The Ultimate Guide to Crime Scene Investigation
Introduction to Crime Scene “A crime scene refers to any specific physical area or site that could offer valuable evidence for investigation purposes. It may include a person’s body, any kind ...
Computer Forensics + Digital Forensics Jay Ravtole todayJanuary 10, 2024
In the field of digital forensics, mobile devices are critical in discovering key evidence. Among these gadgets, Apple’s iOS systems stand out for their unique collection of artifacts that are critical in investigations. iOS devices, such as iPhones and iPads, save a large amount of data that can be used to understand user behaviour, interactions, and activities. In this detailed book, we will delve into the fundamental iOS system artifacts and explain their value in forensic investigations.
When conducting a digital examination, application artifacts such as chats and browsers are typically the first to be explored. However, system files offer a lot of promise on iOS devices. Apple devices capture and store a variety of user settings and actions, and some of these recordings may aid in the reconstruction of events and expose critical evidence.
In this post, we will examine a few famous iOS system artifacts, such as:
These artifacts, which are spread over multiple directories in the iOS file system, are invaluable in digital forensic investigations. They can expose crucial information about user behaviour, communication patterns, app usage, and network activities, which helps to rebuild timelines and comprehend the device owner’s activities.
The CellularUsage.db file stores phone numbers and SIM card IDs connected with the device. It frequently keeps information about SIM cards that are no longer associated with the device, which might aid in identifying other phone numbers and when they were used by the device owner.
Key information that can typically be extracted from the CellularUsage.db file includes:
Digital forensic investigators can reconstruct call logs, identify communication trends, and develop call activity timelines by studying the data in the CellularUsage.db file. This information can be critical in comprehending the device owner’s interactions and communications, as well as corroborated or refuted alibis and testimonies in legal proceedings.
Forensic professionals use specialized tools and procedures to extract, evaluate, and analyze the data included in the CellularUsage.db file, preserving the evidence’s correctness and integrity while providing useful insights for investigative reasons.
File System location:
The Accounts3.sqlite file is another good place to look for extra contact information for the device owner. It contains email addresses connected with several iOS system functions and applications.
Key information that can typically be retrieved from the Accounts3.sqlite file includes:
Forensic study of the Accounts3.sqlite file is critical in digital investigations because it can provide significant information about the user’s digital footprint, online behaviours, and the numerous services or platforms they utilize. It helps investigators comprehend the apps and services used by the device user, as well as their interactions in those accounts.
Forensic professionals employ specialized tools and procedures to extract and analyze data from the Accounts3.sqlite file, preserving the evidence’s integrity while collecting relevant information for investigation reasons.
File System location:
Note: This database has a broader range of account records than the whole file system copies of an iOS device.
ADDataStore.sqlitedb is a versatile database that collects various device usage statistics. However, just a few of its records are useful for digital investigations and have simple interpretations.
Key information that can typically be obtained from the ADDataStore.sqlitedb
file includes:
Forensic examination of the ADDataStore.sqlitedb file is critical in digital investigations because it gives information about the user’s behavioural habits, preferences, and the extent to which they engage with the device and installed programs.
Forensic professionals use specialized tools and procedures to extract, parse, and interpret data saved in the ADDataStore.sqlitedb file, ensuring that the evidence is preserved and accurate while collecting essential information for investigation.
If you wish to learn more about ADDataStore.sqlitedb, you can find it in the device’s file system:
The Photos.sqlite file contains additional information about the images saved in the iOS Photos app. This database’s timestamp, which indicates when media files were destroyed, may be very useful.
When a user deletes photographs or videos from an album on iOS, the files are not immediately deleted from the device. Instead, they are relocated to the “Recently Deleted” storage for 30 days before being automatically deleted by the application or manually deleted by the user. If the user is ignorant of this functionality and tries to hide evidence by removing media files, Photos.sqlite will keep track of the behaviour. This information can help you decide which items from the picture profile to investigate first.
Key information that can typically be retrieved from the Photos.sqlite
file includes:
Forensic examination of the Photos.sqlite file is critical in digital investigations because it gives information about the device owner’s visual documentation, whereabouts, and perhaps deleted or concealed media assets. This information can help construct timelines, verify locations, and gather proof about the device user’s activities.
Forensic professionals employ specialized tools and procedures to extract, analyze, and interpret data from the Photos.sqlite file, preserving the evidence’s integrity and accuracy while retrieving significant information for investigation.
File System location:
The DataUsage.sqlite database stores information on the device’s mobile network traffic usage. It can assist you in determining which applications were installed on the device and when they were first and last utilized. The amount of bandwidth used by each application and process may be useful as well.
Key information that can typically be obtained from the DataUsage.sqlite
file includes:
Forensic examination of the DataUsage.sqlite file is critical in digital investigations because it can provide information about the device owner’s internet usage patterns, app-specific data consumption, and potentially abnormal network activity.
Forensic professionals use specialized tools and procedures to extract and interpret data from the DataUsage.sqlite file, ensuring that the evidence is preserved and accurate while retrieving relevant information for investigation.
File System location:
Note: It should be noted that this database contains additional records from an iOS device’s entire file system copy.
The knowledgeC.db database stores information about a variety of device activities, including device usage, app usage, internet visits, interactions with other devices, and much more. It can only be accessed through the whole file system copy and contains critical data on iOS devices up to iOS 15.
Key information that can typically be obtained from the KnowledgeC.db
file includes:
Forensic examination of the KnowledgeC.db file is important in digital investigations because it gives detailed information about the device owner’s digital footprint, app usage patterns, online activities, and interactions with the device and related services.
Forensic professionals use specialized tools and procedures to extract, parse, and analyze data from the KnowledgeC.db file, assuring the evidence’s protection and correctness while retrieving relevant information for investigation.
When it comes to digital investigations involving iOS devices, you can look beyond only application data. The often-overlooked system artifacts can give important insights and evidence.
We’ve gone over a few of them in this article, including how to find additional user contact information in CellularUsage.db and Accounts3.sqlite, how to determine when and how the device was unlocked using ADDataStore.sqlitedb, how to set priorities in media file examination with Photos.sqlite, and how to find application usage statistics with DataUsage.sqlite and KnowledgeC.db. Cellebrite UFED can help you acquire and analyze these vital databases, providing greater insights into your research.
Written by: Jay Ravtole
Tagged as: hawk eye forensic noida, Mobile device forensics, iOS file system, Digital forensics, Artifact analysis, iOS system artifacts, Device usage patterns, iPhone/iPad artifacts, App interactions, CellularUsage.db, Network activities, Accounts3.sqlite, User behavior analysis, ADDataStore.sqlitedb, Data extraction techniques, Photos.sqlite, Evidence preservation, Hawk Eye Forensic, DataUsage.sqlite, Investigative insights, Forensic Investigation, KnowledgeC.db.
General Forensics Kanchan Dogra
Introduction to Crime Scene “A crime scene refers to any specific physical area or site that could offer valuable evidence for investigation purposes. It may include a person’s body, any kind ...
Digital Forensics Anjali Singhal
Digital Forensics Anjali Singhal / May 20, 2024
Introduction In the modern digital landscape, the threat of malware looms large over individuals, businesses, and governments alike. Malware, short for malicious software, encompasses a variety of harmful programs designed to disrupt, damage, or gain unauthorized access to computer systems. With cyber threats becoming more sophisticated, the field of malware forensic analysis has become crucial. ...
Copyright 2023 all rights reserved by Hawk Eye Forensic.
Post comments (0)