-netusagesqlite-amp-datausagesqlite-ios-databases <li>FROM APPLE SEEDS TO APPLE PIE</li> https://objectivebythesea.org/v1/talks/OBTS_v1_Edwards.pdf <li>iOS - Tracking Traces of Deleted Applications</li> https://blog.d204n6.com/2019/09/ios-tracking-traces-of-deleted.html <li>Tracking Traces of Deleted Applications - SANS DFIR Summit 2019</li> https://www.youtube.com/watch?v=4LcQm4ErXpA <li>iOS Analysis Test No. 20-5551 Summary Report</li> https://cts-forensics.com/reports/20-5551_Web.pdf <li>Checkra1n Era - Ep 4 - Analyzing extractions "Before First Unlock"</li> https://blog.digital-forensics.it/2019/12/checkra1n-era-ep-4-analyzing.html <li>iOS Forensics: BFU (Before First Unlock) acquisition, using checkra1n</li> https://andreafortuna.org/2020/01/10/ios-forensics-bfu-before-first-unlock-acquisition-using-checkra1n/ <li>iOS Forensics: HFS+ file system, partitions and relevant evidences</li> https://andreafortuna.org/2020/08/31/ios-forensics-hfs-file-system-partitions-and-relevant-evidences/ <li>APOLLO DataUsage Modules</li> https://github.com/mac4n6/APOLLO/blob/master/modules/datausage_zprocess.txt https://github.com/mac4n6/APOLLO/blob/master/modules/datausage_zliveusage.txt <li>iLEAPP DataUsage Plugin</li> https://github.com/abrignoni/iLEAPP/blob/main/scripts/artifacts/netusage.py <li>iOS Forensics for Investigators</li> https://www.packtpub.com/product/ios-forensics-for-investigators/9781803234083 </ul> </li> <li> /wireless/Library/preferences/com.apple.commcenter.callservices.plist </li> <li> /wireless/Library/Preferences/com.apple.commcenter.counts.plist <ul> <li>Checkra1n Era - Ep 4 - Analyzing extractions "Before First Unlock"</li> https://blog.digital-forensics.it/2019/12/checkra1n-era-ep-4-analyzing.html </ul> </li> <li> /wireless/Library/Preferences/com.apple.commcenter.data.plist <ul> <li>Mo’ SIMs, Mo’ Problems. Examining Phones with Dual SIMs.</li> https://thebinaryhick.blog/2022/12/06/mo-sims-mo-problems-examining-phones-with-dual-sims/ <li>iLEAPP SimInfo Plugin</li> https://github.com/abrignoni/iLEAPP/blob/main/scripts/artifacts/simInfo.py </ul> </li> <li> /wireless/Library/Preferences/com.apple.commcenter.device_specific_nobackup.plist <ul> <li>Checkra1n Era - Ep 4 - Analyzing extractions "Before First Unlock"</li> https://blog.digital-forensics.it/2019/12/checkra1n-era-ep-4-analyzing.html </ul> </li> <li> /wireless/Library/Preferences/com.apple.commcenter.plist <ul> <li>Checkra1n Era - Ep 4 - Analyzing extractions "Before First Unlock"</li> https://blog.digital-forensics.it/2019/12/checkra1n-era-ep-4-analyzing.html <li>iOS Forensics: HFS+ file system, partitions and relevant evidences</li> https://andreafortuna.org/2020/08/31/ios-forensics-hfs-file-system-partitions-and-relevant-evidences/ <li>iOS Forensics: BFU (Before First Unlock) acquisition, using checkra1n</li> https://andreafortuna.org/2020/01/10/ios-forensics-bfu-before-first-unlock-acquisition-using-checkra1n/ <li>Artifacts of an IOS device</li> https://infosecaddicts.com/artifacts-ios-device/ <li>iOS Analysis Test No. 18-5551 Summary Report</li> https://cts-forensics.com/reports/38551_Web.pdf <li>iOS Analysis Test No. 21-5551 Summary Report</li> https://cts-forensics.com/reports/21-5551_Web.pdf <li>iOS Analysis Test No. 22-5551 Summary Report</li> https://cts-forensics.com/reports/22-5551_Web.pdf <li>Practical Mobile Forensics - Fourth Edition</li> https://www.packtpub.com/product/practical-mobile-forensics-fourth-edition/9781838647520 <li>iOS Forensics for Investigators</li> https://www.packtpub.com/product/ios-forensics-for-investigators/9781803234083 </ul> </li> </ul> </div>