The Complete Overview of iOS System Artifacts: What You Need to Know

Computer Forensics + Digital Forensics | Jay Ravtole | January 10, 2024


Introduction

In the field of digital forensics, mobile devices are critical in discovering key evidence. Among these devices, Apple’s iOS systems stand out for their unique collection of artifacts that are critical in investigations. iOS devices, such as iPhones and iPads, save a large amount of data that can be used to understand user behaviour, interactions, and activities. In this detailed post, we will delve into the fundamental iOS system artifacts and explain their value in forensic investigations.

When conducting a digital examination, application artifacts such as chats and browsers are typically the first to be explored. However, system files offer a lot of promise on iOS devices. Apple devices capture and store a variety of user settings and actions, and some of these recordings may aid in the reconstruction of events and expose critical evidence.

In this post, we will examine a few famous iOS system artifacts, such as:

  1. CellularUsage.db (phone numbers and SIM card IDs)
  2. Accounts3.sqlite (contact details of the device owner)
  3. ADDataStore.sqlitedb (device usage statistics)
  4. Photos.sqlite (iOS gallery)
  5. DataUsage.sqlite (network traffic usage)
  6. KnowledgeC.db (activities on the device such as device usage, app usage, website visits, and interactions with other devices)

These artifacts, which are spread over multiple directories in the iOS file system, are invaluable in digital forensic investigations. They can expose crucial information about user behaviour, communication patterns, app usage, and network activities, which helps to rebuild timelines and comprehend the device owner’s activities.

CellularUsage.db

The CellularUsage.db file stores phone numbers and SIM card IDs connected with the device. It frequently keeps information about SIM cards that are no longer associated with the device, which might aid in identifying other phone numbers and when they were used by the device owner.

Key information that can typically be extracted from the CellularUsage.db file includes:

  1. Phone Numbers: Records of incoming, outgoing, and missed calls along with associated phone numbers.
  2. Call Duration: Information regarding the duration of each call made or received.
  3. Call Timestamps: Time and date details indicating when calls were placed, received, or missed.
  4. SIM Card IDs: Identification information related to the SIM card used in the device.

Digital forensic investigators can reconstruct call logs, identify communication trends, and develop call activity timelines by studying the data in the CellularUsage.db file. This information can be critical in comprehending the device owner’s interactions and communications, as well as in corroborating or refuting alibis and testimonies in legal proceedings.

Forensic professionals use specialized tools and procedures to extract, evaluate, and analyze the data included in the CellularUsage.db file, preserving the evidence’s correctness and integrity while providing useful insights for investigative reasons.

File System location:

  • Full file system: /private/var/wireless/Library/Databases/
  • iTunes / iCloud backup: WirelessDomain/Library/Databases/

Accounts3.sqlite

The Accounts3.sqlite file is another good place to look for extra contact information for the device owner. It contains email addresses connected with several iOS system functions and applications.

Key information that can typically be retrieved from the Accounts3.sqlite file includes:

  1. Account Details: Information on the device’s numerous accounts, including Apple ID, iCloud, email accounts (such as Gmail or Outlook), social media accounts, and third-party app accounts.
  2. User-specific Information: Usernames, email addresses, display names, and other identifiers linked to each account.
  3. Authentication Tokens: Tokens or credentials associated with the accounts are used for authentication and access to services.
  4. Account Settings: Configuration settings, preferences, and synchronization options for each account.
  5. Communication Data: For some accounts, this file may also store communication-related data, such as email messages, contact lists, or other relevant information associated with the specific account.

Forensic study of the Accounts3.sqlite file is critical in digital investigations because it can provide significant information about the user’s digital footprint, online behaviours, and the numerous services or platforms they utilize. It helps investigators comprehend the apps and services used by the device user, as well as their interactions in those accounts.

Forensic professionals employ specialized tools and procedures to extract and analyze data from the Accounts3.sqlite file, preserving the evidence’s integrity while collecting relevant information for investigation reasons.

File System location:

  • Full file system: /private/var/mobile/Library/Accounts/
  • iTunes / iCloud backup: HomeDomain/Library/Accounts/

Note: The copy of this database obtained from a full file system extraction of an iOS device holds a broader range of account records than the copy found in a backup.

ADDataStore.sqlitedb

ADDataStore.sqlitedb is a versatile database that collects various device usage statistics. However, only a few of its records are useful for digital investigations and have a straightforward interpretation.

Key information that can typically be obtained from the ADDataStore.sqlitedb file includes:

  1. Aggregate Usage Data: Aggregated statistics on device usage, including screen time, app usage, battery consumption, and other metrics.
  2. Application Usage Metrics: Information about the frequency and duration of app usage, helping to identify which applications were used more frequently by the device owner.
  3. Battery Usage Patterns: Data related to battery usage, including app-specific battery consumption details.
  4. Screen Time Data: Statistics on screen-on time, screen-off time, and the duration of device usage.
  5. Device Activity Metrics: Metrics related to device interactions, such as device unlocks, number of notifications received, and other device usage patterns.
  6. Usage Timestamps: Time and date information associated with various device activities and usage.

Forensic examination of the ADDataStore.sqlitedb file is critical in digital investigations because it gives information about the user’s behavioural habits, preferences, and the extent to which they engage with the device and installed programs.

Forensic professionals use specialized tools and procedures to extract, parse, and interpret data saved in the ADDataStore.sqlitedb file, ensuring that the evidence is preserved and accurate while collecting essential information for investigation.

If you wish to learn more about ADDataStore.sqlitedb, you can find it in the device’s file system:

  • Full file system: /private/var/mobile/Library/AggregateDictionary/ADDataStore.sqlitedb
  • iTunes / iCloud backup: N/A

Photos.sqlite

The Photos.sqlite file contains additional information about the images saved in the iOS Photos app. This database’s timestamp indicating when media files were deleted may be very useful.

When a user deletes photographs or videos from an album on iOS, the files are not immediately deleted from the device. Instead, they are relocated to the “Recently Deleted” storage for 30 days before being automatically deleted by the application or manually deleted by the user. If the user is unaware of this functionality and tries to hide evidence by removing media files, Photos.sqlite will keep a record of the behaviour. This information can help you decide which items in the photo library to examine first.

Key information that can typically be retrieved from the Photos.sqlite file includes:

  1. Photo Metadata: Details such as file names, creation dates, modification dates, file sizes, resolutions, and formats (JPEG, HEIC, etc.) of photos and videos stored on the device.
  2. Geolocation Data: Geotagging information indicating the location where the photo or video was captured, if enabled.
  3. Album Information: Organization of photos and videos into albums or categories, along with album names and structures.
  4. Relationships and Connections: Associations between photos, videos, and their respective albums, as well as information about shared albums or photo streams.
  5. Deleted Photos Information: In some cases, deleted or hidden photos might still have entries or metadata stored in this database, offering insights into the device owner’s activities regarding media management.
  6. Sync Information: Information about photo synchronization across devices linked to the same account (such as iCloud Photo Library), synchronization status, and last synchronization timestamps.

Forensic examination of the Photos.sqlite file is critical in digital investigations because it gives information about the device owner’s visual documentation, whereabouts, and perhaps deleted or concealed media assets. This information can help construct timelines, verify locations, and gather proof about the device user’s activities.

Forensic professionals employ specialized tools and procedures to extract, analyze, and interpret data from the Photos.sqlite file, preserving the evidence’s integrity and accuracy while retrieving significant information for investigation.
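The following is an added example, not code from the original article or from any vendor tool. It builds a constructed in-memory stand-in for Photos.sqlite containing only the ZASSET columns the query needs (ZTRASHEDSTATE and ZTRASHEDDATE mark assets sitting in Recently Deleted; on iOS 12 and 13 the same columns live in ZGENERICASSET), converts the Apple Core Data timestamps (seconds since 2001-01-01 UTC) that these databases use, and ranks the trashed assets with their 30-day purge deadline so an examiner knows which media to prioritise. The sample rows and the extraction time are constructed values.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

COCOA_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)  # Apple Core Data time base
RECENTLY_DELETED_DAYS = 30                                # retention described in the article


def cocoa_to_utc(seconds):
    """Convert an Apple Core Data timestamp (seconds since 2001-01-01 UTC) to an aware datetime."""
    return None if seconds is None else COCOA_EPOCH + timedelta(seconds=seconds)


def build_sample_photos_db():
    """Constructed stand-in for Photos.sqlite: only the ZASSET columns used below are recreated."""
    con = sqlite3.connect(":memory:")
    con.execute("""CREATE TABLE ZASSET (
        Z_PK INTEGER PRIMARY KEY, ZFILENAME TEXT, ZDATECREATED REAL,
        ZTRASHEDSTATE INTEGER, ZTRASHEDDATE REAL)""")
    con.executemany("INSERT INTO ZASSET VALUES (?,?,?,?,?)", [
        (1, "IMG_0001.HEIC", 726000000.0, 0, None),         # still in the library
        (2, "IMG_0002.HEIC", 726100000.0, 1, 726300000.0),  # moved to Recently Deleted
        (3, "IMG_0003.MOV",  726200000.0, 1, 726302000.0),  # trashed half an hour later
    ])
    return con


def recently_deleted(con, extraction_time):
    """Return assets in Recently Deleted, most recently trashed first, with the purge deadline."""
    rows = con.execute("""SELECT ZFILENAME, ZDATECREATED, ZTRASHEDDATE FROM ZASSET
                          WHERE ZTRASHEDSTATE = 1 ORDER BY ZTRASHEDDATE DESC""")
    result = []
    for name, created, trashed in rows:
        trashed_at = cocoa_to_utc(trashed)
        purge_at = trashed_at + timedelta(days=RECENTLY_DELETED_DAYS)
        result.append({
            "file": name,
            "created": cocoa_to_utc(created),
            "trashed": trashed_at,
            "purge_due": purge_at,
            # days the evidence would have survived on the handset after the extraction
            "days_left": (purge_at - extraction_time).days,
        })
    return result
```

A negative days_left means the asset would already have been purged on the device, so its presence in the database is itself noteworthy.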

File System location:

  • Full file system: /private/var/mobile/Media/PhotoData/
  • iTunes / iCloud backup: CameraRollDomain/Media/PhotoData/

DataUsage.sqlite

The DataUsage.sqlite database stores information on the device’s mobile network traffic usage. It can assist you in determining which applications were installed on the device and when they were first and last utilized. The amount of bandwidth used by each application and process may be useful as well.

Key information that can typically be obtained from the DataUsage.sqlite file includes:

  • Network Usage Metrics: Data consumption details, including the amount of data sent and received by the device.
  • App-specific Data Usage: Information on data usage by individual apps installed on the device, indicating the amount of data consumed by each application.
  • Usage Periods and Timestamps: Time-based data detailing when data was used, providing insights into usage patterns and periods of high or low data consumption.
  • Network Protocol Information: Details regarding the protocols (such as TCP and UDP) and ports used by apps or services for data transmission.
  • Cellular vs. Wi-Fi Usage: Differentiation between data usage over cellular networks and Wi-Fi connections.
  • Reset and Periodic Usage Data: Records of data usage resets or periodic monitoring intervals, if applicable.

Forensic examination of the DataUsage.sqlite file is critical in digital investigations because it can provide information about the device owner’s internet usage patterns, app-specific data consumption, and potentially abnormal network activity.

Forensic professionals use specialized tools and procedures to extract and interpret data from the DataUsage.sqlite file, ensuring that the evidence is preserved and accurate while retrieving relevant information for investigation.

File System location:

  • Full file system: /private/var/mobile/Library/Accounts/
  • iTunes / iCloud backup: HomeDomain/Library/Accounts/

Note: The copy of this database obtained from a full file system extraction of an iOS device contains additional records that are absent from the backup copy.

KnowledgeC.db

The knowledgeC.db database stores information about a variety of device activities, including device usage, app usage, website visits, interactions with other devices, and much more. It is only available in a full file system copy, and it contains critical data on iOS devices up to iOS 15.

Key information that can typically be obtained from the KnowledgeC.db file includes:

  1. Device Usage Logs: Records of device usage patterns, including screen time, device unlocks, and idle times.
  2. App Usage Data: Information about application usage, such as which apps were opened, how long they were used, and their interaction patterns.
  3. Browser Activities: Records of web browsing history, visited URLs, search queries, and timestamps of internet activities.
  4. Interactions with Other Devices: Details about interactions between the iOS device and other connected devices or networks.
  5. Location and Geospatial Data: Geolocation-related information, including location tracking, GPS coordinates, Wi-Fi connections, and location-based app interactions.
  6. Device Settings and Preferences: Information about device settings, configurations, and preferences configured by the user.

Forensic examination of the KnowledgeC.db file is important in digital investigations because it gives detailed information about the device owner’s digital footprint, app usage patterns, online activities, and interactions with the device and related services.

Forensic professionals use specialized tools and procedures to extract, parse, and analyze data from the KnowledgeC.db file, assuring the evidence’s protection and correctness while retrieving relevant information for investigation.
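The following is an added example, not code from the original article or from any forensic tool. It writes a constructed stand-in for knowledgeC.db containing only the ZOBJECT columns needed (ZSTREAMNAME, ZVALUESTRING, ZSTARTDATE, ZENDDATE; the /app/inFocus stream records which bundle identifier was in the foreground and for how long), opens it read-only and immutable so the examination cannot touch the evidence file, verifies the file hash before and after, and builds a per-app usage timeline with totals. The sample rows are constructed values; the bundle identifiers are Apple's own.

```python
import hashlib
import sqlite3
import tempfile
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from pathlib import Path

COCOA_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)  # Apple Core Data time base


def cocoa_to_utc(seconds):
    """Convert an Apple Core Data timestamp (seconds since 2001-01-01 UTC) to an aware datetime."""
    return COCOA_EPOCH + timedelta(seconds=seconds)


def sha256_of(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()


def build_sample_knowledgec():
    """Write a constructed stand-in for knowledgeC.db (only the ZOBJECT columns used) to a temp file."""
    path = tempfile.NamedTemporaryFile(suffix=".db", delete=False).name
    con = sqlite3.connect(path)
    con.execute("""CREATE TABLE ZOBJECT (Z_PK INTEGER PRIMARY KEY, ZSTREAMNAME TEXT,
                   ZVALUESTRING TEXT, ZSTARTDATE REAL, ZENDDATE REAL)""")
    con.executemany("INSERT INTO ZOBJECT VALUES (?,?,?,?,?)", [
        (1, "/app/inFocus", "com.apple.mobilesafari", 726300000.0, 726300300.0),  # 5 min
        (2, "/app/inFocus", "com.apple.MobileSMS",   726300300.0, 726300420.0),   # 2 min
        (3, "/app/inFocus", "com.apple.mobilesafari", 726300420.0, 726300480.0),  # 1 min
        (4, "/display/isBacklit", None, 726300000.0, 726300480.0),  # other stream, ignored
    ])
    con.commit()
    con.close()
    return path


def app_focus_timeline(path):
    """Read the /app/inFocus stream without modifying the evidence file.

    mode=ro refuses writes and immutable=1 stops SQLite from creating journal or WAL
    side files; the hash check proves the file is byte-identical after analysis.
    Returns (events, seconds_per_app) with events as (start, end, bundle_id) tuples."""
    before = sha256_of(path)
    con = sqlite3.connect(Path(path).as_uri() + "?mode=ro&immutable=1", uri=True)
    rows = con.execute("""SELECT ZVALUESTRING, ZSTARTDATE, ZENDDATE FROM ZOBJECT
                          WHERE ZSTREAMNAME = '/app/inFocus' ORDER BY ZSTARTDATE""").fetchall()
    con.close()
    events = [(cocoa_to_utc(s), cocoa_to_utc(e), app) for app, s, e in rows]
    totals = defaultdict(float)
    for start, end, app in events:
        totals[app] += (end - start).total_seconds()
    if sha256_of(path) != before:
        raise RuntimeError("evidence file changed during analysis")
    return events, dict(totals)
```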

Conclusion

When it comes to digital investigations involving iOS devices, you should look beyond application data alone. The often-overlooked system artifacts can give important insights and evidence.

We’ve gone over a few of them in this article, including how to find additional user contact information in CellularUsage.db and Accounts3.sqlite, how to determine when and how the device was unlocked using ADDataStore.sqlitedb, how to set priorities in media file examination with Photos.sqlite, and how to find application usage statistics with DataUsage.sqlite and KnowledgeC.db. Cellebrite UFED can help you acquire and analyze these vital databases, providing greater insight into your investigation.

Written by: Jay Ravtole
