https://github.com/RealityNet/iOS-Forensics-References
A curated list of iOS Forensics References, organized by folder with specific references (links to blog posts, research papers, articles, and so on) for each interesting file
- Host: GitHub
- URL: https://github.com/RealityNet/iOS-Forensics-References
- Owner: RealityNet
- Created: 2023-04-14T09:16:33.000Z (over 1 year ago)
- Default Branch: main
- Last Pushed: 2023-12-01T10:12:47.000Z (11 months ago)
- Last Synced: 2024-05-16T13:05:43.653Z (6 months ago)
- Size: 149 KB
- Stars: 174
- Watchers: 10
- Forks: 21
- Open Issues: 1
Metadata Files:
- Readme: README.md
Awesome Lists containing this project
- Crypto-OpSec-SelfGuard-RoadMap - iOS Forensics References
README
# iOS Forensics References
Last update: April 17th 2023
DATA Partition (/private/var)
"/.fseventsd/" folder
/.fseventsd
- Understanding MacOS File System Events with FSEventsParser
http://www.osdfcon.org/presentations/2017/Ibrahim-Understanding-MacOS-File-Ststem-Events-with-FSEvents-Parser.pdf
- Mac OS X and iOS Forensics - Looking into the past with FSEvents
https://papers.put.as/papers/macosx/2017/summit_archive_1498158287.pdf
- FSEvents Parser
https://github.com/dlcowen/FSEventsParser
"/containers/" folder
/containers/Data/System/"GUID"/Documents/storeSystem.db
/containers/Shared/SystemGroup/"GUID"/Library/BatteryLife/CurrentPowerlog.PLSQL
- FROM APPLE SEEDS TO APPLE PIE
https://objectivebythesea.org/v1/talks/OBTS_v1_Edwards.pdf
- On the Third Day of APOLLO, My True Love Gave to Me – Application Usage to Determine Who Has Been Naughty or Nice
http://www.mac4n6.com/blog/2018/12/16/on-the-third-day-of-apollo-my-true-love-gave-to-me-application-usage-to-determine-who-has-been-naughty-or-nice
- On the Fourth Day of APOLLO, My True Love Gave to Me – Media Analysis to Prove You Listened to “All I Want for Christmas is You” Over and Over Since Before Thanksgiving
http://www.mac4n6.com/blog/2018/12/17/on-the-fourth-day-of-apollo-my-true-love-gave-to-me-media-analysis-to-prove-you-listened-to-all-i-want-for-christmas-is-you-over-and-over-since-before-thanksgiving
- On the Sixth Day of APOLLO, My True Love Gave to Me – Blinky Things with Buttons – Device Status Analysis
http://www.mac4n6.com/blog/2018/12/19/on-the-sixth-day-of-apollo-my-true-love-gave-to-me-blinky-things-with-buttons-device-status-analysis
- On the Seventh Day of APOLLO, My True Love Gave to Me – A Good Conversation – Analysis of Communications and Data Usage
http://www.mac4n6.com/blog/2018/12/20/on-the-seventh-day-of-apollo-my-true-love-gave-to-me-a-good-conversation-analysis-of-communications-and-data-usage
- On the Eighth Day of APOLLO, My True Love Gave to Me – A Glorious Lightshow – Analysis of Device Connections
http://www.mac4n6.com/blog/2018/12/21/on-the-eighth-day-of-apollo-my-true-love-gave-to-me-a-glorious-lightshow-analysis-of-device-connections
- On the Tenth Day of APOLLO, My True Love Gave to Me – An Oddly Detailed Map of My Recent Travels – iOS Location Analysis
http://www.mac4n6.com/blog/2018/12/23/on-the-tenth-day-of-apollo-my-true-love-gave-to-me-an-oddly-detailed-map-of-my-recent-travels-ios-location-analysis
- APOLLO CurrentPowerLog Modules
https://github.com/mac4n6/APOLLO/blob/master/modules/powerlog_accessory_connection.txt
https://github.com/mac4n6/APOLLO/blob/master/modules/powerlog_airdrop.txt
https://github.com/mac4n6/APOLLO/blob/master/modules/powerlog_app_audio.txt
https://github.com/mac4n6/APOLLO/blob/master/modules/powerlog_app_deletion.txt
https://github.com/mac4n6/APOLLO/blob/master/modules/powerlog_app_info.txt
https://github.com/mac4n6/APOLLO/blob/master/modules/powerlog_app_nowplaying.txt
https://github.com/mac4n6/APOLLO/blob/master/modules/powerlog_app_usage.txt
https://github.com/mac4n6/APOLLO/blob/master/modules/powerlog_app_usage_by_hour.txt
https://github.com/mac4n6/APOLLO/blob/master/modules/powerlog_assertion.txt
https://github.com/mac4n6/APOLLO/blob/master/modules/powerlog_audio_routing.txt
https://github.com/mac4n6/APOLLO/blob/master/modules/powerlog_awdl_states.txt
https://github.com/mac4n6/APOLLO/blob/master/modules/powerlog_backcamera_state.txt
https://github.com/mac4n6/APOLLO/blob/master/modules/powerlog_backlight_brightness.txt
https://github.com/mac4n6/APOLLO/blob/master/modules/powerlog_battery_level.txt
https://github.com/mac4n6/APOLLO/blob/master/modules/powerlog_battery_level_ui.txt
https://github.com/mac4n6/APOLLO/blob/master/modules/powerlog_bluetooth_device_state.txt
https://github.com/mac4n6/APOLLO/blob/master/modules/powerlog_button_state.txt
https://github.com/mac4n6/APOLLO/blob/master/modules/powerlog_camera_state.txt
https://github.com/mac4n6/APOLLO/blob/master/modules/powerlog_coalition_interval.txt
https://github.com/mac4n6/APOLLO/blob/master/modules/powerlog_device_lock_state.txt
https://github.com/mac4n6/APOLLO/blob/master/modules/powerlog_device_screen_autolock.txt
https://github.com/mac4n6/APOLLO/blob/master/modules/powerlog_device_telephony_activity.txt
https://github.com/mac4n6/APOLLO/blob/master/modules/powerlog_device_telephony_registration.txt
https://github.com/mac4n6/APOLLO/blob/master/modules/powerlog_device_volume.txt
https://github.com/mac4n6/APOLLO/blob/master/modules/powerlog_display.txt
https://github.com/mac4n6/APOLLO/blob/master/modules/powerlog_display_brightness.txt
https://github.com/mac4n6/APOLLO/blob/master/modules/powerlog_frontcamera_state.txt
https://github.com/mac4n6/APOLLO/blob/master/modules/powerlog_ids_messages.txt
https://github.com/mac4n6/APOLLO/blob/master/modules/powerlog_incallservice.txt
https://github.com/mac4n6/APOLLO/blob/master/modules/powerlog_kernel_task_monitor.txt
https://github.com/mac4n6/APOLLO/blob/master/modules/powerlog_lightning_connector_status.txt
https://github.com/mac4n6/APOLLO/blob/master/modules/powerlog_lightnining_connector_status.txt
https://github.com/mac4n6/APOLLO/blob/master/modules/powerlog_location_client_status.txt
https://github.com/mac4n6/APOLLO/blob/master/modules/powerlog_location_tech_status.txt
https://github.com/mac4n6/APOLLO/blob/master/modules/powerlog_mobilebackup.txt
https://github.com/mac4n6/APOLLO/blob/master/modules/powerlog_network_usage.txt
https://github.com/mac4n6/APOLLO/blob/master/modules/powerlog_paired_device_config.txt
https://github.com/mac4n6/APOLLO/blob/master/modules/powerlog_power_state.txt
https://github.com/mac4n6/APOLLO/blob/master/modules/powerlog_powernap.txt
https://github.com/mac4n6/APOLLO/blob/master/modules/powerlog_process_data_usage.txt
https://github.com/mac4n6/APOLLO/blob/master/modules/powerlog_process_id.txt
https://github.com/mac4n6/APOLLO/blob/master/modules/powerlog_process_monitor_dynamic.txt
https://github.com/mac4n6/APOLLO/blob/master/modules/powerlog_push_message_received.txt
https://github.com/mac4n6/APOLLO/blob/master/modules/powerlog_rapport_received_message.txt
https://github.com/mac4n6/APOLLO/blob/master/modules/powerlog_springboard_aggregate_bulletins.txt
https://github.com/mac4n6/APOLLO/blob/master/modules/powerlog_springboard_aggregate_notifications.txt
https://github.com/mac4n6/APOLLO/blob/master/modules/powerlog_timezone.txt
https://github.com/mac4n6/APOLLO/blob/master/modules/powerlog_torch_state.txt
https://github.com/mac4n6/APOLLO/blob/master/modules/powerlog_video.txt
https://github.com/mac4n6/APOLLO/blob/master/modules/powerlog_video_cmfile.txt
https://github.com/mac4n6/APOLLO/blob/master/modules/powerlog_video_cmhls.txt
https://github.com/mac4n6/APOLLO/blob/master/modules/powerlog_video_vtsession.txt
https://github.com/mac4n6/APOLLO/blob/master/modules/powerlog_wallet_card.txt
https://github.com/mac4n6/APOLLO/blob/master/modules/powerlog_wallet_transaction.txt
https://github.com/mac4n6/APOLLO/blob/master/modules/powerlog_wifi_properties.txt
- Time Well Spent: Precision Timing, Monotonic Clocks, and the PowerLogs Database for iOS
https://www.forensicfocus.com/webinars/time-well-spent-precision-timing-monotonic-clocks-and-the-powerlogs-database-for-ios/
- Oh no! I have a wiped iPhone, now what?
https://blog.digital-forensics.it/2021/05/oh-no-i-have-wiped-iphone-now-what.html
- iOS Forensics: HFS+ file system, partitions and relevant evidences
https://andreafortuna.org/2020/08/31/ios-forensics-hfs-file-system-partitions-and-relevant-evidences/
- iOS Forensics for Investigators
https://www.packtpub.com/product/ios-forensics-for-investigators/9781803234083
/containers/Shared/SystemGroup/"GUID"/Library/Database/com.apple.MobileBluetooth.ledevices.other.db
- Bluetooth – iOS
https://bitsplease4n6.wordpress.com/2020/12/17/bluetooth-ios/
- How to Use iOS Bluetooth Connections to Solve Crimes Faster
https://dfir.pubpub.org/pub/frknihlg/release/1
- How to Use iOS Bluetooth Connections to Solve Crimes Faster
https://cellebrite.com/en/how-to-use-ios-bluetooth-connections-to-solve-crimes-faster/
- iLEAPP Bluetooth Plugin
https://github.com/abrignoni/iLEAPP/blob/main/scripts/artifacts/bluetooth.py
- iOS Forensics for Investigators
https://www.packtpub.com/product/ios-forensics-for-investigators/9781803234083
/containers/Shared/SystemGroup/"GUID"/Library/Database/com.apple.MobileBluetooth.ledevices.paired.db
- Bluetooth – iOS
https://bitsplease4n6.wordpress.com/2020/12/17/bluetooth-ios/
- How to Use iOS Bluetooth Connections to Solve Crimes Faster
https://dfir.pubpub.org/pub/frknihlg/release/1
- How to Use iOS Bluetooth Connections to Solve Crimes Faster
https://cellebrite.com/en/how-to-use-ios-bluetooth-connections-to-solve-crimes-faster/
- iLEAPP Bluetooth Plugin
https://github.com/abrignoni/iLEAPP/blob/main/scripts/artifacts/bluetooth.py
- EXTRACTING FORENSIC ARTIFACTS FROM APPLE CONTINUITY
https://smarterforensics.com/wp-content/uploads/2014/06/The-Cider-Press-DFIR_Summit2017.pdf
- iOS Forensics for Investigators
https://www.packtpub.com/product/ios-forensics-for-investigators/9781803234083
/containers/Shared/SystemGroup/"GUID"/Library/Preferences/com.apple.MobileBluetooth.devices.plist
- Bluetooth – iOS
https://bitsplease4n6.wordpress.com/2020/12/17/bluetooth-ios/
- How to Use iOS Bluetooth Connections to Solve Crimes Faster
https://dfir.pubpub.org/pub/frknihlg/release/1
- How to Use iOS Bluetooth Connections to Solve Crimes Faster
https://cellebrite.com/en/how-to-use-ios-bluetooth-connections-to-solve-crimes-faster/
- Cellebrite CTF 2021 - Beth's iPhone
https://www.stark4n6.com/2021/10/cellebrite-ctf-2021-beths-iphone.html
- Cellebrite CTF 2020: Juan Mortyme
https://ciofecaforensics.com/2020/10/30/cellebrite-ctf-juan/
- iOS Analysis Test No. 19-5551 Summary Report
https://cts-forensics.com/reports/19-5551_Web.pdf
- iOS Analysis Test No. 20-5551 Summary Report
https://cts-forensics.com/reports/20-5551_Web.pdf
- iOS Analysis Test No. 21-5551 Summary Report
https://cts-forensics.com/reports/21-5551_Web.pdf
- iOS Forensics: HFS+ file system, partitions and relevant evidences
https://andreafortuna.org/2020/08/31/ios-forensics-hfs-file-system-partitions-and-relevant-evidences/
- iOS Forensics: BFU (Before First Unlock) acquisition, using checkra1n
https://andreafortuna.org/2020/01/10/ios-forensics-bfu-before-first-unlock-acquisition-using-checkra1n/
- iLEAPP Bluetooth Plugin
https://github.com/abrignoni/iLEAPP/blob/main/scripts/artifacts/bluetooth.py
- iOS Forensics for Investigators
https://www.packtpub.com/product/ios-forensics-for-investigators/9781803234083
"/db/" folder
/db/biome/
- iOS 16 - Now You 'C' It, Now You Don't -- Breaking Down The Biomes Part 1
https://blog.d204n6.com/2022/09/ios-16-now-you-c-it-now-you-dont.html
- iOS 16 Breaking Down the Biomes Part 2 - AppInstalls, AppLaunch, & AppIntents
https://blog.d204n6.com/2022/09/ios-16-breaking-down-biomes-part-2.html
- iOS 16 - Breaking Down the Biomes (Part 3) - Keeping up with CarPlay
https://blog.d204n6.com/2022/09/ios-16-breaking-down-biomes-part-3.html
- iOS 16 - Breaking Down the Biomes (Part 4) - Surfin' with Safari
https://blog.d204n6.com/2022/09/ios-16-breaking-down-biomes-part-4.html
- iOS 16 - Breaking Down the Biomes Part 5 -- "Hey Siri, find me some more data..."
https://blog.d204n6.com/2022/09/ios-16-breaking-down-biomes-part-5-hey.html
- Bringing it Back With Biome Data
https://www.magnetforensics.com/blog/bringing-it-back-with-biome-data/
- iLEAPP Biome Plugins
https://github.com/abrignoni/iLEAPP/blob/main/scripts/artifacts/biomeAppinstall.py
https://github.com/abrignoni/iLEAPP/blob/main/scripts/artifacts/biomeBacklight.py
https://github.com/abrignoni/iLEAPP/blob/main/scripts/artifacts/biomeBattperc.py
https://github.com/abrignoni/iLEAPP/blob/main/scripts/artifacts/biomeBluetooth.py
https://github.com/abrignoni/iLEAPP/blob/main/scripts/artifacts/biomeCarplayisconnected.py
https://github.com/abrignoni/iLEAPP/blob/main/scripts/artifacts/biomeDevplugin.py
https://github.com/abrignoni/iLEAPP/blob/main/scripts/artifacts/biomeHardware.py
https://github.com/abrignoni/iLEAPP/blob/main/scripts/artifacts/biomeInfocus.py
https://github.com/abrignoni/iLEAPP/blob/main/scripts/artifacts/biomeIntents.py
https://github.com/abrignoni/iLEAPP/blob/main/scripts/artifacts/biomeLocationactivity.py
https://github.com/abrignoni/iLEAPP/blob/main/scripts/artifacts/biomeNotes.py
https://github.com/abrignoni/iLEAPP/blob/main/scripts/artifacts/biomeNotificationsPub.py
https://github.com/abrignoni/iLEAPP/blob/main/scripts/artifacts/biomeNowplaying.py
https://github.com/abrignoni/iLEAPP/blob/main/scripts/artifacts/biomeSafari.py
https://github.com/abrignoni/iLEAPP/blob/main/scripts/artifacts/biomeSync.py
https://github.com/abrignoni/iLEAPP/blob/main/scripts/artifacts/biomeTextinputses.py
https://github.com/abrignoni/iLEAPP/blob/main/scripts/artifacts/biomeUseractmeta.py
https://github.com/abrignoni/iLEAPP/blob/main/scripts/artifacts/biomeWifi.py
/db/dhcpd_leases*
- iLEAPP DHCP Plugin
https://github.com/abrignoni/iLEAPP/blob/main/scripts/artifacts/dhcphp.py
/db/dhcpclient/
- MAC Apt Networking Plugin
https://github.com/ydkhatri/mac_apt/wiki/NETWORKING
- Cellebrite CTF 2020: Juan Mortyme
https://ciofecaforensics.com/2020/10/30/cellebrite-ctf-juan/
- Apple TV Forensics 03: Analysis
https://blog.elcomsoft.com/2019/09/apple-tv-forensics-03-analysis/
- Checkra1n Era - Ep 4 - Analyzing extractions "Before First Unlock"
https://blog.digital-forensics.it/2019/12/checkra1n-era-ep-4-analyzing.html
- iLEAPP DHCP Plugin
https://github.com/abrignoni/iLEAPP/blob/main/scripts/artifacts/dhcpl.py
/db/diagnostics/
- Apple Unified Logging and Activity Tracing formats
https://github.com/libyal/dtformats/blob/main/documentation/Apple%20Unified%20Logging%20and%20Activity%20Tracing%20formats.asciidoc
- Browsing the unified log in difficult circumstances
https://eclecticlight.co/2017/09/25/browsing-the-unified-log-in-difficult-circumstances/
- Reviewing macOS Unified Logs
https://www.mandiant.com/resources/blog/reviewing-macos-unified-logs
- Finding Waldo: Leveraging the Apple Unified Log for Incident Response
https://www.crowdstrike.com/blog/how-to-leverage-apple-unified-log-for-incident-response/
https://objectivebythesea.org/v3/talks/OBTS_v3_jMusunuri_eMartin.pdf
- Unified Log Reader
https://github.com/ydkhatri/UnifiedLogReader
- Upgrade From NULL—Detecting iOS Wipe Artifacts
https://dfir.pubpub.org/pub/6i7d593n/release/1
- Logs Unite! - Forensic Analysis of Apple Unified Logs
https://github.com/mac4n6/Presentations/blob/master/Logs%20Unite!%20-%20Forensic%20Analysis%20of%20Apple%20Unified%20Logs/LogsUnite.pdf
- Introducing 'Analysis of Apple Unified Logs: Quarantine Edition' [Entry 0]
https://www.mac4n6.com/blog/2020/4/19/introducing-analysis-of-apple-unified-logs-quarantine-edition-entry-0
"/installd/" folder
/installd/Library/Logs/MobileInstallation/mobile_installation.log.*
- CyberDefenders - Jailbreak CTF
https://www.netscylla.com/blog/2022/06/09/Cyberdefenders-Jailbreak-CTF.html
- iOS Mobile Installation Logs
https://dfir.pubpub.org/pub/e5xlbw88/release/2
- iOS Mobile Installation Logs
https://dfrws.org/wp-content/uploads/2019/10/2019_review-ios_mobile_installation_logs.pdf
- iOS Mobile Installation Logs Parser
https://abrignoni.blogspot.com/2019/01/ios-mobile-installation-logs-parser.html
- Checkra1n Era - Ep 4 - Analyzing extractions "Before First Unlock"
https://blog.digital-forensics.it/2019/12/checkra1n-era-ep-4-analyzing.html
- Using Apple “Bug Reporting” for forensic purposes
https://for585.com/sysdiagnose
- Apple TV Forensics 03: Analysis
https://blog.elcomsoft.com/2019/09/apple-tv-forensics-03-analysis/
- iLEAPP Mobile Installation Log Plugin
https://github.com/abrignoni/iLEAPP/blob/main/scripts/artifacts/mobileInstall.py
/installd/Library/Logs/MobileInstallation/LastBuildInfo.plist
- iOS Analysis Test No. 21-5551 Summary Report
https://cts-forensics.com/reports/21-5551_Web.pdf
- Checkra1n Era - Ep 4 - Analyzing extractions "Before First Unlock"
https://blog.digital-forensics.it/2019/12/checkra1n-era-ep-4-analyzing.html
- Cellebrite CTF 2020: Ruth Langmore
https://ciofecaforensics.com/2020/11/02/cellebrite-ctf-ruth/
- iLEAPP Last Build Info Plugin
https://github.com/abrignoni/iLEAPP/blob/main/scripts/artifacts/lastBuild.py
/installd/Library/Logs/MobileInstallation/MigrationInfo.plist
- Local Photo Library Photos.sqlite Query Documentation & Notable Artifacts
https://theforensicscooter.com/2022/05/02/photos-sqlite-query-documentation-notable-artifacts/
/installd/Library/Logs/MobileInstallation/RoleUserMigration.plist
- Local Photo Library Photos.sqlite Query Documentation & Notable Artifacts
https://theforensicscooter.com/2022/05/02/photos-sqlite-query-documentation-notable-artifacts/
"/logs/" folder
/logs/lockdownd.log
- So Long Lockdown!
http://www.doubleblak.com/m/blogPosts.php?id=9
- KnowledgeC (and Friends)
http://www.doubleblak.com/m/blogPosts.php?id=2
- Cellebrite CTF 2021 - Beth's iPhone
https://www.stark4n6.com/2021/10/cellebrite-ctf-2021-beths-iphone.html
- Checkra1n Era - Ep 4 - Analyzing extractions "Before First Unlock"
https://blog.digital-forensics.it/2019/12/checkra1n-era-ep-4-analyzing.html
/logs/usermanagerd.log.*
/logs/wifimanager.log
"/mobile/Containers/" folder
/mobile/Containers/Data/Application/"Apple Safari GUID"/Library/Caches/com.apple.mobilesafari/Cache.db
- Getting Started with iOS Forensics
https://www.systoolsgroup.com/forensics/sqlite/ios.html
- Practical Mobile Forensics - Fourth Edition
https://www.packtpub.com/product/practical-mobile-forensics-fourth-edition/9781838647520
- iOS Forensics for Investigators
https://www.packtpub.com/product/ios-forensics-for-investigators/9781803234083
/mobile/Containers/Data/Application//Library/Caches/com.apple.WebAppCache/ApplicationCache.db
- Practical Mobile Forensics - Fourth Edition
https://www.packtpub.com/product/practical-mobile-forensics-fourth-edition/9781838647520
/mobile/Containers/Data/Application//Library/Cookies/Cookies.binarycookies
- Practical Mobile Forensics - Fourth Edition
https://www.packtpub.com/product/practical-mobile-forensics-fourth-edition/9781838647520
- iOS Forensics for Investigators
https://www.packtpub.com/product/ios-forensics-for-investigators/9781803234083
/mobile/Containers/Data/Application/"Apple Safari GUID"/Library/ImageCache/Favicons/Favicon.db
- Favicons
https://www.doubleblak.com/m/blogPosts.php?id=13
- iLEAPP Favicon Plugin
https://github.com/abrignoni/iLEAPP/blob/main/scripts/artifacts/safariFavicons.py
/mobile/Containers/Data/Application/"Apple Safari GUID"/Library/Preferences/com.apple.mobilesafari.plist
- iOS 14 - First Thoughts and Analysis
https://blog.d204n6.com/2020/09/ios-14-first-thoughts-and-analysis.html
- iLEAPP Recent Web Searches Safari Plugin
https://github.com/abrignoni/iLEAPP/blob/main/scripts/artifacts/safariRecentWebSearches.py
- Practical Mobile Forensics - Fourth Edition
https://www.packtpub.com/product/practical-mobile-forensics-fourth-edition/9781838647520
/mobile/Containers/Data/Application/"Apple Safari GUID"/Library/Safari/Downloads/Downloads.plist
- iOS / macOS - Tracking Downloads from Safari Without Downloads
https://blog.d204n6.com/2021/05/ios-macos-tracking-downloads-from.html
- Safari and iPhone Internet History Parser
http://az4n6.blogspot.com/2014/07/safari-and-iphone-internet-history.html
/mobile/Containers/Data/Application/"Apple Safari GUID"/Library/Safari/Thumbnails/
- Practical Mobile Forensics - Fourth Edition
https://www.packtpub.com/product/practical-mobile-forensics-fourth-edition/9781838647520
- iOS Forensics for Investigators
https://www.packtpub.com/product/ios-forensics-for-investigators/9781803234083
/mobile/Containers/Data/Application/"Apple Safari GUID"/Library/WebKit/WebsiteData/LocalStorage/
- Mobile Cyber Forensic Investigations of Web3 Wallets on Android and iOS
https://www.mdpi.com/2076-3417/12/21/11180
- iOS Analysis Test No. 22-5551 Summary Report
https://cts-forensics.com/reports/22-5551_Web.pdf
/mobile/Containers/Data/Application/"Apple Maps GUID"/Library/Maps/GeoHistory.mapsdata
- Just Call Me Buffy the Proto Slayer – An Initial Look into Protobuf Data in Mac and iOS Forensics
http://www.mac4n6.com/blog/2019/9/27/just-call-me-buffy-the-proto-slayer-an-initial-look-into-protobuf-data-in-mac-and-ios-forensics
- ROTTEN TO THE CORE? NAH, IOS14 IS MOSTLY SWEET
https://smarterforensics.com/2020/09/rotten-to-the-core-nah-ios14-is-mostly-sweet/
- HOW THE GRINCH STOLE APPLE MAPS ARTIFACTS… OR DID HE JUST HIDE THEM?
https://smarterforensics.com/2016/12/how-the-grinch-stole-apple-maps-artifacts-or-did-he-just-hide-them/
- FIRST THE GRINCH AND NOW THE EASTER BUNNY! WHERE IS APPLE MAPS HIDING?
https://smarterforensics.com/2018/03/first-the-grinch-and-now-the-easter-bunny-where-is-apple-maps-hiding/
- …WON’T YOU BACK THAT THING UP: A GLIMPSE OF IOS 13 ARTIFACTS
https://smarterforensics.com/2019/09/wont-you-back-that-thing-up-a-glimpse-of-ios-13-artifacts/
- Find Me If You Can: Mobile GPS Mapping Applications Forensic Analysis & SNAVP the Open Source, Modular, Extensible Parser Analysis & SNAVP the Open Source, Modular, Extensible Parser
https://commons.erau.edu/cgi/viewcontent.cgi?article=1414&context=jdfsl
- iOS Analysis Test No. 20-5551 Summary Report
https://cts-forensics.com/reports/20-5551_Web.pdf
- iOS Analysis Test No. 21-5551 Summary Report
https://cts-forensics.com/reports/21-5551_Web.pdf
- iOS Analysis Test No. 22-5551 Summary Report
https://cts-forensics.com/reports/22-5551_Web.pdf
- iOS Forensics: HFS+ file system, partitions and relevant evidences
https://andreafortuna.org/2020/08/31/ios-forensics-hfs-file-system-partitions-and-relevant-evidences/
- Practical Mobile Forensics - Fourth Edition
https://www.packtpub.com/product/practical-mobile-forensics-fourth-edition/9781838647520
/mobile/Containers/Data/Application/"Apple Maps GUID"/Library/Preferences/com.apple.Maps.plist
- HOW THE GRINCH STOLE APPLE MAPS ARTIFACTS… OR DID HE JUST HIDE THEM?
https://smarterforensics.com/2016/12/how-the-grinch-stole-apple-maps-artifacts-or-did-he-just-hide-them/
- FIRST THE GRINCH AND NOW THE EASTER BUNNY! WHERE IS APPLE MAPS HIDING?
https://smarterforensics.com/2018/03/first-the-grinch-and-now-the-easter-bunny-where-is-apple-maps-hiding/
- …WON’T YOU BACK THAT THING UP: A GLIMPSE OF IOS 13 ARTIFACTS
https://smarterforensics.com/2019/09/wont-you-back-that-thing-up-a-glimpse-of-ios-13-artifacts/
- iOS Forensics: BFU (Before First Unlock) acquisition, using checkra1n
https://andreafortuna.org/2020/01/10/ios-forensics-bfu-before-first-unlock-acquisition-using-checkra1n/
- iOS Forensics: HFS+ file system, partitions and relevant evidences
https://andreafortuna.org/2020/08/31/ios-forensics-hfs-file-system-partitions-and-relevant-evidences/
- Practical Mobile Forensics - Fourth Edition
https://www.packtpub.com/product/practical-mobile-forensics-fourth-edition/9781838647520
/mobile/Containers/Shared/AppGroup/"Apple Maps GUID"/Maps/MapsSync_0.0.1
- What Apple Maps Activity Can be Found Using a Logical Extraction
https://lordtemplar1.wordpress.com/2022/05/08/what-apple-maps-activity-can-be-found-using-a-logical-extraction/
- iOS14 Maps History BLOB Script
http://cheeky4n6monkey.blogspot.com/2020/11/ios14-maps-history-blob-script.html
https://github.com/cheeky4n6monkey/4n6-scripts/blob/master/iOS/ios14_maps_history.py
- ROTTEN TO THE CORE? NAH, IOS14 IS MOSTLY SWEET
https://smarterforensics.com/2020/09/rotten-to-the-core-nah-ios14-is-mostly-sweet/
- iLEAPP Maps Sync Plugin
https://github.com/abrignoni/iLEAPP/blob/main/scripts/artifacts/mapsSync.py
"/mobile/Library/" folder
/mobile/Library/Accounts/Accounts3.sqlite
- iOS Analysis Test No. 19-5551 Summary Report
https://cts-forensics.com/reports/19-5551_Web.pdf
- iOS Analysis Test No. 20-5551 Summary Report
https://cts-forensics.com/reports/20-5551_Web.pdf
- iOS Analysis Test No. 21-5551 Summary Report
https://cts-forensics.com/reports/21-5551_Web.pdf
- iOS Analysis Test No. 22-5551 Summary Report
https://cts-forensics.com/reports/22-5551_Web.pdf
- Checkra1n Era - Ep 4 - Analyzing extractions "Before First Unlock"
https://blog.digital-forensics.it/2019/12/checkra1n-era-ep-4-analyzing.html
- iOS - Tracking Device Migration
https://blog.d204n6.com/2021/06/ios-tracking-device-migration.html
- iOS Forensics: BFU (Before First Unlock) acquisition, using checkra1n
https://andreafortuna.org/2020/01/10/ios-forensics-bfu-before-first-unlock-acquisition-using-checkra1n/
- Cellebrite CTF 2022 - Beth's iPhone
https://www.stark4n6.com/2022/06/cellebrite-ctf-2022-beths-iphone.html
- Magnet Forensics Virtual Summit 2023 CTF – iOS
https://www.forgottennook.com/blog/magnet-ios-2023
- Case Study: Forensic Analysis of TikTok on iOS
https://dfir.pubpub.org/pub/h6vyh33u/release/1
- iLEAPP Accounts Plugin
https://github.com/abrignoni/iLEAPP/blob/main/scripts/artifacts/accs.py
- Accounts3.sqlite query
https://github.com/kacos2000/Queries/blob/master/Accounts3_sqlite.sql
- iOS Forensics for Investigators
https://www.packtpub.com/product/ios-forensics-for-investigators/9781803234083
/mobile/Library/AddressBook/AddressBook.sqlitedb
- Getting Started with iOS Forensics
https://www.systoolsgroup.com/forensics/sqlite/ios.html
- Identification and analysis of email and contacts artefacts on iOS and OS X
https://researchonline.gcu.ac.uk/ws/portalfiles/portal/24600592/K.Ovens_PID4325955.pdf
- TIME IS NOT ON OUR SIDE WHEN IT COMES TO MESSAGES IN IOS 11
https://smarterforensics.com/2017/09/time-is-not-on-our-side-when-it-comes-to-messages-in-ios-11/
- …WON’T YOU BACK THAT THING UP: A GLIMPSE OF IOS 13 ARTIFACTS
https://smarterforensics.com/2019/09/wont-you-back-that-thing-up-a-glimpse-of-ios-13-artifacts/
- ROTTEN TO THE CORE? NAH, IOS14 IS MOSTLY SWEET
https://smarterforensics.com/2020/09/rotten-to-the-core-nah-ios14-is-mostly-sweet/
- How To Identify When an IPhone or iPad was Factory Reset
https://athenaforensics.co.uk/how-to-identify-when-an-iphone-or-ipad-was-factory-reset/
- A Digital Forensic Analysis on the iCloud® and its Synchronization to Apple® Devices
https://www.marshall.edu/forensics/files/FRIEDMANRACHEL-Research-Paper-08242012.pdf
- Upgrade From NULL—Detecting iOS Wipe Artifacts
https://dfir.pubpub.org/pub/6i7d593n/release/1
- iOS Analysis Test No. 18-5551 Summary Report
https://cts-forensics.com/reports/38551_Web.pdf
- iOS Analysis Test No. 19-5551 Summary Report
https://cts-forensics.com/reports/19-5551_Web.pdf
- iOS Analysis Test No. 20-5551 Summary Report
https://cts-forensics.com/reports/20-5551_Web.pdf
- iOS Analysis Test No. 21-5551 Summary Report
https://cts-forensics.com/reports/21-5551_Web.pdf
- iOS Analysis Test No. 22-5551 Summary Report
https://cts-forensics.com/reports/22-5551_Web.pdf
- AddressBook.sqlitedb query
https://github.com/kacos2000/Queries/blob/master/AddressBook_sqlite.sql
- iPhone Artifacts - Champlain College
https://www.champlain.edu/Documents/LCDI/iPhone%20Artifacts.pdf
- iLEAPP Address Book Plugin
https://github.com/abrignoni/iLEAPP/blob/main/scripts/artifacts/addressBook.py
- Practical Mobile Forensics - Fourth Edition
https://www.packtpub.com/product/practical-mobile-forensics-fourth-edition/9781838647520
- iOS Forensics for Investigators
https://www.packtpub.com/product/ios-forensics-for-investigators/9781803234083
/mobile/Library/AddressBook/AddressBookImages.sqlitedb
- Identification and analysis of email and contacts artefacts on iOS and OS X
https://researchonline.gcu.ac.uk/ws/portalfiles/portal/24600592/K.Ovens_PID4325955.pdf
- IOS 13 – SUMMARY FOR THOSE OF YOU WHO ENJOY THE CLIFFSNOTES
https://smarterforensics.com/2019/09/ios-13-summary-for-those-of-you-who-enjoy-the-cliffsnotes/
- AddressBookImages.sqlitedb query
https://github.com/kacos2000/Queries/blob/master/AddressBookImages_sqlite.sql
- Practical Mobile Forensics - Fourth Edition
https://www.packtpub.com/product/practical-mobile-forensics-fourth-edition/9781838647520
/mobile/Library/AggregatedDictionary/ADDataStore.sqlitedb
- Pincodes, Passcodes, & TouchID on iOS - An Introduction to the Aggregate Dictionary Database (ADDataStore.sqlite)
https://www.mac4n6.com/blog/2017/3/12/introduction-to-the-aggregate-dictionary-database-addatastoresqlite
- On the Fifth Day of APOLLO, My True Love Gave to Me – A Stocking Full of Random Junk, Some of Which Might be Useful!
https://www.mac4n6.com/blog/2018/12/18/on-the-fifth-day-of-apollo-my-true-love-gave-to-me-a-stocking-full-of-random-junk-some-of-which-might-be-useful
- FROM APPLE SEEDS TO APPLE PIE
https://objectivebythesea.org/v1/talks/OBTS_v1_Edwards.pdf
- Checkra1n Era - Ep 4 - Analyzing extractions "Before First Unlock"
https://blog.digital-forensics.it/2019/12/checkra1n-era-ep-4-analyzing.html
- iOS Forensics: BFU (Before First Unlock) acquisition, using checkra1n
https://andreafortuna.org/2020/01/10/ios-forensics-bfu-before-first-unlock-acquisition-using-checkra1n/
- Forensics Tools: Stop Miscalculating iOS Usage Analytics!
https://www.zdziarski.com/blog/?p=2686
- SANS 2022 DFIR Summit Queries
https://for585.com/dfirsummit22
- APOLLO ADDataStore Modules
https://github.com/mac4n6/APOLLO/blob/master/modules/aggregate_dictionary_scalars.txt
https://github.com/mac4n6/APOLLO/blob/master/modules/aggregate_dictionary_distributed_keys.txt
/mobile/Library/AppConduit/AvailableApps.plist
- Checkra1n Era - Ep 4 - Analyzing extractions "Before First Unlock"
https://blog.digital-forensics.it/2019/12/checkra1n-era-ep-4-analyzing.html
/mobile/Library/AppConduit/AvailableCompanionApps.plist
- Checkra1n Era - Ep 4 - Analyzing extractions "Before First Unlock"
https://blog.digital-forensics.it/2019/12/checkra1n-era-ep-4-analyzing.html
/mobile/Library/Application Support/com.apple.remotemanagmentd/RMAdminStore-Cloud.sqlite
/mobile/Library/Application Support/com.apple.remotemanagmentd/RMAdminStore-Local.sqlite
- Checkra1n Era - Ep 4 - Analyzing extractions "Before First Unlock"
https://blog.digital-forensics.it/2019/12/checkra1n-era-ep-4-analyzing.html
- ScreenTimeController
https://github.com/Evian-Zhang/ScreenTimeController/blob/master/README.md
- Data Quality and Quantity – How to Get the Best of Both Worlds, Part 2 – Examining Screen Time Artifacts
https://cellebrite.com/en/data-quality-and-quantity-how-to-get-the-best-of-both-worlds-part-2-examining-screen-time-artifacts/
- A Look Into Apple’s Screen Time Feature and What Insights It Lends To Digital Intelligence
https://cellebrite.com/en/a-look-into-apples-screen-time-feature-and-what-insights-it-lends-to-digital-intelligence/
- iOS Screentine And Android Digital Wellbeing Apps
https://www.forensicfocus.com/webinars/ios-screentine-and-android-digital-wellbeing-apps/
- Getting Evidence from iOS Screen Time Artifacts
https://www.magnetforensics.com/blog/getting-evidence-from-ios-screen-time-artifacts/
- Plaso iOS ScreenTime Parser
https://plaso.readthedocs.io/en/latest/_modules/plaso/parsers/sqlite_plugins/ios_screentime.html
- A Look Into Apple’s Screen Time Feature and What Insights It Lends To Forensics
https://www.goldencelle.com/post/a-look-into-apple-s-screen-time-feature-and-what-insights-it-lends-to-forensics
- Cellebrite CTF 2020: Ruth Langmore
https://ciofecaforensics.com/2020/11/02/cellebrite-ctf-ruth/
- Magnet Forensics Virtual Summit 2023 CTF – iOS
https://www.forgottennook.com/blog/magnet-ios-2023
- Magnet 2022 CTF – iOS15
https://bakerstreetforensics.com/2022/07/28/magnet-2022-ctf-ios15/
- MAC Apt ScreenTime Plugin
https://github.com/ydkhatri/mac_apt/blob/master/plugins/screentime.py
- APOLLO ScreenTime Modules
https://github.com/mac4n6/APOLLO/blob/master/modules/screentime_timed_items.txt
https://github.com/mac4n6/APOLLO/blob/master/modules/screentime_counted_items.txt
https://github.com/mac4n6/APOLLO/blob/master/modules/screentime_by_hour.txt
https://github.com/mac4n6/APOLLO/blob/master/modules/screentime_by_category.txt
/mobile/Library/ApplicationSync/AssetSortOrder.plist
- Checkra1n Era - Ep 4 - Analyzing extractions "Before First Unlock"
https://blog.digital-forensics.it/2019/12/checkra1n-era-ep-4-analyzing.html
/mobile/Library/Assistant/SiriAnalytics.db
- Sysdiagnose in iOS 16: a first look from a Digital Forensics perspective
https://blog.digital-forensics.it/2022/11/sysdiagnose-in-ios-16-first-look-from.html
/mobile/Library/Biome/
- Analyzing iOS Biome AppIntent Files
https://bluecrewforensics.com/2022/03/07/ios-app-intents/
- iOS 16 - Now You 'C' It, Now You Don't -- Breaking Down The Biomes Part 1
https://blog.d204n6.com/2022/09/ios-16-now-you-c-it-now-you-dont.html
- iOS 16 Breaking Down the Biomes Part 2 - AppInstalls, AppLaunch, & AppIntents
https://blog.d204n6.com/2022/09/ios-16-breaking-down-biomes-part-2.html
- iOS 16 - Breaking Down the Biomes (Part 3) - Keeping up with CarPlay
https://blog.d204n6.com/2022/09/ios-16-breaking-down-biomes-part-3.html
- iOS 16 - Breaking Down the Biomes (Part 4) - Surfin' with Safari
https://blog.d204n6.com/2022/09/ios-16-breaking-down-biomes-part-4.html
- iOS 16 - Breaking Down the Biomes Part 5 -- "Hey Siri, find me some more data..."
https://blog.d204n6.com/2022/09/ios-16-breaking-down-biomes-part-5-hey.html
- Bringing it Back With Biome Data
https://www.magnetforensics.com/blog/bringing-it-back-with-biome-data/
- An Alternate Location for Deleted SMS/iMessage Data in Apple Devices
https://sqlmcgee.wordpress.com/2022/03/28/an-alternate-location-for-deleted-sms-imessage-data-in-apple-devices-2/
https://dfir.pubpub.org/pub/yp6efc8q/release/1
- Lagging for the Win: Querying for Negative Evidence in the sms.db
https://belkasoft.com/lagging-for-win
- The Meaning of Messages
https://www.magnetforensics.com/blog/the-meaning-of-messages/
- Magnet Forensics Virtual Summit 2023 CTF – iOS
https://www.forgottennook.com/blog/magnet-ios-2023
- Magnet Virtual Summit 2023 CTF - iOS 16 iPhone
https://www.stark4n6.com/2023/03/magnet-virtual-summit-2023-ctf-ios-16.html
- iLEAPP Biome Plugins
https://github.com/abrignoni/iLEAPP/blob/main/scripts/artifacts/biomeAppinstall.py
https://github.com/abrignoni/iLEAPP/blob/main/scripts/artifacts/biomeBacklight.py
https://github.com/abrignoni/iLEAPP/blob/main/scripts/artifacts/biomeBattperc.py
https://github.com/abrignoni/iLEAPP/blob/main/scripts/artifacts/biomeBluetooth.py
https://github.com/abrignoni/iLEAPP/blob/main/scripts/artifacts/biomeCarplayisconnected.py
https://github.com/abrignoni/iLEAPP/blob/main/scripts/artifacts/biomeDevplugin.py
https://github.com/abrignoni/iLEAPP/blob/main/scripts/artifacts/biomeHardware.py
https://github.com/abrignoni/iLEAPP/blob/main/scripts/artifacts/biomeInfocus.py
https://github.com/abrignoni/iLEAPP/blob/main/scripts/artifacts/biomeIntents.py
https://github.com/abrignoni/iLEAPP/blob/main/scripts/artifacts/biomeLocationactivity.py
https://github.com/abrignoni/iLEAPP/blob/main/scripts/artifacts/biomeNotes.py
https://github.com/abrignoni/iLEAPP/blob/main/scripts/artifacts/biomeNotificationsPub.py
https://github.com/abrignoni/iLEAPP/blob/main/scripts/artifacts/biomeNowplaying.py
https://github.com/abrignoni/iLEAPP/blob/main/scripts/artifacts/biomeSafari.py
https://github.com/abrignoni/iLEAPP/blob/main/scripts/artifacts/biomeSync.py
https://github.com/abrignoni/iLEAPP/blob/main/scripts/artifacts/biomeTextinputses.py
https://github.com/abrignoni/iLEAPP/blob/main/scripts/artifacts/biomeUseractmeta.py
https://github.com/abrignoni/iLEAPP/blob/main/scripts/artifacts/biomeWifi.py
/mobile/Library/BulletinBoard/ClearedSections.plist
- Artifacts of an IOS device
https://infosecaddicts.com/artifacts-ios-device/
- iOS Forensics: HFS+ file system, partitions and relevant evidences
https://andreafortuna.org/2020/08/31/ios-forensics-hfs-file-system-partitions-and-relevant-evidences/
/mobile/Library/Caches/com.apple.Pasteboard/*
/mobile/Library/Caches/com.apple.findmy.fmipcore/
- Stored AirTag (and Other) Artifacts
https://blog.d204n6.com/2022/04/airtag-youre-it.html
- AirTags within iOS File Systems
https://medium.com/@Appalachian4n6/airtags-within-ios-file-systems-279dc783b69f
- iLEAPP AirTags Plugin
https://github.com/abrignoni/iLEAPP/blob/main/scripts/artifacts/airtags.py
/mobile/Library/Caches/com.apple.routined/Cache.sqlite
- Locations, Locations, Locations
https://doubleblak.com/blogPosts.php?id=14
https://doubleblak.com/BlogArticles/14/PDF2.pdf
- On the Tenth Day of APOLLO, My True Love Gave to Me – An Oddly Detailed Map of My Recent Travels – iOS Location Analysis
http://www.mac4n6.com/blog/2018/12/23/on-the-tenth-day-of-apollo-my-true-love-gave-to-me-an-oddly-detailed-map-of-my-recent-travels-ios-location-analysis
- FROM APPLE SEEDS TO APPLE PIE
https://objectivebythesea.org/v1/talks/OBTS_v1_Edwards.pdf
- iOS Location Artifacts Explained
https://cellebrite.com/en/ios-location-artifacts-explained/
- Location Data on iOS and Android Devices
https://cellebrite.com/en/episode-15-ibeg-to-dfir-location-data-on-ios-and-android-devices/
- Apple Probably Knows What You Did Last Summer
https://blog.elcomsoft.com/2018/06/apple-probably-knows-what-you-did-last-summer/
- UAV Forensics: DJI Mini 2 Case Study
https://www.researchgate.net/publication/352058134_UAV_Forensics_DJI_Mini_2_Case_Study
- Magnet User Summit 2022 CTF - iPhone
https://www.stark4n6.com/2022/06/magnet-user-summit-2022-ctf-iphone.html
- Building a Pattern of Life - Leveraging Location and Health Data
https://www.youtube.com/watch?v=eU7THDwFkiM
- SANS 2022 DFIR Summit Queries
https://for585.com/dfirsummit22
- iPhone Device Speeds via Cache.sqlite > ZRTCLLOCATIONMO table
https://theforensicscooter.com/2021/09/22/iphone-device-speeds-in-cache-sqlite-zrtcllocationmo/
- Vehicle and iPhone Speed Comparison
https://theforensicscooter.com/2022/07/01/vehicle-and-iphone-speed-comparison/
- Cache.sqlite query
https://github.com/ScottKjr3347/iOS_Cache.sqlite_Queries
- APOLLO iOS Routined Cache Modules
https://github.com/mac4n6/APOLLO/blob/master/modules/routined_cache_zrtcllocationmo.txt
https://github.com/mac4n6/APOLLO/blob/master/modules/routined_cache_zrthintmo.txt
https://github.com/mac4n6/APOLLO/blob/master/modules/routined_cache_zrvisitmo.txt
- iOS Forensics for Investigators
https://www.packtpub.com/product/ios-forensics-for-investigators/9781803234083
/mobile/Library/Caches/com.apple.routined/Cloud.sqlite
/mobile/Library/Caches/com.apple.routined/Cloud-V2.sqlite
- Locations, Locations, Locations
https://doubleblak.com/blogPosts.php?id=14
https://doubleblak.com/BlogArticles/14/PDF2.pdf
- On the Tenth Day of APOLLO, My True Love Gave to Me – An Oddly Detailed Map of My Recent Travels – iOS Location Analysis
http://www.mac4n6.com/blog/2018/12/23/on-the-tenth-day-of-apollo-my-true-love-gave-to-me-an-oddly-detailed-map-of-my-recent-travels-ios-location-analysis
- FROM APPLE SEEDS TO APPLE PIE
https://objectivebythesea.org/v1/talks/OBTS_v1_Edwards.pdf
- iOS Location Artifacts Explained
https://cellebrite.com/en/ios-location-artifacts-explained/
- Location Data on iOS and Android Devices
https://cellebrite.com/en/episode-15-ibeg-to-dfir-location-data-on-ios-and-android-devices/
- Cellebrite CTF 2021 - Beth's iPhone
https://www.stark4n6.com/2021/10/cellebrite-ctf-2021-beths-iphone.html
- Apple Probably Knows What You Did Last Summer
https://blog.elcomsoft.com/2018/06/apple-probably-knows-what-you-did-last-summer/
- Smartphone Privacy: How Your Smartphone Tracks Your Entire Life
https://conference.hitb.org/hitbsecconf2018pek/materials/D2T2%20-%20How%20Your%20Smartphone%20Tracks%20Your%20Entire%20Life%20-%20Vladimir%20Katalov.pdf
- Building a Pattern of Life - Leveraging Location and Health Data
https://www.youtube.com/watch?v=eU7THDwFkiM
- SANS 2022 DFIR Summit Queries
https://for585.com/dfirsummit22
- APOLLO iOS Routined Cloud Modules
https://github.com/mac4n6/APOLLO/blob/master/modules/routined_cloud_visit_entry.txt
https://github.com/mac4n6/APOLLO/blob/master/modules/routined_cloud_visit_exit.txt
https://github.com/mac4n6/APOLLO/blob/master/modules/routined_cloud_visit_inbound_start.txt
https://github.com/mac4n6/APOLLO/blob/master/modules/routined_cloud_visit_inbound_stop.txt
https://github.com/mac4n6/APOLLO/blob/master/modules/routined_cloud_visit_outbound_start.txt
https://github.com/mac4n6/APOLLO/blob/master/modules/routined_cloud_visit_outbound_stop.txt
https://github.com/mac4n6/APOLLO/blob/master/modules/routined_cloud_address.txt
https://github.com/mac4n6/APOLLO/blob/master/modules/routined_cloud_mapitem.txt
- iOS Forensics for Investigators
https://www.packtpub.com/product/ios-forensics-for-investigators/9781803234083
/mobile/Library/Caches/com.apple.routined/Local.sqlite
- Locations, Locations, Locations
https://doubleblak.com/blogPosts.php?id=14
https://doubleblak.com/BlogArticles/14/PDF2.pdf
- On the Tenth Day of APOLLO, My True Love Gave to Me – An Oddly Detailed Map of My Recent Travels – iOS Location Analysis
http://www.mac4n6.com/blog/2018/12/23/on-the-tenth-day-of-apollo-my-true-love-gave-to-me-an-oddly-detailed-map-of-my-recent-travels-ios-location-analysis
- FROM APPLE SEEDS TO APPLE PIE
https://objectivebythesea.org/v1/talks/OBTS_v1_Edwards.pdf
- iOS Location Artifacts Explained
https://cellebrite.com/en/ios-location-artifacts-explained/
- Location Data on iOS and Android Devices
https://cellebrite.com/en/episode-15-ibeg-to-dfir-location-data-on-ios-and-android-devices/
- Building a Pattern of Life - Leveraging Location and Health Data
https://www.youtube.com/watch?v=eU7THDwFkiM
- SANS 2022 DFIR Summit Queries
https://for585.com/dfirsummit22
- Cellebrite CTF 2022 - Beth's iPhone
https://www.stark4n6.com/2022/06/cellebrite-ctf-2022-beths-iphone.html
- Smartphone Privacy: How Your Smartphone Tracks Your Entire Life
https://conference.hitb.org/hitbsecconf2018pek/materials/D2T2%20-%20How%20Your%20Smartphone%20Tracks%20Your%20Entire%20Life%20-%20Vladimir%20Katalov.pdf
- APOLLO iOS Routined Local Modules
https://github.com/mac4n6/APOLLO/blob/master/modules/routined_local_learned_location_of_interest_entry.txt
https://github.com/mac4n6/APOLLO/blob/master/modules/routined_local_learned_location_of_interest_exit.txt
https://github.com/mac4n6/APOLLO/blob/master/modules/routined_local_learned_location_of_interest_transition_start.txt
https://github.com/mac4n6/APOLLO/blob/master/modules/routined_local_learned_location_of_interest_transition_stop.txt
https://github.com/mac4n6/APOLLO/blob/master/modules/routined_local_vehicle_parked.txt
https://github.com/mac4n6/APOLLO/blob/master/modules/routined_local_vehicle_parked_history.txt
- iOS Forensics for Investigators
https://www.packtpub.com/product/ios-forensics-for-investigators/9781803234083
/mobile/Library/Calendar/Calendar.sqlitedb
- Checkra1n Era - Ep 4 - Analyzing extractions "Before First Unlock"
https://blog.digital-forensics.it/2019/12/checkra1n-era-ep-4-analyzing.html
- iOS Analysis Test No. 18-5551 Summary Report
https://cts-forensics.com/reports/38551_Web.pdf
- iOS Analysis Test No. 20-5551 Summary Report
https://cts-forensics.com/reports/20-5551_Web.pdf
- iOS Analysis Test No. 21-5551 Summary Report
https://cts-forensics.com/reports/21-5551_Web.pdf
- iOS Analysis Test No. 22-5551 Summary Report
https://cts-forensics.com/reports/22-5551_Web.pdf
- Magnet User Summit 2022 CTF - iPhone
https://www.stark4n6.com/2022/06/magnet-user-summit-2022-ctf-iphone.html
- Calendar.sqlitedb query
https://github.com/kacos2000/queries/blob/master/calendar_sqlitedb.sql
- iLEAPP Calendar Plugin
https://github.com/abrignoni/iLEAPP/blob/main/scripts/artifacts/calendarAll.py
- Practical Mobile Forensics - Fourth Edition
https://www.packtpub.com/product/practical-mobile-forensics-fourth-edition/9781838647520
/mobile/Library/Calendar/Extras.db
- Extras.db query
https://github.com/kacos2000/queries/blob/master/calendar_extras.sql
/mobile/Library/CallHistoryDB/CallHistory.storedata
- Missing SQLite Records Analysis
https://dfir.pubpub.org/pub/33vkc2ul/release/1
- A GLIMPSE OF IOS 10 FROM A SMARTPHONE FORENSIC PERSPECTIVE
https://smarterforensics.com/2016/09/a-glimpse-of-ios-10-from-a-smartphone-forensic-perspective/
- TIME IS NOT ON OUR SIDE WHEN IT COMES TO MESSAGES IN IOS 11
https://smarterforensics.com/2017/09/time-is-not-on-our-side-when-it-comes-to-messages-in-ios-11/
- …WON’T YOU BACK THAT THING UP: A GLIMPSE OF IOS 13 ARTIFACTS
https://smarterforensics.com/2019/09/wont-you-back-that-thing-up-a-glimpse-of-ios-13-artifacts/
- IOS 13 – SUMMARY FOR THOSE OF YOU WHO ENJOY THE CLIFFSNOTES
https://smarterforensics.com/2019/09/ios-13-summary-for-those-of-you-who-enjoy-the-cliffsnotes/
- ROTTEN TO THE CORE? NAH, IOS14 IS MOSTLY SWEET
https://smarterforensics.com/2020/09/rotten-to-the-core-nah-ios14-is-mostly-sweet/
- How To Identify When an IPhone or iPad was Factory Reset
https://athenaforensics.co.uk/how-to-identify-when-an-iphone-or-ipad-was-factory-reset/
- iOS 14 - First Thoughts and Analysis
https://blog.d204n6.com/2020/09/ios-14-first-thoughts-and-analysis.html
- Cellebrite CTF 2022 - Marsha's iPhone
https://www.stark4n6.com/2022/06/cellebrite-ctf-2022-marshas-iphone.html
- Mo’ SIMs, Mo’ Problems. Examining Phones with Dual SIMs.
https://thebinaryhick.blog/2022/12/06/mo-sims-mo-problems-examining-phones-with-dual-sims/
- iOS Analysis Test No. 18-5551 Summary Report
https://cts-forensics.com/reports/38551_Web.pdf
- iOS Analysis Test No. 19-5551 Summary Report
https://cts-forensics.com/reports/19-5551_Web.pdf
- iOS Analysis Test No. 20-5551 Summary Report
https://cts-forensics.com/reports/20-5551_Web.pdf
- iOS Analysis Test No. 21-5551 Summary Report
https://cts-forensics.com/reports/21-5551_Web.pdf
- iOS Analysis Test No. 22-5551 Summary Report
https://cts-forensics.com/reports/22-5551_Web.pdf
- CallHistory Query
https://github.com/kacos2000/queries/blob/master/callhistory_storedata.sql
- APOLLO CallHistory Module
https://github.com/mac4n6/APOLLO/blob/master/modules/call_history.txt
- iLEAPP CallHistory Plugin
https://github.com/abrignoni/iLEAPP/blob/main/scripts/artifacts/callHistory.py
- Practical Mobile Forensics - Fourth Edition
https://www.packtpub.com/product/practical-mobile-forensics-fourth-edition/9781838647520
- iOS Forensics for Investigators
https://www.packtpub.com/product/ios-forensics-for-investigators/9781803234083
/mobile/Library/CallHistoryDB/CallHistoryTemp.storedata
- Checkra1n Era - Ep 4 - Analyzing extractions "Before First Unlock"
https://blog.digital-forensics.it/2019/12/checkra1n-era-ep-4-analyzing.html
- …WON’T YOU BACK THAT THING UP: A GLIMPSE OF IOS 13 ARTIFACTS
https://smarterforensics.com/2019/09/wont-you-back-that-thing-up-a-glimpse-of-ios-13-artifacts/
- iOS Forensics for Investigators
https://www.packtpub.com/product/ios-forensics-for-investigators/9781803234083
/mobile/Library/CallHistoryTransactions/
/mobile/Library/com.apple.ClipServices.clipserviced/ClipData.db
- iOS 14 - Tracking App Clips in iOS 14
https://blog.d204n6.com/2020/09/ios-14-tracking-app-clips-in-ios-14.html
/mobile/Library/com.apple.itunesstored/itunesstored2.sqlitedb
- Checkra1n Era - Ep 4 - Analyzing extractions "Before First Unlock"
https://blog.digital-forensics.it/2019/12/checkra1n-era-ep-4-analyzing.html
- iOS Forensics: BFU (Before First Unlock) acquisition, using checkra1n
https://andreafortuna.org/2020/01/10/ios-forensics-bfu-before-first-unlock-acquisition-using-checkra1n/
- iOS Forensics: HFS+ file system, partitions and relevant evidences
https://andreafortuna.org/2020/08/31/ios-forensics-hfs-file-system-partitions-and-relevant-evidences/
/mobile/Library/com.apple.itunesstored/kvs.sqlitedb
- Checkra1n Era - Ep 4 - Analyzing extractions "Before First Unlock"
https://blog.digital-forensics.it/2019/12/checkra1n-era-ep-4-analyzing.html
/mobile/Library/CoreDuet/Knowledge/knowledgeC.db
- Knowledge is Power! Using the macOS/iOS knowledgeC.db Database to Determine Precise User and Application Usage
http://www.mac4n6.com/blog/2018/8/5/knowledge-is-power-using-the-knowledgecdb-database-on-macos-and-ios-to-determine-precise-user-and-application-usage
- Knowledge is Power II – A Day in the Life of My iPhone using knowledgeC.db
https://www.mac4n6.com/blog/2018/9/12/knowledge-is-power-ii-a-day-in-the-life-of-my-iphone-using-knowledgecdb
- Extensive knowledgeC APOLLO Updates!
https://www.mac4n6.com/blog/2020/6/17/extensive-knowledgec-apollo-updates
- Socially Distant but Still Interacting! New and Improved Updates to macOS/iOS CoreDuet interactionC.db APOLLO Modules
https://www.mac4n6.com/blog/2020/6/21/socially-distant-but-still-interacting-new-and-improved-updates-to-macosios-coreduet-interactioncdb-apollo-modules
- Providing Context to iOS App Usage with knowledgeC.db and APOLLO
https://www.mac4n6.com/blog/2020/1/13/apollo-into-the-details-with-application-activities
- On the Third Day of APOLLO, My True Love Gave to Me – Application Usage to Determine Who Has Been Naughty or Nice
https://www.mac4n6.com/blog/2018/12/16/on-the-third-day-of-apollo-my-true-love-gave-to-me-application-usage-to-determine-who-has-been-naughty-or-nice
- On the Fourth Day of APOLLO, My True Love Gave to Me – Media Analysis to Prove You Listened to “All I Want for Christmas is You” Over and Over Since Before Thanksgiving
https://www.mac4n6.com/blog/2018/12/17/on-the-fourth-day-of-apollo-my-true-love-gave-to-me-media-analysis-to-prove-you-listened-to-all-i-want-for-christmas-is-you-over-and-over-since-before-thanksgiving
- On the Sixth Day of APOLLO, My True Love Gave to Me – Blinky Things with Buttons – Device Status Analysis
https://www.mac4n6.com/blog/2018/12/19/on-the-sixth-day-of-apollo-my-true-love-gave-to-me-blinky-things-with-buttons-device-status-analysis
- On the Eighth Day of APOLLO, My True Love Gave to Me – A Glorious Lightshow – Analysis of Device Connections
http://www.mac4n6.com/blog/2018/12/21/on-the-eighth-day-of-apollo-my-true-love-gave-to-me-a-glorious-lightshow-analysis-of-device-connections
- Smartphone Privacy: How Your Smartphone Tracks Your Entire Life
https://conference.hitb.org/hitbsecconf2018pek/materials/D2T2%20-%20How%20Your%20Smartphone%20Tracks%20Your%20Entire%20Life%20-%20Vladimir%20Katalov.pdf
- Apple TV Forensics 03: Analysis
https://blog.elcomsoft.com/2019/09/apple-tv-forensics-03-analysis/
- iOS KnowledgeC.db Notifications
https://theforensicscooter.com/2021/10/03/ios-knowledgec-db-notifications/
- iOS KnowledgeC.db Notifications
https://dfir.pubpub.org/pub/g2v1z97i/release/1
- KnowledgeC: Now Playing entries
https://www.forensicmike1.com/2019/10/07/knowledgec-now-playing-entries/
- USING PHOTOS.SQLITE TO SHOW THE RELATIONSHIPS BETWEEN PHOTOS AND THE APPLICATION THEY WERE CREATED WITH? BY SCOTT KOENIG
https://dfir.pubpub.org/pub/v19rksyf/release/1
https://smarterforensics.com/2020/08/does-photos-sqlite-have-relations-with-cameramessagesapp-by-scott-koenig/
- KnowledgeC (and Friends)
http://www.doubleblak.com/m/blogPosts.php?id=2
- Building a Pattern of Life - Leveraging Location and Health Data
https://www.youtube.com/watch?v=eU7THDwFkiM
- iOS 16 - Now You 'C' It, Now You Don't -- Breaking Down The Biomes Part 1
https://blog.d204n6.com/2022/09/ios-16-now-you-c-it-now-you-dont.html
- iOS - Tracking Traces of Deleted Applications
https://blog.d204n6.com/2019/09/ios-tracking-traces-of-deleted.html
- Tracking Traces of Deleted Applications - SANS DFIR Summit 2019
https://www.youtube.com/watch?v=4LcQm4ErXpA
- iOS Analysis Test No. 22-5551 Summary Report
https://cts-forensics.com/reports/22-5551_Web.pdf
- Magnet User Summit 2022 CTF - iPhone
https://www.stark4n6.com/2022/06/magnet-user-summit-2022-ctf-iphone.html
- KnowledgeC queries
https://github.com/ScottKjr3347/iOS_KnowledgeC.db_Queries
- SANS 2022 DFIR Summit Queries
https://for585.com/dfirsummit22
- APOLLO KnowledgeC Modules
https://github.com/mac4n6/APOLLO/blob/master/modules/knowledge_activity_level.txt
https://github.com/mac4n6/APOLLO/blob/master/modules/knowledge_activity_level_feedback.txt
https://github.com/mac4n6/APOLLO/blob/master/modules/knowledge_airplay_prediction.txt
https://github.com/mac4n6/APOLLO/blob/master/modules/knowledge_app_activity.txt
https://github.com/mac4n6/APOLLO/blob/master/modules/knowledge_app_activity_calendar.txt
https://github.com/mac4n6/APOLLO/blob/master/modules/knowledge_app_activity_clock.txt
https://github.com/mac4n6/APOLLO/blob/master/modules/knowledge_app_activity_mail.txt
https://github.com/mac4n6/APOLLO/blob/master/modules/knowledge_app_activity_maps.txt
https://github.com/mac4n6/APOLLO/blob/master/modules/knowledge_app_activity_notes.txt
https://github.com/mac4n6/APOLLO/blob/master/modules/knowledge_app_activity_passbook.txt
https://github.com/mac4n6/APOLLO/blob/master/modules/knowledge_app_activity_photos.txt
https://github.com/mac4n6/APOLLO/blob/master/modules/knowledge_app_activity_safari.txt
https://github.com/mac4n6/APOLLO/blob/master/modules/knowledge_app_activity_weather.txt
https://github.com/mac4n6/APOLLO/blob/master/modules/knowledge_app_inFocus.txt
https://github.com/mac4n6/APOLLO/blob/master/modules/knowledge_app_install.txt
https://github.com/mac4n6/APOLLO/blob/master/modules/knowledge_app_intents.txt
https://github.com/mac4n6/APOLLO/blob/master/modules/knowledge_app_location_activity.txt
https://github.com/mac4n6/APOLLO/blob/master/modules/knowledge_app_media_usage.txt
https://github.com/mac4n6/APOLLO/blob/master/modules/knowledge_app_relevantshortcuts.txt
https://github.com/mac4n6/APOLLO/blob/master/modules/knowledge_app_usage.txt
https://github.com/mac4n6/APOLLO/blob/master/modules/knowledge_app_webusage.txt
https://github.com/mac4n6/APOLLO/blob/master/modules/knowledge_audio_bluetooth_connected.txt
https://github.com/mac4n6/APOLLO/blob/master/modules/knowledge_audio_input_route.txt
https://github.com/mac4n6/APOLLO/blob/master/modules/knowledge_audio_media_nowplaying.txt
https://github.com/mac4n6/APOLLO/blob/master/modules/knowledge_audio_output_route.txt
https://github.com/mac4n6/APOLLO/blob/master/modules/knowledge_calendar_event_title.txt
https://github.com/mac4n6/APOLLO/blob/master/modules/knowledge_charging_smart_topoff_checkpoint.txt
https://github.com/mac4n6/APOLLO/blob/master/modules/knowledge_dasd_activity_profile.txt
https://github.com/mac4n6/APOLLO/blob/master/modules/knowledge_dasd_battery_temperature.txt
https://github.com/mac4n6/APOLLO/blob/master/modules/knowledge_dasd_control_effort.txt
https://github.com/mac4n6/APOLLO/blob/master/modules/knowledge_device_battery_saver.txt
https://github.com/mac4n6/APOLLO/blob/master/modules/knowledge_device_batterylevel.txt
https://github.com/mac4n6/APOLLO/blob/master/modules/knowledge_device_carplay_connected.txt
https://github.com/mac4n6/APOLLO/blob/master/modules/knowledge_device_inferred_motion.txt
https://github.com/mac4n6/APOLLO/blob/master/modules/knowledge_device_is_backlit.txt
https://github.com/mac4n6/APOLLO/blob/master/modules/knowledge_device_keybag_locked.txt
https://github.com/mac4n6/APOLLO/blob/master/modules/knowledge_device_locked.txt
https://github.com/mac4n6/APOLLO/blob/master/modules/knowledge_device_locked_imputed.txt
https://github.com/mac4n6/APOLLO/blob/master/modules/knowledge_device_low_power_mode.txt
https://github.com/mac4n6/APOLLO/blob/master/modules/knowledge_device_orientation.txt
https://github.com/mac4n6/APOLLO/blob/master/modules/knowledge_device_pluggedin.txt
https://github.com/mac4n6/APOLLO/blob/master/modules/knowledge_device_watch_nearby.txt
https://github.com/mac4n6/APOLLO/blob/master/modules/knowledge_discoverability_signals.txt
https://github.com/mac4n6/APOLLO/blob/master/modules/knowledge_discoverability_usage.txt
https://github.com/mac4n6/APOLLO/blob/master/modules/knowledge_disk_subsystem_access.txt
https://github.com/mac4n6/APOLLO/blob/master/modules/knowledge_event_tombstone.txt
https://github.com/mac4n6/APOLLO/blob/master/modules/knowledge_family_prediction.txt
https://github.com/mac4n6/APOLLO/blob/master/modules/knowledge_inferred_microlocation_visit.txt
https://github.com/mac4n6/APOLLO/blob/master/modules/knowledge_knowledge_sync_addition_window.txt
https://github.com/mac4n6/APOLLO/blob/master/modules/knowledge_notification_usage.txt
https://github.com/mac4n6/APOLLO/blob/master/modules/knowledge_paired_device_nearby.txt
https://github.com/mac4n6/APOLLO/blob/master/modules/knowledge_photos_deletes_all.txt
https://github.com/mac4n6/APOLLO/blob/master/modules/knowledge_photos_deletes_recent.txt
https://github.com/mac4n6/APOLLO/blob/master/modules/knowledge_photos_edit_all.txt
https://github.com/mac4n6/APOLLO/blob/master/modules/knowledge_photos_engagement.txt
https://github.com/mac4n6/APOLLO/blob/master/modules/knowledge_photos_favorites_other.txt
https://github.com/mac4n6/APOLLO/blob/master/modules/knowledge_photos_share_airdrop.txt
https://github.com/mac4n6/APOLLO/blob/master/modules/knowledge_photos_share_all.txt
https://github.com/mac4n6/APOLLO/blob/master/modules/knowledge_photos_share_extension.txt
https://github.com/mac4n6/APOLLO/blob/master/modules/knowledge_portrait_entity.txt
https://github.com/mac4n6/APOLLO/blob/master/modules/knowledge_portrait_topic.txt
https://github.com/mac4n6/APOLLO/blob/master/modules/knowledge_safari_browsing.txt
https://github.com/mac4n6/APOLLO/blob/master/modules/knowledge_segment_monitor.txt
https://github.com/mac4n6/APOLLO/blob/master/modules/knowledge_settings_doNotDisturb.txt
https://github.com/mac4n6/APOLLO/blob/master/modules/knowledge_sharesheet_feedback.txt
https://github.com/mac4n6/APOLLO/blob/master/modules/knowledge_siri.txt
https://github.com/mac4n6/APOLLO/blob/master/modules/knowledge_siri_activites.txt
https://github.com/mac4n6/APOLLO/blob/master/modules/knowledge_siri_flow_activity.txt
https://github.com/mac4n6/APOLLO/blob/master/modules/knowledge_siri_service.txt
https://github.com/mac4n6/APOLLO/blob/master/modules/knowledge_spotlight_viewer_event.txt
https://github.com/mac4n6/APOLLO/blob/master/modules/knowledge_standby_timer.txt
https://github.com/mac4n6/APOLLO/blob/master/modules/knowledge_sync_addition_window.txt
https://github.com/mac4n6/APOLLO/blob/master/modules/knowledge_sync_deletion_bookmark.txt
https://github.com/mac4n6/APOLLO/blob/master/modules/knowledge_system_airplane_mode.txt
https://github.com/mac4n6/APOLLO/blob/master/modules/knowledge_system_tlc.txt
https://github.com/mac4n6/APOLLO/blob/master/modules/knowledge_system_userwakingevent.txt
https://github.com/mac4n6/APOLLO/blob/master/modules/knowledge_user_first_backlight_after_wakeup.txt
https://github.com/mac4n6/APOLLO/blob/master/modules/knowledge_user_interaction_app_directory.txt
https://github.com/mac4n6/APOLLO/blob/master/modules/knowledge_widget_refresh.txt
https://github.com/mac4n6/APOLLO/blob/master/modules/knowledge_widget_view.txt
https://github.com/mac4n6/APOLLO/blob/master/modules/knowledge_widgets_viewed.txt
https://github.com/mac4n6/APOLLO/blob/master/modules/knowledge_wifi_connection.txt
- iOS Forensics for Investigators
https://www.packtpub.com/product/ios-forensics-for-investigators/9781803234083
/mobile/Library/CoreDuet/People/interactionC.db
- FROM APPLE SEEDS TO APPLE PIE
https://objectivebythesea.org/v1/talks/OBTS_v1_Edwards.pdf
- KnowledgeC (and Friends)
http://www.doubleblak.com/m/blogPosts.php?id=2
- Socially Distant but Still Interacting! New and Improved Updates to macOS/iOS CoreDuet interactionC.db APOLLO Modules
http://www.mac4n6.com/blog/2020/6/21/socially-distant-but-still-interacting-new-and-improved-updates-to-macosios-coreduet-interactioncdb-apollo-modules
- Local Photo Library Photos.sqlite Query Variations & WHERE statements
https://theforensicscooter.com/2022/02/21/photos-sqlite-update/
- Comparison of iOS backups: Encrypted vs Unencrypted
https://www.arcpointforensics.com/news/comparison-of-ios-backups
- SANS 2022 DFIR Summit Queries
https://for585.com/dfirsummit22
- APOLLO interactionC Modules
https://github.com/mac4n6/APOLLO/blob/master/modules/interaction_contact_interactions.txt
https://github.com/mac4n6/APOLLO/blob/master/modules/interaction_contact_interactions_keywords.txt
- iLEAPP interactionC Plugin
https://github.com/abrignoni/iLEAPP/blob/main/scripts/artifacts/interactionCcontacts.py
- Practical Mobile Forensics - Fourth Edition
https://www.packtpub.com/product/practical-mobile-forensics-fourth-edition/9781838647520
- iOS Forensics for Investigators
https://www.packtpub.com/product/ios-forensics-for-investigators/9781803234083
/mobile/Library/DataAccess/
- Checkra1n Era - Ep 4 - Analyzing extractions "Before First Unlock"
https://blog.digital-forensics.it/2019/12/checkra1n-era-ep-4-analyzing.html
- iOS Forensics: BFU (Before First Unlock) acquisition, using checkra1n
https://andreafortuna.org/2020/01/10/ios-forensics-bfu-before-first-unlock-acquisition-using-checkra1n/
- iOS Forensics: HFS+ file system, partitions and relevant evidences
https://andreafortuna.org/2020/08/31/ios-forensics-hfs-file-system-partitions-and-relevant-evidences/
- Artifacts of an IOS device
https://infosecaddicts.com/artifacts-ios-device/
- A Digital Forensic Analysis on the iCloud® and its Synchronization to Apple® Devices
https://www.marshall.edu/forensics/files/FRIEDMANRACHEL-Research-Paper-08242012.pdf
/mobile/Library/DeviceRegistry.state/activeStateMachine.plist
- Apple Watch Forensics 02: Analysis
https://blog.elcomsoft.com/2019/06/apple-watch-forensics-02-analysis/
- APPLE WATCH FORENSICS: IS IT EVER POSSIBLE, AND WHAT IS THE PROFIT?
https://www.forensicfocus.com/webinars/apple-watch-forensics-is-it-ever-possible-and-what-is-the-profit/
https://dfrws.org/wp-content/uploads/2019/06/2019_EU_pres-apple_watch_forensics_is_it_ever_possible_and_what_is_the_profit.pdf
- Data Extraction and Forensic Analysis for Smartphone Paired Wearables and IoT Devices
https://www.researchgate.net/publication/339022164_Data_Extraction_and_Forensic_Analysis_for_Smartphone_Paired_Wearables_and_IoT_Devices
/mobile/Library/DeviceRegistry.state/historySecureProperties.plist
- Apple Watch Forensics 02: Analysis
https://blog.elcomsoft.com/2019/06/apple-watch-forensics-02-analysis/
- APPLE WATCH FORENSICS: IS IT EVER POSSIBLE, AND WHAT IS THE PROFIT?
https://www.forensicfocus.com/webinars/apple-watch-forensics-is-it-ever-possible-and-what-is-the-profit/
https://dfrws.org/wp-content/uploads/2019/06/2019_EU_pres-apple_watch_forensics_is_it_ever_possible_and_what_is_the_profit.pdf
- Data Extraction and Forensic Analysis for Smartphone Paired Wearables and IoT Devices
https://www.researchgate.net/publication/339022164_Data_Extraction_and_Forensic_Analysis_for_Smartphone_Paired_Wearables_and_IoT_Devices
/mobile/Library/DoNotDisturb/DB/Settings.sqlite
/mobile/Library/DoNotDisturb/DB/IDSSyncEngineMetadata.plist
- iOS 16 - Breaking Down the Biomes (Part 3) - Keeping up with CarPlay
https://blog.d204n6.com/2022/09/ios-16-breaking-down-biomes-part-3.html
/mobile/Library/DuetExpertCenter/streams/userNotificationEvent/local
- Peeking at User Notification Events in iOS 15
https://gforce4n6.blogspot.com/2022/05/peeking-at-user-notification-events-in.html
- Peeking at User Notification Events in iOS 15
https://dfrws.org/presentation/dfir-review-showcase-peeking-at-user-notification-events-in-ios-15/
- iOS 16 - "Paul unsent a message." ... OR DID HE?!
https://blog.d204n6.com/2022/09/ios-16-paul-unsent-message-or-did-he.html
- Magnet Forensics Virtual Summit 2023 CTF – iOS
https://www.forgottennook.com/blog/magnet-ios-2023
- iLEAPP User Notifications Plugin
https://github.com/abrignoni/iLEAPP/blob/main/scripts/artifacts/notificationsDuet.py
/mobile/Library/FrontBoard/applicationState.db
- Identifying installed and uninstalled apps in iOS
https://abrignoni.blogspot.com/2018/12/identifying-installed-and-uninstalled.html
- iOS - Tracking Traces of Deleted Applications
https://blog.d204n6.com/2019/09/ios-tracking-traces-of-deleted.html
- Tracking Traces of Deleted Applications - SANS DFIR Summit 2019
https://www.youtube.com/watch?v=4LcQm4ErXpA
- iOS Application Groups & Shared data
http://www.swiftforensics.com/2021/01/ios-application-groups-shared-data.html
- iOS - Tracking Bundle IDs for Containers, Shared Containers, and Plugins
https://blog.d204n6.com/2020/09/ios-tracking-bundle-ids-for-containers.html
- iOS – Tracking Bundle IDs for Containers, Shared Containers, and Plugins
https://www.magnetforensics.com/blog/ios-tracking-bundle-ids-for-containers-shared-containers-and-plugins/
- Checkra1n Era - Ep 4 - Analyzing extractions "Before First Unlock"
https://blog.digital-forensics.it/2019/12/checkra1n-era-ep-4-analyzing.html
- Magnet Virtual Summit 2020 CTF (iOS)
https://www.stark4n6.com/2020/06/magnet-virtual-summit-2020-ctf-ios.html
- iLEAPP Application State Plugin
https://github.com/abrignoni/iLEAPP/blob/main/scripts/artifacts/applicationstate.py
- Practical Mobile Forensics - Fourth Edition
https://www.packtpub.com/product/practical-mobile-forensics-fourth-edition/9781838647520
- iOS Forensics for Investigators
https://www.packtpub.com/product/ios-forensics-for-investigators/9781803234083
/mobile/Library/Health/ActivitySharing/contacts.dat
- #DFIRFIT or Bust - A forensic exploration of iOS Health Data
https://github.com/mac4n6/Presentations/blob/master/%23DFIRFIT%20or%20BUST/DFIRFIT.pdf
https://papers.put.as/papers/ios/2018/summit_archive_1528385073.pdf
- Smartphone Privacy: How Your Smartphone Tracks Your Entire Life
https://conference.hitb.org/hitbsecconf2018pek/materials/D2T2%20-%20How%20Your%20Smartphone%20Tracks%20Your%20Entire%20Life%20-%20Vladimir%20Katalov.pdf
/mobile/Library/Health/healthdb.sqlite
- #DFIRFIT or Bust - A forensic exploration of iOS Health Data
https://papers.put.as/papers/ios/2018/summit_archive_1528385073.pdf
https://github.com/mac4n6/Presentations/blob/master/%23DFIRFIT%20or%20BUST/DFIRFIT.pdf
- FROM APPLE SEEDS TO APPLE PIE
https://objectivebythesea.org/v1/talks/OBTS_v1_Edwards.pdf
- Enriching Investigations with Apple Watch Data Through the healthdb_secure.sqlite Database
https://dfir.pubpub.org/pub/xqvcn3hj/release/1
- Smartphone Privacy: How Your Smartphone Tracks Your Entire Life
https://conference.hitb.org/hitbsecconf2018pek/materials/D2T2%20-%20How%20Your%20Smartphone%20Tracks%20Your%20Entire%20Life%20-%20Vladimir%20Katalov.pdf
- Apple Health
https://media.rootcon.org/ROOTCON%2012/Talks/Apple%20Health.pdf
- Health and Activity
https://www.elcomsoft.com/presentations/20200129_health_and_activity_evidence_en.pdf
- Making a Murderer: Health Activity Edition
https://smarterforensics.com/wp-content/uploads/2018/11/Making-a-Murderer-Health-Edition_Stockholm.pdf
- …WON’T YOU BACK THAT THING UP: A GLIMPSE OF IOS 13 ARTIFACTS
https://smarterforensics.com/2019/09/wont-you-back-that-thing-up-a-glimpse-of-ios-13-artifacts/
- Audio and App Usage in Apple Health
https://www.stark4n6.com/2022/08/audio-and-app-usage-in-apple-health.html
- iOS Forensics: HFS+ file system, partitions and relevant evidences
https://andreafortuna.org/2020/08/31/ios-forensics-hfs-file-system-partitions-and-relevant-evidences/
- healthdb.sqlite query
https://github.com/kacos2000/Queries/blob/master/healthdb.sql
/mobile/Library/Health/healthdb_secure.sqlite
- #DFIRFIT or Bust - A forensic exploration of iOS Health Data
https://github.com/mac4n6/Presentations/blob/master/%23DFIRFIT%20or%20BUST/DFIRFIT.pdf
https://papers.put.as/papers/ios/2018/summit_archive_1528385073.pdf
- FROM APPLE SEEDS TO APPLE PIE
https://objectivebythesea.org/v1/talks/OBTS_v1_Edwards.pdf
- On the Second Day of APOLLO, My True Love Gave to Me - Holiday Treats and a Trip to the Gym - A Look at iOS Health Data
https://www.mac4n6.com/blog/2018/12/15/on-the-second-day-of-apollo-my-true-love-gave-to-me-holiday-treats-and-a-trip-to-the-gym-a-look-at-ios-health-data
- Just Call Me Buffy the Proto Slayer – An Initial Look into Protobuf Data in Mac and iOS Forensics
http://www.mac4n6.com/blog/2019/9/27/just-call-me-buffy-the-proto-slayer-an-initial-look-into-protobuf-data-in-mac-and-ios-forensics
- The iPhone Health App from a forensic perspective: can steps and distances registered during walking and running be used as digital evidence?
https://www.sciencedirect.com/science/article/pii/S1742287619300313
https://dfrws.org/sites/default/files/session-files/2019_EU_paper-the_iphone_health_app_from_a_forensic_perspective.pdf
- The phone reveals your motion: Digital traces of walking, driving and other movements on iPhones
https://www.sciencedirect.com/science/article/abs/pii/S2666281721000780
- Interpreting the location data extracted from the Apple Health database
https://www.sciencedirect.com/science/article/pii/S2666281723000057
- Smartphone Privacy: How Your Smartphone Tracks Your Entire Life
https://conference.hitb.org/hitbsecconf2018pek/materials/D2T2%20-%20How%20Your%20Smartphone%20Tracks%20Your%20Entire%20Life%20-%20Vladimir%20Katalov.pdf
- Apple Health
https://media.rootcon.org/ROOTCON%2012/Talks/Apple%20Health.pdf
- Health and Activity
https://www.elcomsoft.com/presentations/20200129_health_and_activity_evidence_en.pdf
- Making a Murderer: Health Activity Edition
https://smarterforensics.com/wp-content/uploads/2018/11/Making-a-Murderer-Health-Edition_Stockholm.pdf
- …WON’T YOU BACK THAT THING UP: A GLIMPSE OF IOS 13 ARTIFACTS
https://smarterforensics.com/2019/09/wont-you-back-that-thing-up-a-glimpse-of-ios-13-artifacts/
- Audio and App Usage in Apple Health
https://www.stark4n6.com/2022/08/audio-and-app-usage-in-apple-health.html
- Enriching Investigations with Apple Watch Data Through the healthdb_secure.sqlite Database
https://dfir.pubpub.org/pub/xqvcn3hj/release/1
https://sqlmcgee.wordpress.com/2022/04/01/enriching-investigations-with-apple-watch-data-through-the-healthdb_secure-sqlite-database/
- Cellebrite CTF 2021 - Beth's iPhone
https://www.stark4n6.com/2021/10/cellebrite-ctf-2021-beths-iphone.html
- iOS Analysis Test No. 19-5551 Summary Report
https://cts-forensics.com/reports/19-5551_Web.pdf
- iOS Analysis Test No. 21-5551 Summary Report
https://cts-forensics.com/reports/21-5551_Web.pdf
- Securing and Extracting Health Data: Apple Health vs. Google Fit
https://blog.elcomsoft.com/2019/01/securing-and-extracting-health-data-apple-health-vs-google-fit/
- Building a Pattern of Life - Leveraging Location and Health Data
https://www.youtube.com/watch?v=eU7THDwFkiM
- Health Data Types
https://www.doubleblak.com/blogPosts.php?id=21
- Personal Injury & Insurance Fraud Investigation: Get the Mobile Device!
http://prodigital4n6.blogspot.com/2017/07/personal-injury-insurance-fraud.html
- iOS Forensics: BFU (Before First Unlock) acquisition, using checkra1n
https://andreafortuna.org/2020/01/10/ios-forensics-bfu-before-first-unlock-acquisition-using-checkra1n/
- iOS Forensics: HFS+ file system, partitions and relevant evidences
https://andreafortuna.org/2020/08/31/ios-forensics-hfs-file-system-partitions-and-relevant-evidences/
- healthdb_secure.sqlite query
https://github.com/kacos2000/Queries/blob/master/healthdb_secure.sql
- APOLLO health_secure.sqlite Modules
https://github.com/mac4n6/APOLLO/blob/master/modules/health_distance.txt
https://github.com/mac4n6/APOLLO/blob/master/modules/health_ecg_average_heart_rate.txt
https://github.com/mac4n6/APOLLO/blob/master/modules/health_flights.txt
https://github.com/mac4n6/APOLLO/blob/master/modules/health_heart_rate.txt
https://github.com/mac4n6/APOLLO/blob/master/modules/health_steps.txt
https://github.com/mac4n6/APOLLO/blob/master/modules/health_stood_up.txt
https://github.com/mac4n6/APOLLO/blob/master/modules/health_weight.txt
https://github.com/mac4n6/APOLLO/blob/master/modules/health_workout_cadence.txt
https://github.com/mac4n6/APOLLO/blob/master/modules/health_workout_elevation.txt
https://github.com/mac4n6/APOLLO/blob/master/modules/health_workout_general.txt
https://github.com/mac4n6/APOLLO/blob/master/modules/health_workout_humidity.txt
https://github.com/mac4n6/APOLLO/blob/master/modules/health_workout_indoor.txt
https://github.com/mac4n6/APOLLO/blob/master/modules/health_workout_location_latitude.txt
https://github.com/mac4n6/APOLLO/blob/master/modules/health_workout_location_longitude.txt
https://github.com/mac4n6/APOLLO/blob/master/modules/health_workout_max_ground_elevation.txt
https://github.com/mac4n6/APOLLO/blob/master/modules/health_workout_mets.txt
https://github.com/mac4n6/APOLLO/blob/master/modules/health_workout_min_ground_elevation.txt
https://github.com/mac4n6/APOLLO/blob/master/modules/health_workout_temperature.txt
https://github.com/mac4n6/APOLLO/blob/master/modules/health_workout_timeofday.txt
https://github.com/mac4n6/APOLLO/blob/master/modules/health_workout_weather.txt
/mobile/Library/Health/Client/HealthApp.sqlite
- Health Data Types
https://www.doubleblak.com/blogPosts.php?id=21
/mobile/Library/homed/datastore.sqlite
- A journey into IoT Forensics - Episode 5 - Analysis of the Apple HomePod and the Apple Home Kit Environment (aka thanks RN Team!)
https://blog.digital-forensics.it/2021/01/a-journey-into-iot-forensics-episode-5.html
- Forensic Analysis of Apple HomePod & Apple HomeKit Environment w/ Mattia Epifani - SANS DFIR Summit
https://www.youtube.com/watch?v=D8AOXCBkaTY
/mobile/Library/Keyboard/-dynamic.lm/dynamic-lexicon.dat
- iOS Analysis Test No. 22-5551 Summary Report
https://cts-forensics.com/reports/22-5551_Web.pdf
- iLEAPP Keyboard Lexicon
https://github.com/abrignoni/iLEAPP/blob/main/scripts/artifacts/keyboardLexicon.py
/mobile/Library/Keyboard/app_usage_database.plist
- iLEAPP App Usage Plugin
https://github.com/abrignoni/iLEAPP/blob/main/scripts/artifacts/keyboardAppUsage.py
/mobile/Library/Keyboard/langlikelihood.dat
- Cellebrite CTF 2021 Writeup
https://medium.com/@williamskosasi/cellebrite-ctf-2021-writeup-b73d821a708
/mobile/Library/Keyboard/UserDictionary.sqlite
- iOS Forensics: BFU (Before First Unlock) acquisition, using checkra1n
https://andreafortuna.org/2020/01/10/ios-forensics-bfu-before-first-unlock-acquisition-using-checkra1n/
- iOS Forensics: HFS+ file system, partitions and relevant evidences
https://andreafortuna.org/2020/08/31/ios-forensics-hfs-file-system-partitions-and-relevant-evidences/
/mobile/Library/Logs/AppConduit/
- Checkra1n Era - Ep 4 - Analyzing extractions "Before First Unlock"
https://blog.digital-forensics.it/2019/12/checkra1n-era-ep-4-analyzing.html
- Using Apple “Bug Reporting” for forensic purposes
https://for585.com/sysdiagnose
- iOS Sysdiagnose AppConduit script
https://github.com/cheeky4n6monkey/iOS_sysdiagnose_forensic_scripts/blob/master/sysdiagnose-appconduit.py
- iLEAPP AppConduit Plugin
https://github.com/abrignoni/iLEAPP/blob/main/scripts/artifacts/appConduit.py
/mobile/Library/Logs/AppleSupport/general.log
/mobile/Library/Logs/mobile_installation_helper.log*
/mobile/Library/Logs/mobileactivationd/
- Checkra1n Era - Ep 4 - Analyzing extractions "Before First Unlock"
https://blog.digital-forensics.it/2019/12/checkra1n-era-ep-4-analyzing.html
- Cellebrite CTF 2021 - Beth's iPhone
https://www.stark4n6.com/2021/10/cellebrite-ctf-2021-beths-iphone.html
- Using Apple “Bug Reporting” for forensic purposes
https://for585.com/sysdiagnose
- Sysdiagnose in iOS 16: a first look from a Digital Forensics perspective
https://blog.digital-forensics.it/2022/11/sysdiagnose-in-ios-16-first-look-from.html
- A journey into IoT Forensics - Episode 5 - Analysis of the Apple HomePod and the Apple Home Kit Environment (aka thanks RN Team!)
https://blog.digital-forensics.it/2021/01/a-journey-into-iot-forensics-episode-5.html
- Apple TV Forensics 03: Analysis
https://blog.elcomsoft.com/2019/09/apple-tv-forensics-03-analysis/
- iLEAPP Mobile Activation Logs Plugin
https://github.com/abrignoni/iLEAPP/blob/main/scripts/artifacts/mobileActivationLogs.py
/mobile/Library/Mail/
- iOS Mail
https://www.doubleblak.com/m/blogPosts.php?id=10
- Identification and analysis of email and contacts artefacts on iOS and OS X
https://researchonline.gcu.ac.uk/ws/portalfiles/portal/24600592/K.Ovens_PID4325955.pdf
- A Digital Forensic Analysis on the iCloud® and its Synchronization to Apple® Devices
https://www.marshall.edu/forensics/files/FRIEDMANRACHEL-Research-Paper-08242012.pdf
- iOS Analysis Test No. 22-5551 Summary Report
https://cts-forensics.com/reports/22-5551_Web.pdf
- Getting Started with iOS Forensics
https://www.systoolsgroup.com/forensics/sqlite/ios.html
- iOS Forensics for Investigators
https://www.packtpub.com/product/ios-forensics-for-investigators/9781803234083
/mobile/Library/MedicalID/MedicalIDData.Archive
- Magnet Virtual Summit 2020 CTF (iOS)
https://www.stark4n6.com/2020/06/magnet-virtual-summit-2020-ctf-ios.html
- iLEAPP MedicalID Plugin
https://github.com/abrignoni/iLEAPP/blob/main/scripts/artifacts/medicalID.py
/mobile/Library/NanoBackup/
/mobile/Library/NanoMusicSync/
/mobile/Library/NanoPreferencesSync/
- Apple Watch Forensics 02: Analysis
https://blog.elcomsoft.com/2019/06/apple-watch-forensics-02-analysis/
/mobile/Library/NanoTimeKit/
/mobile/Library/Passes/passes23.sqlite
- Pocket Litter A Peek Inside Your Apple Wallet
https://objectivebythesea.org/v4/talks/OBTS_v4_sEdwards.pdf
- Analysing Apple Pay Transactions
https://blog.elcomsoft.com/2018/08/analysing-apple-pay-transactions/
- Cellebrite CTF 2020: Juan Mortyme
https://ciofecaforensics.com/2020/10/30/cellebrite-ctf-juan/
- Cellebrite CTF 2021 Writeup
https://medium.com/@williamskosasi/cellebrite-ctf-2021-writeup-b73d821a708
- Cellebrite CTF 2021 - Beth's iPhone
https://www.stark4n6.com/2021/10/cellebrite-ctf-2021-beths-iphone.html
- Apple Pattern of Life Lazy Output’er (APOLLO) Updates & 40 New Modules (Location, Chat, Calls, Apple Pay Transactions, Wallet Passes, Safari & Health Workouts)
http://www.mac4n6.com/blog/2019/1/17/apple-pattern-of-life-lazy-outputer-apollo-updates-amp-40-new-modules-location-chat-calls-apple-pay-transactions-wallet-passes-safari-amp-health-workouts?rq=passes23.sqlite
- APOLLO passes23.sqlite Modules
https://github.com/mac4n6/APOLLO/blob/master/modules/passes23_unique_passes_cards.txt
https://github.com/mac4n6/APOLLO/blob/master/modules/passes23_wallet_passes.txt
https://github.com/mac4n6/APOLLO/blob/master/modules/passes23_wallet_transactions.txt
- iLEAPP passes23.sqlite Plugin
https://github.com/abrignoni/iLEAPP/blob/main/scripts/artifacts/appleWalletTransactions.py
/mobile/Library/PersonalizationPortrait/PPSQLDatabase.db
- Guest Post by @bizzybarney! A Peek Inside the PPSQLDatabase.db Personalization Portrait Database
http://www.mac4n6.com/blog/2020/6/2/guest-post-by-bizzybarney-a-peek-inside-the-ppsqldatabasedb-personalization-portrait-database
- Lucky (iOS) #13: Time to Press Your Bets w/ Jared Barnhart - SANS DFIR Summit 2020
https://www.youtube.com/watch?v=8Fy83iQ4f8Q
/mobile/Library/Preferences/.GlobalPreferences.plist
- iOS Analysis Test No. 21-5551 Summary Report
https://cts-forensics.com/reports/21-5551_Web.pdf
- iOS Analysis Test No. 22-5551 Summary Report
https://cts-forensics.com/reports/22-5551_Web.pdf
/mobile/Library/Preferences/addaily.plist
/mobile/Library/Preferences/com.apple.accountsettings.plist
- iOS Forensics: BFU (Before First Unlock) acquisition, using checkra1n
https://andreafortuna.org/2020/01/10/ios-forensics-bfu-before-first-unlock-acquisition-using-checkra1n/
/mobile/Library/Preferences/com.apple.ActivitySharing.plist
/mobile/Library/Preferences/com.apple.AdLib.plist
/mobile/Library/Preferences/com.apple.aggregated.plist
/mobile/Library/Preferences/com.apple.AppStore.plist
- iOS Analysis Test No. 21-5551 Summary Report
https://cts-forensics.com/reports/21-5551_Web.pdf
- iOS Analysis Test No. 22-5551 Summary Report
https://cts-forensics.com/reports/22-5551_Web.pdf
- Hacking and Securing iOS Applications by Jonathan Zdziarski, Chapter 4
https://www.oreilly.com/library/view/hacking-and-securing/9781449325213/ch04.html
/mobile/Library/Preferences/com.apple.assistant.backedup.plist
- Checkra1n Era - Ep 4 - Analyzing extractions "Before First Unlock"
https://blog.digital-forensics.it/2019/12/checkra1n-era-ep-4-analyzing.html
- iOS Forensics: BFU (Before First Unlock) acquisition, using checkra1n
https://andreafortuna.org/2020/01/10/ios-forensics-bfu-before-first-unlock-acquisition-using-checkra1n/
- iOS Forensics: HFS+ file system, partitions and relevant evidences
https://andreafortuna.org/2020/08/31/ios-forensics-hfs-file-system-partitions-and-relevant-evidences/
- Local Photo Library Photos.sqlite Query Documentation & Notable Artifacts
https://theforensicscooter.com/2022/05/02/photos-sqlite-query-documentation-notable-artifacts/
/mobile/Library/Preferences/com.apple.assetsd.plist
- Shared with You Syndication Photo Library – Message Attachments & Linked Assets
https://theforensicscooter.com/2022/09/16/shared-with-you-syndication-photo-library-message-attachments-linked-assets/
/mobile/Library/Preferences/com.apple.atc.plist
- Checkra1n Era - Ep 4 - Analyzing extractions "Before First Unlock"
https://blog.digital-forensics.it/2019/12/checkra1n-era-ep-4-analyzing.html
- Do you have a Full-Sized Asset…or just a Thumbnail? Did Optimized iPhone Storage process occur?
https://theforensicscooter.com/2022/12/05/do-you-have-a-full-sized-assetor-just-a-thumbnail-did-optimized-iphone-storage-process-occur/
/mobile/Library/Preferences/com.apple.BatteryCenter.BatteryWidget.plist
/mobile/Library/Preferences/com.apple.camera.plist
- Local Photo Library Photos.sqlite Query Documentation & Notable Artifacts
https://theforensicscooter.com/2022/05/02/photos-sqlite-query-documentation-notable-artifacts/
- Do you have a Full-Sized Asset…or just a Thumbnail? Did Optimized iPhone Storage process occur?
https://theforensicscooter.com/2022/12/05/do-you-have-a-full-sized-assetor-just-a-thumbnail-did-optimized-iphone-storage-process-occur/
/mobile/Library/Preferences/com.apple.carplay.plist
- Ridin’ With Apple CarPlay
https://thebinaryhick.blog/2019/05/08/ridin-with-apple-carplay/
- They See Us Rollin’; They Hatin’: Forensics of iOS CarPlay and Android Auto
https://papers.put.as/papers/ios/2019/summit_archive_1564072550.pdf
- iOS 16 - Breaking Down the Biomes (Part 3) - Keeping up with CarPlay
https://blog.d204n6.com/2022/09/ios-16-breaking-down-biomes-part-3.html
- Digital Forensic Case Studies for In-Vehicle Infotainment Systems Using Android Auto and Apple CarPlay
https://www.mdpi.com/1424-8220/22/19/7196/pdf
- Cellebrite CTF 2021 Writeup
https://medium.com/@williamskosasi/cellebrite-ctf-2021-writeup-b73d821a708
- Cellebrite CTF 2021 - Marsha's iPhone
https://www.stark4n6.com/2021/10/cellebrite-ctf-2021-marshas-iphone.html
- Auto-Parser: Android Auto and Apple CarPlay Forensics
https://link.springer.com/chapter/10.1007/978-3-031-06365-7_4
https://github.com/BiTLab-BaggiliTruthLab/Auto-Parser-Android-Auto-Apple-CarPlay
/mobile/Library/Preferences/com.apple.celestial.plist
- Ridin’ With Apple CarPlay
https://thebinaryhick.blog/2019/05/08/ridin-with-apple-carplay/
- Auto-Parser: Android Auto and Apple CarPlay Forensics
https://link.springer.com/chapter/10.1007/978-3-031-06365-7_4
https://github.com/BiTLab-BaggiliTruthLab/Auto-Parser-Android-Auto-Apple-CarPlay
/mobile/Library/Preferences/com.apple.cloud.quota.plist
- Checkra1n Era - Ep 4 - Analyzing extractions "Before First Unlock"
https://blog.digital-forensics.it/2019/12/checkra1n-era-ep-4-analyzing.html
/mobile/Library/Preferences/com.apple.cloudphotod.plist
- Local Photo Library Photos.sqlite Query Documentation & Notable Artifacts
https://theforensicscooter.com/2022/05/02/photos-sqlite-query-documentation-notable-artifacts/
/mobile/Library/Preferences/com.apple.cmfsyncagent.plist
- Checkra1n Era - Ep 4 - Analyzing extractions "Before First Unlock"
https://blog.digital-forensics.it/2019/12/checkra1n-era-ep-4-analyzing.html
- The Meaning of Messages
https://www.magnetforensics.com/blog/the-meaning-of-messages/
/mobile/Library/Preferences/com.apple.commcenter.shared.plist
- Practical Mobile Forensics - Fourth Edition
https://www.packtpub.com/product/practical-mobile-forensics-fourth-edition/9781838647520
/mobile/Library/Preferences/com.apple.conference.plist
/mobile/Library/Preferences/com.apple.contacts.donation-agent.plist
/mobile/Library/Preferences/com.apple.contextstored.plist
/mobile/Library/Preferences/com.apple.CoreDuet.plist
/mobile/Library/Preferences/com.apple.CoreDuet.QueuedDenials.plist
/mobile/Library/Preferences/com.apple.coreduetd.batterysaver.state.plist
/mobile/Library/Preferences/com.apple.coreduetd.plist
- iOS Forensics: BFU (Before First Unlock) acquisition, using checkra1n
https://andreafortuna.org/2020/01/10/ios-forensics-bfu-before-first-unlock-acquisition-using-checkra1n/
- iOS Forensics: HFS+ file system, partitions and relevant evidences
https://andreafortuna.org/2020/08/31/ios-forensics-hfs-file-system-partitions-and-relevant-evidences/
/mobile/Library/Preferences/com.apple.corerecents.recentsd.plist
/mobile/Library/Preferences/com.apple.corespotlightui.plist
/mobile/Library/Preferences/com.apple.FeedbackAssistant.plist
/mobile/Library/Preferences/com.apple.homesharing.plist
- iOS Forensics: BFU (Before First Unlock) acquisition, using checkra1n
https://andreafortuna.org/2020/01/10/ios-forensics-bfu-before-first-unlock-acquisition-using-checkra1n/
- iOS Analysis Test No. 18-5551 Summary Report
https://cts-forensics.com/reports/38551_Web.pdf
/mobile/Library/Preferences/com.apple.icloud.findmydeviced.FMIPAccounts.plist
/mobile/Library/Preferences/com.apple.icloud.fmfd.plist
- iOS - Tracking Device Migration
https://blog.d204n6.com/2021/06/ios-tracking-device-migration.html
/mobile/Library/Preferences/com.apple.identityservices.idstatuscache.plist
- How iOS Properties Files Can Confirm a Suspect’s Contacts Even If Deleted
https://cellebrite.com/en/how-ios-properties-files-can-confirm-a-suspects-contacts-even-if-data-deleted/
- Checkra1n Era - Ep 4 - Analyzing extractions "Before First Unlock"
https://blog.digital-forensics.it/2019/12/checkra1n-era-ep-4-analyzing.html
- iOS Forensics: HFS+ file system, partitions and relevant evidences
https://andreafortuna.org/2020/08/31/ios-forensics-hfs-file-system-partitions-and-relevant-evidences/
- Making the most of Property Lists
https://forensicskween.com/research/making-the-most-of-property-lists/
- Practical Mobile Forensics - Fourth Edition
https://www.packtpub.com/product/practical-mobile-forensics-fourth-edition/9781838647520
/mobile/Library/Preferences/com.apple.imservice*.plist
/mobile/Library/Preferences/com.apple.locationd.plist
- Checkra1n Era - Ep 4 - Analyzing extractions "Before First Unlock"
https://blog.digital-forensics.it/2019/12/checkra1n-era-ep-4-analyzing.html
- iOS Location Services and System Services are they ON or OFF
https://dfir.pubpub.org/pub/4sv4kxyh/release/2
- iOS Location Services and System Services ON or OFF?
https://theforensicscooter.com/2021/09/20/ios-location-services-and-system-services-on-or-off/
- iOS Analysis Test No. 18-5551 Summary Report
https://cts-forensics.com/reports/38551_Web.pdf
- Practical Mobile Forensics - Fourth Edition
https://www.packtpub.com/product/practical-mobile-forensics-fourth-edition/9781838647520
/mobile/Library/Preferences/com.apple.madrid.plist
- Checkra1n Era - Ep 4 - Analyzing extractions "Before First Unlock"
https://blog.digital-forensics.it/2019/12/checkra1n-era-ep-4-analyzing.html
- The Meaning of Messages
https://www.magnetforensics.com/blog/the-meaning-of-messages/
- iOS Forensics for Investigators
https://www.packtpub.com/product/ios-forensics-for-investigators/9781803234083
/mobile/Library/Preferences/com.apple.messages.pinning.plist
- The Meaning of Messages
https://www.magnetforensics.com/blog/the-meaning-of-messages/
/mobile/Library/Preferences/com.apple.migration.plist
- iOS - Tracking Device Migration
https://blog.d204n6.com/2021/06/ios-tracking-device-migration.html
- Local Photo Library Photos.sqlite Query Documentation & Notable Artifacts
https://theforensicscooter.com/2022/05/02/photos-sqlite-query-documentation-notable-artifacts/
/mobile/Library/Preferences/com.apple.mmcs.plist
/mobile/Library/Preferences/com.apple.mobile.ldbackup.plist
- Checkra1n Era - Ep 4 - Analyzing extractions "Before First Unlock"
https://blog.digital-forensics.it/2019/12/checkra1n-era-ep-4-analyzing.html
- Local Photo Library Photos.sqlite Query Documentation & Notable Artifacts
https://theforensicscooter.com/2022/05/02/photos-sqlite-query-documentation-notable-artifacts/
- Practical Mobile Forensics - Fourth Edition
https://www.packtpub.com/product/practical-mobile-forensics-fourth-edition/9781838647520
/mobile/Library/Preferences/com.apple.mobilegestalt.plist
- WHO IS THE OWNER OF THE MOBILE DEVICE?
https://www.digitalforensics.com/blog/articles/who-is-the-owner-of-the-mobile-device/
- Practical Mobile Forensics - Fourth Edition
https://www.packtpub.com/product/practical-mobile-forensics-fourth-edition/9781838647520
/mobile/Library/Preferences/com.apple.mobilephone.plist
- Practical Mobile Forensics - Fourth Edition
https://www.packtpub.com/product/practical-mobile-forensics-fourth-edition/9781838647520
/mobile/Library/Preferences/com.apple.mobileslideshow.plist
- How to find iOS Hidden Assets
https://theforensicscooter.com/2022/07/29/how-to-find-ios-hidden-assets/
- Do you have a Full-Sized Asset…or just a Thumbnail? Did Optimized iPhone Storage process occur?
https://theforensicscooter.com/2022/12/05/do-you-have-a-full-sized-assetor-just-a-thumbnail-did-optimized-iphone-storage-process-occur/
/mobile/Library/Preferences/com.apple.MobileSMS.plist
- Checkra1n Era - Ep 4 - Analyzing extractions "Before First Unlock"
https://blog.digital-forensics.it/2019/12/checkra1n-era-ep-4-analyzing.html
- What is the likelihood of recovering deleted iPhone messages?
https://improsec.com/tech-blog/what-is-the-likelihood-of-recovering-deleted-iphone-messages
- Missing Pieces: Tips and Tricks on how to ensure your acquisitions aren’t missing critical data
https://static1.squarespace.com/static/62ab5b933d903d4c55e5d716/t/62fa28d8fd3a89429f8a9a80/1660561630138/MissingPieces_Hyde_Quezada_Final.pdf
- The Meaning of Messages
https://www.magnetforensics.com/blog/the-meaning-of-messages/
- Practical Mobile Forensics - Fourth Edition
https://www.packtpub.com/product/practical-mobile-forensics-fourth-edition/9781838647520
- iOS Forensics for Investigators
https://www.packtpub.com/product/ios-forensics-for-investigators/9781803234083
/mobile/Library/Preferences/com.apple.mt.lastLaunch.plist
/mobile/Library/Preferences/com.apple.nano.plist
/mobile/Library/Preferences/com.apple.nanoregistry.plist
/mobile/Library/Preferences/com.apple.preferences.datetime.plist
- Checkra1n Era - Ep 4 - Analyzing extractions "Before First Unlock"
https://blog.digital-forensics.it/2019/12/checkra1n-era-ep-4-analyzing.html
- Practical Mobile Forensics - Fourth Edition
https://www.packtpub.com/product/practical-mobile-forensics-fourth-edition/9781838647520
/mobile/Library/Preferences/com.apple.preferences.network.plist
- Artifacts of an IOS device
https://infosecaddicts.com/artifacts-ios-device/
- Wireless Network Preferences – iOS
https://bitsplease4n6.wordpress.com/2020/12/17/wireless-network-preferences-ios/
/mobile/Library/Preferences/com.apple.Preferences.plist
- Checkra1n Era - Ep 4 - Analyzing extractions "Before First Unlock"
https://blog.digital-forensics.it/2019/12/checkra1n-era-ep-4-analyzing.html
- Practical Mobile Forensics - Fourth Edition
https://www.packtpub.com/product/practical-mobile-forensics-fourth-edition/9781838647520
/mobile/Library/Preferences/com.apple.purplebuddy.plist
- iOS - Tracking Device Migration
https://blog.d204n6.com/2021/06/ios-tracking-device-migration.html
- Putting a User Behind an iOS Device
https://dfrws.org/wp-content/uploads/2020/06/2020_USA_pres-putting_a_user_behind_an_ios_device.pdf
- How was an iPhone set up?
https://dfir.pubpub.org/pub/2q177smo/release/5
- Upgrade From NULL—Detecting iOS Wipe Artifacts
https://dfir.pubpub.org/pub/6i7d593n/release/1
- How was an iPhone set up?
https://smarterforensics.com/2019/01/how-was-an-iphone-setup/
- How To Identify When an IPhone or iPad was Factory Reset
https://athenaforensics.co.uk/how-to-identify-when-an-iphone-or-ipad-was-factory-reset/
- Checkra1n Era - Ep 4 - Analyzing extractions "Before First Unlock"
https://blog.digital-forensics.it/2019/12/checkra1n-era-ep-4-analyzing.html
- Local Photo Library Photos.sqlite Query Documentation & Notable Artifacts
https://theforensicscooter.com/2022/05/02/photos-sqlite-query-documentation-notable-artifacts/
- iOS Analysis Test No. 20-5551 Summary Report
https://cts-forensics.com/reports/20-5551_Web.pdf
/mobile/Library/Preferences/com.apple.sharingd.plist
- Analysis of Apple Unified Logs: Quarantine Edition [Entry 11] – AirDropping Some Knowledge
http://www.mac4n6.com/blog/2020/6/5/analysis-of-apple-unified-logs-quarantine-edition-entry-11-airdropping-some-knowledge
- EXTRACTING FORENSIC ARTIFACTS FROM APPLE CONTINUITY
https://smarterforensics.com/wp-content/uploads/2014/06/The-Cider-Press-DFIR_Summit2017.pdf
- Checkra1n Era - Ep 4 - Analyzing extractions "Before First Unlock"
https://blog.digital-forensics.it/2019/12/checkra1n-era-ep-4-analyzing.html
/mobile/Library/Preferences/com.apple.springboard.plist
- Recover your iPhone Screen Time or restrictions passcode (supports iOS 14)
https://www.iphonebackupextractor.com/guides/recover-screen-time-parental-restrictions-passcode/
- Artifacts of an IOS device
https://infosecaddicts.com/artifacts-ios-device/
- Auto-Parser: Android Auto and Apple CarPlay Forensics
https://link.springer.com/chapter/10.1007/978-3-031-06365-7_4
https://github.com/BiTLab-BaggiliTruthLab/Auto-Parser-Android-Auto-Apple-CarPlay
- Practical Mobile Forensics - Fourth Edition
https://www.packtpub.com/product/practical-mobile-forensics-fourth-edition/9781838647520
/mobile/Library/Preferences/com.apple.timed.plist
- Checkra1n Era - Ep 4 - Analyzing extractions "Before First Unlock"
https://blog.digital-forensics.it/2019/12/checkra1n-era-ep-4-analyzing.html
/mobile/Library/Preferences/com.apple.weather.plist
/mobile/Library/Recents/Recents
- iOS Analysis Test No. 20-5551 Summary Report
https://cts-forensics.com/reports/20-5551_Web.pdf
- Recents query
https://github.com/kacos2000/queries/blob/master/recents.sql
/mobile/Library/Reminders/
- Cellebrite CTF 2020: Ruth Langmore
https://ciofecaforensics.com/2020/11/02/cellebrite-ctf-ruth/
- iLEAPP Reminders Plugin
https://github.com/abrignoni/iLEAPP/blob/main/scripts/artifacts/reminders.py
/mobile/Library/Safari/Bookmarks.db
- iOS 14 - First Thoughts and Analysis
https://blog.d204n6.com/2020/09/ios-14-first-thoughts-and-analysis.html
- Getting Started with iOS Forensics
https://www.systoolsgroup.com/forensics/sqlite/ios.html
- iLEAPP Safari Bookmarks Plugin
https://github.com/abrignoni/iLEAPP/blob/main/scripts/artifacts/safariBookmarks.py
- Practical Mobile Forensics - Fourth Edition
https://www.packtpub.com/product/practical-mobile-forensics-fourth-edition/9781838647520
- iOS Forensics for Investigators
https://www.packtpub.com/product/ios-forensics-for-investigators/9781803234083
/mobile/Library/Safari/BrowserState.db
- Examining mobile devices: identifying private internet browsing activity in Mobile Safari
https://www.opentext.com/file_source/OpenText/en_US/PDF/Examining-mobiledevices-&-private-internet-browsing-activity-whitepaper-en.pdf
- iOS 14 - First Thoughts and Analysis
https://blog.d204n6.com/2020/09/ios-14-first-thoughts-and-analysis.html
- iLEAPP Safari Tabs Plugin
https://github.com/abrignoni/iLEAPP/blob/main/scripts/artifacts/safariTabs.py
- iOS Forensics for Investigators
https://www.packtpub.com/product/ios-forensics-for-investigators/9781803234083
/mobile/Library/Safari/CloudTabs.db
- iLEAPP Safari Tabs Plugin
https://github.com/abrignoni/iLEAPP/blob/main/scripts/artifacts/safariTabs.py
- iOS Forensics for Investigators
https://www.packtpub.com/product/ios-forensics-for-investigators/9781803234083
/mobile/Library/Safari/History.db
- Missing SQLite Records Analysis
https://dfir.pubpub.org/pub/33vkc2ul/release/1
- Examining mobile devices: identifying private internet browsing activity in Mobile Safari
https://www.opentext.com/file_source/OpenText/en_US/PDF/Examining-mobiledevices-&-private-internet-browsing-activity-whitepaper-en.pdf
- KnowledgeC (and Friends)
http://www.doubleblak.com/m/blogPosts.php?id=2
- Cellebrite CTF 2020: Ruth Langmore
https://ciofecaforensics.com/2020/11/02/cellebrite-ctf-ruth/
- Magnet User Summit 2022 CTF - iPhone
https://www.stark4n6.com/2022/06/magnet-user-summit-2022-ctf-iphone.html
- iOS Analysis Test No. 18-5551 Summary Report
https://cts-forensics.com/reports/38551_Web.pdf
- iOS Analysis Test No. 19-5551 Summary Report
https://cts-forensics.com/reports/19-5551_Web.pdf
- iOS Analysis Test No. 20-5551 Summary Report
https://cts-forensics.com/reports/20-5551_Web.pdf
- iOS Analysis Test No. 21-5551 Summary Report
https://cts-forensics.com/reports/21-5551_Web.pdf
- iOS Analysis Test No. 22-5551 Summary Report
https://cts-forensics.com/reports/22-5551_Web.pdf
- Reading Your Browser's History with SQLite
http://2016.padjo.org/tutorials/sqlite-your-browser-history/
- APOLLO Safari History Module
https://github.com/mac4n6/APOLLO/blob/master/modules/safari_history.txt
- iLEAPP Safari History Plugin
https://github.com/abrignoni/iLEAPP/blob/main/scripts/artifacts/safariHistory.py
- Practical Mobile Forensics - Fourth Edition
https://www.packtpub.com/product/practical-mobile-forensics-fourth-edition/9781838647520
- iOS Forensics for Investigators
https://www.packtpub.com/product/ios-forensics-for-investigators/9781803234083
/mobile/Library/Safari/SafariTabs.db
- iOS 16 - Breaking Down the Biomes (Part 4) - Surfin' with Safari
https://blog.d204n6.com/2022/09/ios-16-breaking-down-biomes-part-4.html
- iOS 16: What Digital Investigators Need to Know
https://www.magnetforensics.com/blog/ios-16-what-digital-investigators-need-to-know/
- Checking in on iOS 16 in Magnet AXIOM 6.8
https://www.magnetforensics.com/blog/checking-in-on-ios-16-in-magnet-axiom-6-8/
/mobile/Library/SMS/Attachments/
- The Meaning of Messages
https://www.magnetforensics.com/blog/the-meaning-of-messages/
- Using Photos.sqlite to Show the Relationships Between Photos and the Application they were Created with?
https://dfir.pubpub.org/pub/v19rksyf/release/1
https://smarterforensics.com/2020/08/does-photos-sqlite-have-relations-with-cameramessagesapp-by-scott-koenig/
- Shared with You Syndication Photo Library – Message Attachments & Linked Assets
https://theforensicscooter.com/2022/09/16/shared-with-you-syndication-photo-library-message-attachments-linked-assets/
- iOS Analysis Test No. 19-5551 Summary Report
https://cts-forensics.com/reports/19-5551_Web.pdf
- iOS Forensics for Investigators
https://www.packtpub.com/product/ios-forensics-for-investigators/9781803234083
/mobile/Library/SMS/Drafts/
- Local Photo Library Photos.sqlite Query Documentation & Notable Artifacts
https://theforensicscooter.com/2022/05/02/photos-sqlite-query-documentation-notable-artifacts/
- iLEAPP Draft SMS Plugin
https://github.com/abrignoni/iLEAPP/blob/main/scripts/artifacts/draftmessage.py
- iOS Forensics for Investigators
https://www.packtpub.com/product/ios-forensics-for-investigators/9781803234083
/mobile/Library/SMS/sms.db
- The Meaning of Messages
https://www.magnetforensics.com/blog/the-meaning-of-messages/
- iOS16 iMessages
https://doubleblak.com/blogPosts.php?id=27
- iOS 16 - "Paul unsent a message." ... OR DID HE?!
https://blog.d204n6.com/2022/09/ios-16-paul-unsent-message-or-did-he.html
- Message Reactions
https://doubleblak.com/blogPosts.php?id=24
- Sharing Locations in iOS Messages
https://thebinaryhick.blog/2021/09/29/sharing-locations-in-ios-messages/
- iOS 14 - Message Mentions and Threading
https://blog.d204n6.com/2020/09/ios-14-message-mentions-and-threading.html
- Cellebrite CTF 2020: Juan Mortyme
https://ciofecaforensics.com/2020/10/30/cellebrite-ctf-juan/
- iOS Analysis Test No. 18-5551 Summary Report
https://cts-forensics.com/reports/38551_Web.pdf
- iOS Analysis Test No. 19-5551 Summary Report
https://cts-forensics.com/reports/19-5551_Web.pdf
- iOS Analysis Test No. 20-5551 Summary Report
https://cts-forensics.com/reports/20-5551_Web.pdf
- Lagging for the Win: Querying for Negative Evidence in the sms.db
https://belkasoft.com/lagging-for-win
- An Alternate Location for Deleted SMS/iMessage Data in Apple Devices
https://sqlmcgee.wordpress.com/2022/03/28/an-alternate-location-for-deleted-sms-imessage-data-in-apple-devices-2/
https://dfir.pubpub.org/pub/yp6efc8q/release/1
- Missing SQLite Records Analysis
https://dfir.pubpub.org/pub/33vkc2ul/release/1
- Local Photo Library Photos.sqlite Query Documentation & Notable Artifacts
https://theforensicscooter.com/2022/05/02/photos-sqlite-query-documentation-notable-artifacts/
- How To Identify When an IPhone or iPad was Factory Reset
https://athenaforensics.co.uk/how-to-identify-when-an-iphone-or-ipad-was-factory-reset/
- KnowledgeC (and Friends)
http://www.doubleblak.com/m/blogPosts.php?id=2
- Temporal Analysis Anomalies with iOS iMessage Communication Exchange
https://personal.cis.strath.ac.uk/george.weir/cyfor14/papers/4_govan_ovans.pdf
- iLEAPP SMS Plugin
https://github.com/abrignoni/iLEAPP/blob/main/scripts/artifacts/sms.py
- APOLLO SMS Modules
https://github.com/mac4n6/APOLLO/blob/master/modules/sms_chat.txt
https://github.com/mac4n6/APOLLO/blob/master/modules/sms_chat_message_delivered.txt
https://github.com/mac4n6/APOLLO/blob/master/modules/sms_chat_message_read.txt
- Practical Mobile Forensics - Fourth Edition
https://www.packtpub.com/product/practical-mobile-forensics-fourth-edition/9781838647520
- iOS Forensics for Investigators
https://www.packtpub.com/product/ios-forensics-for-investigators/9781803234083
/mobile/Library/SMS/sms-temp.db
- Checkra1n Era - Ep 4 - Analyzing extractions "Before First Unlock"
https://blog.digital-forensics.it/2019/12/checkra1n-era-ep-4-analyzing.html
- iOS Forensics for Investigators
https://www.packtpub.com/product/ios-forensics-for-investigators/9781803234083
/mobile/Library/SpringBoard/HomeBackgroundThumbnail.jpg
/mobile/Library/SpringBoard/IconState.plist
- Today, Widgets, & Ignored Apps in iOS
https://thebinaryhick.blog/2021/07/25/today-widgets-ignored-apps-in-ios/
- Recover iOS App Screen Layouts with the New iOS Home Screen Items Artifact
https://www.magnetforensics.com/blog/recover-ios-app-screen-layouts-with-the-new-ios-home-screen-items-artifact/
- Checkra1n Era - Ep 4 - Analyzing extractions "Before First Unlock"
https://blog.digital-forensics.it/2019/12/checkra1n-era-ep-4-analyzing.html
- iLEAPP Icon State Plugin
https://github.com/abrignoni/iLEAPP/blob/main/scripts/artifacts/iconsScreen.py
- A Few Interesting iOS Forensic Artefacts
https://salt4n6.com/2018/05/15/a-few-interesting-ios-forensic-artefacts/
- iOS - Tracking Traces of Deleted Applications
https://blog.d204n6.com/2019/09/ios-tracking-traces-of-deleted.html
- Tracking Traces of Deleted Applications - SANS DFIR Summit 2019
https://www.youtube.com/watch?v=4LcQm4ErXpA
- Auto-Parser: Android Auto and Apple CarPlay Forensics
https://link.springer.com/chapter/10.1007/978-3-031-06365-7_4
https://github.com/BiTLab-BaggiliTruthLab/Auto-Parser-Android-Auto-Apple-CarPlay
- They See Us Rollin’; They Hatin’: Forensics of iOS CarPlay and Android Auto
https://papers.put.as/papers/ios/2019/summit_archive_1564072550.pdf
/mobile/Library/SpringBoard/LockBackgroundThumbnail.jpg
- Practical Mobile Forensics - Fourth Edition
https://www.packtpub.com/product/practical-mobile-forensics-fourth-edition/9781838647520
/mobile/Library/SpringBoard/LockBackgroundThumbnaildark.jpg
- Practical Mobile Forensics - Fourth Edition
https://www.packtpub.com/product/practical-mobile-forensics-fourth-edition/9781838647520
/mobile/Library/SpringBoard/TodayViewArchive.plist
/mobile/Library/SpringBoard/PushStore/
- pushstore_parser
https://github.com/jakev/pushstore-parser
- iLEAPP PushStore Plugin
https://github.com/abrignoni/iLEAPP/blob/main/scripts/artifacts/notificationsXI.py
/mobile/Library/Suggestions/query_predictions.db
- iLEAPP Query Predictions Plugin
https://github.com/abrignoni/iLEAPP/blob/main/scripts/artifacts/queryPredictions.py
- APOLLO Query Predictions Module
https://github.com/mac4n6/APOLLO/blob/master/modules/query_predictions.txt
/mobile/Library/TCC/TCC.db
- Checkra1n Era - Ep 4 - Analyzing extractions "Before First Unlock"
https://blog.digital-forensics.it/2019/12/checkra1n-era-ep-4-analyzing.html
- iOS Forensics: BFU (Before First Unlock) acquisition, using checkra1n
https://andreafortuna.org/2020/01/10/ios-forensics-bfu-before-first-unlock-acquisition-using-checkra1n/
- iOS Forensics: HFS+ file system, partitions and relevant evidences
https://andreafortuna.org/2020/08/31/ios-forensics-hfs-file-system-partitions-and-relevant-evidences/
- Cellebrite CTF 2021 - Beth's iPhone
https://www.stark4n6.com/2021/10/cellebrite-ctf-2021-beths-iphone.html
- Analysis of Apple Unified Logs: Quarantine Edition [Entry 10] – You down with TCC? Yea, you know me! Tracking App Permissions and the TCC APOLLO Module
http://www.mac4n6.com/blog/2020/6/1/analysis-of-apple-unified-logs-quarantine-edition-entry-10-you-down-with-tcc-yea-you-know-me-tracking-app-permissions-and-the-tcc-apollo-module?rq=tcc
- iLEAPP TCC Plugin
https://github.com/abrignoni/iLEAPP/blob/main/scripts/artifacts/tcc.py
- APOLLO TCC Module
https://github.com/mac4n6/APOLLO/blob/master/modules/tcc_db.txt
/mobile/Library/UserConfigurationProfiles/PublicEffectiveUserSettings.plist
- iOS Settings Display Auto-Lock & Require Passcode
https://theforensicscooter.com/2021/09/05/ios-settings-display-auto-lock-require-passcode/
- iOS Settings Display Auto-Lock & Require Passcode
https://dfir.pubpub.org/pub/khnqi0ff/release/1
- Cellebrite CTF 2021 - Beth's iPhone
https://www.stark4n6.com/2021/10/cellebrite-ctf-2021-beths-iphone.html
- Cellebrite CTF 2021 Writeup
https://medium.com/@williamskosasi/cellebrite-ctf-2021-writeup-b73d821a708
/mobile/Library/UserConfigurationProfiles/UserSettings.plist
/mobile/Library/UserNotifications/
- Magnet User Summit 2022 CTF - iPhone
https://www.stark4n6.com/2022/06/magnet-user-summit-2022-ctf-iphone.html
- iLEAPP User Notifications Plugin
https://github.com/abrignoni/iLEAPP/blob/main/scripts/artifacts/notificationsXII.py
- Mobile Cyber Forensic Investigations of Web3 Wallets on Android and iOS
https://www.mdpi.com/2076-3417/12/21/11180
/mobile/Library/Voicemail/voicemail.db
- iOS Voicemail Transcripts
https://www.linkedin.com/pulse/ios-voicemail-transcripts-charlie-rubisoff/
- Dude, Where's My Banana? Retrieving data from an iPhone voicemail database
http://cheeky4n6monkey.blogspot.com/2013/01/dude-wheres-my-banana-retrieving-data.html
- Dude, Where's My Data?
http://az4n6.blogspot.com/2012/12/dude-wheres-my-data.html
- iOS Analysis Test No. 18-5551 Summary Report
https://cts-forensics.com/reports/38551_Web.pdf
- iOS Analysis Test No. 20-5551 Summary Report
https://cts-forensics.com/reports/20-5551_Web.pdf
- iOS Analysis Test No. 21-5551 Summary Report
https://cts-forensics.com/reports/21-5551_Web.pdf
- iOS Analysis Test No. 22-5551 Summary Report
https://cts-forensics.com/reports/22-5551_Web.pdf
- Practical Mobile Forensics - Fourth Edition
https://www.packtpub.com/product/practical-mobile-forensics-fourth-edition/9781838647520
"/mobile/Media/" folder
/mobile/Media/DCIM/
- Local Photo Library Photos.sqlite Query Documentation & Notable Artifacts
https://theforensicscooter.com/2022/05/02/photos-sqlite-query-documentation-notable-artifacts/
- Do you have a Full-Sized Asset…or just a Thumbnail? Did Optimized iPhone Storage process occur?
https://theforensicscooter.com/2022/12/05/do-you-have-a-full-sized-assetor-just-a-thumbnail-did-optimized-iphone-storage-process-occur/
- How to find iOS Hidden Assets
https://theforensicscooter.com/2022/07/29/how-to-find-ios-hidden-assets/
- USING PHOTOS.SQLITE TO SHOW THE RELATIONSHIPS BETWEEN PHOTOS AND THE APPLICATION THEY WERE CREATED WITH? BY SCOTT KOENIG
https://smarterforensics.com/2020/08/does-photos-sqlite-have-relations-with-cameramessagesapp-by-scott-koenig/
https://dfir.pubpub.org/pub/v19rksyf/release/1
- Checkra1n Era - Ep 4 - Analyzing extractions "Before First Unlock"
https://blog.digital-forensics.it/2019/12/checkra1n-era-ep-4-analyzing.html
- Cellebrite CTF 2021 Writeup
https://medium.com/@williamskosasi/cellebrite-ctf-2021-writeup-b73d821a708
- Cellebrite CTF 2020: Juan Mortyme
https://ciofecaforensics.com/2020/10/30/cellebrite-ctf-juan/
- Cellebrite CTF 2022 - Marsha's iPhone
https://www.stark4n6.com/2022/06/cellebrite-ctf-2022-marshas-iphone.html
- Magnet Forensics Virtual Summit 2023 CTF – iOS
https://www.forgottennook.com/blog/magnet-ios-2023
- iOS Analysis Test No. 18-5551 Summary Report
https://cts-forensics.com/reports/38551_Web.pdf
- iOS Analysis Test No. 19-5551 Summary Report
https://cts-forensics.com/reports/19-5551_Web.pdf
- iOS Analysis Test No. 20-5551 Summary Report
https://cts-forensics.com/reports/20-5551_Web.pdf
- iOS Analysis Test No. 21-5551 Summary Report
https://cts-forensics.com/reports/21-5551_Web.pdf
- iOS Analysis Test No. 22-5551 Summary Report
https://cts-forensics.com/reports/22-5551_Web.pdf
- Practical Mobile Forensics - Fourth Edition
https://www.packtpub.com/product/practical-mobile-forensics-fourth-edition/9781838647520
- iOS Forensics for Investigators
https://www.packtpub.com/product/ios-forensics-for-investigators/9781803234083
/mobile/Media/iTunes_Control/iTunes/MediaLibrary.sqlitedb
- Checkra1n Era - Ep 4 - Analyzing extractions "Before First Unlock"
https://blog.digital-forensics.it/2019/12/checkra1n-era-ep-4-analyzing.html
- Cellebrite CTF 2020: Ruth Langmore
https://ciofecaforensics.com/2020/11/02/cellebrite-ctf-ruth/
- Apple TV Forensics 03: Analysis
https://blog.elcomsoft.com/2019/09/apple-tv-forensics-03-analysis/
- Forensicating The Apple TV
https://www.forensicfocus.com/webinars/forensicating-the-apple-tv/
- Apple Watch Forensics 02: Analysis
https://blog.elcomsoft.com/2019/06/apple-watch-forensics-02-analysis/
- APPLE WATCH FORENSICS: IS IT EVER POSSIBLE, AND WHAT IS THE PROFIT?
https://www.forensicfocus.com/webinars/apple-watch-forensics-is-it-ever-possible-and-what-is-the-profit/
https://dfrws.org/wp-content/uploads/2019/06/2019_EU_pres-apple_watch_forensics_is_it_ever_possible_and_what_is_the_profit.pdf
- iLEAPP Media Library Plugin
https://github.com/abrignoni/iLEAPP/blob/main/scripts/artifacts/mediaLibrary.py
/mobile/Media/iTunes_Control/iTunes/iTunesPrefs
- Checkra1n Era - Ep 4 - Analyzing extractions "Before First Unlock"
https://blog.digital-forensics.it/2019/12/checkra1n-era-ep-4-analyzing.html
- Forensic Analysis of iTunes Backups
https://farleyforensics.com/2019/04/14/forensic-analysis-of-itunes-backups/
/mobile/Media/MediaAnalysis/mediaanalysis.db
- Follow-on to DFIR Summit Talk: Lucky (iOS) 13: Time To Press Your Bets (via @bizzybarney)
http://www.mac4n6.com/blog/2020/7/19/follow-on-to-dfir-summit-talk-lucky-ios-13-time-to-press-your-bets-via-bizzybarney
- iOS Forensics for Investigators
https://www.packtpub.com/product/ios-forensics-for-investigators/9781803234083
/mobile/Media/PhotoData/AlbumsMetadata/
- Local Photo Library Photos.sqlite Query Documentation & Notable Artifacts
https://theforensicscooter.com/2022/05/02/photos-sqlite-query-documentation-notable-artifacts/
/mobile/Media/PhotoData/PhotoCloudSharingData/
- Local Photo Library Photos.sqlite Query Documentation & Notable Artifacts
https://theforensicscooter.com/2022/05/02/photos-sqlite-query-documentation-notable-artifacts/
- Local Photo Library Photos.sqlite Query Variations & WHERE statements
https://theforensicscooter.com/2022/02/21/photos-sqlite-update/
- Photos.sqlite ZINTERNALRESOURCE Table Reference Guide
https://theforensicscooter.com/2022/12/03/photos-sqlite-zinternalresource-table-reference-guide/
- Sharing is Caring – An Overview of Shared Albums in iOS
https://gforce4n6.blogspot.com/2020/09/sharing-is-caring-overview-of-shared.html
- iLEAPP Shared Albums Plugin
https://github.com/abrignoni/iLEAPP/blob/main/scripts/artifacts/icloudSharedalbums.py
- iOS Forensics for Investigators
https://www.packtpub.com/product/ios-forensics-for-investigators/9781803234083
/mobile/Media/PhotoData/Caches/GraphService/CLSPublicEventCache.sqlite
/mobile/Media/PhotoData/CPL/
- Local Photo Library Photos.sqlite Query Documentation & Notable Artifacts
https://theforensicscooter.com/2022/05/02/photos-sqlite-query-documentation-notable-artifacts/
- Do you have a Full-Sized Asset…or just a Thumbnail? Did Optimized iPhone Storage process occur?
https://theforensicscooter.com/2022/12/05/do-you-have-a-full-sized-assetor-just-a-thumbnail-did-optimized-iphone-storage-process-occur/
- How to find iOS Hidden Assets
https://theforensicscooter.com/2022/07/29/how-to-find-ios-hidden-assets/
- Practical Mobile Forensics - Fourth Edition
https://www.packtpub.com/product/practical-mobile-forensics-fourth-edition/9781838647520
/mobile/Media/PhotoData/Photos.sqlite
- Photos.sqlite Queries – Original Blog Posting
https://theforensicscooter.com/2021/11/23/photos-sqlite-queries/
- Local Photo Library Photos.sqlite Query Documentation & Notable Artifacts
https://theforensicscooter.com/2022/05/02/photos-sqlite-query-documentation-notable-artifacts/
- Local Photo Library Photos.sqlite Query Variations & WHERE statements
https://theforensicscooter.com/2022/02/21/photos-sqlite-update/
- How to find iOS Hidden Assets
https://theforensicscooter.com/2022/07/29/how-to-find-ios-hidden-assets/
- Photos.sqlite ZINTERNALRESOURCE Table Reference Guide
https://theforensicscooter.com/2022/12/03/photos-sqlite-zinternalresource-table-reference-guide/
- Do you have a Full-Sized Asset…or just a Thumbnail? Did Optimized iPhone Storage process occur?
https://theforensicscooter.com/2022/12/05/do-you-have-a-full-sized-assetor-just-a-thumbnail-did-optimized-iphone-storage-process-occur/
- Part B Filling a device internal storage for Optimize iPhone Storage Research
https://theforensicscooter.com/2022/12/03/part-b-filling-a-device-internal-storage-for-optimize-iphone-storage-research/
- iOS Media Adjustments
https://www.doubleblak.com/blogPosts.php?id=23
- iOS Local Photo Library (PL) Photos.sqlite Queries
https://github.com/ScottKjr3347/iOS_Local_PL_Photos.sqlite_Queries
- USING PHOTOS.SQLITE TO SHOW THE RELATIONSHIPS BETWEEN PHOTOS AND THE APPLICATION THEY WERE CREATED WITH? BY SCOTT KOENIG
https://smarterforensics.com/2020/08/does-photos-sqlite-have-relations-with-cameramessagesapp-by-scott-koenig/
https://dfir.pubpub.org/pub/v19rksyf/release/1
- How Did That Photo Get on That iPhone? – Deep Dive into the iOS “Photos.sqlite” database
https://msab.com/guides-whitepapers/forensic-dive-into-ios-photos-sqlite-database/
- How Did That Photo Get on That iPhone: Media Attribution for iOS
https://www.msab.com/blog/media-attribution-for-ios/
- iOS Photos.sqlite Forensics
https://www.forensicmike1.com/2019/05/02/ios-photos-sqlite-forensics/
- macOS & iOS Photos Support with Magnet AXIOM
https://www.magnetforensics.com/blog/macos-ios-photos-support-with-magnet-axiom/
- Apple Watch Forensics 02: Analysis
https://blog.elcomsoft.com/2019/06/apple-watch-forensics-02-analysis/
- Apple iOS: Recently Deleted images
https://forensenellanebbia.blogspot.com/2015/10/apple-ios-recently-deleted-images.html
- The Apple Photos library
https://www.tonkata.com/posts/apple-photos/
- Photos.sqlite query
https://github.com/kacos2000/queries/blob/master/Photos_sqlite.sql
- iLEAPP Photos Plugin
https://github.com/abrignoni/iLEAPP/blob/main/scripts/artifacts/photosMetadata.py
- Practical Mobile Forensics - Fourth Edition
https://www.packtpub.com/product/practical-mobile-forensics-fourth-edition/9781838647520
- iOS Forensics for Investigators
https://www.packtpub.com/product/ios-forensics-for-investigators/9781803234083
/mobile/Media/PhotoData/Thumbnails/
- iPhone Photodata Thumbnails
https://athenaforensics.co.uk/iphone-photodata-thumbnails/
- Local Photo Library Photos.sqlite Query Documentation & Notable Artifacts
https://theforensicscooter.com/2022/05/02/photos-sqlite-query-documentation-notable-artifacts/
- Do you have a Full-Sized Asset…or just a Thumbnail? Did Optimized iPhone Storage process occur?
https://theforensicscooter.com/2022/12/05/do-you-have-a-full-sized-assetor-just-a-thumbnail-did-optimized-iphone-storage-process-occur/
- Photos.sqlite ZINTERNALRESOURCE Table Reference Guide
https://theforensicscooter.com/2022/12/03/photos-sqlite-zinternalresource-table-reference-guide/
- iOS iThmbs
http://dig-forensics.blogspot.com/2013/05/ios-ithmbs.html
- iThmb Converter
https://www.ithmbconverter.com/
- iOS Forensics for Investigators
https://www.packtpub.com/product/ios-forensics-for-investigators/9781803234083
/mobile/Media/Recordings/
- Forensic originality identification of iPhone’s voice memos
https://iopscience.iop.org/article/10.1088/1742-6596/1345/5/052053/pdf
- A method of forensic authentication of audio recordings generated using the Voice Memos application in the iPhone
https://www.sciencedirect.com/science/article/abs/pii/S0379073821000220
- Advanced forensic procedure for the authentication of audio recordings generated by Voice Memos application of iOS14
https://onlinelibrary.wiley.com/doi/abs/10.1111/1556-4029.15016
- Cellebrite CTF 2020: Juan Mortyme
https://ciofecaforensics.com/2020/10/30/cellebrite-ctf-juan/
- iLEAPP Voice Recordings Plugin
https://github.com/abrignoni/iLEAPP/blob/main/scripts/artifacts/voiceRecordings.py
- Practical Mobile Forensics - Fourth Edition
https://www.packtpub.com/product/practical-mobile-forensics-fourth-edition/9781838647520
"/mobile/MobileSoftwareUpdate/" folder
/mobile/MobileSoftwareUpdate/restore.log
- Restore Log - Tracking iOS Update History
https://www.stark4n6.com/2021/10/restore-log-tracking-ios-update-history.html
- Cellebrite CTF 2021 Writeup
https://medium.com/@williamskosasi/cellebrite-ctf-2021-writeup-b73d821a708
- iLEAPP restore.log Plugin
https://github.com/abrignoni/iLEAPP/blob/main/scripts/artifacts/restoreLog.py
"/networkd/" folder
/networkd/netusage.sqlite
- Network and Application Usage using netusage.sqlite & DataUsage.sqlite iOS Databases
http://www.mac4n6.com/blog/2019/1/6/network-and-application-usage-using-netusagesqlite-amp-datausagesqlite-ios-databases
- iOS - Tracking Traces of Deleted Applications
https://blog.d204n6.com/2019/09/ios-tracking-traces-of-deleted.html
- Tracking Traces of Deleted Applications - SANS DFIR Summit 2019
https://www.youtube.com/watch?v=4LcQm4ErXpA
- iOS Forensics: HFS+ file system, partitions and relevant evidences
https://andreafortuna.org/2020/08/31/ios-forensics-hfs-file-system-partitions-and-relevant-evidences/
- iLEAPP Net Usage Plugin
https://github.com/abrignoni/iLEAPP/blob/main/scripts/artifacts/netusage.py
- APOLLO Netusage Module
https://github.com/mac4n6/APOLLO/blob/master/modules/netusage_zprocess.txt
https://github.com/mac4n6/APOLLO/blob/master/modules/netusage_zliveusage.txt
https://github.com/mac4n6/APOLLO/blob/master/modules/netusage_zliverouteperf.txt
"/preferences/" folder
/preferences/com.apple.networkextension.plist
/preferences/com.apple.wifi.known-networks.plist
- Apple Private Wi-Fi Addresses
https://ciofecaforensics.com/2020/10/24/apple-private-addresses/
- Sysdiagnose in iOS 16: a first look from a Digital Forensics perspective
https://blog.digital-forensics.it/2022/11/sysdiagnose-in-ios-16-first-look-from.html
- mac_apt WiFi Plugin
https://github.com/ydkhatri/mac_apt/blob/master/plugins/ios_wifi.py
/preferences/SystemConfiguration/com.apple.accounts.exists.plist
- Checkra1n Era - Ep 4 - Analyzing extractions "Before First Unlock"
https://blog.digital-forensics.it/2019/12/checkra1n-era-ep-4-analyzing.html
- iLEAPP Conf Accounts Plugin
https://github.com/abrignoni/iLEAPP/blob/main/scripts/artifacts/confaccts.py
/preferences/SystemConfiguration/com.apple.networkidentification.plist
- Artifacts of an IOS device
https://infosecaddicts.com/artifacts-ios-device/
- Everything You Always Wanted to Know About iTunes and iCloud Backups But Were Afraid to Ask
https://blog.elcomsoft.com/2014/03/itunes-icloud-backups/
/preferences/SystemConfiguration/com.apple.radios.plist
- Checkra1n Era - Ep 4 - Analyzing extractions "Before First Unlock"
https://blog.digital-forensics.it/2019/12/checkra1n-era-ep-4-analyzing.html
- iOS Forensics for Investigators
https://www.packtpub.com/product/ios-forensics-for-investigators/9781803234083
/preferences/SystemConfiguration/com.apple.wifi.plist
- From iPhone to Access Point
https://www.forensicfocus.com/articles/from-iphone-to-access-point/
- Apple Private Wi-Fi Addresses
https://ciofecaforensics.com/2020/10/24/apple-private-addresses/
- Using Apple “Bug Reporting” for forensic purposes
https://for585.com/sysdiagnose
- Sysdiagnose in iOS 16: a first look from a Digital Forensics perspective
https://blog.digital-forensics.it/2022/11/sysdiagnose-in-ios-16-first-look-from.html
- Wifi Networks – iOS
https://bitsplease4n6.wordpress.com/2020/12/08/wifi-networks-ios/
- Apple Watch Forensics 02: Analysis
https://blog.elcomsoft.com/2019/06/apple-watch-forensics-02-analysis/
- iOS Forensics: HFS+ file system, partitions and relevant evidences
https://andreafortuna.org/2020/08/31/ios-forensics-hfs-file-system-partitions-and-relevant-evidences/
- iOS Forensics: BFU (Before First Unlock) acquisition, using checkra1n
https://andreafortuna.org/2020/01/10/ios-forensics-bfu-before-first-unlock-acquisition-using-checkra1n/
- APPLE WATCH FORENSICS: IS IT EVER POSSIBLE, AND WHAT IS THE PROFIT?
https://www.forensicfocus.com/webinars/apple-watch-forensics-is-it-ever-possible-and-what-is-the-profit/
https://dfrws.org/wp-content/uploads/2019/06/2019_EU_pres-apple_watch_forensics_is_it_ever_possible_and_what_is_the_profit.pdf
- A journey into IoT Forensics - Episode 5 - Analysis of the Apple HomePod and the Apple Home Kit Environment (aka thanks RN Team!)
https://blog.digital-forensics.it/2021/01/a-journey-into-iot-forensics-episode-5.html
- Cellebrite CTF 2020: Ruth Langmore
https://ciofecaforensics.com/2020/11/02/cellebrite-ctf-ruth/
- iOS Analysis Test No. 18-5551 Summary Report
https://cts-forensics.com/reports/38551_Web.pdf
- iOS Analysis Test No. 19-5551 Summary Report
https://cts-forensics.com/reports/19-5551_Web.pdf
- iOS Analysis Test No. 20-5551 Summary Report
https://cts-forensics.com/reports/20-5551_Web.pdf
- iOS Analysis Test No. 21-5551 Summary Report
https://cts-forensics.com/reports/21-5551_Web.pdf
- iOS Analysis Test No. 22-5551 Summary Report
https://cts-forensics.com/reports/22-5551_Web.pdf
- iOS Sysdiagnose Wi-Fi script
https://github.com/cheeky4n6monkey/iOS_sysdiagnose_forensic_scripts/blob/master/sysdiagnose-wifi-plist.py
- iLEAPP WiFi Plugin
https://github.com/abrignoni/iLEAPP/blob/main/scripts/artifacts/appleWifiPlist.py
- mac_apt WiFi Plugin
https://github.com/ydkhatri/mac_apt/blob/master/plugins/ios_wifi.py
- Practical Mobile Forensics - Fourth Edition
https://www.packtpub.com/product/practical-mobile-forensics-fourth-edition/9781838647520
- iOS Forensics for Investigators
https://www.packtpub.com/product/ios-forensics-for-investigators/9781803234083
/preferences/SystemConfiguration/com.apple.wifi-private-mac-networks.plist
- Apple Private Wi-Fi Addresses
https://ciofecaforensics.com/2020/10/24/apple-private-addresses/
- iLEAPP WiFi Plugin
https://github.com/abrignoni/iLEAPP/blob/main/scripts/artifacts/appleWifiPlist.py
- mac_apt WiFi Plugin
https://github.com/ydkhatri/mac_apt/blob/master/plugins/ios_wifi.py
/preferences/SystemConfiguration/NetworkInterfaces.plist
- Checkra1n Era - Ep 4 - Analyzing extractions "Before First Unlock"
https://blog.digital-forensics.it/2019/12/checkra1n-era-ep-4-analyzing.html
- iOS Sysdiagnose Network Interfaces script
https://github.com/cheeky4n6monkey/iOS_sysdiagnose_forensic_scripts/blob/master/sysdiagnose-networkinterfaces.py
- Using Apple “Bug Reporting” for forensic purposes
https://for585.com/sysdiagnose
- iOS Analysis Test No. 21-5551 Summary Report
https://cts-forensics.com/reports/21-5551_Web.pdf
- iOS Forensics for Investigators
https://www.packtpub.com/product/ios-forensics-for-investigators/9781803234083
/preferences/SystemConfiguration/preferences.plist
"/root/" folder
/root/.obliterated
- Upgrade From NULL—Detecting iOS Wipe Artifacts
https://dfir.pubpub.org/pub/6i7d593n/release/1
- How To Identify When an IPhone or iPad was Factory Reset
https://athenaforensics.co.uk/how-to-identify-when-an-iphone-or-ipad-was-factory-reset/
- iOS Analysis Test No. 20-5551 Summary Report
https://cts-forensics.com/reports/20-5551_Web.pdf
- iOS Analysis Test No. 21-5551 Summary Report
https://cts-forensics.com/reports/21-5551_Web.pdf
- iOS Analysis Test No. 22-5551 Summary Report
https://cts-forensics.com/reports/22-5551_Web.pdf
- Cellebrite CTF 2020: Ruth Langmore
https://ciofecaforensics.com/2020/11/02/cellebrite-ctf-ruth/
/root/Library/Application Support/com.apple.wifianalyticsd/DeviceAnalyticsModel.sqlite
/root/Library/Application Support/com.apple.wifianalyticsd/WiFiNetworkStoreModel.sqlite
- iLEAPP WifiNetworkStoreModel Plugin
https://github.com/abrignoni/iLEAPP/blob/main/scripts/artifacts/wifiNetworkStoreModel.py
/root/Library/Caches/com.apple.wifid/ThreeBars.sqlite
- Checkra1n Era - Ep 4 - Analyzing extractions "Before First Unlock"
https://blog.digital-forensics.it/2019/12/checkra1n-era-ep-4-analyzing.html
- Locations, Locations, Locations
https://doubleblak.com/blogPosts.php?id=14
- Harvested Locations
https://www.doubleblak.com/blogPosts.php?id=16
/root/Library/Caches/locationd/cache.plist
- Checkra1n Era - Ep 4 - Analyzing extractions "Before First Unlock"
https://blog.digital-forensics.it/2019/12/checkra1n-era-ep-4-analyzing.html
- Ridin’ With Apple CarPlay
https://thebinaryhick.blog/2019/05/08/ridin-with-apple-carplay/
/root/Library/Caches/locationd/cache_encryptedA.db
- New Script – iOS Locations Scraper
http://www.mac4n6.com/blog/2016/6/6/new-script-ios-locations-scraper
- Smartphone Privacy: How Your Smartphone Tracks Your Entire Life
https://conference.hitb.org/hitbsecconf2018pek/materials/D2T2%20-%20How%20Your%20Smartphone%20Tracks%20Your%20Entire%20Life%20-%20Vladimir%20Katalov.pdf
- Getting Started with iOS Forensics
https://www.systoolsgroup.com/forensics/sqlite/ios.html
- APOLLO cache_encryptedA/B Modules
https://github.com/mac4n6/APOLLO/blob/master/modules/locationd_cacheencryptedAB_cdmacelllocation.txt
https://github.com/mac4n6/APOLLO/blob/master/modules/locationd_cacheencryptedAB_celllocation.txt
https://github.com/mac4n6/APOLLO/blob/master/modules/locationd_cacheencryptedAB_celllocationlocal.txt
/root/Library/Caches/locationd/cache_encryptedB.db
- FROM APPLE SEEDS TO APPLE PIE
https://objectivebythesea.org/v1/talks/OBTS_v1_Edwards.pdf
- New Script – iOS Locations Scraper
http://www.mac4n6.com/blog/2016/6/6/new-script-ios-locations-scraper
- Smartphone Privacy: How Your Smartphone Tracks Your Entire Life
https://conference.hitb.org/hitbsecconf2018pek/materials/D2T2%20-%20How%20Your%20Smartphone%20Tracks%20Your%20Entire%20Life%20-%20Vladimir%20Katalov.pdf
- Checkra1n Era - Ep 4 - Analyzing extractions "Before First Unlock"
https://blog.digital-forensics.it/2019/12/checkra1n-era-ep-4-analyzing.html
- Harvested Locations
https://www.doubleblak.com/blogPosts.php?id=16
- APOLLO cache_encryptedA/B Modules
https://github.com/mac4n6/APOLLO/blob/master/modules/locationd_cacheencryptedAB_cdmacelllocation.txt
https://github.com/mac4n6/APOLLO/blob/master/modules/locationd_cacheencryptedAB_celllocation.txt
https://github.com/mac4n6/APOLLO/blob/master/modules/locationd_cacheencryptedAB_celllocationlocal.txt
- iOS Forensics for Investigators
https://www.packtpub.com/product/ios-forensics-for-investigators/9781803234083
/root/Library/Caches/locationd/cache_encryptedC.db
- FROM APPLE SEEDS TO APPLE PIE
https://objectivebythesea.org/v1/talks/OBTS_v1_Edwards.pdf
- SANS 2022 DFIR Summit Queries
https://for585.com/dfirsummit22
- APOLLO cache_encryptedC Modules
https://github.com/mac4n6/APOLLO/blob/master/modules/locationd_cacheencryptedC_motionstatehistory.txt
https://github.com/mac4n6/APOLLO/blob/master/modules/locationd_cacheencryptedC_stepcounthistory.txt
https://github.com/mac4n6/APOLLO/blob/master/modules/locationd_cacheencryptedC_nataliehistory.txt
- The phone reveals your motion: Digital traces of walking, driving and other movements on iPhones
https://www.sciencedirect.com/science/article/abs/pii/S2666281721000780
- Checkra1n Era - Ep 4 - Analyzing extractions "Before First Unlock"
https://blog.digital-forensics.it/2019/12/checkra1n-era-ep-4-analyzing.html
- iOS Forensics for Investigators
https://www.packtpub.com/product/ios-forensics-for-investigators/9781803234083
/root/Library/Caches/locationd/clients.plist
- iOS Location Services and System Services ON or OFF?
https://theforensicscooter.com/2021/09/20/ios-location-services-and-system-services-on-or-off/
- iOS Location Services and System Services are they ON or OFF
https://dfir.pubpub.org/pub/4sv4kxyh/release/2
- Practical Mobile Forensics - Fourth Edition
https://www.packtpub.com/product/practical-mobile-forensics-fourth-edition/9781838647520
/root/Library/Caches/locationd/consolidated.db
- iOS GeoFences
http://www.doubleblak.com/m/blogPosts.php?id=22
- BELKASOFT CTF JULY 2022: WRITE-UP
https://belkasoft.com/belkactf-jul2022-writeup
- iOS Forensics for Investigators
https://www.packtpub.com/product/ios-forensics-for-investigators/9781803234083
/root/Library/Lockdown/data_ark.plist
- Putting a User Behind an iOS Device
https://dfrws.org/wp-content/uploads/2020/06/2020_USA_pres-putting_a_user_behind_an_ios_device.pdf
- Checkra1n Era - Ep 4 - Analyzing extractions "Before First Unlock"
https://blog.digital-forensics.it/2019/12/checkra1n-era-ep-4-analyzing.html
- Oh no! I have a wiped iPhone, now what?
https://blog.digital-forensics.it/2021/05/oh-no-i-have-wiped-iphone-now-what.html
- KnowledgeC (and Friends)
http://www.doubleblak.com/m/blogPosts.php?id=2
- Magnet Virtual Summit 2020 CTF (iOS)
https://www.stark4n6.com/2020/06/magnet-virtual-summit-2020-ctf-ios.html
- iOS - Tracking Device Migration
https://blog.d204n6.com/2021/06/ios-tracking-device-migration.html
- iOS Analysis Test No. 22-5551 Summary Report
https://cts-forensics.com/reports/22-5551_Web.pdf
- Artifacts of an IOS device
https://infosecaddicts.com/artifacts-ios-device/
/root/Library/Lockdown/escrow_records/
- Checkra1n Era - Ep 4 - Analyzing extractions "Before First Unlock"
https://blog.digital-forensics.it/2019/12/checkra1n-era-ep-4-analyzing.html
- Understanding usbmux and the iOS lockdown service
https://jon-gabilondo-angulo-7635.medium.com/understanding-usbmux-and-the-ios-lockdown-service-7f2a1dfd07ae
- Practical Mobile Forensics - Fourth Edition
https://www.packtpub.com/product/practical-mobile-forensics-fourth-edition/9781838647520
/root/Library/Lockdown/pair_records/
- Checkra1n Era - Ep 4 - Analyzing extractions "Before First Unlock"
https://blog.digital-forensics.it/2019/12/checkra1n-era-ep-4-analyzing.html
- Understanding usbmux and the iOS lockdown service
https://jon-gabilondo-angulo-7635.medium.com/understanding-usbmux-and-the-ios-lockdown-service-7f2a1dfd07ae
- Practical Mobile Forensics - Fourth Edition
https://www.packtpub.com/product/practical-mobile-forensics-fourth-edition/9781838647520
/root/Library/Logs/MobileContainerManager
- Checkra1n Era - Ep 4 - Analyzing extractions "Before First Unlock"
https://blog.digital-forensics.it/2019/12/checkra1n-era-ep-4-analyzing.html
- How To Identify When an IPhone or iPad was Factory Reset
https://athenaforensics.co.uk/how-to-identify-when-an-iphone-or-ipad-was-factory-reset/
- So Long Lockdown!
http://www.doubleblak.com/m/blogPosts.php?id=9
- Upgrade From NULL—Detecting iOS Wipe Artifacts
https://dfir.pubpub.org/pub/6i7d593n/release/1
- Using Apple “Bug Reporting” for forensic purposes
https://for585.com/sysdiagnose
- Apple Watch Forensics 02: Analysis
https://blog.elcomsoft.com/2019/06/apple-watch-forensics-02-analysis/
- Apple TV Forensics 03: Analysis
https://blog.elcomsoft.com/2019/09/apple-tv-forensics-03-analysis/
- iLEAPP Mobile Container Manager Logs Plugin
https://github.com/abrignoni/iLEAPP/blob/main/scripts/artifacts/mobileContainerManager.py
/root/Library/MobileContainerManager/containers.sqlite3
- Checkra1n Era - Ep 4 - Analyzing extractions "Before First Unlock"
https://blog.digital-forensics.it/2019/12/checkra1n-era-ep-4-analyzing.html
- iOS Application Groups & Shared data
http://www.swiftforensics.com/2021/01/ios-application-groups-shared-data.html
/root/Library/Preferences/com.apple.MobileBackup.plist
- Checkra1n Era - Ep 4 - Analyzing extractions "Before First Unlock"
https://blog.digital-forensics.it/2019/12/checkra1n-era-ep-4-analyzing.html
- Using Apple “Bug Reporting” for forensic purposes
https://for585.com/sysdiagnose
- Sysdiagnose in iOS 16: a first look from a Digital Forensics perspective
https://blog.digital-forensics.it/2022/11/sysdiagnose-in-ios-16-first-look-from.html
- iOS Sysdiagnose Mobile Backup script
https://github.com/cheeky4n6monkey/iOS_sysdiagnose_forensic_scripts/blob/master/sysdiagnose-mobilebackup.py
- Local Photo Library Photos.sqlite Query Documentation & Notable Artifacts
https://theforensicscooter.com/2022/05/02/photos-sqlite-query-documentation-notable-artifacts/
- Practical Mobile Forensics - Fourth Edition
https://www.packtpub.com/product/practical-mobile-forensics-fourth-edition/9781838647520
/root/Library/Preferences/com.apple.preferences.network.plist
- Artifacts of an IOS device
https://infosecaddicts.com/artifacts-ios-device/
- Wireless Network Preferences – iOS
https://bitsplease4n6.wordpress.com/2020/12/17/wireless-network-preferences-ios/
"/wireless/" folder
/wireless/Library/Databases/CellularUsage.db
- Checkra1n Era - Ep 4 - Analyzing extractions "Before First Unlock"
https://blog.digital-forensics.it/2019/12/checkra1n-era-ep-4-analyzing.html
- A Few Interesting iOS Forensic Artefacts
https://salt4n6.com/2018/05/15/a-few-interesting-ios-forensic-artefacts/
- iOS Forensics: BFU (Before First Unlock) acquisition, using checkra1n
https://andreafortuna.org/2020/01/10/ios-forensics-bfu-before-first-unlock-acquisition-using-checkra1n/
- Cellebrite CTF 2021 - Marsha's Backup
https://www.stark4n6.com/2021/10/cellebrite-ctf-2021-marshas-backup.html
- iOS Analysis Test No. 20-5551 Summary Report
https://cts-forensics.com/reports/20-5551_Web.pdf
- Practical Mobile Forensics - Fourth Edition
https://www.packtpub.com/product/practical-mobile-forensics-fourth-edition/9781838647520
/wireless/Library/Databases/DataUsage.sqlite
- Network and Application Usage using netusage.sqlite & DataUsage.sqlite iOS Databases
http://www.mac4n6.com/blog/2019/1/6/network-and-application-usage-using-netusagesqlite-amp-datausagesqlite-ios-databases
- FROM APPLE SEEDS TO APPLE PIE
https://objectivebythesea.org/v1/talks/OBTS_v1_Edwards.pdf
- iOS - Tracking Traces of Deleted Applications
https://blog.d204n6.com/2019/09/ios-tracking-traces-of-deleted.html
- Tracking Traces of Deleted Applications - SANS DFIR Summit 2019
https://www.youtube.com/watch?v=4LcQm4ErXpA
- iOS Analysis Test No. 20-5551 Summary Report
https://cts-forensics.com/reports/20-5551_Web.pdf
- Checkra1n Era - Ep 4 - Analyzing extractions "Before First Unlock"
https://blog.digital-forensics.it/2019/12/checkra1n-era-ep-4-analyzing.html
- iOS Forensics: BFU (Before First Unlock) acquisition, using checkra1n
https://andreafortuna.org/2020/01/10/ios-forensics-bfu-before-first-unlock-acquisition-using-checkra1n/
- iOS Forensics: HFS+ file system, partitions and relevant evidences
https://andreafortuna.org/2020/08/31/ios-forensics-hfs-file-system-partitions-and-relevant-evidences/
- APOLLO DataUsage Modules
https://github.com/mac4n6/APOLLO/blob/master/modules/datausage_zprocess.txt
https://github.com/mac4n6/APOLLO/blob/master/modules/datausage_zliveusage.txt
- iLEAPP DataUsage Plugin
https://github.com/abrignoni/iLEAPP/blob/main/scripts/artifacts/netusage.py
- iOS Forensics for Investigators
https://www.packtpub.com/product/ios-forensics-for-investigators/9781803234083
/wireless/Library/preferences/com.apple.commcenter.callservices.plist
/wireless/Library/Preferences/com.apple.commcenter.counts.plist
- Checkra1n Era - Ep 4 - Analyzing extractions "Before First Unlock"
https://blog.digital-forensics.it/2019/12/checkra1n-era-ep-4-analyzing.html
/wireless/Library/Preferences/com.apple.commcenter.data.plist
- Mo’ SIMs, Mo’ Problems. Examining Phones with Dual SIMs.
https://thebinaryhick.blog/2022/12/06/mo-sims-mo-problems-examining-phones-with-dual-sims/
- iLEAPP SimInfo Plugin
https://github.com/abrignoni/iLEAPP/blob/main/scripts/artifacts/simInfo.py
/wireless/Library/Preferences/com.apple.commcenter.device_specific_nobackup.plist
- Checkra1n Era - Ep 4 - Analyzing extractions "Before First Unlock"
https://blog.digital-forensics.it/2019/12/checkra1n-era-ep-4-analyzing.html
/wireless/Library/Preferences/com.apple.commcenter.plist
- Checkra1n Era - Ep 4 - Analyzing extractions "Before First Unlock"
https://blog.digital-forensics.it/2019/12/checkra1n-era-ep-4-analyzing.html
- iOS Forensics: HFS+ file system, partitions and relevant evidences
https://andreafortuna.org/2020/08/31/ios-forensics-hfs-file-system-partitions-and-relevant-evidences/
- iOS Forensics: BFU (Before First Unlock) acquisition, using checkra1n
https://andreafortuna.org/2020/01/10/ios-forensics-bfu-before-first-unlock-acquisition-using-checkra1n/
- Artifacts of an IOS device
https://infosecaddicts.com/artifacts-ios-device/
- iOS Analysis Test No. 18-5551 Summary Report
https://cts-forensics.com/reports/38551_Web.pdf
- iOS Analysis Test No. 21-5551 Summary Report
https://cts-forensics.com/reports/21-5551_Web.pdf
- iOS Analysis Test No. 22-5551 Summary Report
https://cts-forensics.com/reports/22-5551_Web.pdf
- Practical Mobile Forensics - Fourth Edition
https://www.packtpub.com/product/practical-mobile-forensics-fourth-edition/9781838647520
- iOS Forensics for Investigators
https://www.packtpub.com/product/ios-forensics-for-investigators/9781803234083