Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

Awesome Lists | Featured Topics | Projects

https://github.com/RealityNet/iOS-Forensics-References

A curated list of iOS Forensics References, organized by folder with specific references (links to blog post, research paper, articles, and so on) for each interesting file
https://github.com/RealityNet/iOS-Forensics-References

Last synced: 3 months ago
JSON representation

A curated list of iOS Forensics References, organized by folder with specific references (links to blog post, research paper, articles, and so on) for each interesting file

Awesome Lists containing this project

README

        

# iOS Forensics References

Last update: April 17th 2023


DATA Partition (/private/var)


"/.fseventsd/" folder





  • /.fseventsd

    • Understanding MacOS File System Events with FSEventsParser

    • http://www.osdfcon.org/presentations/2017/Ibrahim-Understanding-MacOS-File-Ststem-Events-with-FSEvents-Parser.pdf
    • Mac OS X and iOS Forensics - Looking into the past with FSEvents

    • https://papers.put.as/papers/macosx/2017/summit_archive_1498158287.pdf
    • FSEvents Parser

    • https://github.com/dlcowen/FSEventsParser




"/containers/" folder





  • /containers/Data/System/"GUID"/Documents/storeSystem.db


  • /containers/Shared/SystemGroup/"GUID"/Library/BatteryLife/CurrentPowerlog.PLSQL

    • FROM APPLE SEEDS TO APPLE PIE

    • https://objectivebythesea.org/v1/talks/OBTS_v1_Edwards.pdf
    • On the Third Day of APOLLO, My True Love Gave to Me – Application Usage to Determine Who Has Been Naughty or Nice

    • http://www.mac4n6.com/blog/2018/12/16/on-the-third-day-of-apollo-my-true-love-gave-to-me-application-usage-to-determine-who-has-been-naughty-or-nice
    • On the Fourth Day of APOLLO, My True Love Gave to Me – Media Analysis to Prove You Listened to “All I Want for Christmas is You” Over and Over Since Before Thanksgiving

    • http://www.mac4n6.com/blog/2018/12/17/on-the-fourth-day-of-apollo-my-true-love-gave-to-me-media-analysis-to-prove-you-listened-to-all-i-want-for-christmas-is-you-over-and-over-since-before-thanksgiving
    • On the Sixth Day of APOLLO, My True Love Gave to Me – Blinky Things with Buttons – Device Status Analysis

    • http://www.mac4n6.com/blog/2018/12/19/on-the-sixth-day-of-apollo-my-true-love-gave-to-me-blinky-things-with-buttons-device-status-analysis
    • On the Seventh Day of APOLLO, My True Love Gave to Me – A Good Conversation – Analysis of Communications and Data Usage

    • http://www.mac4n6.com/blog/2018/12/20/on-the-seventh-day-of-apollo-my-true-love-gave-to-me-a-good-conversation-analysis-of-communications-and-data-usage
    • On the Eighth Day of APOLLO, My True Love Gave to Me – A Glorious Lightshow – Analysis of Device Connections

    • http://www.mac4n6.com/blog/2018/12/21/on-the-eighth-day-of-apollo-my-true-love-gave-to-me-a-glorious-lightshow-analysis-of-device-connections
    • On the Tenth Day of APOLLO, My True Love Gave to Me – An Oddly Detailed Map of My Recent Travels – iOS Location Analysis

    • http://www.mac4n6.com/blog/2018/12/23/on-the-tenth-day-of-apollo-my-true-love-gave-to-me-an-oddly-detailed-map-of-my-recent-travels-ios-location-analysis
    • APOLLO CurrentPowerLog Modules

    • https://github.com/mac4n6/APOLLO/blob/master/modules/powerlog_accessory_connection.txt
      https://github.com/mac4n6/APOLLO/blob/master/modules/powerlog_airdrop.txt
      https://github.com/mac4n6/APOLLO/blob/master/modules/powerlog_app_audio.txt
      https://github.com/mac4n6/APOLLO/blob/master/modules/powerlog_app_deletion.txt
      https://github.com/mac4n6/APOLLO/blob/master/modules/powerlog_app_info.txt
      https://github.com/mac4n6/APOLLO/blob/master/modules/powerlog_app_nowplaying.txt
      https://github.com/mac4n6/APOLLO/blob/master/modules/powerlog_app_usage.txt
      https://github.com/mac4n6/APOLLO/blob/master/modules/powerlog_app_usage_by_hour.txt
      https://github.com/mac4n6/APOLLO/blob/master/modules/powerlog_assertion.txt
      https://github.com/mac4n6/APOLLO/blob/master/modules/powerlog_audio_routing.txt
      https://github.com/mac4n6/APOLLO/blob/master/modules/powerlog_awdl_states.txt
      https://github.com/mac4n6/APOLLO/blob/master/modules/powerlog_backcamera_state.txt
      https://github.com/mac4n6/APOLLO/blob/master/modules/powerlog_backlight_brightness.txt
      https://github.com/mac4n6/APOLLO/blob/master/modules/powerlog_battery_level.txt
      https://github.com/mac4n6/APOLLO/blob/master/modules/powerlog_battery_level_ui.txt
      https://github.com/mac4n6/APOLLO/blob/master/modules/powerlog_bluetooth_device_state.txt
      https://github.com/mac4n6/APOLLO/blob/master/modules/powerlog_button_state.txt
      https://github.com/mac4n6/APOLLO/blob/master/modules/powerlog_camera_state.txt
      https://github.com/mac4n6/APOLLO/blob/master/modules/powerlog_coalition_interval.txt
      https://github.com/mac4n6/APOLLO/blob/master/modules/powerlog_device_lock_state.txt
      https://github.com/mac4n6/APOLLO/blob/master/modules/powerlog_device_screen_autolock.txt
      https://github.com/mac4n6/APOLLO/blob/master/modules/powerlog_device_telephony_activity.txt
      https://github.com/mac4n6/APOLLO/blob/master/modules/powerlog_device_telephony_registration.txt
      https://github.com/mac4n6/APOLLO/blob/master/modules/powerlog_device_volume.txt
      https://github.com/mac4n6/APOLLO/blob/master/modules/powerlog_display.txt
      https://github.com/mac4n6/APOLLO/blob/master/modules/powerlog_display_brightness.txt
      https://github.com/mac4n6/APOLLO/blob/master/modules/powerlog_frontcamera_state.txt
      https://github.com/mac4n6/APOLLO/blob/master/modules/powerlog_ids_messages.txt
      https://github.com/mac4n6/APOLLO/blob/master/modules/powerlog_incallservice.txt
      https://github.com/mac4n6/APOLLO/blob/master/modules/powerlog_kernel_task_monitor.txt
      https://github.com/mac4n6/APOLLO/blob/master/modules/powerlog_lightning_connector_status.txt
      https://github.com/mac4n6/APOLLO/blob/master/modules/powerlog_lightnining_connector_status.txt
      https://github.com/mac4n6/APOLLO/blob/master/modules/powerlog_location_client_status.txt
      https://github.com/mac4n6/APOLLO/blob/master/modules/powerlog_location_tech_status.txt
      https://github.com/mac4n6/APOLLO/blob/master/modules/powerlog_mobilebackup.txt
      https://github.com/mac4n6/APOLLO/blob/master/modules/powerlog_network_usage.txt
      https://github.com/mac4n6/APOLLO/blob/master/modules/powerlog_paired_device_config.txt
      https://github.com/mac4n6/APOLLO/blob/master/modules/powerlog_power_state.txt
      https://github.com/mac4n6/APOLLO/blob/master/modules/powerlog_powernap.txt
      https://github.com/mac4n6/APOLLO/blob/master/modules/powerlog_process_data_usage.txt
      https://github.com/mac4n6/APOLLO/blob/master/modules/powerlog_process_id.txt
      https://github.com/mac4n6/APOLLO/blob/master/modules/powerlog_process_monitor_dynamic.txt
      https://github.com/mac4n6/APOLLO/blob/master/modules/powerlog_push_message_received.txt
      https://github.com/mac4n6/APOLLO/blob/master/modules/powerlog_rapport_received_message.txt
      https://github.com/mac4n6/APOLLO/blob/master/modules/powerlog_springboard_aggregate_bulletins.txt
      https://github.com/mac4n6/APOLLO/blob/master/modules/powerlog_springboard_aggregate_notifications.txt
      https://github.com/mac4n6/APOLLO/blob/master/modules/powerlog_timezone.txt
      https://github.com/mac4n6/APOLLO/blob/master/modules/powerlog_torch_state.txt
      https://github.com/mac4n6/APOLLO/blob/master/modules/powerlog_video.txt
      https://github.com/mac4n6/APOLLO/blob/master/modules/powerlog_video_cmfile.txt
      https://github.com/mac4n6/APOLLO/blob/master/modules/powerlog_video_cmhls.txt
      https://github.com/mac4n6/APOLLO/blob/master/modules/powerlog_video_vtsession.txt
      https://github.com/mac4n6/APOLLO/blob/master/modules/powerlog_wallet_card.txt
      https://github.com/mac4n6/APOLLO/blob/master/modules/powerlog_wallet_transaction.txt
      https://github.com/mac4n6/APOLLO/blob/master/modules/powerlog_wifi_properties.txt
    • Time Well Spent: Precision Timing, Monotonic Clocks, and the PowerLogs Database for iOS

    • https://www.forensicfocus.com/webinars/time-well-spent-precision-timing-monotonic-clocks-and-the-powerlogs-database-for-ios/
    • Oh no! I have a wiped iPhone, now what?

    • https://blog.digital-forensics.it/2021/05/oh-no-i-have-wiped-iphone-now-what.html
    • iOS Forensics: HFS+ file system, partitions and relevant evidences

    • https://andreafortuna.org/2020/08/31/ios-forensics-hfs-file-system-partitions-and-relevant-evidences/
    • iOS Forensics for Investigators

    • https://www.packtpub.com/product/ios-forensics-for-investigators/9781803234083



  • /containers/Shared/SystemGroup/"GUID"/Library/Database/com.apple.MobileBluetooth.ledevices.other.db

    • Bluetooth – iOS

    • https://bitsplease4n6.wordpress.com/2020/12/17/bluetooth-ios/
    • How to Use iOS Bluetooth Connections to Solve Crimes Faster

    • https://dfir.pubpub.org/pub/frknihlg/release/1
    • How to Use iOS Bluetooth Connections to Solve Crimes Faster

    • https://cellebrite.com/en/how-to-use-ios-bluetooth-connections-to-solve-crimes-faster/
    • iLEAPP Bluetooth Plugin

    • https://github.com/abrignoni/iLEAPP/blob/main/scripts/artifacts/bluetooth.py
    • iOS Forensics for Investigators

    • https://www.packtpub.com/product/ios-forensics-for-investigators/9781803234083



  • /containers/Shared/SystemGroup/"GUID"/Library/Database/com.apple.MobileBluetooth.ledevices.paired.db

    • Bluetooth – iOS

    • https://bitsplease4n6.wordpress.com/2020/12/17/bluetooth-ios/
    • How to Use iOS Bluetooth Connections to Solve Crimes Faster

    • https://dfir.pubpub.org/pub/frknihlg/release/1
    • How to Use iOS Bluetooth Connections to Solve Crimes Faster

    • https://cellebrite.com/en/how-to-use-ios-bluetooth-connections-to-solve-crimes-faster/
    • iLEAPP Bluetooth Plugin

    • https://github.com/abrignoni/iLEAPP/blob/main/scripts/artifacts/bluetooth.py
    • EXTRACTING FORENSIC ARTIFACTS FROM APPLE CONTINUITY

    • https://smarterforensics.com/wp-content/uploads/2014/06/The-Cider-Press-DFIR_Summit2017.pdf
    • iOS Forensics for Investigators

    • https://www.packtpub.com/product/ios-forensics-for-investigators/9781803234083



  • /containers/Shared/SystemGroup/"GUID"/Library/Preferences/com.apple.MobileBluetooth.devices.plist

    • Bluetooth – iOS

    • https://bitsplease4n6.wordpress.com/2020/12/17/bluetooth-ios/
    • How to Use iOS Bluetooth Connections to Solve Crimes Faster

    • https://dfir.pubpub.org/pub/frknihlg/release/1
    • How to Use iOS Bluetooth Connections to Solve Crimes Faster

    • https://cellebrite.com/en/how-to-use-ios-bluetooth-connections-to-solve-crimes-faster/
    • Cellebrite CTF 2021 - Beth's iPhone

    • https://www.stark4n6.com/2021/10/cellebrite-ctf-2021-beths-iphone.html
    • Cellebrite CTF 2020: Juan Mortyme

    • https://ciofecaforensics.com/2020/10/30/cellebrite-ctf-juan/
    • iOS Analysis Test No. 19-5551 Summary Report

    • https://cts-forensics.com/reports/19-5551_Web.pdf
    • iOS Analysis Test No. 20-5551 Summary Report

    • https://cts-forensics.com/reports/20-5551_Web.pdf
    • iOS Analysis Test No. 21-5551 Summary Report

    • https://cts-forensics.com/reports/21-5551_Web.pdf
    • iOS Forensics: HFS+ file system, partitions and relevant evidences

    • https://andreafortuna.org/2020/08/31/ios-forensics-hfs-file-system-partitions-and-relevant-evidences/
    • iOS Forensics: BFU (Before First Unlock) acquisition, using checkra1n

    • https://andreafortuna.org/2020/01/10/ios-forensics-bfu-before-first-unlock-acquisition-using-checkra1n/
    • iLEAPP Bluetooth Plugin

    • https://github.com/abrignoni/iLEAPP/blob/main/scripts/artifacts/bluetooth.py
    • iOS Forensics for Investigators

    • https://www.packtpub.com/product/ios-forensics-for-investigators/9781803234083




"/db/" folder





  • /db/biome/

    • iOS 16 - Now You 'C' It, Now You Don't -- Breaking Down The Biomes Part 1

    • https://blog.d204n6.com/2022/09/ios-16-now-you-c-it-now-you-dont.html
    • iOS 16 Breaking Down the Biomes Part 2 - AppInstalls, AppLaunch, & AppIntents

    • https://blog.d204n6.com/2022/09/ios-16-breaking-down-biomes-part-2.html
    • iOS 16 - Breaking Down the Biomes (Part 3) - Keeping up with CarPlay

    • https://blog.d204n6.com/2022/09/ios-16-breaking-down-biomes-part-3.html
    • iOS 16 - Breaking Down the Biomes (Part 4) - Surfin' with Safari

    • https://blog.d204n6.com/2022/09/ios-16-breaking-down-biomes-part-4.html
    • iOS 16 - Breaking Down the Biomes Part 5 -- "Hey Siri, find me some more data..."

    • https://blog.d204n6.com/2022/09/ios-16-breaking-down-biomes-part-5-hey.html
    • Bringing it Back With Biome Data

    • https://www.magnetforensics.com/blog/bringing-it-back-with-biome-data/
    • iLEAPP Biome Plugins

    • https://github.com/abrignoni/iLEAPP/blob/main/scripts/artifacts/biomeAppinstall.py
      https://github.com/abrignoni/iLEAPP/blob/main/scripts/artifacts/biomeBacklight.py
      https://github.com/abrignoni/iLEAPP/blob/main/scripts/artifacts/biomeBattperc.py
      https://github.com/abrignoni/iLEAPP/blob/main/scripts/artifacts/biomeBluetooth.py
      https://github.com/abrignoni/iLEAPP/blob/main/scripts/artifacts/biomeCarplayisconnected.py
      https://github.com/abrignoni/iLEAPP/blob/main/scripts/artifacts/biomeDevplugin.py
      https://github.com/abrignoni/iLEAPP/blob/main/scripts/artifacts/biomeHardware.py
      https://github.com/abrignoni/iLEAPP/blob/main/scripts/artifacts/biomeInfocus.py
      https://github.com/abrignoni/iLEAPP/blob/main/scripts/artifacts/biomeIntents.py
      https://github.com/abrignoni/iLEAPP/blob/main/scripts/artifacts/biomeLocationactivity.py
      https://github.com/abrignoni/iLEAPP/blob/main/scripts/artifacts/biomeNotes.py
      https://github.com/abrignoni/iLEAPP/blob/main/scripts/artifacts/biomeNotificationsPub.py
      https://github.com/abrignoni/iLEAPP/blob/main/scripts/artifacts/biomeNowplaying.py
      https://github.com/abrignoni/iLEAPP/blob/main/scripts/artifacts/biomeSafari.py
      https://github.com/abrignoni/iLEAPP/blob/main/scripts/artifacts/biomeSync.py
      https://github.com/abrignoni/iLEAPP/blob/main/scripts/artifacts/biomeTextinputses.py
      https://github.com/abrignoni/iLEAPP/blob/main/scripts/artifacts/biomeUseractmeta.py
      https://github.com/abrignoni/iLEAPP/blob/main/scripts/artifacts/biomeWifi.py



  • /db/dhcpd_leases*

    • iLEAPP DHCP Plugin

    • https://github.com/abrignoni/iLEAPP/blob/main/scripts/artifacts/dhcphp.py



  • /db/dhcpclient/

    • MAC Apt Networking Plugin

    • https://github.com/ydkhatri/mac_apt/wiki/NETWORKING
    • Cellebrite CTF 2020: Juan Mortyme

    • https://ciofecaforensics.com/2020/10/30/cellebrite-ctf-juan/
    • Apple TV Forensics 03: Analysis

    • https://blog.elcomsoft.com/2019/09/apple-tv-forensics-03-analysis/
    • Checkra1n Era - Ep 4 - Analyzing extractions "Before First Unlock"

    • https://blog.digital-forensics.it/2019/12/checkra1n-era-ep-4-analyzing.html
    • iLEAPP DHCP Plugin

    • https://github.com/abrignoni/iLEAPP/blob/main/scripts/artifacts/dhcpl.py



  • /db/diagnostics/

    • Apple Unified Logging and Activity Tracing formats

    • https://github.com/libyal/dtformats/blob/main/documentation/Apple%20Unified%20Logging%20and%20Activity%20Tracing%20formats.asciidoc
    • Browsing the unified log in difficult circumstances

    • https://eclecticlight.co/2017/09/25/browsing-the-unified-log-in-difficult-circumstances/
    • Reviewing macOS Unified Logs

    • https://www.mandiant.com/resources/blog/reviewing-macos-unified-logs
    • Finding Waldo: Leveraging the Apple Unified Log for Incident Response

    • https://www.crowdstrike.com/blog/how-to-leverage-apple-unified-log-for-incident-response/
      https://objectivebythesea.org/v3/talks/OBTS_v3_jMusunuri_eMartin.pdf
    • Unified Log Reader

    • https://github.com/ydkhatri/UnifiedLogReader
    • Upgrade From NULL—Detecting iOS Wipe Artifacts

    • https://dfir.pubpub.org/pub/6i7d593n/release/1
    • Logs Unite! - Forensic Analysis of Apple Unified Logs

    • https://github.com/mac4n6/Presentations/blob/master/Logs%20Unite!%20-%20Forensic%20Analysis%20of%20Apple%20Unified%20Logs/LogsUnite.pdf
    • Introducing 'Analysis of Apple Unified Logs: Quarantine Edition' [Entry 0]

    • https://www.mac4n6.com/blog/2020/4/19/introducing-analysis-of-apple-unified-logs-quarantine-edition-entry-0




"/installd/" folder





  • /installd/Library/Logs/MobileInstallation/mobile_installation.log.*

    • CyberDefenders - Jailbreak CTF

    • https://www.netscylla.com/blog/2022/06/09/Cyberdefenders-Jailbreak-CTF.html
    • iOS Mobile Installation Logs

    • https://dfir.pubpub.org/pub/e5xlbw88/release/2
    • iOS Mobile Installation Logs

    • https://dfrws.org/wp-content/uploads/2019/10/2019_review-ios_mobile_installation_logs.pdf
    • iOS Mobile Installation Logs Parser

    • https://abrignoni.blogspot.com/2019/01/ios-mobile-installation-logs-parser.html
    • Checkra1n Era - Ep 4 - Analyzing extractions "Before First Unlock"

    • https://blog.digital-forensics.it/2019/12/checkra1n-era-ep-4-analyzing.html
    • Using Apple “Bug Reporting” for forensic purposes

    • https://for585.com/sysdiagnose
    • Apple TV Forensics 03: Analysis

    • https://blog.elcomsoft.com/2019/09/apple-tv-forensics-03-analysis/
    • iLEAPP Mobile Installation Log Plugin

    • https://github.com/abrignoni/iLEAPP/blob/main/scripts/artifacts/mobileInstall.py



  • /installd/Library/Logs/MobileInstallation/LastBuildInfo.plist

    • iOS Analysis Test No. 21-5551 Summary Report

    • https://cts-forensics.com/reports/21-5551_Web.pdf
    • Checkra1n Era - Ep 4 - Analyzing extractions "Before First Unlock"

    • https://blog.digital-forensics.it/2019/12/checkra1n-era-ep-4-analyzing.html
    • Cellebrite CTF 2020: Ruth Langmore

    • https://ciofecaforensics.com/2020/11/02/cellebrite-ctf-ruth/
    • iLEAPP Last Build Info Plugin

    • https://github.com/abrignoni/iLEAPP/blob/main/scripts/artifacts/lastBuild.py



  • /installd/Library/Logs/MobileInstallation/MigrationInfo.plist

    • Local Photo Library Photos.sqlite Query Documentation & Notable Artifacts

    • https://theforensicscooter.com/2022/05/02/photos-sqlite-query-documentation-notable-artifacts/



  • /installd/Library/Logs/MobileInstallation/RoleUserMigration.plist

    • Local Photo Library Photos.sqlite Query Documentation & Notable Artifacts

    • https://theforensicscooter.com/2022/05/02/photos-sqlite-query-documentation-notable-artifacts/



"/logs/" folder





  • /logs/lockdownd.log

    • So Long Lockdown!

    • http://www.doubleblak.com/m/blogPosts.php?id=9
    • KnowledgeC (and Friends)

    • http://www.doubleblak.com/m/blogPosts.php?id=2
    • Cellebrite CTF 2021 - Beth's iPhone

    • https://www.stark4n6.com/2021/10/cellebrite-ctf-2021-beths-iphone.html
    • Checkra1n Era - Ep 4 - Analyzing extractions "Before First Unlock"

    • https://blog.digital-forensics.it/2019/12/checkra1n-era-ep-4-analyzing.html



  • /logs/usermanagerd.log.*


  • /logs/wifimanager.log



"/mobile/Containers/" folder





  • /mobile/Containers/Data/Application/"Apple Safari GUID"/Library/Caches/com.apple.mobilesafari/Cache.db

    • Getting Started with iOS Forensics

    • https://www.systoolsgroup.com/forensics/sqlite/ios.html
    • Practical Mobile Forensics - Fourth Edition

    • https://www.packtpub.com/product/practical-mobile-forensics-fourth-edition/9781838647520
    • iOS Forensics for Investigators

    • https://www.packtpub.com/product/ios-forensics-for-investigators/9781803234083



  • /mobile/Containers/Data/Application//Library/Caches/com.apple.WebAppCache/ApplicationCache.db

    • Practical Mobile Forensics - Fourth Edition

    • https://www.packtpub.com/product/practical-mobile-forensics-fourth-edition/9781838647520



  • /mobile/Containers/Data/Application//Library/Cookies/Cookies.binarycookies

    • Practical Mobile Forensics - Fourth Edition

    • https://www.packtpub.com/product/practical-mobile-forensics-fourth-edition/9781838647520
    • iOS Forensics for Investigators

    • https://www.packtpub.com/product/ios-forensics-for-investigators/9781803234083



  • /mobile/Containers/Data/Application/"Apple Safari GUID"/Library/ImageCache/Favicons/Favicon.db

    • Favicons

    • https://www.doubleblak.com/m/blogPosts.php?id=13
    • iLEAPP Favicon Plugin

    • https://github.com/abrignoni/iLEAPP/blob/main/scripts/artifacts/safariFavicons.py



  • /mobile/Containers/Data/Application/"Apple Safari GUID"/Library/Preferences/com.apple.mobilesafari.plist

    • iOS 14 - First Thoughts and Analysis

    • https://blog.d204n6.com/2020/09/ios-14-first-thoughts-and-analysis.html
    • iLEAPP Recent Web Searches Safari Plugin

    • https://github.com/abrignoni/iLEAPP/blob/main/scripts/artifacts/safariRecentWebSearches.py
    • Practical Mobile Forensics - Fourth Edition

    • https://www.packtpub.com/product/practical-mobile-forensics-fourth-edition/9781838647520



  • /mobile/Containers/Data/Application/"Apple Safari GUID"/Library/Safari/Downloads/Downloads.plist

    • iOS / macOS - Tracking Downloads from Safari Without Downloads

    • https://blog.d204n6.com/2021/05/ios-macos-tracking-downloads-from.html
    • Safari and iPhone Internet History Parser

    • http://az4n6.blogspot.com/2014/07/safari-and-iphone-internet-history.html



  • /mobile/Containers/Data/Application/"Apple Safari GUID"/Library/Safari/Thumbnails/

    • Practical Mobile Forensics - Fourth Edition

    • https://www.packtpub.com/product/practical-mobile-forensics-fourth-edition/9781838647520
    • iOS Forensics for Investigators

    • https://www.packtpub.com/product/ios-forensics-for-investigators/9781803234083



  • /mobile/Containers/Data/Application/"Apple Safari GUID"/Library/WebKit/WebsiteData/LocalStorage/

    • Mobile Cyber Forensic Investigations of Web3 Wallets on Android and iOS

    • https://www.mdpi.com/2076-3417/12/21/11180
    • iOS Analysis Test No. 22-5551 Summary Report

    • https://cts-forensics.com/reports/22-5551_Web.pdf



  • /mobile/Containers/Data/Application/"Apple Maps GUID"/Library/Maps/GeoHistory.mapsdata

    • Just Call Me Buffy the Proto Slayer – An Initial Look into Protobuf Data in Mac and iOS Forensics

    • http://www.mac4n6.com/blog/2019/9/27/just-call-me-buffy-the-proto-slayer-an-initial-look-into-protobuf-data-in-mac-and-ios-forensics
    • ROTTEN TO THE CORE? NAH, IOS14 IS MOSTLY SWEET

    • https://smarterforensics.com/2020/09/rotten-to-the-core-nah-ios14-is-mostly-sweet/
    • HOW THE GRINCH STOLE APPLE MAPS ARTIFACTS… OR DID HE JUST HIDE THEM?

    • https://smarterforensics.com/2016/12/how-the-grinch-stole-apple-maps-artifacts-or-did-he-just-hide-them/
    • FIRST THE GRINCH AND NOW THE EASTER BUNNY! WHERE IS APPLE MAPS HIDING?

    • https://smarterforensics.com/2018/03/first-the-grinch-and-now-the-easter-bunny-where-is-apple-maps-hiding/
    • …WON’T YOU BACK THAT THING UP: A GLIMPSE OF IOS 13 ARTIFACTS

    • https://smarterforensics.com/2019/09/wont-you-back-that-thing-up-a-glimpse-of-ios-13-artifacts/
    • Find Me If You Can: Mobile GPS Mapping Applications Forensic Analysis & SNAVP the Open Source, Modular, Extensible Parser Analysis & SNAVP the Open Source, Modular, Extensible Parser

    • https://commons.erau.edu/cgi/viewcontent.cgi?article=1414&context=jdfsl
    • iOS Analysis Test No. 20-5551 Summary Report

    • https://cts-forensics.com/reports/20-5551_Web.pdf
    • iOS Analysis Test No. 21-5551 Summary Report

    • https://cts-forensics.com/reports/21-5551_Web.pdf
    • iOS Analysis Test No. 22-5551 Summary Report

    • https://cts-forensics.com/reports/22-5551_Web.pdf
    • iOS Forensics: HFS+ file system, partitions and relevant evidences

    • https://andreafortuna.org/2020/08/31/ios-forensics-hfs-file-system-partitions-and-relevant-evidences/
    • Practical Mobile Forensics - Fourth Edition

    • https://www.packtpub.com/product/practical-mobile-forensics-fourth-edition/9781838647520



  • /mobile/Containers/Data/Application/"Apple Maps GUID"/Library/Preferences/com.apple.Maps.plist

    • HOW THE GRINCH STOLE APPLE MAPS ARTIFACTS… OR DID HE JUST HIDE THEM?

    • https://smarterforensics.com/2016/12/how-the-grinch-stole-apple-maps-artifacts-or-did-he-just-hide-them/
    • FIRST THE GRINCH AND NOW THE EASTER BUNNY! WHERE IS APPLE MAPS HIDING?

    • https://smarterforensics.com/2018/03/first-the-grinch-and-now-the-easter-bunny-where-is-apple-maps-hiding/
    • …WON’T YOU BACK THAT THING UP: A GLIMPSE OF IOS 13 ARTIFACTS

    • https://smarterforensics.com/2019/09/wont-you-back-that-thing-up-a-glimpse-of-ios-13-artifacts/
    • iOS Forensics: BFU (Before First Unlock) acquisition, using checkra1n

    • https://andreafortuna.org/2020/01/10/ios-forensics-bfu-before-first-unlock-acquisition-using-checkra1n/
    • iOS Forensics: HFS+ file system, partitions and relevant evidences

    • https://andreafortuna.org/2020/08/31/ios-forensics-hfs-file-system-partitions-and-relevant-evidences/
    • Practical Mobile Forensics - Fourth Edition

    • https://www.packtpub.com/product/practical-mobile-forensics-fourth-edition/9781838647520



  • /mobile/Containers/Shared/AppGroup/"Apple Maps GUID"/Maps/MapsSync_0.0.1

    • What Apple Maps Activity Can be Found Using a Logical Extraction

    • https://lordtemplar1.wordpress.com/2022/05/08/what-apple-maps-activity-can-be-found-using-a-logical-extraction/
    • iOS14 Maps History BLOB Script

    • http://cheeky4n6monkey.blogspot.com/2020/11/ios14-maps-history-blob-script.html
      https://github.com/cheeky4n6monkey/4n6-scripts/blob/master/iOS/ios14_maps_history.py
    • ROTTEN TO THE CORE? NAH, IOS14 IS MOSTLY SWEET

    • https://smarterforensics.com/2020/09/rotten-to-the-core-nah-ios14-is-mostly-sweet/
    • iLEAPP Maps Sync Plugin

    • https://github.com/abrignoni/iLEAPP/blob/main/scripts/artifacts/mapsSync.py




"/mobile/Library/" folder





  • /mobile/Library/Accounts/Accounts3.sqlite

    • iOS Analysis Test No. 19-5551 Summary Report

    • https://cts-forensics.com/reports/19-5551_Web.pdf
    • iOS Analysis Test No. 20-5551 Summary Report

    • https://cts-forensics.com/reports/20-5551_Web.pdf
    • iOS Analysis Test No. 21-5551 Summary Report

    • https://cts-forensics.com/reports/21-5551_Web.pdf
    • iOS Analysis Test No. 22-5551 Summary Report

    • https://cts-forensics.com/reports/22-5551_Web.pdf
    • Checkra1n Era - Ep 4 - Analyzing extractions "Before First Unlock"

    • https://blog.digital-forensics.it/2019/12/checkra1n-era-ep-4-analyzing.html
    • iOS - Tracking Device Migration

    • https://blog.d204n6.com/2021/06/ios-tracking-device-migration.html
    • iOS Forensics: BFU (Before First Unlock) acquisition, using checkra1n

    • https://andreafortuna.org/2020/01/10/ios-forensics-bfu-before-first-unlock-acquisition-using-checkra1n/
    • Cellebrite CTF 2022 - Beth's iPhone

    • https://www.stark4n6.com/2022/06/cellebrite-ctf-2022-beths-iphone.html
    • Magnet Forensics Virtual Summit 2023 CTF – iOS

    • https://www.forgottennook.com/blog/magnet-ios-2023
    • Case Study: Forensic Analysis of TikTok on iOS

    • https://dfir.pubpub.org/pub/h6vyh33u/release/1
    • iLEAPP Accounts Plugin

    • https://github.com/abrignoni/iLEAPP/blob/main/scripts/artifacts/accs.py
    • Accounts3.sqlite query

    • https://github.com/kacos2000/Queries/blob/master/Accounts3_sqlite.sql
    • iOS Forensics for Investigators

    • https://www.packtpub.com/product/ios-forensics-for-investigators/9781803234083



  • /mobile/Library/AddressBook/AddressBook.sqlitedb

    • Getting Started with iOS Forensics

    • https://www.systoolsgroup.com/forensics/sqlite/ios.html
    • Identification and analysis of email and contacts artefacts on iOS and OS X

    • https://researchonline.gcu.ac.uk/ws/portalfiles/portal/24600592/K.Ovens_PID4325955.pdf
    • TIME IS NOT ON OUR SIDE WHEN IT COMES TO MESSAGES IN IOS 11

    • https://smarterforensics.com/2017/09/time-is-not-on-our-side-when-it-comes-to-messages-in-ios-11/
    • …WON’T YOU BACK THAT THING UP: A GLIMPSE OF IOS 13 ARTIFACTS

    • https://smarterforensics.com/2019/09/wont-you-back-that-thing-up-a-glimpse-of-ios-13-artifacts/
    • ROTTEN TO THE CORE? NAH, IOS14 IS MOSTLY SWEET

    • https://smarterforensics.com/2020/09/rotten-to-the-core-nah-ios14-is-mostly-sweet/
    • How To Identify When an IPhone or iPad was Factory Reset

    • https://athenaforensics.co.uk/how-to-identify-when-an-iphone-or-ipad-was-factory-reset/
    • A Digital Forensic Analysis on the iCloud® and its Synchronization to Apple® Devices

    • https://www.marshall.edu/forensics/files/FRIEDMANRACHEL-Research-Paper-08242012.pdf
    • Upgrade From NULL—Detecting iOS Wipe Artifacts

    • https://dfir.pubpub.org/pub/6i7d593n/release/1
    • iOS Analysis Test No. 18-5551 Summary Report

    • https://cts-forensics.com/reports/38551_Web.pdf
    • iOS Analysis Test No. 19-5551 Summary Report

    • https://cts-forensics.com/reports/19-5551_Web.pdf
    • iOS Analysis Test No. 20-5551 Summary Report

    • https://cts-forensics.com/reports/20-5551_Web.pdf
    • iOS Analysis Test No. 21-5551 Summary Report

    • https://cts-forensics.com/reports/21-5551_Web.pdf
    • iOS Analysis Test No. 22-5551 Summary Report

    • https://cts-forensics.com/reports/22-5551_Web.pdf
    • AddressBook.sqlitedb query

    • https://github.com/kacos2000/Queries/blob/master/AddressBook_sqlite.sql
    • iPhone Artifacts - Champlain College

    • https://www.champlain.edu/Documents/LCDI/iPhone%20Artifacts.pdf
    • iLEAPP Address Book Plugin

    • https://github.com/abrignoni/iLEAPP/blob/main/scripts/artifacts/addressBook.py
    • Practical Mobile Forensics - Fourth Edition

    • https://www.packtpub.com/product/practical-mobile-forensics-fourth-edition/9781838647520
    • iOS Forensics for Investigators

    • https://www.packtpub.com/product/ios-forensics-for-investigators/9781803234083



  • /mobile/Library/AddressBook/AddressBookImages.sqlitedb

    • Identification and analysis of email and contacts artefacts on iOS and OS X

    • https://researchonline.gcu.ac.uk/ws/portalfiles/portal/24600592/K.Ovens_PID4325955.pdf
    • IOS 13 – SUMMARY FOR THOSE OF YOU WHO ENJOY THE CLIFFSNOTES

    • https://smarterforensics.com/2019/09/ios-13-summary-for-those-of-you-who-enjoy-the-cliffsnotes/
    • AddressBookImages.sqlitedb query

    • https://github.com/kacos2000/Queries/blob/master/AddressBookImages_sqlite.sql
    • Practical Mobile Forensics - Fourth Edition

    • https://www.packtpub.com/product/practical-mobile-forensics-fourth-edition/9781838647520



  • /mobile/Library/AggregatedDictionary/ADDataStore.sqlitedb

    • Pincodes, Passcodes, & TouchID on iOS - An Introduction to the Aggregate Dictionary Database (ADDataStore.sqlite)

    • https://www.mac4n6.com/blog/2017/3/12/introduction-to-the-aggregate-dictionary-database-addatastoresqlite
    • On the Fifth Day of APOLLO, My True Love Gave to Me – A Stocking Full of Random Junk, Some of Which Might be Useful!

    • https://www.mac4n6.com/blog/2018/12/18/on-the-fifth-day-of-apollo-my-true-love-gave-to-me-a-stocking-full-of-random-junk-some-of-which-might-be-useful
    • FROM APPLE SEEDS TO APPLE PIE

    • https://objectivebythesea.org/v1/talks/OBTS_v1_Edwards.pdf
    • Checkra1n Era - Ep 4 - Analyzing extractions "Before First Unlock"

    • https://blog.digital-forensics.it/2019/12/checkra1n-era-ep-4-analyzing.html
    • iOS Forensics: BFU (Before First Unlock) acquisition, using checkra1n

    • https://andreafortuna.org/2020/01/10/ios-forensics-bfu-before-first-unlock-acquisition-using-checkra1n/
    • Forensics Tools: Stop Miscalculating iOS Usage Analytics!

    • https://www.zdziarski.com/blog/?p=2686
    • SANS 2022 DFIR Summit Queries

    • https://for585.com/dfirsummit22
    • APOLLO ADDataStore Modules

    • https://github.com/mac4n6/APOLLO/blob/master/modules/aggregate_dictionary_scalars.txt
      https://github.com/mac4n6/APOLLO/blob/master/modules/aggregate_dictionary_distributed_keys.txt



  • /mobile/Library/AppConduit/AvailableApps.plist

    • Checkra1n Era - Ep 4 - Analyzing extractions "Before First Unlock"

    • https://blog.digital-forensics.it/2019/12/checkra1n-era-ep-4-analyzing.html



  • /mobile/Library/AppConduit/AvailableCompanionApps.plist

    • Checkra1n Era - Ep 4 - Analyzing extractions "Before First Unlock"

    • https://blog.digital-forensics.it/2019/12/checkra1n-era-ep-4-analyzing.html



  • /mobile/Library/Application Support/com.apple.remotemanagmentd/RMAdminStore-Cloud.sqlite


    /mobile/Library/Application Support/com.apple.remotemanagmentd/RMAdminStore-Local.sqlite

    • Checkra1n Era - Ep 4 - Analyzing extractions "Before First Unlock"

    • https://blog.digital-forensics.it/2019/12/checkra1n-era-ep-4-analyzing.html
    • ScreenTimeController

    • https://github.com/Evian-Zhang/ScreenTimeController/blob/master/README.md
    • Data Quality and Quantity – How to Get the Best of Both Worlds, Part 2 – Examining Screen Time Artifacts

    • https://cellebrite.com/en/data-quality-and-quantity-how-to-get-the-best-of-both-worlds-part-2-examining-screen-time-artifacts/
    • A Look Into Apple’s Screen Time Feature and What Insights It Lends To Digital Intelligence

    • https://cellebrite.com/en/a-look-into-apples-screen-time-feature-and-what-insights-it-lends-to-digital-intelligence/
    • iOS Screentine And Android Digital Wellbeing Apps

    • https://www.forensicfocus.com/webinars/ios-screentine-and-android-digital-wellbeing-apps/
    • Getting Evidence from iOS Screen Time Artifacts

    • https://www.magnetforensics.com/blog/getting-evidence-from-ios-screen-time-artifacts/
    • Plaso iOS SceenTime Parser

    • https://plaso.readthedocs.io/en/latest/_modules/plaso/parsers/sqlite_plugins/ios_screentime.html
    • A Look Into Apple’s Screen Time Feature and What Insights It Lends To Forensics

    • https://www.goldencelle.com/post/a-look-into-apple-s-screen-time-feature-and-what-insights-it-lends-to-forensics
    • Cellebrite CTF 2020: Ruth Langmore

    • https://ciofecaforensics.com/2020/11/02/cellebrite-ctf-ruth/
    • Magnet Forensics Virtual Summit 2023 CTF – iOS

    • https://www.forgottennook.com/blog/magnet-ios-2023
    • Magnet 2022 CTF – iOS15

    • https://bakerstreetforensics.com/2022/07/28/magnet-2022-ctf-ios15/
    • MAC Apt SceenTime Plugin

    • https://github.com/ydkhatri/mac_apt/blob/master/plugins/screentime.py
    • APOLLO ScreenTime Modules

    • https://github.com/mac4n6/APOLLO/blob/master/modules/screentime_timed_items.txt
      https://github.com/mac4n6/APOLLO/blob/master/modules/screentime_counted_items.txt
      https://github.com/mac4n6/APOLLO/blob/master/modules/screentime_by_hour.txt
      https://github.com/mac4n6/APOLLO/blob/master/modules/screentime_by_category.txt



  • /mobile/Library/ApplicationSync/AssetSortOrder.plist

    • Checkra1n Era - Ep 4 - Analyzing extractions "Before First Unlock"

    • https://blog.digital-forensics.it/2019/12/checkra1n-era-ep-4-analyzing.html



  • /mobile/Library/Assistant/SiriAnalytics.db

    • Sysdiagnose in iOS 16: a first look from a Digital Forensics perspective

    • https://blog.digital-forensics.it/2022/11/sysdiagnose-in-ios-16-first-look-from.html



  • /mobile/Library/Biome/

    • Analyzing iOS Biome AppIntent Files

    • https://bluecrewforensics.com/2022/03/07/ios-app-intents/
    • iOS 16 - Now You 'C' It, Now You Don't -- Breaking Down The Biomes Part 1

    • https://blog.d204n6.com/2022/09/ios-16-now-you-c-it-now-you-dont.html
    • iOS 16 Breaking Down the Biomes Part 2 - AppInstalls, AppLaunch, & AppIntents

    • https://blog.d204n6.com/2022/09/ios-16-breaking-down-biomes-part-2.html
    • iOS 16 - Breaking Down the Biomes (Part 3) - Keeping up with CarPlay

    • https://blog.d204n6.com/2022/09/ios-16-breaking-down-biomes-part-3.html
    • iOS 16 - Breaking Down the Biomes (Part 4) - Surfin' with Safari

    • https://blog.d204n6.com/2022/09/ios-16-breaking-down-biomes-part-4.html
    • iOS 16 - Breaking Down the Biomes Part 5 -- "Hey Siri, find me some more data..."

    • https://blog.d204n6.com/2022/09/ios-16-breaking-down-biomes-part-5-hey.html
    • Bringing it Back With Biome Data

    • https://www.magnetforensics.com/blog/bringing-it-back-with-biome-data/
    • An Alternate Location for Deleted SMS/iMessage Data in Apple Devices

    • https://sqlmcgee.wordpress.com/2022/03/28/an-alternate-location-for-deleted-sms-imessage-data-in-apple-devices-2/
      https://dfir.pubpub.org/pub/yp6efc8q/release/1
    • Lagging for the Win: Querying for Negative Evidence in the sms.db

    • https://belkasoft.com/lagging-for-win
    • The Meaning of Messages

    • https://www.magnetforensics.com/blog/the-meaning-of-messages/
    • Magnet Forensics Virtual Summit 2023 CTF – iOS

    • https://www.forgottennook.com/blog/magnet-ios-2023
    • Magnet Virtual Summit 2023 CTF - iOS 16 iPhone

    • https://www.stark4n6.com/2023/03/magnet-virtual-summit-2023-ctf-ios-16.html
    • iLEAPP Biome Plugins

    • https://github.com/abrignoni/iLEAPP/blob/main/scripts/artifacts/biomeAppinstall.py
      https://github.com/abrignoni/iLEAPP/blob/main/scripts/artifacts/biomeBacklight.py
      https://github.com/abrignoni/iLEAPP/blob/main/scripts/artifacts/biomeBattperc.py
      https://github.com/abrignoni/iLEAPP/blob/main/scripts/artifacts/biomeBluetooth.py
      https://github.com/abrignoni/iLEAPP/blob/main/scripts/artifacts/biomeCarplayisconnected.py
      https://github.com/abrignoni/iLEAPP/blob/main/scripts/artifacts/biomeDevplugin.py
      https://github.com/abrignoni/iLEAPP/blob/main/scripts/artifacts/biomeHardware.py
      https://github.com/abrignoni/iLEAPP/blob/main/scripts/artifacts/biomeInfocus.py
      https://github.com/abrignoni/iLEAPP/blob/main/scripts/artifacts/biomeIntents.py
      https://github.com/abrignoni/iLEAPP/blob/main/scripts/artifacts/biomeLocationactivity.py
      https://github.com/abrignoni/iLEAPP/blob/main/scripts/artifacts/biomeNotes.py
      https://github.com/abrignoni/iLEAPP/blob/main/scripts/artifacts/biomeNotificationsPub.py
      https://github.com/abrignoni/iLEAPP/blob/main/scripts/artifacts/biomeNowplaying.py
      https://github.com/abrignoni/iLEAPP/blob/main/scripts/artifacts/biomeSafari.py
      https://github.com/abrignoni/iLEAPP/blob/main/scripts/artifacts/biomeSync.py
      https://github.com/abrignoni/iLEAPP/blob/main/scripts/artifacts/biomeTextinputses.py
      https://github.com/abrignoni/iLEAPP/blob/main/scripts/artifacts/biomeUseractmeta.py
      https://github.com/abrignoni/iLEAPP/blob/main/scripts/artifacts/biomeWifi.py



  • /mobile/Library/BulletinBoard/ClearedSections.plist

    • Artifacts of an IOS device

    • https://infosecaddicts.com/artifacts-ios-device/
    • iOS Forensics: HFS+ file system, partitions and relevant evidences

    • https://andreafortuna.org/2020/08/31/ios-forensics-hfs-file-system-partitions-and-relevant-evidences/



  • /mobile/Library/Caches/com.apple.Pasteboard/*


  • /mobile/Library/Caches/com.apple.findmy.fmipcore/

    • Stored AirTag (and Other) Aritfacts

    • https://blog.d204n6.com/2022/04/airtag-youre-it.html
    • AirTags within iOS File Systems

    • https://medium.com/@Appalachian4n6/airtags-within-ios-file-systems-279dc783b69f
    • iLEAPP AirTags Plugin

    • https://github.com/abrignoni/iLEAPP/blob/main/scripts/artifacts/airtags.py



  • /mobile/Library/Caches/com.apple.routined/Cache.sqlite

    • Locations, Locations, Locations

    • https://doubleblak.com/blogPosts.php?id=14
      https://doubleblak.com/BlogArticles/14/PDF2.pdf
    • On the Tenth Day of APOLLO, My True Love Gave to Me – An Oddly Detailed Map of My Recent Travels – iOS Location Analysis

    • http://www.mac4n6.com/blog/2018/12/23/on-the-tenth-day-of-apollo-my-true-love-gave-to-me-an-oddly-detailed-map-of-my-recent-travels-ios-location-analysis
    • FROM APPLE SEEDS TO APPLE PIE

    • https://objectivebythesea.org/v1/talks/OBTS_v1_Edwards.pdf
    • iOS Location Artifacts Explained

    • https://cellebrite.com/en/ios-location-artifacts-explained/
    • Location Data on iOS and Android Devices

    • https://cellebrite.com/en/episode-15-ibeg-to-dfir-location-data-on-ios-and-android-devices/
    • Apple Probably Knows What You Did Last Summer

    • https://blog.elcomsoft.com/2018/06/apple-probably-knows-what-you-did-last-summer/
    • UAV Forensics: DJI Mini 2 Case Study

    • https://www.researchgate.net/publication/352058134_UAV_Forensics_DJI_Mini_2_Case_Study
    • Magnet User Summit 2022 CTF - iPhone

    • https://www.stark4n6.com/2022/06/magnet-user-summit-2022-ctf-iphone.html
    • Building a Pattern of Life - Leveraging Location and Health Data

    • https://www.youtube.com/watch?v=eU7THDwFkiM
    • SANS 2022 DFIR Summit Queries

    • https://for585.com/dfirsummit22
    • iPhone Device Speeds via Cache.sqlite > ZRTCLLOCATIONMO table

    • https://theforensicscooter.com/2021/09/22/iphone-device-speeds-in-cache-sqlite-zrtcllocationmo/
    • Vehicle and iPhone Speed Comparison

    • https://theforensicscooter.com/2022/07/01/vehicle-and-iphone-speed-comparison/
    • Cache.sqlite query

    • https://github.com/ScottKjr3347/iOS_Cache.sqlite_Queries
    • APOLLO iOS Routined Cache Modules

    • https://github.com/mac4n6/APOLLO/blob/master/modules/routined_cache_zrtcllocationmo.txt
      https://github.com/mac4n6/APOLLO/blob/master/modules/routined_cache_zrthintmo.txt
      https://github.com/mac4n6/APOLLO/blob/master/modules/routined_cache_zrvisitmo.txt
    • iOS Forensics for Investigators

    • https://www.packtpub.com/product/ios-forensics-for-investigators/9781803234083



  • /mobile/Library/Caches/com.apple.routined/Cloud.sqlite


    /mobile/Library/Caches/com.apple.routined/Cloud-V2.sqlite

    • Locations, Locations, Locations

    • https://doubleblak.com/blogPosts.php?id=14
      https://doubleblak.com/BlogArticles/14/PDF2.pdf
    • On the Tenth Day of APOLLO, My True Love Gave to Me – An Oddly Detailed Map of My Recent Travels – iOS Location Analysis

    • http://www.mac4n6.com/blog/2018/12/23/on-the-tenth-day-of-apollo-my-true-love-gave-to-me-an-oddly-detailed-map-of-my-recent-travels-ios-location-analysis
    • FROM APPLE SEEDS TO APPLE PIE

    • https://objectivebythesea.org/v1/talks/OBTS_v1_Edwards.pdf
    • iOS Location Artifacts Explained

    • https://cellebrite.com/en/ios-location-artifacts-explained/
    • Location Data on iOS and Android Devices

    • https://cellebrite.com/en/episode-15-ibeg-to-dfir-location-data-on-ios-and-android-devices/
    • Cellebrite CTF 2021 - Beth's iPhone

    • https://www.stark4n6.com/2021/10/cellebrite-ctf-2021-beths-iphone.html
    • Apple Probably Knows What You Did Last Summer

    • https://blog.elcomsoft.com/2018/06/apple-probably-knows-what-you-did-last-summer/
    • Smartphone Privacy: How Your Smartphone Tracks Your Entire Life

    • https://conference.hitb.org/hitbsecconf2018pek/materials/D2T2%20-%20How%20Your%20Smartphone%20Tracks%20Your%20Entire%20Life%20-%20Vladimir%20Katalov.pdf
    • Building a Pattern of Life - Leveraging Location and Health Data

    • https://www.youtube.com/watch?v=eU7THDwFkiM
    • SANS 2022 DFIR Summit Queries

    • https://for585.com/dfirsummit22
    • APOLLO iOS Routined Cloud Modules

    • https://github.com/mac4n6/APOLLO/blob/master/modules/routined_cloud_visit_entry.txt
      https://github.com/mac4n6/APOLLO/blob/master/modules/routined_cloud_visit_exit.txt
      https://github.com/mac4n6/APOLLO/blob/master/modules/routined_cloud_visit_inbound_start.txt
      https://github.com/mac4n6/APOLLO/blob/master/modules/routined_cloud_visit_inbound_stop.txt
      https://github.com/mac4n6/APOLLO/blob/master/modules/routined_cloud_visit_outbound_start.txt
      https://github.com/mac4n6/APOLLO/blob/master/modules/routined_cloud_visit_outbound_stop.txt
      https://github.com/mac4n6/APOLLO/blob/master/modules/routined_cloud_address.txt
      https://github.com/mac4n6/APOLLO/blob/master/modules/routined_cloud_mapitem.txt
    • iOS Forensics for Investigators

    • https://www.packtpub.com/product/ios-forensics-for-investigators/9781803234083



  • /mobile/Library/Caches/com.apple.routined/Local.sqlite

    • Locations, Locations, Locations

    • https://doubleblak.com/blogPosts.php?id=14


      https://doubleblak.com/BlogArticles/14/PDF2.pdf
    • On the Tenth Day of APOLLO, My True Love Gave to Me – An Oddly Detailed Map of My Recent Travels – iOS Location Analysis

    • http://www.mac4n6.com/blog/2018/12/23/on-the-tenth-day-of-apollo-my-true-love-gave-to-me-an-oddly-detailed-map-of-my-recent-travels-ios-location-analysis
    • FROM APPLE SEEDS TO APPLE PIE

    • https://objectivebythesea.org/v1/talks/OBTS_v1_Edwards.pdf
    • iOS Location Artifacts Explained

    • https://cellebrite.com/en/ios-location-artifacts-explained/
    • Location Data on iOS and Android Devices

    • https://cellebrite.com/en/episode-15-ibeg-to-dfir-location-data-on-ios-and-android-devices/
    • Building a Pattern of Life - Leveraging Location and Health Data

    • https://www.youtube.com/watch?v=eU7THDwFkiM
    • SANS 2022 DFIR Summit Queries

    • https://for585.com/dfirsummit22
    • Cellebrite CTF 2022 - Beth's iPhone

    • https://www.stark4n6.com/2022/06/cellebrite-ctf-2022-beths-iphone.html
    • Smartphone Privacy: How Your Smartphone Tracks Your Entire Life

    • https://conference.hitb.org/hitbsecconf2018pek/materials/D2T2%20-%20How%20Your%20Smartphone%20Tracks%20Your%20Entire%20Life%20-%20Vladimir%20Katalov.pdf
    • APOLLO iOS Routined Local Modules

    • https://github.com/mac4n6/APOLLO/blob/master/modules/routined_local_learned_location_of_interest_entry.txt
      https://github.com/mac4n6/APOLLO/blob/master/modules/routined_local_learned_location_of_interest_exit.txt
      https://github.com/mac4n6/APOLLO/blob/master/modules/routined_local_learned_location_of_interest_transition_start.txt
      https://github.com/mac4n6/APOLLO/blob/master/modules/routined_local_learned_location_of_interest_transition_stop.txt
      https://github.com/mac4n6/APOLLO/blob/master/modules/routined_local_vehicle_parked.txt
      https://github.com/mac4n6/APOLLO/blob/master/modules/routined_local_vehicle_parked_history.txt
    • iOS Forensics for Investigators

    • https://www.packtpub.com/product/ios-forensics-for-investigators/9781803234083



  • /mobile/Library/Calendar/Calendar.sqlitedb

    • Checkra1n Era - Ep 4 - Analyzing extractions "Before First Unlock"

    • https://blog.digital-forensics.it/2019/12/checkra1n-era-ep-4-analyzing.html
    • iOS Analysis Test No. 18-5551 Summary Report

    • https://cts-forensics.com/reports/38551_Web.pdf
    • iOS Analysis Test No. 20-5551 Summary Report

    • https://cts-forensics.com/reports/20-5551_Web.pdf
    • iOS Analysis Test No. 21-5551 Summary Report

    • https://cts-forensics.com/reports/21-5551_Web.pdf
    • iOS Analysis Test No. 22-5551 Summary Report

    • https://cts-forensics.com/reports/22-5551_Web.pdf
    • Magnet User Summit 2022 CTF - iPhone

    • https://www.stark4n6.com/2022/06/magnet-user-summit-2022-ctf-iphone.html
    • Calendar.sqlitedb query

    • https://github.com/kacos2000/queries/blob/master/calendar_sqlitedb.sql
    • iLEAPP Calendar Plugin

    • https://github.com/abrignoni/iLEAPP/blob/main/scripts/artifacts/calendarAll.py
    • Practical Mobile Forensics - Fourth Edition

    • https://www.packtpub.com/product/practical-mobile-forensics-fourth-edition/9781838647520



  • /mobile/Library/Calendar/Extras.db

    • Extras.db query

    • https://github.com/kacos2000/queries/blob/master/calendar_extras.sql



  • /mobile/Library/CallHistoryDB/CallHistory.storedata

    • Missing SQLite Records Analysis

    • https://dfir.pubpub.org/pub/33vkc2ul/release/1
    • A GLIMPSE OF IOS 10 FROM A SMARTPHONE FORENSIC PERSPECTIVE

    • https://smarterforensics.com/2016/09/a-glimpse-of-ios-10-from-a-smartphone-forensic-perspective/
    • TIME IS NOT ON OUR SIDE WHEN IT COMES TO MESSAGES IN IOS 11

    • https://smarterforensics.com/2017/09/time-is-not-on-our-side-when-it-comes-to-messages-in-ios-11/
    • …WON’T YOU BACK THAT THING UP: A GLIMPSE OF IOS 13 ARTIFACTS

    • https://smarterforensics.com/2019/09/wont-you-back-that-thing-up-a-glimpse-of-ios-13-artifacts/
    • IOS 13 – SUMMARY FOR THOSE OF YOU WHO ENJOY THE CLIFFSNOTES

    • https://smarterforensics.com/2019/09/ios-13-summary-for-those-of-you-who-enjoy-the-cliffsnotes/
    • ROTTEN TO THE CORE? NAH, IOS14 IS MOSTLY SWEET

    • https://smarterforensics.com/2020/09/rotten-to-the-core-nah-ios14-is-mostly-sweet/
    • How To Identify When an IPhone or iPad was Factory Reset

    • https://athenaforensics.co.uk/how-to-identify-when-an-iphone-or-ipad-was-factory-reset/
    • iOS 14 - First Thoughts and Analysis

    • https://blog.d204n6.com/2020/09/ios-14-first-thoughts-and-analysis.html
    • Cellebrite CTF 2022 - Marsha's iPhone

    • https://www.stark4n6.com/2022/06/cellebrite-ctf-2022-marshas-iphone.html
    • Mo’ SIMs, Mo’ Problems. Examining Phones with Dual SIMs.

    • https://thebinaryhick.blog/2022/12/06/mo-sims-mo-problems-examining-phones-with-dual-sims/
    • iOS Analysis Test No. 18-5551 Summary Report

    • https://cts-forensics.com/reports/38551_Web.pdf
    • iOS Analysis Test No. 19-5551 Summary Report

    • https://cts-forensics.com/reports/19-5551_Web.pdf
    • iOS Analysis Test No. 20-5551 Summary Report

    • https://cts-forensics.com/reports/20-5551_Web.pdf
    • iOS Analysis Test No. 21-5551 Summary Report

    • https://cts-forensics.com/reports/21-5551_Web.pdf
    • iOS Analysis Test No. 22-5551 Summary Report

    • https://cts-forensics.com/reports/22-5551_Web.pdf
    • CallHistory Query

    • https://github.com/kacos2000/queries/blob/master/callhistory_storedata.sql
    • APOLLO CallHistory Module

    • https://github.com/mac4n6/APOLLO/blob/master/modules/call_history.txt
    • iLEAPP CallHistory Plugin

    • https://github.com/abrignoni/iLEAPP/blob/main/scripts/artifacts/callHistory.py
    • Practical Mobile Forensics - Fourth Edition

    • https://www.packtpub.com/product/practical-mobile-forensics-fourth-edition/9781838647520
    • iOS Forensics for Investigators

    • https://www.packtpub.com/product/ios-forensics-for-investigators/9781803234083



  • /mobile/Library/CallHistoryDB/CallHistoryTemp.storedata

    • Checkra1n Era - Ep 4 - Analyzing extractions "Before First Unlock"

    • https://blog.digital-forensics.it/2019/12/checkra1n-era-ep-4-analyzing.html
    • …WON’T YOU BACK THAT THING UP: A GLIMPSE OF IOS 13 ARTIFACTS

    • https://smarterforensics.com/2019/09/wont-you-back-that-thing-up-a-glimpse-of-ios-13-artifacts/
    • iOS Forensics for Investigators

    • https://www.packtpub.com/product/ios-forensics-for-investigators/9781803234083



  • /mobile/Library/CallHistoryTransactions/


  • /mobile/Library/com.apple.ClipServices.clipserviced/ClipData.db

    • iOS 14 - Tracking App Clips in iOS 14

    • https://blog.d204n6.com/2020/09/ios-14-tracking-app-clips-in-ios-14.html



  • /mobile/Library/com.apple.itunesstored/itunesstored2.sqlitedb

    • Checkra1n Era - Ep 4 - Analyzing extractions "Before First Unlock"

    • https://blog.digital-forensics.it/2019/12/checkra1n-era-ep-4-analyzing.html
    • iOS Forensics: BFU (Before First Unlock) acquisition, using checkra1n

    • https://andreafortuna.org/2020/01/10/ios-forensics-bfu-before-first-unlock-acquisition-using-checkra1n/
    • iOS Forensics: HFS+ file system, partitions and relevant evidences

    • https://andreafortuna.org/2020/08/31/ios-forensics-hfs-file-system-partitions-and-relevant-evidences/



  • /mobile/Library/com.apple.itunesstored/kvs.sqlitedb

    • Checkra1n Era - Ep 4 - Analyzing extractions "Before First Unlock"

    • https://blog.digital-forensics.it/2019/12/checkra1n-era-ep-4-analyzing.html



  • /mobile/Library/CoreDuet/Knowledge/knowledgeC.db

    • Knowledge is Power! Using the macOS/iOS knowledgeC.db Database to Determine Precise User and Application Usage

    • http://www.mac4n6.com/blog/2018/8/5/knowledge-is-power-using-the-knowledgecdb-database-on-macos-and-ios-to-determine-precise-user-and-application-usage
    • Knowledge is Power II – A Day in the Life of My iPhone using knowledgeC.db

    • https://www.mac4n6.com/blog/2018/9/12/knowledge-is-power-ii-a-day-in-the-life-of-my-iphone-using-knowledgecdb
    • Extensive knowledgeC APOLLO Updates!

    • https://www.mac4n6.com/blog/2020/6/17/extensive-knowledgec-apollo-updates
    • Socially Distant but Still Interacting! New and Improved Updates to macOS/iOS CoreDuet interactionC.db APOLLO Modules

    • https://www.mac4n6.com/blog/2020/6/21/socially-distant-but-still-interacting-new-and-improved-updates-to-macosios-coreduet-interactioncdb-apollo-modules
    • Providing Context to iOS App Usage with knowledgeC.db and APOLLO

    • https://www.mac4n6.com/blog/2020/1/13/apollo-into-the-details-with-application-activities
    • On the Third Day of APOLLO, My True Love Gave to Me – Application Usage to Determine Who Has Been Naughty or Nice

    • https://www.mac4n6.com/blog/2018/12/16/on-the-third-day-of-apollo-my-true-love-gave-to-me-application-usage-to-determine-who-has-been-naughty-or-nice
    • On the Fourth Day of APOLLO, My True Love Gave to Me – Media Analysis to Prove You Listened to “All I Want for Christmas is You” Over and Over Since Before Thanksgiving

    • https://www.mac4n6.com/blog/2018/12/17/on-the-fourth-day-of-apollo-my-true-love-gave-to-me-media-analysis-to-prove-you-listened-to-all-i-want-for-christmas-is-you-over-and-over-since-before-thanksgiving
    • On the Sixth Day of APOLLO, My True Love Gave to Me – Blinky Things with Buttons – Device Status Analysis

    • https://www.mac4n6.com/blog/2018/12/19/on-the-sixth-day-of-apollo-my-true-love-gave-to-me-blinky-things-with-buttons-device-status-analysis
    • On the Eighth Day of APOLLO, My True Love Gave to Me – A Glorious Lightshow – Analysis of Device Connections

    • http://www.mac4n6.com/blog/2018/12/21/on-the-eighth-day-of-apollo-my-true-love-gave-to-me-a-glorious-lightshow-analysis-of-device-connections
    • Smartphone Privacy: How Your Smartphone Tracks Your Entire Life

    • https://conference.hitb.org/hitbsecconf2018pek/materials/D2T2%20-%20How%20Your%20Smartphone%20Tracks%20Your%20Entire%20Life%20-%20Vladimir%20Katalov.pdf
    • Apple TV Forensics 03: Analysis

    • https://blog.elcomsoft.com/2019/09/apple-tv-forensics-03-analysis/
    • iOS KnowledgeC.db Notifications

    • https://theforensicscooter.com/2021/10/03/ios-knowledgec-db-notifications/
    • iOS KnowledgeC.db Notifications

    • https://dfir.pubpub.org/pub/g2v1z97i/release/1
    • KnowledgeC: Now Playing entries

    • https://www.forensicmike1.com/2019/10/07/knowledgec-now-playing-entries/
    • USING PHOTOS.SQLITE TO SHOW THE RELATIONSHIPS BETWEEN PHOTOS AND THE APPLICATION THEY WERE CREATED WITH? BY SCOTT KOENIG

    • https://dfir.pubpub.org/pub/v19rksyf/release/1
      https://smarterforensics.com/2020/08/does-photos-sqlite-have-relations-with-cameramessagesapp-by-scott-koenig/
    • KnowledgeC (and Friends)

    • http://www.doubleblak.com/m/blogPosts.php?id=2
    • Building a Pattern of Life - Leveraging Location and Health Data

    • https://www.youtube.com/watch?v=eU7THDwFkiM
    • iOS 16 - Now You 'C' It, Now You Don't -- Breaking Down The Biomes Part 1

    • https://blog.d204n6.com/2022/09/ios-16-now-you-c-it-now-you-dont.html
    • iOS - Tracking Traces of Deleted Applications

    • https://blog.d204n6.com/2019/09/ios-tracking-traces-of-deleted.html
    • Tracking Traces of Deleted Applications - SANS DFIR Summit 2019

    • https://www.youtube.com/watch?v=4LcQm4ErXpA
    • iOS Analysis Test No. 22-5551 Summary Report

    • https://cts-forensics.com/reports/22-5551_Web.pdf
    • Magnet User Summit 2022 CTF - iPhone

    • https://www.stark4n6.com/2022/06/magnet-user-summit-2022-ctf-iphone.html
    • KwnoledgeC queries

    • https://github.com/ScottKjr3347/iOS_KnowledgeC.db_Queries
    • SANS 2022 DFIR Summit Queries

    • https://for585.com/dfirsummit22
    • APOLLO KnowledgeC Modules

    • https://github.com/mac4n6/APOLLO/blob/master/modules/knowledge_activity_level.txt
      https://github.com/mac4n6/APOLLO/blob/master/modules/knowledge_activity_level_feedback.txt
      https://github.com/mac4n6/APOLLO/blob/master/modules/knowledge_airplay_prediction.txt
      https://github.com/mac4n6/APOLLO/blob/master/modules/knowledge_app_activity.txt
      https://github.com/mac4n6/APOLLO/blob/master/modules/knowledge_app_activity_calendar.txt
      https://github.com/mac4n6/APOLLO/blob/master/modules/knowledge_app_activity_clock.txt
      https://github.com/mac4n6/APOLLO/blob/master/modules/knowledge_app_activity_mail.txt
      https://github.com/mac4n6/APOLLO/blob/master/modules/knowledge_app_activity_maps.txt
      https://github.com/mac4n6/APOLLO/blob/master/modules/knowledge_app_activity_notes.txt
      https://github.com/mac4n6/APOLLO/blob/master/modules/knowledge_app_activity_passbook.txt
      https://github.com/mac4n6/APOLLO/blob/master/modules/knowledge_app_activity_photos.txt
      https://github.com/mac4n6/APOLLO/blob/master/modules/knowledge_app_activity_safari.txt
      https://github.com/mac4n6/APOLLO/blob/master/modules/knowledge_app_activity_weather.txt
      https://github.com/mac4n6/APOLLO/blob/master/modules/knowledge_app_inFocus.txt
      https://github.com/mac4n6/APOLLO/blob/master/modules/knowledge_app_install.txt
      https://github.com/mac4n6/APOLLO/blob/master/modules/knowledge_app_intents.txt
      https://github.com/mac4n6/APOLLO/blob/master/modules/knowledge_app_location_activity.txt
      https://github.com/mac4n6/APOLLO/blob/master/modules/knowledge_app_media_usage.txt
      https://github.com/mac4n6/APOLLO/blob/master/modules/knowledge_app_relevantshortcuts.txt
      https://github.com/mac4n6/APOLLO/blob/master/modules/knowledge_app_usage.txt
      https://github.com/mac4n6/APOLLO/blob/master/modules/knowledge_app_webusage.txt
      https://github.com/mac4n6/APOLLO/blob/master/modules/knowledge_audio_bluetooth_connected.txt
      https://github.com/mac4n6/APOLLO/blob/master/modules/knowledge_audio_input_route.txt
      https://github.com/mac4n6/APOLLO/blob/master/modules/knowledge_audio_media_nowplaying.txt
      https://github.com/mac4n6/APOLLO/blob/master/modules/knowledge_audio_output_route.txt
      https://github.com/mac4n6/APOLLO/blob/master/modules/knowledge_calendar_event_title.txt
      https://github.com/mac4n6/APOLLO/blob/master/modules/knowledge_charging_smart_topoff_checkpoint.txt
      https://github.com/mac4n6/APOLLO/blob/master/modules/knowledge_dasd_activity_profile.txt
      https://github.com/mac4n6/APOLLO/blob/master/modules/knowledge_dasd_battery_temperature.txt
      https://github.com/mac4n6/APOLLO/blob/master/modules/knowledge_dasd_control_effort.txt
      https://github.com/mac4n6/APOLLO/blob/master/modules/knowledge_device_battery_saver.txt
      https://github.com/mac4n6/APOLLO/blob/master/modules/knowledge_device_batterylevel.txt
      https://github.com/mac4n6/APOLLO/blob/master/modules/knowledge_device_carplay_connected.txt
      https://github.com/mac4n6/APOLLO/blob/master/modules/knowledge_device_inferred_motion.txt
      https://github.com/mac4n6/APOLLO/blob/master/modules/knowledge_device_is_backlit.txt
      https://github.com/mac4n6/APOLLO/blob/master/modules/knowledge_device_keybag_locked.txt
      https://github.com/mac4n6/APOLLO/blob/master/modules/knowledge_device_locked.txt
      https://github.com/mac4n6/APOLLO/blob/master/modules/knowledge_device_locked_imputed.txt
      https://github.com/mac4n6/APOLLO/blob/master/modules/knowledge_device_low_power_mode.txt
      https://github.com/mac4n6/APOLLO/blob/master/modules/knowledge_device_orientation.txt
      https://github.com/mac4n6/APOLLO/blob/master/modules/knowledge_device_pluggedin.txt
      https://github.com/mac4n6/APOLLO/blob/master/modules/knowledge_device_watch_nearby.txt
      https://github.com/mac4n6/APOLLO/blob/master/modules/knowledge_discoverability_signals.txt
      https://github.com/mac4n6/APOLLO/blob/master/modules/knowledge_discoverability_usage.txt
      https://github.com/mac4n6/APOLLO/blob/master/modules/knowledge_disk_subsystem_access.txt
      https://github.com/mac4n6/APOLLO/blob/master/modules/knowledge_event_tombstone.txt
      https://github.com/mac4n6/APOLLO/blob/master/modules/knowledge_family_prediction.txt
      https://github.com/mac4n6/APOLLO/blob/master/modules/knowledge_inferred_microlocation_visit.txt
      https://github.com/mac4n6/APOLLO/blob/master/modules/knowledge_knowledge_sync_addition_window.txt
      https://github.com/mac4n6/APOLLO/blob/master/modules/knowledge_notification_usage.txt
      https://github.com/mac4n6/APOLLO/blob/master/modules/knowledge_paired_device_nearby.txt
      https://github.com/mac4n6/APOLLO/blob/master/modules/knowledge_photos_deletes_all.txt
      https://github.com/mac4n6/APOLLO/blob/master/modules/knowledge_photos_deletes_recent.txt
      https://github.com/mac4n6/APOLLO/blob/master/modules/knowledge_photos_edit_all.txt
      https://github.com/mac4n6/APOLLO/blob/master/modules/knowledge_photos_engagement.txt
      https://github.com/mac4n6/APOLLO/blob/master/modules/knowledge_photos_favorites_other.txt
      https://github.com/mac4n6/APOLLO/blob/master/modules/knowledge_photos_share_airdrop.txt
      https://github.com/mac4n6/APOLLO/blob/master/modules/knowledge_photos_share_all.txt
      https://github.com/mac4n6/APOLLO/blob/master/modules/knowledge_photos_share_extension.txt
      https://github.com/mac4n6/APOLLO/blob/master/modules/knowledge_portrait_entity.txt
      https://github.com/mac4n6/APOLLO/blob/master/modules/knowledge_portrait_topic.txt
      https://github.com/mac4n6/APOLLO/blob/master/modules/knowledge_safari_browsing.txt
      https://github.com/mac4n6/APOLLO/blob/master/modules/knowledge_segment_monitor.txt
      https://github.com/mac4n6/APOLLO/blob/master/modules/knowledge_settings_doNotDisturb.txt
      https://github.com/mac4n6/APOLLO/blob/master/modules/knowledge_sharesheet_feedback.txt
      https://github.com/mac4n6/APOLLO/blob/master/modules/knowledge_siri.txt
      https://github.com/mac4n6/APOLLO/blob/master/modules/knowledge_siri_activites.txt
      https://github.com/mac4n6/APOLLO/blob/master/modules/knowledge_siri_flow_activity.txt
      https://github.com/mac4n6/APOLLO/blob/master/modules/knowledge_siri_service.txt
      https://github.com/mac4n6/APOLLO/blob/master/modules/knowledge_spotlight_viewer_event.txt
      https://github.com/mac4n6/APOLLO/blob/master/modules/knowledge_standby_timer.txt
      https://github.com/mac4n6/APOLLO/blob/master/modules/knowledge_sync_addition_window.txt
      https://github.com/mac4n6/APOLLO/blob/master/modules/knowledge_sync_deletion_bookmark.txt
      https://github.com/mac4n6/APOLLO/blob/master/modules/knowledge_system_airplane_mode.txt
      https://github.com/mac4n6/APOLLO/blob/master/modules/knowledge_system_tlc.txt
      https://github.com/mac4n6/APOLLO/blob/master/modules/knowledge_system_userwakingevent.txt
      https://github.com/mac4n6/APOLLO/blob/master/modules/knowledge_user_first_backlight_after_wakeup.txt
      https://github.com/mac4n6/APOLLO/blob/master/modules/knowledge_user_interaction_app_directory.txt
      https://github.com/mac4n6/APOLLO/blob/master/modules/knowledge_widget_refresh.txt
      https://github.com/mac4n6/APOLLO/blob/master/modules/knowledge_widget_view.txt
      https://github.com/mac4n6/APOLLO/blob/master/modules/knowledge_widgets_viewed.txt
      https://github.com/mac4n6/APOLLO/blob/master/modules/knowledge_wifi_connection.txt
    • iOS Forensics for Investigators

    • https://www.packtpub.com/product/ios-forensics-for-investigators/9781803234083



  • /mobile/Library/CoreDuet/People/interactionC.db

    • FROM APPLE SEEDS TO APPLE PIE

    • https://objectivebythesea.org/v1/talks/OBTS_v1_Edwards.pdf
    • KnowledgeC (and Friends)

    • http://www.doubleblak.com/m/blogPosts.php?id=2
    • Socially Distant but Still Interacting! New and Improved Updates to macOS/iOS CoreDuet interactionC.db APOLLO Modules

    • http://www.mac4n6.com/blog/2020/6/21/socially-distant-but-still-interacting-new-and-improved-updates-to-macosios-coreduet-interactioncdb-apollo-modules
    • Local Photo Library Photos.sqlite Query Variations & WHERE statements

    • https://theforensicscooter.com/2022/02/21/photos-sqlite-update/
    • Comparison of iOS backups: Encrypted vs Unencrypted

    • https://www.arcpointforensics.com/news/comparison-of-ios-backups
    • SANS 2022 DFIR Summit Queries

    • https://for585.com/dfirsummit22
    • APOLLO interactionC Modules

    • https://github.com/mac4n6/APOLLO/blob/master/modules/interaction_contact_interactions.txt
      https://github.com/mac4n6/APOLLO/blob/master/modules/interaction_contact_interactions_keywords.txt
    • iLEAPP interactionC Plugin

    • https://github.com/abrignoni/iLEAPP/blob/main/scripts/artifacts/interactionCcontacts.py
    • Practical Mobile Forensics - Fourth Edition

    • https://www.packtpub.com/product/practical-mobile-forensics-fourth-edition/9781838647520
    • iOS Forensics for Investigators

    • https://www.packtpub.com/product/ios-forensics-for-investigators/9781803234083



  • /mobile/Library/DataAccess/

    • Checkra1n Era - Ep 4 - Analyzing extractions "Before First Unlock"

    • https://blog.digital-forensics.it/2019/12/checkra1n-era-ep-4-analyzing.html
    • iOS Forensics: BFU (Before First Unlock) acquisition, using checkra1n

    • https://andreafortuna.org/2020/01/10/ios-forensics-bfu-before-first-unlock-acquisition-using-checkra1n/
    • iOS Forensics: HFS+ file system, partitions and relevant evidences

    • https://andreafortuna.org/2020/08/31/ios-forensics-hfs-file-system-partitions-and-relevant-evidences/
    • Artifacts of an IOS device

    • https://infosecaddicts.com/artifacts-ios-device/
    • A Digital Forensic Analysis on the iCloud® and its Synchronization to Apple® Devices

    • https://www.marshall.edu/forensics/files/FRIEDMANRACHEL-Research-Paper-08242012.pdf



  • /mobile/Library/DeviceRegistry.state/activeStateMachine.plist

    • Apple Watch Forensics 02: Analysis

    • https://blog.elcomsoft.com/2019/06/apple-watch-forensics-02-analysis/
    • APPLE WATCH FORENSICS: IS IT EVER POSSIBLE, AND WHAT IS THE PROFIT?

    • https://www.forensicfocus.com/webinars/apple-watch-forensics-is-it-ever-possible-and-what-is-the-profit/
      https://dfrws.org/wp-content/uploads/2019/06/2019_EU_pres-apple_watch_forensics_is_it_ever_possible_and_what_is_the_profit.pdf
    • Data Extraction and Forensic Analysis for Smartphone Paired Wearables and IoT Devices

    • https://www.researchgate.net/publication/339022164_Data_Extraction_and_Forensic_Analysis_for_Smartphone_Paired_Wearables_and_IoT_Devices



  • /mobile/Library/DeviceRegistry.state/historySecureProperties.plist

    • Apple Watch Forensics 02: Analysis

    • https://blog.elcomsoft.com/2019/06/apple-watch-forensics-02-analysis/
    • APPLE WATCH FORENSICS: IS IT EVER POSSIBLE, AND WHAT IS THE PROFIT?

    • https://www.forensicfocus.com/webinars/apple-watch-forensics-is-it-ever-possible-and-what-is-the-profit/
      https://dfrws.org/wp-content/uploads/2019/06/2019_EU_pres-apple_watch_forensics_is_it_ever_possible_and_what_is_the_profit.pdf
    • Data Extraction and Forensic Analysis for Smartphone Paired Wearables and IoT Devices

    • https://www.researchgate.net/publication/339022164_Data_Extraction_and_Forensic_Analysis_for_Smartphone_Paired_Wearables_and_IoT_Devices



  • /mobile/Library/DoNotDisturb/DB/Settings.sqlite


  • /mobile/Library/DoNotDisturb/DB/IDSSyncEngineMetadata.plist

    • iOS 16 - Breaking Down the Biomes (Part 3) - Keeping up with CarPlay

    • https://blog.d204n6.com/2022/09/ios-16-breaking-down-biomes-part-3.html



  • /mobile/Library/DuetExpertCenter/streams/userNotificationEvent/local

    • Peeking at User Notification Events in iOS 15

    • https://gforce4n6.blogspot.com/2022/05/peeking-at-user-notification-events-in.html
    • Peeking at User Notification Events in iOS 15

    • https://dfrws.org/presentation/dfir-review-showcase-peeking-at-user-notification-events-in-ios-15/
    • iOS 16 - "Paul unsent a message." ... OR DID HE?!

    • https://blog.d204n6.com/2022/09/ios-16-paul-unsent-message-or-did-he.html
    • Magnet Forensics Virtual Summit 2023 CTF – iOS

    • https://www.forgottennook.com/blog/magnet-ios-2023
    • iLEAPP User Notifications Plugin

    • https://github.com/abrignoni/iLEAPP/blob/main/scripts/artifacts/notificationsDuet.py



  • /mobile/Library/FrontBoard/applicationState.db

    • Identifying installed and uninstalled apps in iOS

    • https://abrignoni.blogspot.com/2018/12/identifying-installed-and-uninstalled.html
    • iOS - Tracking Traces of Deleted Applications

    • https://blog.d204n6.com/2019/09/ios-tracking-traces-of-deleted.html
    • Tracking Traces of Deleted Applications - SANS DFIR Summit 2019

    • https://www.youtube.com/watch?v=4LcQm4ErXpA
    • iOS Application Groups & Shared data

    • http://www.swiftforensics.com/2021/01/ios-application-groups-shared-data.html
    • iOS - Tracking Bundle IDs for Containers, Shared Containers, and Plugins

    • https://blog.d204n6.com/2020/09/ios-tracking-bundle-ids-for-containers.html
    • iOS – Tracking Bundle IDs for Containers, Shared Containers, and Plugins

    • https://www.magnetforensics.com/blog/ios-tracking-bundle-ids-for-containers-shared-containers-and-plugins/
    • Checkra1n Era - Ep 4 - Analyzing extractions "Before First Unlock"

    • https://blog.digital-forensics.it/2019/12/checkra1n-era-ep-4-analyzing.html
    • Magnet Virtual Summit 2020 CTF (iOS)

    • https://www.stark4n6.com/2020/06/magnet-virtual-summit-2020-ctf-ios.html
    • iLEAPP Application State Plugin

    • https://github.com/abrignoni/iLEAPP/blob/main/scripts/artifacts/applicationstate.py
    • Practical Mobile Forensics - Fourth Edition

    • https://www.packtpub.com/product/practical-mobile-forensics-fourth-edition/9781838647520
    • iOS Forensics for Investigators

    • https://www.packtpub.com/product/ios-forensics-for-investigators/9781803234083



  • /mobile/Library/Health/ActivitySharing/contacts.dat

    • #DFIRFIT or Bust - A forensic exploration of iOS Health Data

    • https://github.com/mac4n6/Presentations/blob/master/%23DFIRFIT%20or%20BUST/DFIRFIT.pdf
      https://papers.put.as/papers/ios/2018/summit_archive_1528385073.pdf
    • Smartphone Privacy: How Your Smartphone Tracks Your Entire Life

    • https://conference.hitb.org/hitbsecconf2018pek/materials/D2T2%20-%20How%20Your%20Smartphone%20Tracks%20Your%20Entire%20Life%20-%20Vladimir%20Katalov.pdf



  • /mobile/Library/Health/healthdb.sqlite

    • #DFIRFIT or Bust - A forensic exploration of iOS Health Data

    • https://papers.put.as/papers/ios/2018/summit_archive_1528385073.pdf
      https://github.com/mac4n6/Presentations/blob/master/%23DFIRFIT%20or%20BUST/DFIRFIT.pdf
    • FROM APPLE SEEDS TO APPLE PIE

    • https://objectivebythesea.org/v1/talks/OBTS_v1_Edwards.pdf
    • Enriching Investigations with Apple Watch Data Through the healthdb_secure.sqlite Database

    • https://dfir.pubpub.org/pub/xqvcn3hj/release/1
    • Smartphone Privacy: How Your Smartphone Tracks Your Entire Life

    • https://conference.hitb.org/hitbsecconf2018pek/materials/D2T2%20-%20How%20Your%20Smartphone%20Tracks%20Your%20Entire%20Life%20-%20Vladimir%20Katalov.pdf
    • Apple Health

    • https://media.rootcon.org/ROOTCON%2012/Talks/Apple%20Health.pdf
    • Health and Activity

    • https://www.elcomsoft.com/presentations/20200129_health_and_activity_evidence_en.pdf
    • Making a Murderer: Health Activity Edition

    • https://smarterforensics.com/wp-content/uploads/2018/11/Making-a-Murderer-Health-Edition_Stockholm.pdf
    • …WON’T YOU BACK THAT THING UP: A GLIMPSE OF IOS 13 ARTIFACTS

    • https://smarterforensics.com/2019/09/wont-you-back-that-thing-up-a-glimpse-of-ios-13-artifacts/
    • Audio and App Usage in Apple Health

    • https://www.stark4n6.com/2022/08/audio-and-app-usage-in-apple-health.html
    • iOS Forensics: HFS+ file system, partitions and relevant evidences

    • https://andreafortuna.org/2020/08/31/ios-forensics-hfs-file-system-partitions-and-relevant-evidences/
    • healthdb.sqlite query

    • https://github.com/kacos2000/Queries/blob/master/healthdb.sql



  • /mobile/Library/Health/healthdb_secure.sqlite

    • #DFIRFIT or Bust - A forensic exploration of iOS Health Data

    • https://github.com/mac4n6/Presentations/blob/master/%23DFIRFIT%20or%20BUST/DFIRFIT.pdf
      https://papers.put.as/papers/ios/2018/summit_archive_1528385073.pdf
    • FROM APPLE SEEDS TO APPLE PIE

    • https://objectivebythesea.org/v1/talks/OBTS_v1_Edwards.pdf
    • On the Second Day of APOLLO, My True Love Gave to Me - Holiday Treats and a Trip to the Gym - A Look at iOS Health Data

    • https://www.mac4n6.com/blog/2018/12/15/on-the-second-day-of-apollo-my-true-love-gave-to-me-holiday-treats-and-a-trip-to-the-gym-a-look-at-ios-health-data
    • Just Call Me Buffy the Proto Slayer – An Initial Look into Protobuf Data in Mac and iOS Forensics

    • http://www.mac4n6.com/blog/2019/9/27/just-call-me-buffy-the-proto-slayer-an-initial-look-into-protobuf-data-in-mac-and-ios-forensics
    • The iPhone Health App from a forensic perspective: can steps and distances registered during walking and running be used as digital evidence?

    • https://www.sciencedirect.com/science/article/pii/S1742287619300313
      https://dfrws.org/sites/default/files/session-files/2019_EU_paper-the_iphone_health_app_from_a_forensic_perspective.pdf
    • The phone reveals your motion: Digital traces of walking, driving and other movements on iPhones

    • https://www.sciencedirect.com/science/article/abs/pii/S2666281721000780
    • Interpreting the location data extracted from the Apple Health database

    • https://www.sciencedirect.com/science/article/pii/S2666281723000057
    • Smartphone Privacy: How Your Smartphone Tracks Your Entire Life

    • https://conference.hitb.org/hitbsecconf2018pek/materials/D2T2%20-%20How%20Your%20Smartphone%20Tracks%20Your%20Entire%20Life%20-%20Vladimir%20Katalov.pdf
    • Apple Health

    • https://media.rootcon.org/ROOTCON%2012/Talks/Apple%20Health.pdf
    • Health and Activity

    • https://www.elcomsoft.com/presentations/20200129_health_and_activity_evidence_en.pdf
    • Making a Murderer: Health Activity Edition

    • https://smarterforensics.com/wp-content/uploads/2018/11/Making-a-Murderer-Health-Edition_Stockholm.pdf
    • …WON’T YOU BACK THAT THING UP: A GLIMPSE OF IOS 13 ARTIFACTS

    • https://smarterforensics.com/2019/09/wont-you-back-that-thing-up-a-glimpse-of-ios-13-artifacts/
    • Audio and App Usage in Apple Health

    • https://www.stark4n6.com/2022/08/audio-and-app-usage-in-apple-health.html
    • Enriching Investigations with Apple Watch Data Through the healthdb_secure.sqlite Database

    • https://dfir.pubpub.org/pub/xqvcn3hj/release/1
      https://sqlmcgee.wordpress.com/2022/04/01/enriching-investigations-with-apple-watch-data-through-the-healthdb_secure-sqlite-database/
    • Cellebrite CTF 2021 - Beth's iPhone

    • https://www.stark4n6.com/2021/10/cellebrite-ctf-2021-beths-iphone.html
    • iOS Analysis Test No. 19-5551 Summary Report

    • https://cts-forensics.com/reports/19-5551_Web.pdf
    • iOS Analysis Test No. 21-5551 Summary Report

    • https://cts-forensics.com/reports/21-5551_Web.pdf
    • Securing and Extracting Health Data: Apple Health vs. Google Fit

    • https://blog.elcomsoft.com/2019/01/securing-and-extracting-health-data-apple-health-vs-google-fit/
    • Building a Pattern of Life - Leveraging Location and Health Data

    • https://www.youtube.com/watch?v=eU7THDwFkiM
    • Health Data Types

    • https://www.doubleblak.com/blogPosts.php?id=21
    • Personal Injury & Insurance Fraud Investigation: Get the Mobile Device!

    • http://prodigital4n6.blogspot.com/2017/07/personal-injury-insurance-fraud.html
    • iOS Forensics: BFU (Before First Unlock) acquisition, using checkra1n

    • https://andreafortuna.org/2020/01/10/ios-forensics-bfu-before-first-unlock-acquisition-using-checkra1n/
    • iOS Forensics: HFS+ file system, partitions and relevant evidences

    • https://andreafortuna.org/2020/08/31/ios-forensics-hfs-file-system-partitions-and-relevant-evidences/
    • healthdb_secure.sqlite query

    • https://github.com/kacos2000/Queries/blob/master/healthdb_secure.sql
    • APOLLO health_secure.sqlite Modules

    • https://github.com/mac4n6/APOLLO/blob/master/modules/health_distance.txt
      https://github.com/mac4n6/APOLLO/blob/master/modules/health_ecg_average_heart_rate.txt
      https://github.com/mac4n6/APOLLO/blob/master/modules/health_flights.txt
      https://github.com/mac4n6/APOLLO/blob/master/modules/health_heart_rate.txt
      https://github.com/mac4n6/APOLLO/blob/master/modules/health_steps.txt
      https://github.com/mac4n6/APOLLO/blob/master/modules/health_stood_up.txt
      https://github.com/mac4n6/APOLLO/blob/master/modules/health_weight.txt
      https://github.com/mac4n6/APOLLO/blob/master/modules/health_workout_cadence.txt
      https://github.com/mac4n6/APOLLO/blob/master/modules/health_workout_elevation.txt
      https://github.com/mac4n6/APOLLO/blob/master/modules/health_workout_general.txt
      https://github.com/mac4n6/APOLLO/blob/master/modules/health_workout_humidity.txt
      https://github.com/mac4n6/APOLLO/blob/master/modules/health_workout_indoor.txt
      https://github.com/mac4n6/APOLLO/blob/master/modules/health_workout_location_latitude.txt
      https://github.com/mac4n6/APOLLO/blob/master/modules/health_workout_location_longitude.txt
      https://github.com/mac4n6/APOLLO/blob/master/modules/health_workout_max_ground_elevation.txt
      https://github.com/mac4n6/APOLLO/blob/master/modules/health_workout_mets.txt
      https://github.com/mac4n6/APOLLO/blob/master/modules/health_workout_min_ground_elevation.txt
      https://github.com/mac4n6/APOLLO/blob/master/modules/health_workout_temperature.txt
      https://github.com/mac4n6/APOLLO/blob/master/modules/health_workout_timeofday.txt
      https://github.com/mac4n6/APOLLO/blob/master/modules/health_workout_weather.txt



  • /mobile/Library/Health/Client/HealthApp.sqlite

    • Health Data Types

    • https://www.doubleblak.com/blogPosts.php?id=21



  • /mobile/Library/homed/datastore.sqlite

    • A journey into IoT Forensics - Episode 5 - Analysis of the Apple HomePod and the Apple Home Kit Environment (aka thanks RN Team!)

    • https://blog.digital-forensics.it/2021/01/a-journey-into-iot-forensics-episode-5.html
    • Forensic Analysis of Apple HomePod & Apple HomeKit Environment w/ Mattia Epifani - SANS DFIR Summit

    • https://www.youtube.com/watch?v=D8AOXCBkaTY



  • /mobile/Library/Keyboard/-dynamic.lm/dynamic-lexicon.dat

    • iOS Analysis Test No. 22-5551 Summary Report

    • https://cts-forensics.com/reports/22-5551_Web.pdf
    • iLEAPP Keyboard Lexicon

    • https://github.com/abrignoni/iLEAPP/blob/main/scripts/artifacts/keyboardLexicon.py



  • /mobile/Library/Keyboard/app_usage_database.plist

    • iLEAPP App Usage Plugin

    • https://github.com/abrignoni/iLEAPP/blob/main/scripts/artifacts/keyboardAppUsage.py



  • /mobile/Library/Keyboard/langlikelihood.dat

    • Cellebrite CTF 2021 Writeup

    • https://medium.com/@williamskosasi/cellebrite-ctf-2021-writeup-b73d821a708



  • /mobile/Library/Keyboard/UserDictionary.sqlite

    • iOS Forensics: BFU (Before First Unlock) acquisition, using checkra1n

    • https://andreafortuna.org/2020/01/10/ios-forensics-bfu-before-first-unlock-acquisition-using-checkra1n/
    • iOS Forensics: HFS+ file system, partitions and relevant evidences

    • https://andreafortuna.org/2020/08/31/ios-forensics-hfs-file-system-partitions-and-relevant-evidences/



  • /mobile/Library/Logs/AppConduit/

    • Checkra1n Era - Ep 4 - Analyzing extractions "Before First Unlock"

    • https://blog.digital-forensics.it/2019/12/checkra1n-era-ep-4-analyzing.html
    • Using Apple “Bug Reporting” for forensic purposes

    • https://for585.com/sysdiagnose
    • iOS Sysdiagnose AppConduit script

    • https://github.com/cheeky4n6monkey/iOS_sysdiagnose_forensic_scripts/blob/master/sysdiagnose-appconduit.py
    • iLEAPP AppConduit Plugin

    • https://github.com/abrignoni/iLEAPP/blob/main/scripts/artifacts/appConduit.py



  • /mobile/Library/Logs/AppleSupport/general.log


  • /mobile/Library/Logs/mobile_installation_helper.log*


  • /mobile/Library/Logs/mobileactivationd/

    • Checkra1n Era - Ep 4 - Analyzing extractions "Before First Unlock"

    • https://blog.digital-forensics.it/2019/12/checkra1n-era-ep-4-analyzing.html
    • Cellebrite CTF 2021 - Beth's iPhone

    • https://www.stark4n6.com/2021/10/cellebrite-ctf-2021-beths-iphone.html
    • Using Apple “Bug Reporting” for forensic purposes

    • https://for585.com/sysdiagnose
    • Sysdiagnose in iOS 16: a first look from a Digital Forensics perspective

    • https://blog.digital-forensics.it/2022/11/sysdiagnose-in-ios-16-first-look-from.html
    • A journey into IoT Forensics - Episode 5 - Analysis of the Apple HomePod and the Apple Home Kit Environment (aka thanks RN Team!)

    • https://blog.digital-forensics.it/2021/01/a-journey-into-iot-forensics-episode-5.html
    • Apple TV Forensics 03: Analysis

    • https://blog.elcomsoft.com/2019/09/apple-tv-forensics-03-analysis/
    • iLEAPP Mobile Activation Logs Plugin

    • https://github.com/abrignoni/iLEAPP/blob/main/scripts/artifacts/mobileActivationLogs.py



  • /mobile/Library/Mail/

    • iOS Mail

    • https://www.doubleblak.com/m/blogPosts.php?id=10
    • Identification and analysis of email and contacts artefacts on iOS and OS X

    • https://researchonline.gcu.ac.uk/ws/portalfiles/portal/24600592/K.Ovens_PID4325955.pdf
    • A Digital Forensic Analysis on the iCloud® and its Synchronization to Apple® Devices

    • https://www.marshall.edu/forensics/files/FRIEDMANRACHEL-Research-Paper-08242012.pdf
    • iOS Analysis Test No. 22-5551 Summary Report

    • https://cts-forensics.com/reports/22-5551_Web.pdf
    • Getting Started with iOS Forensics

    • https://www.systoolsgroup.com/forensics/sqlite/ios.html
    • iOS Forensics for Investigators

    • https://www.packtpub.com/product/ios-forensics-for-investigators/9781803234083



  • /mobile/Library/MedicalID/MedicalIDData.Archive

    • Magnet Virtual Summit 2020 CTF (iOS)

    • https://www.stark4n6.com/2020/06/magnet-virtual-summit-2020-ctf-ios.html
    • iLEAPP MedicalID Plugin

    • https://github.com/abrignoni/iLEAPP/blob/main/scripts/artifacts/medicalID.py



  • /mobile/Library/NanoBackup/


  • /mobile/Library/NanoMusicSync/


  • /mobile/Library/NanoPreferencesSync/

    • Apple Watch Forensics 02: Analysis

    • https://blog.elcomsoft.com/2019/06/apple-watch-forensics-02-analysis/



  • /mobile/Library/NanoTimeKit/


  • /mobile/Library/Passes/passes23.sqlite

    • Pocket Litter A Peek Inside Your Apple Wallet

    • https://objectivebythesea.org/v4/talks/OBTS_v4_sEdwards.pdf
    • Analysing Apple Pay Transactions

    • https://blog.elcomsoft.com/2018/08/analysing-apple-pay-transactions/
    • Cellebrite CTF 2020: Juan Mortyme

    • https://ciofecaforensics.com/2020/10/30/cellebrite-ctf-juan/
    • Cellebrite CTF 2021 Writeup

    • https://medium.com/@williamskosasi/cellebrite-ctf-2021-writeup-b73d821a708
    • Cellebrite CTF 2021 - Beth's iPhone

    • https://www.stark4n6.com/2021/10/cellebrite-ctf-2021-beths-iphone.html
    • Apple Pattern of Life Lazy Output’er (APOLLO) Updates & 40 New Modules (Location, Chat, Calls, Apple Pay Transactions, Wallet Passes, Safari & Health Workouts)

    • http://www.mac4n6.com/blog/2019/1/17/apple-pattern-of-life-lazy-outputer-apollo-updates-amp-40-new-modules-location-chat-calls-apple-pay-transactions-wallet-passes-safari-amp-health-workouts?rq=passes23.sqlite
    • APOLLO passes23.sqlite Modules

    • https://github.com/mac4n6/APOLLO/blob/master/modules/passes23_unique_passes_cards.txt
      https://github.com/mac4n6/APOLLO/blob/master/modules/passes23_wallet_passes.txt
      https://github.com/mac4n6/APOLLO/blob/master/modules/passes23_wallet_transactions.txt
    • iLEAPP passes23.sqlite Plugin

    • https://github.com/abrignoni/iLEAPP/blob/main/scripts/artifacts/appleWalletTransactions.py



  • /mobile/Library/PersonalizationPortrait/PPSQLDatabase.db

    • Guest Post by @bizzybarney! A Peek Inside the PPSQLDatabase.db Personalization Portrait Database

    • http://www.mac4n6.com/blog/2020/6/2/guest-post-by-bizzybarney-a-peek-inside-the-ppsqldatabasedb-personalization-portrait-database
    • Lucky (iOS) #13: Time to Press Your Bets w/ Jared Barnhart - SANS DFIR Summit 2020

    • https://www.youtube.com/watch?v=8Fy83iQ4f8Q



  • /mobile/Library/Preferences/.GlobalPreferences.plist

    • iOS Analysis Test No. 21-5551 Summary Report

    • https://cts-forensics.com/reports/21-5551_Web.pdf
    • iOS Analysis Test No. 22-5551 Summary Report

    • https://cts-forensics.com/reports/22-5551_Web.pdf



  • /mobile/Library/Preferences/addaily.plist


  • /mobile/Library/Preferences/com.apple.accountsettings.plist

    • iOS Forensics: BFU (Before First Unlock) acquisition, using checkra1n

    • https://andreafortuna.org/2020/01/10/ios-forensics-bfu-before-first-unlock-acquisition-using-checkra1n/



  • /mobile/Library/Preferences/com.apple.ActivitySharing.plist


  • /mobile/Library/Preferences/com.apple.AdLib.plist


  • /mobile/Library/Preferences/com.apple.aggregated.plist


  • /mobile/Library/Preferences/com.apple.AppStore.plist

    • iOS Analysis Test No. 21-5551 Summary Report

    • https://cts-forensics.com/reports/21-5551_Web.pdf
    • iOS Analysis Test No. 22-5551 Summary Report

    • https://cts-forensics.com/reports/22-5551_Web.pdf
    • Hacking and Securing iOS Applications by Jonathan Zdziarski, Chapter 4

    • https://www.oreilly.com/library/view/hacking-and-securing/9781449325213/ch04.html



  • /mobile/Library/Preferences/com.apple.assistant.backedup.plist

    • Checkra1n Era - Ep 4 - Analyzing extractions "Before First Unlock"

    • https://blog.digital-forensics.it/2019/12/checkra1n-era-ep-4-analyzing.html
    • iOS Forensics: BFU (Before First Unlock) acquisition, using checkra1n

    • https://andreafortuna.org/2020/01/10/ios-forensics-bfu-before-first-unlock-acquisition-using-checkra1n/
    • iOS Forensics: HFS+ file system, partitions and relevant evidences

    • https://andreafortuna.org/2020/08/31/ios-forensics-hfs-file-system-partitions-and-relevant-evidences/
    • Local Photo Library Photos.sqlite Query Documentation & Notable Artifacts

    • https://theforensicscooter.com/2022/05/02/photos-sqlite-query-documentation-notable-artifacts/



  • /mobile/Library/Preferences/com.apple.assetsd.plist

    • Shared with You Syndication Photo Library – Message Attachments & Linked Assets

    • https://theforensicscooter.com/2022/09/16/shared-with-you-syndication-photo-library-message-attachments-linked-assets/



  • /mobile/Library/Preferences/com.apple.atc.plist

    • Checkra1n Era - Ep 4 - Analyzing extractions "Before First Unlock"

    • https://blog.digital-forensics.it/2019/12/checkra1n-era-ep-4-analyzing.html
    • Do you have a Full-Sized Asset…or just a Thumbnail? Did Optimized iPhone Storage process occur?

    • https://theforensicscooter.com/2022/12/05/do-you-have-a-full-sized-assetor-just-a-thumbnail-did-optimized-iphone-storage-process-occur/



  • /mobile/Library/Preferences/com.apple.BatteryCenter.BatteryWidget.plist


  • /mobile/Library/Preferences/com.apple.camera.plist

    • Local Photo Library Photos.sqlite Query Documentation & Notable Artifacts

    • https://theforensicscooter.com/2022/05/02/photos-sqlite-query-documentation-notable-artifacts/
    • Do you have a Full-Sized Asset…or just a Thumbnail? Did Optimized iPhone Storage process occur?

    • https://theforensicscooter.com/2022/12/05/do-you-have-a-full-sized-assetor-just-a-thumbnail-did-optimized-iphone-storage-process-occur/



  • /mobile/Library/Preferences/com.apple.carplay.plist

    • Ridin’ With Apple CarPlay

    • https://thebinaryhick.blog/2019/05/08/ridin-with-apple-carplay/
    • They See Us Rollin’; They Hatin’: Forensics of iOS CarPlay and Android Auto

    • https://papers.put.as/papers/ios/2019/summit_archive_1564072550.pdf
    • iOS 16 - Breaking Down the Biomes (Part 3) - Keeping up with CarPlay

    • https://blog.d204n6.com/2022/09/ios-16-breaking-down-biomes-part-3.html
    • Digital Forensic Case Studies for In-Vehicle Infotainment Systems Using Android Auto and Apple CarPlay

    • https://www.mdpi.com/1424-8220/22/19/7196/pdf
    • Cellebrite CTF 2021 Writeup

    • https://medium.com/@williamskosasi/cellebrite-ctf-2021-writeup-b73d821a708
    • Cellebrite CTF 2021 - Marsha's iPhone

    • https://www.stark4n6.com/2021/10/cellebrite-ctf-2021-marshas-iphone.html
    • Auto-Parser: Android Auto and Apple CarPlay Forensics

    • https://link.springer.com/chapter/10.1007/978-3-031-06365-7_4
      https://github.com/BiTLab-BaggiliTruthLab/Auto-Parser-Android-Auto-Apple-CarPlay



  • /mobile/Library/Preferences/com.apple.celestial.plist

    • Ridin’ With Apple CarPlay

    • https://thebinaryhick.blog/2019/05/08/ridin-with-apple-carplay/
    • Auto-Parser: Android Auto and Apple CarPlay Forensics

    • https://link.springer.com/chapter/10.1007/978-3-031-06365-7_4
      https://github.com/BiTLab-BaggiliTruthLab/Auto-Parser-Android-Auto-Apple-CarPlay



  • /mobile/Library/Preferences/com.apple.cloud.quota.plist

    • Checkra1n Era - Ep 4 - Analyzing extractions "Before First Unlock"

    • https://blog.digital-forensics.it/2019/12/checkra1n-era-ep-4-analyzing.html



  • /mobile/Library/Preferences/com.apple.cloudphotod.plist

    • Local Photo Library Photos.sqlite Query Documentation & Notable Artifacts

    • https://theforensicscooter.com/2022/05/02/photos-sqlite-query-documentation-notable-artifacts/




  • /mobile/Library/Preferences/com.apple.cmfsyncagent.plist

    • Checkra1n Era - Ep 4 - Analyzing extractions "Before First Unlock"

    • https://blog.digital-forensics.it/2019/12/checkra1n-era-ep-4-analyzing.html
    • The Meaning of Messages

    • https://www.magnetforensics.com/blog/the-meaning-of-messages/



  • /mobile/Library/Preferences/com.apple.commcenter.shared.plist

    • Practical Mobile Forensics - Fourth Edition

    • https://www.packtpub.com/product/practical-mobile-forensics-fourth-edition/9781838647520



  • /mobile/Library/Preferences/com.apple.conference.plist


  • /mobile/Library/Preferences/com.apple.contacts.donation-agent.plist


  • /mobile/Library/Preferences/com.apple.contextstored.plist


  • /mobile/Library/Preferences/com.apple.CoreDuet.plist


  • /mobile/Library/Preferences/com.apple.CoreDuet.QueuedDenials.plist


  • /mobile/Library/Preferences/com.apple.coreduetd.batterysaver.state.plist


  • /mobile/Library/Preferences/com.apple.coreduetd.plist

    • iOS Forensics: BFU (Before First Unlock) acquisition, using checkra1n

    • https://andreafortuna.org/2020/01/10/ios-forensics-bfu-before-first-unlock-acquisition-using-checkra1n/
    • iOS Forensics: HFS+ file system, partitions and relevant evidences

    • https://andreafortuna.org/2020/08/31/ios-forensics-hfs-file-system-partitions-and-relevant-evidences/



  • /mobile/Library/Preferences/com.apple.corerecents.recentsd.plist


  • /mobile/Library/Preferences/com.apple.corespotlightui.plist


  • /mobile/Library/Preferences/com.apple.FeedbackAssistant.plist


  • /mobile/Library/Preferences/com.apple.homesharing.plist

    • iOS Forensics: BFU (Before First Unlock) acquisition, using checkra1n

    • https://andreafortuna.org/2020/01/10/ios-forensics-bfu-before-first-unlock-acquisition-using-checkra1n/
    • iOS Analysis Test No. 18-5551 Summary Report

    • https://cts-forensics.com/reports/38551_Web.pdf



  • /mobile/Library/Preferences/com.apple.icloud.findmydeviced.FMIPAccounts.plist


  • /mobile/Library/Preferences/com.apple.icloud.fmfd.plist

    • iOS - Tracking Device Migration

    • https://blog.d204n6.com/2021/06/ios-tracking-device-migration.html



  • /mobile/Library/Preferences/com.apple.identityservices.idstatuscache.plist

    • How iOS Properties Files Can Confirm a Suspect’s Contacts Even If Deleted

    • https://cellebrite.com/en/how-ios-properties-files-can-confirm-a-suspects-contacts-even-if-data-deleted/
    • Checkra1n Era - Ep 4 - Analyzing extractions "Before First Unlock"

    • https://blog.digital-forensics.it/2019/12/checkra1n-era-ep-4-analyzing.html
    • iOS Forensics: HFS+ file system, partitions and relevant evidences

    • https://andreafortuna.org/2020/08/31/ios-forensics-hfs-file-system-partitions-and-relevant-evidences/
    • Making the most of Property Lists

    • https://forensicskween.com/research/making-the-most-of-property-lists/
    • Practical Mobile Forensics - Fourth Edition

    • https://www.packtpub.com/product/practical-mobile-forensics-fourth-edition/9781838647520



  • /mobile/Library/Preferences/com.apple.imservice*.plist


  • /mobile/Library/Preferences/com.apple.locationd.plist

    • Checkra1n Era - Ep 4 - Analyzing extractions "Before First Unlock"

    • https://blog.digital-forensics.it/2019/12/checkra1n-era-ep-4-analyzing.html
    • iOS Location Services and System Services are they ON or OFF

    • https://dfir.pubpub.org/pub/4sv4kxyh/release/2
    • iOS Location Services and System Services ON or OFF?

    • https://theforensicscooter.com/2021/09/20/ios-location-services-and-system-services-on-or-off/
    • iOS Analysis Test No. 18-5551 Summary Report

    • https://cts-forensics.com/reports/38551_Web.pdf
    • Practical Mobile Forensics - Fourth Edition

    • https://www.packtpub.com/product/practical-mobile-forensics-fourth-edition/9781838647520



  • /mobile/Library/Preferences/com.apple.madrid.plist

    • Checkra1n Era - Ep 4 - Analyzing extractions "Before First Unlock"

    • https://blog.digital-forensics.it/2019/12/checkra1n-era-ep-4-analyzing.html
    • The Meaning of Messages

    • https://www.magnetforensics.com/blog/the-meaning-of-messages/
    • iOS Forensics for Investigators

    • https://www.packtpub.com/product/ios-forensics-for-investigators/9781803234083



  • /mobile/Library/Preferences/com.apple.messages.pinning.plist

    • The Meaning of Messages

    • https://www.magnetforensics.com/blog/the-meaning-of-messages/



  • /mobile/Library/Preferences/com.apple.migration.plist

    • iOS - Tracking Device Migration

    • https://blog.d204n6.com/2021/06/ios-tracking-device-migration.html
    • Local Photo Library Photos.sqlite Query Documentation & Notable Artifacts

    • https://theforensicscooter.com/2022/05/02/photos-sqlite-query-documentation-notable-artifacts/



  • /mobile/Library/Preferences/com.apple.mmcs.plist


  • /mobile/Library/Preferences/com.apple.mobile.ldbackup.plist

    • Checkra1n Era - Ep 4 - Analyzing extractions "Before First Unlock"

    • https://blog.digital-forensics.it/2019/12/checkra1n-era-ep-4-analyzing.html
    • Local Photo Library Photos.sqlite Query Documentation & Notable Artifacts

    • https://theforensicscooter.com/2022/05/02/photos-sqlite-query-documentation-notable-artifacts/
    • Practical Mobile Forensics - Fourth Edition

    • https://www.packtpub.com/product/practical-mobile-forensics-fourth-edition/9781838647520



  • /mobile/Library/Preferences/com.apple.mobilegestalt.plist

    • WHO IS THE OWNER OF THE MOBILE DEVICE?

    • https://www.digitalforensics.com/blog/articles/who-is-the-owner-of-the-mobile-device/
    • Practical Mobile Forensics - Fourth Edition

    • https://www.packtpub.com/product/practical-mobile-forensics-fourth-edition/9781838647520



  • /mobile/Library/Preferences/com.apple.mobilephone.plist

    • Practical Mobile Forensics - Fourth Edition

    • https://www.packtpub.com/product/practical-mobile-forensics-fourth-edition/9781838647520



  • /mobile/Library/Preferences/com.apple.mobileslideshow.plist

    • How to find iOS Hidden Assets

    • https://theforensicscooter.com/2022/07/29/how-to-find-ios-hidden-assets/
    • Do you have a Full-Sized Asset…or just a Thumbnail? Did Optimized iPhone Storage process occur?

    • https://theforensicscooter.com/2022/12/05/do-you-have-a-full-sized-assetor-just-a-thumbnail-did-optimized-iphone-storage-process-occur/



  • /mobile/Library/Preferences/com.apple.MobileSMS.plist

    • Checkra1n Era - Ep 4 - Analyzing extractions "Before First Unlock"

    • https://blog.digital-forensics.it/2019/12/checkra1n-era-ep-4-analyzing.html
    • What is the likelihood of recovering deleted iPhone messages?

    • https://improsec.com/tech-blog/what-is-the-likelihood-of-recovering-deleted-iphone-messages
    • Missing Pieces: Tips and Tricks on how to ensure your acquisitions aren’t missing critical data

    • https://static1.squarespace.com/static/62ab5b933d903d4c55e5d716/t/62fa28d8fd3a89429f8a9a80/1660561630138/MissingPieces_Hyde_Quezada_Final.pdf
    • The Meaning of Messages

    • https://www.magnetforensics.com/blog/the-meaning-of-messages/
    • Practical Mobile Forensics - Fourth Edition

    • https://www.packtpub.com/product/practical-mobile-forensics-fourth-edition/9781838647520
    • iOS Forensics for Investigators

    • https://www.packtpub.com/product/ios-forensics-for-investigators/9781803234083



  • /mobile/Library/Preferences/com.apple.mt.lastLaunch.plist


  • /mobile/Library/Preferences/com.apple.nano.plist


  • /mobile/Library/Preferences/com.apple.nanoregistry.plist


  • /mobile/Library/Preferences/com.apple.preferences.datetime.plist

    • Checkra1n Era - Ep 4 - Analyzing extractions "Before First Unlock"

    • https://blog.digital-forensics.it/2019/12/checkra1n-era-ep-4-analyzing.html
    • Practical Mobile Forensics - Fourth Edition

    • https://www.packtpub.com/product/practical-mobile-forensics-fourth-edition/9781838647520



  • /mobile/Library/Preferences/com.apple.preferences.network.plist

    • Artifacts of an IOS device

    • https://infosecaddicts.com/artifacts-ios-device/
    • Wireless Network Preferences – iOS

    • https://bitsplease4n6.wordpress.com/2020/12/17/wireless-network-preferences-ios/



  • /mobile/Library/Preferences/com.apple.Preferences.plist

    • Checkra1n Era - Ep 4 - Analyzing extractions "Before First Unlock"

    • https://blog.digital-forensics.it/2019/12/checkra1n-era-ep-4-analyzing.html
    • Practical Mobile Forensics - Fourth Edition

    • https://www.packtpub.com/product/practical-mobile-forensics-fourth-edition/9781838647520



  • /mobile/Library/Preferences/com.apple.purplebuddy.plist

    • iOS - Tracking Device Migration

    • https://blog.d204n6.com/2021/06/ios-tracking-device-migration.html
    • Putting a User Behind an iOS Device

    • https://dfrws.org/wp-content/uploads/2020/06/2020_USA_pres-putting_a_user_behind_an_ios_device.pdf
    • How was an iPhone set up?

    • https://dfir.pubpub.org/pub/2q177smo/release/5
    • Upgrade From NULL—Detecting iOS Wipe Artifacts

    • https://dfir.pubpub.org/pub/6i7d593n/release/1
    • How was an iPhone set up?

    • https://smarterforensics.com/2019/01/how-was-an-iphone-setup/
    • How To Identify When an IPhone or iPad was Factory Reset

    • https://athenaforensics.co.uk/how-to-identify-when-an-iphone-or-ipad-was-factory-reset/
    • Checkra1n Era - Ep 4 - Analyzing extractions "Before First Unlock"

    • https://blog.digital-forensics.it/2019/12/checkra1n-era-ep-4-analyzing.html
    • Local Photo Library Photos.sqlite Query Documentation & Notable Artifacts

    • https://theforensicscooter.com/2022/05/02/photos-sqlite-query-documentation-notable-artifacts/
    • iOS Analysis Test No. 20-5551 Summary Report

    • https://cts-forensics.com/reports/20-5551_Web.pdf



  • /mobile/Library/Preferences/com.apple.sharingd.plist

    • Analysis of Apple Unified Logs: Quarantine Edition [Entry 11] – AirDropping Some Knowledge

    • http://www.mac4n6.com/blog/2020/6/5/analysis-of-apple-unified-logs-quarantine-edition-entry-11-airdropping-some-knowledge
    • EXTRACTING FORENSIC ARTIFACTS FROM APPLE CONTINUITY

    • https://smarterforensics.com/wp-content/uploads/2014/06/The-Cider-Press-DFIR_Summit2017.pdf
    • Checkra1n Era - Ep 4 - Analyzing extractions "Before First Unlock"

    • https://blog.digital-forensics.it/2019/12/checkra1n-era-ep-4-analyzing.html



  • /mobile/Library/Preferences/com.apple.springboard.plist

    • Recover your iPhone Screen Time or restrictions passcode (supports iOS 14)

    • https://www.iphonebackupextractor.com/guides/recover-screen-time-parental-restrictions-passcode/
    • Artifacts of an IOS device

    • https://infosecaddicts.com/artifacts-ios-device/
    • Auto-Parser: Android Auto and Apple CarPlay Forensics

    • https://link.springer.com/chapter/10.1007/978-3-031-06365-7_4
      https://github.com/BiTLab-BaggiliTruthLab/Auto-Parser-Android-Auto-Apple-CarPlay
    • Practical Mobile Forensics - Fourth Edition

    • https://www.packtpub.com/product/practical-mobile-forensics-fourth-edition/9781838647520



  • /mobile/Library/Preferences/com.apple.timed.plist

    • Checkra1n Era - Ep 4 - Analyzing extractions "Before First Unlock"

    • https://blog.digital-forensics.it/2019/12/checkra1n-era-ep-4-analyzing.html



  • /mobile/Library/Preferences/com.apple.weather.plist


  • /mobile/Library/Recents/Recents

    • iOS Analysis Test No. 20-5551 Summary Report

    • https://cts-forensics.com/reports/20-5551_Web.pdf
    • Recents query

    • https://github.com/kacos2000/queries/blob/master/recents.sql



  • /mobile/Library/Reminders/

    • Cellebrite CTF 2020: Ruth Langmore

    • https://ciofecaforensics.com/2020/11/02/cellebrite-ctf-ruth/
    • iLEAPP Reminders Plugin

    • https://github.com/abrignoni/iLEAPP/blob/main/scripts/artifacts/reminders.py



  • /mobile/Library/Safari/Bookmarks.db

    • iOS 14 - First Thoughts and Analysis

    • https://blog.d204n6.com/2020/09/ios-14-first-thoughts-and-analysis.html
    • Getting Started with iOS Forensics

    • https://www.systoolsgroup.com/forensics/sqlite/ios.html
    • iLEAPP Safari Bookmarks Plugin

    • https://github.com/abrignoni/iLEAPP/blob/main/scripts/artifacts/safariBookmarks.py
    • Practical Mobile Forensics - Fourth Edition

    • https://www.packtpub.com/product/practical-mobile-forensics-fourth-edition/9781838647520
    • iOS Forensics for Investigators

    • https://www.packtpub.com/product/ios-forensics-for-investigators/9781803234083



  • /mobile/Library/Safari/BrowserState.db

    • Examining mobile devices: identiffying private internet browking activity in Mobile Safari

    • https://www.opentext.com/file_source/OpenText/en_US/PDF/Examining-mobiledevices-&-private-internet-browsing-activity-whitepaper-en.pdf
    • iOS 14 - First Thoughts and Analysis

    • https://blog.d204n6.com/2020/09/ios-14-first-thoughts-and-analysis.html
    • iLEAPP Safari Tabs Plugin

    • https://github.com/abrignoni/iLEAPP/blob/main/scripts/artifacts/safariTabs.py
    • iOS Forensics for Investigators

    • https://www.packtpub.com/product/ios-forensics-for-investigators/9781803234083



  • /mobile/Library/Safari/CloudTabs.db

    • iLEAPP Safari Tabs Plugin

    • https://github.com/abrignoni/iLEAPP/blob/main/scripts/artifacts/safariTabs.py
    • iOS Forensics for Investigators

    • https://www.packtpub.com/product/ios-forensics-for-investigators/9781803234083



  • /mobile/Library/Safari/History.db

    • Missing SQLite Records Analysis

    • https://dfir.pubpub.org/pub/33vkc2ul/release/1
    • Examining mobile devices: identiffying private internet browking activity in Mobile Safari

    • https://www.opentext.com/file_source/OpenText/en_US/PDF/Examining-mobiledevices-&-private-internet-browsing-activity-whitepaper-en.pdf
    • KnowledgeC (and Friends)

    • http://www.doubleblak.com/m/blogPosts.php?id=2
    • Cellebrite CTF 2020: Ruth Langmore

    • https://ciofecaforensics.com/2020/11/02/cellebrite-ctf-ruth/
    • Magnet User Summit 2022 CTF - iPhone

    • https://www.stark4n6.com/2022/06/magnet-user-summit-2022-ctf-iphone.html
    • Magnet User Summit 2022 CTF - iPhone

    • https://www.stark4n6.com/2022/06/magnet-user-summit-2022-ctf-iphone.html
    • iOS Analysis Test No. 18-5551 Summary Report

    • https://cts-forensics.com/reports/38551_Web.pdf
    • iOS Analysis Test No. 19-5551 Summary Report

    • https://cts-forensics.com/reports/19-5551_Web.pdf
    • iOS Analysis Test No. 20-5551 Summary Report

    • https://cts-forensics.com/reports/20-5551_Web.pdf
    • iOS Analysis Test No. 21-5551 Summary Report

    • https://cts-forensics.com/reports/21-5551_Web.pdf
    • iOS Analysis Test No. 22-5551 Summary Report

    • https://cts-forensics.com/reports/22-5551_Web.pdf
    • Reading Your Browser's History with SQLite

    • http://2016.padjo.org/tutorials/sqlite-your-browser-history/
    • APOLLO Safari History Module

    • https://github.com/mac4n6/APOLLO/blob/master/modules/safari_history.txt
    • iLEAPP Safari History Plugin

    • https://github.com/abrignoni/iLEAPP/blob/main/scripts/artifacts/safariHistory.py
    • Practical Mobile Forensics - Fourth Edition

    • https://www.packtpub.com/product/practical-mobile-forensics-fourth-edition/9781838647520
    • iOS Forensics for Investigators

    • https://www.packtpub.com/product/ios-forensics-for-investigators/9781803234083



  • /mobile/Library/Safari/SafariTabs.db

    • iOS 16 - Breaking Down the Biomes (Part 4) - Surfin' with Safari

    • https://blog.d204n6.com/2022/09/ios-16-breaking-down-biomes-part-4.html
    • iOS 16: What Digital Investigators Need to Know

    • https://www.magnetforensics.com/blog/ios-16-what-digital-investigators-need-to-know/
    • Checking in on iOS 16 in Magnet AXIOM 6.8

    • https://www.magnetforensics.com/blog/checking-in-on-ios-16-in-magnet-axiom-6-8/



  • /mobile/Library/SMS/Attachments/

    • The Meaning of Messages

    • https://www.magnetforensics.com/blog/the-meaning-of-messages/
    • Using Photos.sqlite to Show the Relationships Between Photos and the Application they were Created with?

    • https://dfir.pubpub.org/pub/v19rksyf/release/1
      https://smarterforensics.com/2020/08/does-photos-sqlite-have-relations-with-cameramessagesapp-by-scott-koenig/
    • Shared with You Syndication Photo Library – Message Attachments & Linked Assets

    • https://theforensicscooter.com/2022/09/16/shared-with-you-syndication-photo-library-message-attachments-linked-assets/
    • iOS Analysis Test No. 19-5551 Summary Report

    • https://cts-forensics.com/reports/19-5551_Web.pdf
    • iOS Forensics for Investigators

    • https://www.packtpub.com/product/ios-forensics-for-investigators/9781803234083



  • /mobile/Library/SMS/Drafts/

    • Local Photo Library Photos.sqlite Query Documentation & Notable Artifacts

    • https://theforensicscooter.com/2022/05/02/photos-sqlite-query-documentation-notable-artifacts/
    • iLEAPP Draft SMS Plugin

    • https://github.com/abrignoni/iLEAPP/blob/main/scripts/artifacts/draftmessage.py
    • iOS Forensics for Investigators

    • https://www.packtpub.com/product/ios-forensics-for-investigators/9781803234083



  • /mobile/Library/SMS/sms.db

    • The Meaning of Messages

    • https://www.magnetforensics.com/blog/the-meaning-of-messages/
    • iOS16 iMessages

    • https://doubleblak.com/blogPosts.php?id=27
    • iOS 16 - "Paul unsent a message." ... OR DID HE?!

    • https://blog.d204n6.com/2022/09/ios-16-paul-unsent-message-or-did-he.html
    • Message Reactions

    • https://doubleblak.com/blogPosts.php?id=24
    • Sharing Locations in iOS Messages

    • https://thebinaryhick.blog/2021/09/29/sharing-locations-in-ios-messages/
    • iOS 14 - Message Mentions and Threading

    • https://blog.d204n6.com/2020/09/ios-14-message-mentions-and-threading.html
    • Cellebrite CTF 2020: Juan Mortyme

    • https://ciofecaforensics.com/2020/10/30/cellebrite-ctf-juan/
    • iOS Analysis Test No. 18-5551 Summary Report

    • https://cts-forensics.com/reports/38551_Web.pdf
    • iOS Analysis Test No. 19-5551 Summary Report

    • https://cts-forensics.com/reports/19-5551_Web.pdf
    • iOS Analysis Test No. 20-5551 Summary Report

    • https://cts-forensics.com/reports/20-5551_Web.pdf
    • Lagging for the Win: Querying for Negative Evidence in the sms.db

    • https://belkasoft.com/lagging-for-win
    • An Alternate Location for Deleted SMS/iMessage Data in Apple Devices

    • https://sqlmcgee.wordpress.com/2022/03/28/an-alternate-location-for-deleted-sms-imessage-data-in-apple-devices-2/
      https://dfir.pubpub.org/pub/yp6efc8q/release/1
    • Missing SQLite Records Analysis

    • https://dfir.pubpub.org/pub/33vkc2ul/release/1
    • Local Photo Library Photos.sqlite Query Documentation & Notable Artifacts

    • https://theforensicscooter.com/2022/05/02/photos-sqlite-query-documentation-notable-artifacts/
    • How To Identify When an IPhone or iPad was Factory Reset

    • https://athenaforensics.co.uk/how-to-identify-when-an-iphone-or-ipad-was-factory-reset/
    • KnowledgeC (and Friends)

    • http://www.doubleblak.com/m/blogPosts.php?id=2
    • Temporal Analysis Anomalies with iOS iMessage Communication Exchange

    • https://personal.cis.strath.ac.uk/george.weir/cyfor14/papers/4_govan_ovans.pdf
    • iLEAPP SMS Plugin

    • https://github.com/abrignoni/iLEAPP/blob/main/scripts/artifacts/sms.py
    • APOLLO SMS Modules

    • https://github.com/mac4n6/APOLLO/blob/master/modules/sms_chat.txt
      https://github.com/mac4n6/APOLLO/blob/master/modules/sms_chat_message_delivered.txt
      https://github.com/mac4n6/APOLLO/blob/master/modules/sms_chat_message_read.txt
    • Practical Mobile Forensics - Fourth Edition

    • https://www.packtpub.com/product/practical-mobile-forensics-fourth-edition/9781838647520
    • iOS Forensics for Investigators

    • https://www.packtpub.com/product/ios-forensics-for-investigators/9781803234083



  • /mobile/Library/SMS/sms-temp.db

    • Checkra1n Era - Ep 4 - Analyzing extractions "Before First Unlock"

    • https://blog.digital-forensics.it/2019/12/checkra1n-era-ep-4-analyzing.html
    • iOS Forensics for Investigators

    • https://www.packtpub.com/product/ios-forensics-for-investigators/9781803234083



  • /mobile/Library/SpringBoard/HomeBackgroundThumbnail.jpg


  • /mobile/Library/SpringBoard/IconState.plist

    • Today, Widgets, & Ignored Apps in iOS

    • https://thebinaryhick.blog/2021/07/25/today-widgets-ignored-apps-in-ios/
    • Recover iOS App Screen Layouts with the New iOS Home Screen Items Artifact

    • https://www.magnetforensics.com/blog/recover-ios-app-screen-layouts-with-the-new-ios-home-screen-items-artifact/
    • Checkra1n Era - Ep 4 - Analyzing extractions "Before First Unlock"

    • https://blog.digital-forensics.it/2019/12/checkra1n-era-ep-4-analyzing.html
    • iLEAPP Icon State Plugin

    • https://github.com/abrignoni/iLEAPP/blob/main/scripts/artifacts/iconsScreen.py
    • A Few Interesting iOS Forensic Artefacts

    • https://salt4n6.com/2018/05/15/a-few-interesting-ios-forensic-artefacts/
    • iOS - Tracking Traces of Deleted Applications

    • https://blog.d204n6.com/2019/09/ios-tracking-traces-of-deleted.html
    • Tracking Traces of Deleted Applications - SANS DFIR Summit 2019

    • https://www.youtube.com/watch?v=4LcQm4ErXpA
    • Auto-Parser: Android Auto and Apple CarPlay Forensics

    • https://link.springer.com/chapter/10.1007/978-3-031-06365-7_4
      https://github.com/BiTLab-BaggiliTruthLab/Auto-Parser-Android-Auto-Apple-CarPlay
    • They See Us Rollin’; They Hatin’: Forensics of iOS CarPlay and Android Auto

    • https://papers.put.as/papers/ios/2019/summit_archive_1564072550.pdf



  • /mobile/Library/SpringBoard/LockBackgroundThumbnail.jpg


    • Practical Mobile Forensics - Fourth Edition

    • https://www.packtpub.com/product/practical-mobile-forensics-fourth-edition/9781838647520


  • /mobile/Library/SpringBoard/LockBackgroundThumbnaildark.jpg


    • Practical Mobile Forensics - Fourth Edition

    • https://www.packtpub.com/product/practical-mobile-forensics-fourth-edition/9781838647520


  • /mobile/Library/SpringBoard/TodayViewArchive.plist


  • /mobile/Library/SpringBoard/PushStore/

    • pushstore_parser

    • https://github.com/jakev/pushstore-parser
    • iLEAPP PushStore Plugin

    • https://github.com/abrignoni/iLEAPP/blob/main/scripts/artifacts/notificationsXI.py



  • /mobile/Library/Suggestions/query_predictions.db

    • iLEAPP Query Predictions Plugin

    • https://github.com/abrignoni/iLEAPP/blob/main/scripts/artifacts/queryPredictions.py
    • APOLLO Query Predictions Module

    • https://github.com/mac4n6/APOLLO/blob/master/modules/query_predictions.txt



  • /mobile/Library/TCC/TCC.db

    • Checkra1n Era - Ep 4 - Analyzing extractions "Before First Unlock"

    • https://blog.digital-forensics.it/2019/12/checkra1n-era-ep-4-analyzing.html
    • iOS Forensics: BFU (Before First Unlock) acquisition, using checkra1n

    • https://andreafortuna.org/2020/01/10/ios-forensics-bfu-before-first-unlock-acquisition-using-checkra1n/
    • iOS Forensics: HFS+ file system, partitions and relevant evidences

    • https://andreafortuna.org/2020/08/31/ios-forensics-hfs-file-system-partitions-and-relevant-evidences/
    • Cellebrite CTF 2021 - Beth's iPhone

    • https://www.stark4n6.com/2021/10/cellebrite-ctf-2021-beths-iphone.html
    • Analysis of Apple Unified Logs: Quarantine Edition [Entry 10] – You down with TCC? Yea, you know me! Tracking App Permissions and the TCC APOLLO Module

    • http://www.mac4n6.com/blog/2020/6/1/analysis-of-apple-unified-logs-quarantine-edition-entry-10-you-down-with-tcc-yea-you-know-me-tracking-app-permissions-and-the-tcc-apollo-module?rq=tcc
    • iLEAPP TCC Plugin

    • https://github.com/abrignoni/iLEAPP/blob/main/scripts/artifacts/tcc.py
    • APOLLO TCC Module

    • https://github.com/mac4n6/APOLLO/blob/master/modules/tcc_db.txt



  • /mobile/Library/UserConfigurationProfiles/PublicEffectiveUserSettings.plist

    • iOS Settings Display Auto-Lock & Require Passcode

    • https://theforensicscooter.com/2021/09/05/ios-settings-display-auto-lock-require-passcode/
    • iOS Settings Display Auto-Lock & Require Passcode

    • https://dfir.pubpub.org/pub/khnqi0ff/release/1
    • Cellebrite CTF 2021 - Beth's iPhone

    • https://www.stark4n6.com/2021/10/cellebrite-ctf-2021-beths-iphone.html
    • Cellebrite CTF 2021 Writeup

    • https://medium.com/@williamskosasi/cellebrite-ctf-2021-writeup-b73d821a708



  • /mobile/Library/UserConfigurationProfiles/UserSettings.plist


  • /mobile/Library/UserNotifications/

    • Magnet User Summit 2022 CTF - iPhone

    • https://www.stark4n6.com/2022/06/magnet-user-summit-2022-ctf-iphone.html
    • iLEAPP User Notifications Plugin

    • https://github.com/abrignoni/iLEAPP/blob/main/scripts/artifacts/notificationsXII.py
    • Mobile Cyber Forensic Investigations of Web3 Wallets on Android and iOS

    • https://www.mdpi.com/2076-3417/12/21/11180



  • /mobile/Library/Voicemail/voicemail.db

    • iOS Voicemail Transcripts

    • https://www.linkedin.com/pulse/ios-voicemail-transcripts-charlie-rubisoff/
    • Dude, Where's My Banana? Retrieving data from an iPhone voicemail database

    • http://cheeky4n6monkey.blogspot.com/2013/01/dude-wheres-my-banana-retrieving-data.html
    • Dude, Where's My Data?

    • http://az4n6.blogspot.com/2012/12/dude-wheres-my-data.html
    • iOS Analysis Test No. 18-5551 Summary Report

    • https://cts-forensics.com/reports/38551_Web.pdf
    • iOS Analysis Test No. 20-5551 Summary Report

    • https://cts-forensics.com/reports/20-5551_Web.pdf
    • iOS Analysis Test No. 21-5551 Summary Report

    • https://cts-forensics.com/reports/21-5551_Web.pdf
    • iOS Analysis Test No. 22-5551 Summary Report

    • https://cts-forensics.com/reports/22-5551_Web.pdf
    • Practical Mobile Forensics - Fourth Edition

    • https://www.packtpub.com/product/practical-mobile-forensics-fourth-edition/9781838647520


  • "/mobile/Media/" folder





    • /mobile/Media/DCIM/

      • Local Photo Library Photos.sqlite Query Documentation & Notable Artifacts

      • https://theforensicscooter.com/2022/05/02/photos-sqlite-query-documentation-notable-artifacts/
      • Do you have a Full-Sized Asset…or just a Thumbnail? Did Optimized iPhone Storage process occur?

      • https://theforensicscooter.com/2022/12/05/do-you-have-a-full-sized-assetor-just-a-thumbnail-did-optimized-iphone-storage-process-occur/
      • How to find iOS Hidden Assets

      • https://theforensicscooter.com/2022/07/29/how-to-find-ios-hidden-assets/
      • USING PHOTOS.SQLITE TO SHOW THE RELATIONSHIPS BETWEEN PHOTOS AND THE APPLICATION THEY WERE CREATED WITH? BY SCOTT KOENIG

      • https://smarterforensics.com/2020/08/does-photos-sqlite-have-relations-with-cameramessagesapp-by-scott-koenig/
        https://dfir.pubpub.org/pub/v19rksyf/release/1
      • Checkra1n Era - Ep 4 - Analyzing extractions "Before First Unlock"

      • https://blog.digital-forensics.it/2019/12/checkra1n-era-ep-4-analyzing.html
      • Cellebrite CTF 2021 Writeup

      • https://medium.com/@williamskosasi/cellebrite-ctf-2021-writeup-b73d821a708
      • Cellebrite CTF 2020: Juan Mortyme

      • https://ciofecaforensics.com/2020/10/30/cellebrite-ctf-juan/
      • Cellebrite CTF 2022 - Marsha's iPhone

      • https://www.stark4n6.com/2022/06/cellebrite-ctf-2022-marshas-iphone.html
      • Magnet Forensics Virtual Summit 2023 CTF – iOS

      • https://www.forgottennook.com/blog/magnet-ios-2023
      • iOS Analysis Test No. 18-5551 Summary Report

      • https://cts-forensics.com/reports/38551_Web.pdf
      • iOS Analysis Test No. 19-5551 Summary Report

      • https://cts-forensics.com/reports/19-5551_Web.pdf
      • iOS Analysis Test No. 20-5551 Summary Report

      • https://cts-forensics.com/reports/20-5551_Web.pdf
      • iOS Analysis Test No. 21-5551 Summary Report

      • https://cts-forensics.com/reports/21-5551_Web.pdf
      • iOS Analysis Test No. 22-5551 Summary Report

      • https://cts-forensics.com/reports/22-5551_Web.pdf
      • Practical Mobile Forensics - Fourth Edition

      • https://www.packtpub.com/product/practical-mobile-forensics-fourth-edition/9781838647520
      • iOS Forensics for Investigators

      • https://www.packtpub.com/product/ios-forensics-for-investigators/9781803234083



    • /mobile/Media/iTunes_Control/iTunes/MediaLibrary.sqlitedb

      • Checkra1n Era - Ep 4 - Analyzing extractions "Before First Unlock"

      • https://blog.digital-forensics.it/2019/12/checkra1n-era-ep-4-analyzing.html
      • Cellebrite CTF 2020: Ruth Langmore

      • https://ciofecaforensics.com/2020/11/02/cellebrite-ctf-ruth/
      • Apple TV Forensics 03: Analysis

      • https://blog.elcomsoft.com/2019/09/apple-tv-forensics-03-analysis/
      • Forensicating The Apple TV

      • https://www.forensicfocus.com/webinars/forensicating-the-apple-tv/
      • Apple Watch Forensics 02: Analysis

      • https://blog.elcomsoft.com/2019/06/apple-watch-forensics-02-analysis/
      • APPLE WATCH FORENSICS: IS IT EVER POSSIBLE, AND WHAT IS THE PROFIT?

      • https://www.forensicfocus.com/webinars/apple-watch-forensics-is-it-ever-possible-and-what-is-the-profit/
        https://dfrws.org/wp-content/uploads/2019/06/2019_EU_pres-apple_watch_forensics_is_it_ever_possible_and_what_is_the_profit.pdf
      • iLEAPP Media Library Plugin

      • https://github.com/abrignoni/iLEAPP/blob/main/scripts/artifacts/mediaLibrary.py



    • /mobile/Media/iTunesControl/iTunes/iTunesPrefs

      • Checkra1n Era - Ep 4 - Analyzing extractions "Before First Unlock"

      • https://blog.digital-forensics.it/2019/12/checkra1n-era-ep-4-analyzing.html
      • Forensic Analysis of iTunes Backups

      • https://farleyforensics.com/2019/04/14/forensic-analysis-of-itunes-backups/



    • /mobile/Media/MediaAnalysis/mediaanalysis.db

      • Follow-on to DFIR Summit Talk: Lucky (iOS) 13: Time To Press Your Bets (via @bizzybarney)

      • http://www.mac4n6.com/blog/2020/7/19/follow-on-to-dfir-summit-talk-lucky-ios-13-time-to-press-your-bets-via-bizzybarney
      • iOS Forensics for Investigators

      • https://www.packtpub.com/product/ios-forensics-for-investigators/9781803234083



    • /mobile/Media/PhotoData/AlbumsMetadata/

      • Local Photo Library Photos.sqlite Query Documentation & Notable Artifacts

      • https://theforensicscooter.com/2022/05/02/photos-sqlite-query-documentation-notable-artifacts/



    • /mobile/Media/PhotoData/PhotoCloudSharingData/

      • Local Photo Library Photos.sqlite Query Documentation & Notable Artifacts

      • https://theforensicscooter.com/2022/05/02/photos-sqlite-query-documentation-notable-artifacts/
      • Local Photo Library Photos.sqlite Query Variations & WHERE statements

      • https://theforensicscooter.com/2022/02/21/photos-sqlite-update/
      • Photos.sqlite ZINTERNALRESOURCE Table Reference Guide

      • https://theforensicscooter.com/2022/12/03/photos-sqlite-zinternalresource-table-reference-guide/
      • Sharing is Caring – An Overview of Shared Albums in iOS

      • https://gforce4n6.blogspot.com/2020/09/sharing-is-caring-overview-of-shared.html
      • iLEAPP Shared Albumbs Plugin

      • https://github.com/abrignoni/iLEAPP/blob/main/scripts/artifacts/icloudSharedalbums.py
      • iOS Forensics for Investigators

      • https://www.packtpub.com/product/ios-forensics-for-investigators/9781803234083



    • /mobile/Media/PhotoData/Caches/GraphService/CLSPublicEventCache.sqlite


    • /mobile/Media/PhotoData/CPL/

      • Local Photo Library Photos.sqlite Query Documentation & Notable Artifacts

      • https://theforensicscooter.com/2022/05/02/photos-sqlite-query-documentation-notable-artifacts/
      • Do you have a Full-Sized Asset…or just a Thumbnail? Did Optimized iPhone Storage process occur?

      • https://theforensicscooter.com/2022/12/05/do-you-have-a-full-sized-assetor-just-a-thumbnail-did-optimized-iphone-storage-process-occur/
      • How to find iOS Hidden Assets

      • https://theforensicscooter.com/2022/07/29/how-to-find-ios-hidden-assets/
      • Practical Mobile Forensics - Fourth Edition

      • https://www.packtpub.com/product/practical-mobile-forensics-fourth-edition/9781838647520



    • /mobile/Media/PhotoData/Photos.sqlite

      • Photos.sqlite Queries – Original Blog Posting

      • https://theforensicscooter.com/2021/11/23/photos-sqlite-queries/
      • Local Photo Library Photos.sqlite Query Documentation & Notable Artifacts

      • https://theforensicscooter.com/2022/05/02/photos-sqlite-query-documentation-notable-artifacts/
      • Local Photo Library Photos.sqlite Query Variations & WHERE statements

      • https://theforensicscooter.com/2022/02/21/photos-sqlite-update/
      • How to find iOS Hidden Assets

      • https://theforensicscooter.com/2022/07/29/how-to-find-ios-hidden-assets/
      • Photos.sqlite ZINTERNALRESOURCE Table Reference Guide

      • https://theforensicscooter.com/2022/12/03/photos-sqlite-zinternalresource-table-reference-guide/
      • Do you have a Full-Sized Asset…or just a Thumbnail? Did Optimized iPhone Storage process occur?

      • https://theforensicscooter.com/2022/12/05/do-you-have-a-full-sized-assetor-just-a-thumbnail-did-optimized-iphone-storage-process-occur/
      • Part B Filling a device internal storage for Optimize iPhone Storage Research

      • https://theforensicscooter.com/2022/12/03/part-b-filling-a-device-internal-storage-for-optimize-iphone-storage-research/
      • iOS Media Adjustments

      • https://www.doubleblak.com/blogPosts.php?id=23
      • iOS Local Photo Library (PL) Photos.sqlite Queries

      • https://github.com/ScottKjr3347/iOS_Local_PL_Photos.sqlite_Queries
      • USING PHOTOS.SQLITE TO SHOW THE RELATIONSHIPS BETWEEN PHOTOS AND THE APPLICATION THEY WERE CREATED WITH? BY SCOTT KOENIG

      • https://smarterforensics.com/2020/08/does-photos-sqlite-have-relations-with-cameramessagesapp-by-scott-koenig/
        https://dfir.pubpub.org/pub/v19rksyf/release/1
      • How Did That Photo Get on That iPhone? – Deep Dive into the iOS “Photos.sqlite” database

      • https://msab.com/guides-whitepapers/forensic-dive-into-ios-photos-sqlite-database/
      • How Did That Photo Get on That iPhone: Media Attribution for iOS

      • https://www.msab.com/blog/media-attribution-for-ios/
      • iOS Photos.sqlite Forensics

      • https://www.forensicmike1.com/2019/05/02/ios-photos-sqlite-forensics/
      • macOS & iOS Photos Support with Magnet AXIOM

      • https://www.magnetforensics.com/blog/macos-ios-photos-support-with-magnet-axiom/
      • Apple Watch Forensics 02: Analysis

      • https://blog.elcomsoft.com/2019/06/apple-watch-forensics-02-analysis/
      • Apple iOS: Recently Deleted images

      • https://forensenellanebbia.blogspot.com/2015/10/apple-ios-recently-deleted-images.html
      • The Apple Photos library

      • https://www.tonkata.com/posts/apple-photos/
      • Photos.sqlite query

      • https://github.com/kacos2000/queries/blob/master/Photos_sqlite.sql
      • iLEAPP Photos Plugin

      • https://github.com/abrignoni/iLEAPP/blob/main/scripts/artifacts/photosMetadata.py
      • Practical Mobile Forensics - Fourth Edition

      • https://www.packtpub.com/product/practical-mobile-forensics-fourth-edition/9781838647520
      • iOS Forensics for Investigators

      • https://www.packtpub.com/product/ios-forensics-for-investigators/9781803234083



    • /mobile/Media/PhotoData/Thumbnails/

      • iPhone Photodata Thumbnails

      • https://athenaforensics.co.uk/iphone-photodata-thumbnails/
      • Local Photo Library Photos.sqlite Query Documentation & Notable Artifacts

      • https://theforensicscooter.com/2022/05/02/photos-sqlite-query-documentation-notable-artifacts/
      • Do you have a Full-Sized Asset…or just a Thumbnail? Did Optimized iPhone Storage process occur?

      • https://theforensicscooter.com/2022/12/05/do-you-have-a-full-sized-assetor-just-a-thumbnail-did-optimized-iphone-storage-process-occur/
      • Photos.sqlite ZINTERNALRESOURCE Table Reference Guide

      • https://theforensicscooter.com/2022/12/03/photos-sqlite-zinternalresource-table-reference-guide/
      • iOS iThmbs

      • http://dig-forensics.blogspot.com/2013/05/ios-ithmbs.html
      • iThmb Converter

      • https://www.ithmbconverter.com/
      • iOS Forensics for Investigators

      • https://www.packtpub.com/product/ios-forensics-for-investigators/9781803234083



    • /mobile/Media/Recordings/

      • Forensic originality identification of iPhone’s voice memos

      • https://iopscience.iop.org/article/10.1088/1742-6596/1345/5/052053/pdf
      • A method of forensic authentication of audio recordings generated using the Voice Memos application in the iPhone

      • https://www.sciencedirect.com/science/article/abs/pii/S0379073821000220
      • Advanced forensic procedure for the authentication of audio recordings generated by Voice Memos application of iOS14

      • https://onlinelibrary.wiley.com/doi/abs/10.1111/1556-4029.15016
      • Cellebrite CTF 2020: Juan Mortyme

      • https://ciofecaforensics.com/2020/10/30/cellebrite-ctf-juan/
      • iLEAPP Voice Recordings Plugin

      • https://github.com/abrignoni/iLEAPP/blob/main/scripts/artifacts/voiceRecordings.py
      • Practical Mobile Forensics - Fourth Edition

      • https://www.packtpub.com/product/practical-mobile-forensics-fourth-edition/9781838647520




    "/mobile/MobileSoftwareUpdate/" folder





    • /mobile/MobileSoftwareUpdate/restore.log

      • Restore Log - Tracking iOS Update History

      • https://www.stark4n6.com/2021/10/restore-log-tracking-ios-update-history.html
      • Cellebrite CTF 2021 Writeup

      • https://medium.com/@williamskosasi/cellebrite-ctf-2021-writeup-b73d821a708
      • iLEAPP restore.log Plugin

      • https://github.com/abrignoni/iLEAPP/blob/main/scripts/artifacts/restoreLog.py




    "/networkd/" folder





    • /networkd/netusage.sqlite

      • Network and Application Usage using netusage.sqlite & DataUsage.sqlite iOS Databases

      • http://www.mac4n6.com/blog/2019/1/6/network-and-application-usage-using-netusagesqlite-amp-datausagesqlite-ios-databases
      • iOS - Tracking Traces of Deleted Applications

      • https://blog.d204n6.com/2019/09/ios-tracking-traces-of-deleted.html
      • Tracking Traces of Deleted Applications - SANS DFIR Summit 2019

      • https://www.youtube.com/watch?v=4LcQm4ErXpA
      • iOS Forensics: HFS+ file system, partitions and relevant evidences

      • https://andreafortuna.org/2020/08/31/ios-forensics-hfs-file-system-partitions-and-relevant-evidences/
      • iLEAPP Net Usage Plugin

      • https://github.com/abrignoni/iLEAPP/blob/main/scripts/artifacts/netusage.py
      • APOLLO Netusage Module

      • https://github.com/mac4n6/APOLLO/blob/master/modules/netusage_zprocess.txt
        https://github.com/mac4n6/APOLLO/blob/master/modules/netusage_zliveusage.txt
        https://github.com/mac4n6/APOLLO/blob/master/modules/netusage_zliverouteperf.txt




    "/preferences/" folder





    • /preferences/com.apple.networkextension.plist


    • /preferences/com.apple.wifi.known-networks.plist

      • Apple Private Wi-Fi Addresses

      • https://ciofecaforensics.com/2020/10/24/apple-private-addresses/
      • Sysdiagnose in iOS 16: a first look from a Digital Forensics perspective

      • https://blog.digital-forensics.it/2022/11/sysdiagnose-in-ios-16-first-look-from.html
      • mac_apt WiFi Plugin

      • https://github.com/ydkhatri/mac_apt/blob/master/plugins/ios_wifi.py



    • /preferences/SystemConfiguration/com.apple.accounts.exists.plist

      • Checkra1n Era - Ep 4 - Analyzing extractions "Before First Unlock"

      • https://blog.digital-forensics.it/2019/12/checkra1n-era-ep-4-analyzing.html
      • iLEAPP Conf Accounts Plugin

      • https://github.com/abrignoni/iLEAPP/blob/main/scripts/artifacts/confaccts.py



    • /preferences/SystemConfiguration/com.apple.networkidentification.plist

      • Artifacts of an IOS device

      • https://infosecaddicts.com/artifacts-ios-device/
      • Everything You Always Wanted to Know About iTunes and iCloud Backups But Were Afraid to Ask

      • https://blog.elcomsoft.com/2014/03/itunes-icloud-backups/



    • /preferences/SystemConfiguration/com.apple.radios.plist

      • Checkra1n Era - Ep 4 - Analyzing extractions "Before First Unlock"

      • https://blog.digital-forensics.it/2019/12/checkra1n-era-ep-4-analyzing.html
      • iOS Forensics for Investigators

      • https://www.packtpub.com/product/ios-forensics-for-investigators/9781803234083



    • /preferences/SystemConfiguration/com.apple.wifi.plist

      • From iPhone to Access Point

      • https://www.forensicfocus.com/articles/from-iphone-to-access-point/
      • Apple Private Wi-Fi Addresses

      • https://ciofecaforensics.com/2020/10/24/apple-private-addresses/
      • Using Apple “Bug Reporting” for forensic purposes

      • https://for585.com/sysdiagnose
      • Sysdiagnose in iOS 16: a first look from a Digital Forensics perspective

      • https://blog.digital-forensics.it/2022/11/sysdiagnose-in-ios-16-first-look-from.html
      • Wifi Networks – iOS

      • https://bitsplease4n6.wordpress.com/2020/12/08/wifi-networks-ios/
      • Apple Watch Forensics 02: Analysis

      • https://blog.elcomsoft.com/2019/06/apple-watch-forensics-02-analysis/
      • iOS Forensics: HFS+ file system, partitions and relevant evidences

      • https://andreafortuna.org/2020/08/31/ios-forensics-hfs-file-system-partitions-and-relevant-evidences/
      • iOS Forensics: BFU (Before First Unlock) acquisition, using checkra1n

      • https://andreafortuna.org/2020/01/10/ios-forensics-bfu-before-first-unlock-acquisition-using-checkra1n/
      • APPLE WATCH FORENSICS: IS IT EVER POSSIBLE, AND WHAT IS THE PROFIT?

      • https://www.forensicfocus.com/webinars/apple-watch-forensics-is-it-ever-possible-and-what-is-the-profit/
        https://dfrws.org/wp-content/uploads/2019/06/2019_EU_pres-apple_watch_forensics_is_it_ever_possible_and_what_is_the_profit.pdf
      • A journey into IoT Forensics - Episode 5 - Analysis of the Apple HomePod and the Apple Home Kit Environment (aka thanks RN Team!)

      • https://blog.digital-forensics.it/2021/01/a-journey-into-iot-forensics-episode-5.html
      • Cellebrite CTF 2020: Ruth Langmore

      • https://ciofecaforensics.com/2020/11/02/cellebrite-ctf-ruth/
      • iOS Analysis Test No. 18-5551 Summary Report

      • https://cts-forensics.com/reports/38551_Web.pdf
      • iOS Analysis Test No. 19-5551 Summary Report

      • https://cts-forensics.com/reports/19-5551_Web.pdf
      • iOS Analysis Test No. 20-5551 Summary Report

      • https://cts-forensics.com/reports/20-5551_Web.pdf
      • iOS Analysis Test No. 21-5551 Summary Report

      • https://cts-forensics.com/reports/21-5551_Web.pdf
      • iOS Analysis Test No. 22-5551 Summary Report

      • https://cts-forensics.com/reports/22-5551_Web.pdf
      • iOS Sysdiagnose Wi-Fi script

      • https://github.com/cheeky4n6monkey/iOS_sysdiagnose_forensic_scripts/blob/master/sysdiagnose-wifi-plist.py
      • iLEAPP WiFi Plugin

      • https://github.com/abrignoni/iLEAPP/blob/main/scripts/artifacts/appleWifiPlist.py
      • mac_apt WiFi Plugin

      • https://github.com/ydkhatri/mac_apt/blob/master/plugins/ios_wifi.py
      • Practical Mobile Forensics - Fourth Edition

      • https://www.packtpub.com/product/practical-mobile-forensics-fourth-edition/9781838647520
      • iOS Forensics for Investigators

      • https://www.packtpub.com/product/ios-forensics-for-investigators/9781803234083



    • /preferences/SystemConfiguration/com.apple.wifi-private-mac-networks.plist

      • Apple Private Wi-Fi Addresses

      • https://ciofecaforensics.com/2020/10/24/apple-private-addresses/
      • iLEAPP WiFi Plugin

      • https://github.com/abrignoni/iLEAPP/blob/main/scripts/artifacts/appleWifiPlist.py
      • mac_apt WiFi Plugin

      • https://github.com/ydkhatri/mac_apt/blob/master/plugins/ios_wifi.py



    • /preferences/SystemConfiguration/NetworkInterfaces.plist

      • Checkra1n Era - Ep 4 - Analyzing extractions "Before First Unlock"

      • https://blog.digital-forensics.it/2019/12/checkra1n-era-ep-4-analyzing.html
      • iOS Sysdiagnose Network Interfaces script

      • https://github.com/cheeky4n6monkey/iOS_sysdiagnose_forensic_scripts/blob/master/sysdiagnose-networkinterfaces.py
      • Using Apple “Bug Reporting” for forensic purposes

      • https://for585.com/sysdiagnose
      • iOS Analysis Test No. 21-5551 Summary Report

      • https://cts-forensics.com/reports/21-5551_Web.pdf
      • iOS Forensics for Investigators

      • https://www.packtpub.com/product/ios-forensics-for-investigators/9781803234083



    • /preferences/SystemConfiguration/preferences.plist



    "/root/" folder





    • /root/.obliterated

      • Upgrade From NULL—Detecting iOS Wipe Artifacts

      • https://dfir.pubpub.org/pub/6i7d593n/release/1
      • How To Identify When an IPhone or iPad was Factory Reset

      • https://athenaforensics.co.uk/how-to-identify-when-an-iphone-or-ipad-was-factory-reset/
      • iOS Analysis Test No. 20-5551 Summary Report

      • https://cts-forensics.com/reports/20-5551_Web.pdf
      • iOS Analysis Test No. 21-5551 Summary Report

      • https://cts-forensics.com/reports/21-5551_Web.pdf
      • iOS Analysis Test No. 22-5551 Summary Report

      • https://cts-forensics.com/reports/22-5551_Web.pdf
      • Cellebrite CTF 2020: Ruth Langmore

      • https://ciofecaforensics.com/2020/11/02/cellebrite-ctf-ruth/



    • /root/Library/Application Support/com.apple.wifianalyticsd/DeviceAnalyticsModel.sqlite


    • /root/Library/Application Support/com.apple.wifianalyticsd/WiFiNetworkStoreModel.sqlite

      • iLEAPP WifiNetworkStoreModel Plugin

      • https://github.com/abrignoni/iLEAPP/blob/main/scripts/artifacts/wifiNetworkStoreModel.py



    • /root/Library/Caches/com.apple.wifid/ThreeBars.sqlite

      • Checkra1n Era - Ep 4 - Analyzing extractions "Before First Unlock"

      • https://blog.digital-forensics.it/2019/12/checkra1n-era-ep-4-analyzing.html
      • Locations, Locations, Locations

      • https://doubleblak.com/blogPosts.php?id=14
      • Harvested Locations

      • https://www.doubleblak.com/blogPosts.php?id=16



    • /root/Library/Caches/locationd/cache.plist

      • Checkra1n Era - Ep 4 - Analyzing extractions "Before First Unlock"

      • https://blog.digital-forensics.it/2019/12/checkra1n-era-ep-4-analyzing.html
      • Ridin’ With Apple CarPlay

      • https://thebinaryhick.blog/2019/05/08/ridin-with-apple-carplay/



    • /root/Library/Caches/locationd/cache_encryptedA.db

      • New Script – iOS Locations Scraper

      • http://www.mac4n6.com/blog/2016/6/6/new-script-ios-locations-scraper
      • Smartphone Privacy: How Your Smartphone Tracks Your Entire Life

      • https://conference.hitb.org/hitbsecconf2018pek/materials/D2T2%20-%20How%20Your%20Smartphone%20Tracks%20Your%20Entire%20Life%20-%20Vladimir%20Katalov.pdf
      • Getting Started with iOS Forensics

      • https://www.systoolsgroup.com/forensics/sqlite/ios.html
      • APOLLO cache_ecnryptedA/B Modules

      • https://github.com/mac4n6/APOLLO/blob/master/modules/locationd_cacheencryptedAB_cdmacelllocation.txt
        https://github.com/mac4n6/APOLLO/blob/master/modules/locationd_cacheencryptedAB_celllocation.txt
        https://github.com/mac4n6/APOLLO/blob/master/modules/locationd_cacheencryptedAB_celllocationlocal.txt



    • /root/Library/Caches/locationd/cache_encryptedB.db

      • FROM APPLE SEEDS TO APPLE PIE

      • https://objectivebythesea.org/v1/talks/OBTS_v1_Edwards.pdf
      • New Script – iOS Locations Scraper

      • http://www.mac4n6.com/blog/2016/6/6/new-script-ios-locations-scraper
      • Smartphone Privacy: How Your Smartphone Tracks Your Entire Life

      • https://conference.hitb.org/hitbsecconf2018pek/materials/D2T2%20-%20How%20Your%20Smartphone%20Tracks%20Your%20Entire%20Life%20-%20Vladimir%20Katalov.pdf
      • Checkra1n Era - Ep 4 - Analyzing extractions "Before First Unlock"

      • https://blog.digital-forensics.it/2019/12/checkra1n-era-ep-4-analyzing.html
      • Harvested Locations

      • https://www.doubleblak.com/blogPosts.php?id=16
      • APOLLO cache_ecnryptedA/B Modules

      • https://github.com/mac4n6/APOLLO/blob/master/modules/locationd_cacheencryptedAB_cdmacelllocation.txt
        https://github.com/mac4n6/APOLLO/blob/master/modules/locationd_cacheencryptedAB_celllocation.txt
        https://github.com/mac4n6/APOLLO/blob/master/modules/locationd_cacheencryptedAB_celllocationlocal.txt
      • iOS Forensics for Investigators

      • https://www.packtpub.com/product/ios-forensics-for-investigators/9781803234083



    • /root/Library/Caches/locationd/cache_encryptedC.db

      • FROM APPLE SEEDS TO APPLE PIE

      • https://objectivebythesea.org/v1/talks/OBTS_v1_Edwards.pdf
      • SANS 2022 DFIR Summit Queries

      • https://for585.com/dfirsummit22
      • APOLLO cache_ecnryptedC Modules

      • https://github.com/mac4n6/APOLLO/blob/master/modules/locationd_cacheencryptedC_motionstatehistory.txt
        https://github.com/mac4n6/APOLLO/blob/master/modules/locationd_cacheencryptedC_stepcounthistory.txt
        https://github.com/mac4n6/APOLLO/blob/master/modules/locationd_cacheencryptedC_nataliehistory.txt
      • The phone reveals your motion: Digital traces of walking, driving and other movements on iPhones

      • https://www.sciencedirect.com/science/article/abs/pii/S2666281721000780
      • Checkra1n Era - Ep 4 - Analyzing extractions "Before First Unlock"

      • https://blog.digital-forensics.it/2019/12/checkra1n-era-ep-4-analyzing.html
      • iOS Forensics for Investigators

      • https://www.packtpub.com/product/ios-forensics-for-investigators/9781803234083



    • /root/Library/Caches/locationd/clients.plist

      • iOS Location Services and System Services ON or OFF?

      • https://theforensicscooter.com/2021/09/20/ios-location-services-and-system-services-on-or-off/
      • iOS Location Services and System Services are they ON or OFF

      • https://dfir.pubpub.org/pub/4sv4kxyh/release/2
      • Practical Mobile Forensics - Fourth Edition

      • https://www.packtpub.com/product/practical-mobile-forensics-fourth-edition/9781838647520



    • /root/Library/Caches/locationd/consolidated.db

      • iOS GeoFences

      • http://www.doubleblak.com/m/blogPosts.php?id=22
      • BELKASOFT CTF JULY 2022: WRITE-UP

      • https://belkasoft.com/belkactf-jul2022-writeup
      • iOS Forensics for Investigators

      • https://www.packtpub.com/product/ios-forensics-for-investigators/9781803234083



    • /root/Library/Lockdown/data_ark.plist

      • Putting a User Behind an iOS Device

      • https://dfrws.org/wp-content/uploads/2020/06/2020_USA_pres-putting_a_user_behind_an_ios_device.pdf
      • Checkra1n Era - Ep 4 - Analyzing extractions "Before First Unlock"

      • https://blog.digital-forensics.it/2019/12/checkra1n-era-ep-4-analyzing.html
      • Oh no! I have a wiped iPhone, now what?

      • https://blog.digital-forensics.it/2021/05/oh-no-i-have-wiped-iphone-now-what.html
      • KnowledgeC (and Friends)

      • http://www.doubleblak.com/m/blogPosts.php?id=2
      • Magnet Virtual Summit 2020 CTF (iOS)

      • https://www.stark4n6.com/2020/06/magnet-virtual-summit-2020-ctf-ios.html
      • iOS - Tracking Device Migration

      • https://blog.d204n6.com/2021/06/ios-tracking-device-migration.html
      • iOS Analysis Test No. 22-5551 Summary Report

      • https://cts-forensics.com/reports/22-5551_Web.pdf
      • Artifacts of an IOS device

      • https://infosecaddicts.com/artifacts-ios-device/



    • /root/Library/Lockdown/escrow_records/

      • Checkra1n Era - Ep 4 - Analyzing extractions "Before First Unlock"

      • https://blog.digital-forensics.it/2019/12/checkra1n-era-ep-4-analyzing.html
      • Understanding usbmux and the iOS lockdown service

      • https://jon-gabilondo-angulo-7635.medium.com/understanding-usbmux-and-the-ios-lockdown-service-7f2a1dfd07ae
      • Practical Mobile Forensics - Fourth Edition

      • https://www.packtpub.com/product/practical-mobile-forensics-fourth-edition/9781838647520



    • /root/Library/Lockdown/pair_records/

      • Checkra1n Era - Ep 4 - Analyzing extractions "Before First Unlock"

      • https://blog.digital-forensics.it/2019/12/checkra1n-era-ep-4-analyzing.html
      • Understanding usbmux and the iOS lockdown service

      • https://jon-gabilondo-angulo-7635.medium.com/understanding-usbmux-and-the-ios-lockdown-service-7f2a1dfd07ae
      • Practical Mobile Forensics - Fourth Edition

      • https://www.packtpub.com/product/practical-mobile-forensics-fourth-edition/9781838647520



    • /root/Library/Logs/MobileContainerManager

      • Checkra1n Era - Ep 4 - Analyzing extractions "Before First Unlock"

      • https://blog.digital-forensics.it/2019/12/checkra1n-era-ep-4-analyzing.html
      • How To Identify When an IPhone or iPad was Factory Reset

      • https://athenaforensics.co.uk/how-to-identify-when-an-iphone-or-ipad-was-factory-reset/
      • So Long Lockdown!

      • http://www.doubleblak.com/m/blogPosts.php?id=9
      • Upgrade From NULL—Detecting iOS Wipe Artifacts

      • https://dfir.pubpub.org/pub/6i7d593n/release/1
      • Using Apple “Bug Reporting” for forensic purposes

      • https://for585.com/sysdiagnose
      • Apple Watch Forensics 02: Analysis

      • https://blog.elcomsoft.com/2019/06/apple-watch-forensics-02-analysis/
      • Apple TV Forensics 03: Analysis

      • https://blog.elcomsoft.com/2019/09/apple-tv-forensics-03-analysis/
      • iLEAPP Mobile Container Manager Logs Plugin

      • https://github.com/abrignoni/iLEAPP/blob/main/scripts/artifacts/mobileContainerManager.py



    • /root/Library/MobileContainerManager/containers.sqlite3

      • Checkra1n Era - Ep 4 - Analyzing extractions "Before First Unlock"

      • https://blog.digital-forensics.it/2019/12/checkra1n-era-ep-4-analyzing.html
      • iOS Application Groups & Shared data

      • http://www.swiftforensics.com/2021/01/ios-application-groups-shared-data.html



    • /root/Library/Preferences/com.apple.MobileBackup.plist

      • Checkra1n Era - Ep 4 - Analyzing extractions "Before First Unlock"

      • https://blog.digital-forensics.it/2019/12/checkra1n-era-ep-4-analyzing.html
      • Using Apple “Bug Reporting” for forensic purposes

      • https://for585.com/sysdiagnose
      • Sysdiagnose in iOS 16: a first look from a Digital Forensics perspective

      • https://blog.digital-forensics.it/2022/11/sysdiagnose-in-ios-16-first-look-from.html
      • iOS Sysdiagnose Mobile Backup script

      • https://github.com/cheeky4n6monkey/iOS_sysdiagnose_forensic_scripts/blob/master/sysdiagnose-mobilebackup.py
      • Local Photo Library Photos.sqlite Query Documentation & Notable Artifacts

      • https://theforensicscooter.com/2022/05/02/photos-sqlite-query-documentation-notable-artifacts/
      • Practical Mobile Forensics - Fourth Edition

      • https://www.packtpub.com/product/practical-mobile-forensics-fourth-edition/9781838647520



    • /root/Library/Preferences/com.apple.preferences.network.plist

      • Artifacts of an IOS device

      • https://infosecaddicts.com/artifacts-ios-device/
      • Wireless Network Preferences – iOS

      • https://bitsplease4n6.wordpress.com/2020/12/17/wireless-network-preferences-ios/




    "/wireless/" folder





    • /wireless/Library/Databases/CellularUsage.db

      • Checkra1n Era - Ep 4 - Analyzing extractions "Before First Unlock"

      • https://blog.digital-forensics.it/2019/12/checkra1n-era-ep-4-analyzing.html
      • A Few Interesting iOS Forensic Artefacts

      • https://salt4n6.com/2018/05/15/a-few-interesting-ios-forensic-artefacts/
      • iOS Forensics: BFU (Before First Unlock) acquisition, using checkra1n

      • https://andreafortuna.org/2020/01/10/ios-forensics-bfu-before-first-unlock-acquisition-using-checkra1n/
      • Cellebrite CTF 2021 - Marsha's Backup

      • https://www.stark4n6.com/2021/10/cellebrite-ctf-2021-marshas-backup.html
      • iOS Analysis Test No. 20-5551 Summary Report

      • https://cts-forensics.com/reports/20-5551_Web.pdf
      • Practical Mobile Forensics - Fourth Edition

      • https://www.packtpub.com/product/practical-mobile-forensics-fourth-edition/9781838647520



    • /wireless/Library/Databases/DataUsage.sqlite

      • Network and Application Usage using netusage.sqlite & DataUsage.sqlite iOS Databases

      • http://www.mac4n6.com/blog/2019/1/6/network-and-application-usage-using-netusagesqlite-amp-datausagesqlite-ios-databases
      • FROM APPLE SEEDS TO APPLE PIE

      • https://objectivebythesea.org/v1/talks/OBTS_v1_Edwards.pdf
      • iOS - Tracking Traces of Deleted Applications

      • https://blog.d204n6.com/2019/09/ios-tracking-traces-of-deleted.html
      • Tracking Traces of Deleted Applications - SANS DFIR Summit 2019

      • https://www.youtube.com/watch?v=4LcQm4ErXpA
      • iOS Analysis Test No. 20-5551 Summary Report

      • https://cts-forensics.com/reports/20-5551_Web.pdf
      • Checkra1n Era - Ep 4 - Analyzing extractions "Before First Unlock"

      • https://blog.digital-forensics.it/2019/12/checkra1n-era-ep-4-analyzing.html
      • iOS Forensics: BFU (Before First Unlock) acquisition, using checkra1n

      • https://andreafortuna.org/2020/01/10/ios-forensics-bfu-before-first-unlock-acquisition-using-checkra1n/
      • iOS Forensics: HFS+ file system, partitions and relevant evidences

      • https://andreafortuna.org/2020/08/31/ios-forensics-hfs-file-system-partitions-and-relevant-evidences/
      • APOLLO DataUsage Modules

      • https://github.com/mac4n6/APOLLO/blob/master/modules/datausage_zprocess.txt
        https://github.com/mac4n6/APOLLO/blob/master/modules/datausage_zliveusage.txt
      • iLEAPP DataUsage Plugin

      • https://github.com/abrignoni/iLEAPP/blob/main/scripts/artifacts/netusage.py
      • iOS Forensics for Investigators

      • https://www.packtpub.com/product/ios-forensics-for-investigators/9781803234083



    • /wireless/Library/preferences/com.apple.commcenter.callservices.plist


    • /wireless/Library/Preferences/com.apple.commcenter.counts.plist

      • Checkra1n Era - Ep 4 - Analyzing extractions "Before First Unlock"

      • https://blog.digital-forensics.it/2019/12/checkra1n-era-ep-4-analyzing.html



    • /wireless/Library/Preferences/com.apple.commcenter.data.plist

      • Mo’ SIMs, Mo’ Problems. Examining Phones with Dual SIMs.

      • https://thebinaryhick.blog/2022/12/06/mo-sims-mo-problems-examining-phones-with-dual-sims/
      • iLEAPP SimInfo Plugin

      • https://github.com/abrignoni/iLEAPP/blob/main/scripts/artifacts/simInfo.py



    • /wireless/Library/Preferences/com.apple.commcenter.device_specific_nobackup.plist

      • Checkra1n Era - Ep 4 - Analyzing extractions "Before First Unlock"

      • https://blog.digital-forensics.it/2019/12/checkra1n-era-ep-4-analyzing.html



    • /wireless/Library/Preferences/com.apple.commcenter.plist

      • Checkra1n Era - Ep 4 - Analyzing extractions "Before First Unlock"

      • https://blog.digital-forensics.it/2019/12/checkra1n-era-ep-4-analyzing.html
      • iOS Forensics: HFS+ file system, partitions and relevant evidences

      • https://andreafortuna.org/2020/08/31/ios-forensics-hfs-file-system-partitions-and-relevant-evidences/
      • iOS Forensics: BFU (Before First Unlock) acquisition, using checkra1n

      • https://andreafortuna.org/2020/01/10/ios-forensics-bfu-before-first-unlock-acquisition-using-checkra1n/
      • Artifacts of an IOS device

      • https://infosecaddicts.com/artifacts-ios-device/
      • iOS Analysis Test No. 18-5551 Summary Report

      • https://cts-forensics.com/reports/38551_Web.pdf
      • iOS Analysis Test No. 21-5551 Summary Report

      • https://cts-forensics.com/reports/21-5551_Web.pdf
      • iOS Analysis Test No. 22-5551 Summary Report

      • https://cts-forensics.com/reports/22-5551_Web.pdf
      • Practical Mobile Forensics - Fourth Edition

      • https://www.packtpub.com/product/practical-mobile-forensics-fourth-edition/9781838647520
      • iOS Forensics for Investigators

      • https://www.packtpub.com/product/ios-forensics-for-investigators/9781803234083