iOS Forensics Cheatsheet

Terms

Very loose “translation” of names which can be found in iOS ecosystem

ubiquity = icloud
sharingd = AirDrop / continuity
Nano = Apple Watch

Data Acquisition

sysdiagnose
Full Filesystem (root required)
Backups
- Encrypted have much more data!
- Mac: ~/Library/Application Support/MobileSync/Backup/
- Windows Vista+: \Users\<user>\AppData\Roaming\Apple Computer\MobileSync\Backup\

Artifacts

Table(s) with paths to specific artefacts on iOS backup (likely encrypted) / iOS rooted

Artifact	iOS Backup	iOS (FFS)
Version & Serial Number	❔	`/System/Library/CoreServices/System Version.plist`
Device UUID	❔	`/private/var/Library/Safari/SyncedTabsMetadata.plist`
Installation date	❌	`/[private/var]/mobile/Library/Preferences/com.apple.purplebuddy.plist`
Cellural Info	`/wireless/Library/Preferences/com.apple.commcenter.data.plist`	`/private/var/wireless/Library/Preferences/com.apple.commcenter.data.plist`
iOS - Auto-Wipe Enabled (after failed pin)	❌	`[/private/var]/mobile/Library/Preferences/com.apple.springboard.plist`
Network Interfaces & System Model	❌	`/private/var/preferences/SystemConfiguration/NetworkInterfaces.plist`
Network Information (IP)	`/preferences/SystemConfiguration/preferences.plist`	`/private/var/preferences/SystemConfiguration/preferences.plist`
DHCP	`/db/dhcpclient/leases/`	`/private/var/db/dhcpclient/leases`
Known WiFi	❌	`[/private/var/]preferences/SystemConfiguration/com.apple.wifi.plist`
Configuration profiles	❌	`/private/var/mobile/Library/ConfigurationProfiles/`, `/private/var/containers/Shared/SystemGroup/systemgroup.com.apple.configurationprofiles`
Enterprise Provisioning Profiles	❌	`/private/var/MobileDevice/ProvisioningProfiles/`
FileSystem Events	❌	`<VOLUME ROOT>/.fseventsd`
Keychains	`/Keychains: keychain-backup.plist`	`/private/var/Keychains/keychain-2.db`
LaunchAgent (User)	❌	`/Library/LaunchAgents/`
LaunchDaemons (System)	❌	`/System/Library/LaunchDaemons`, `System/Library/NanoLaunchDaemons`, `Library/LaunchDaemons` (jailbroken with Cydia)
Keyboard - Dictionary - Spelling aka Passwords!	`/KeyboardDomain/Library/Keyboard`, `/mobile/Library/Keyboard`	`/private/var/mobile/Library/Keyboard/`
Finder / SpringBoard `Today View Archive. plist`, `IconState.plist`, `<GUID>-CarDisplayIconState.plist`	`/mobile/Library/SpringBoard/`	`/private/var/mobile/Library/SpringBoard/`
Notifications	`/mobile/Library/UserNotifications/`	`/private/var/mobile/Library/UserNotifications/`
Bluetooth Devices	❌	`com.apple.MobileBluetooth.devices.plist` , `com.apple.MobileBluetooth.ledevices.other.db`, `com.apple.MobileBluetooth.ledevices.paired.db`
Installation Log	❌	iOS 6: `/mobile/Library/Logs/MobileInstallation/` iOS 7–9: `/private/var/mobile/Library/Logs/MobileInstallation/` iOS 10+: `/private/var/installd/Library/Logs/MobileInstallation/` `/private/var/mobile/Library/FrontBoard/applicationState.db`
Unified Logs		Logs: `/var/db/diagnostics/`, Ref Data: `/var/db/uuidtext/`
Application Preferences	`/mobile/Applications/<bundle_id>/`, `/mobile/Library/Preferences`, `/mobile/Library/`	`/private/var/mobile/Containers/.../<bundle_id>/Preferences`, `/private/var/mobile/Preferences`, `/private/var/mobile/Library/`
Application Caches	❌	`/private/var/mobile/Containers/.../<bundle_id>/Library/Caches/`, `/private/var/mobile/Library/Cache/<bundle_id>`
App Shared Directories	❔	Normal App data: `/Data/Application/` Shared App data: `/Shared/AppGroup/`
Application Snaphosts (thumbs when app is backgrounded)	❌	`<app_dir>/Library/Caches/Snapshots/<bundle_id>/`
TCC (Transparency, Control Control) - permissions	`/mobile/Library/TCC/TCC.db`	`/private/var/mobile/Library/TCC/TCC.db`
Apps using Location Services	`/root/Library/Caches/locationd/clients.plist`	`/private/var/root/Library/Caches/locationd/clients.plist`
MRU - Recent Apps	❔(springboard?) `/mobile/Library/Recents/com.apple.corerecents.recentsd`	`com.apple.springboard.plist` `/private/var/mobile/Library/Recents/com.apple.corerecents.recentsd`
Internet Accounts	❌	`[/private/var]/mobile/Library/Accounts/Accounts{3,4}.sqlite`
App - Safari `History.db` `LastSession.plist` `BrowserState.db`	`/mobile/Library/Safari/`	`/private/var/mobile/Library/Safari/`, `/private/var/mobile/Containers/Data/Application/<GUID>/`
App - Safari (FFS only)	❌	`/private/var/mobile/Containers/Data/Application/<GUID>/Library/Caches/`, `/private/var/mobile/Containers/Data/Application/<GUID>/Library/Safari/Thumbnails/`, `/private/var/mobile/Library/Safari/CloudTabs.db` (synced tabs), `/private/var/mobile/Containers/Data/Application/<GUID>/Library/Caches/WebKit/` (website visit, cached items list), `com.apple.Safari.plist` (config & recent searches), `RecentlyClosedTabs.plist`, `Downloads.plist`
App - Mail `Envelope Index` (db)	`/mobile/Library/Mail/`	`/private/var/mobile/Library/Mail/`, `/private/var/mobile/Containers/Data/Application/<GUID>/`
App - Messages	`/mobile/Library/SMS/sms.db`	`/private/var/mobile/Library/SMS/sms.db`
App - Call History (`CallHistory.storedata`)	`/mobile/Library/CallHistoryDB/`	`/private/var/mobile/Library/CallHistoryDB/`
App - Voice Mail (voicemail.db, AMR, *.transcript files)	`/mobile/Library/Voicemail/`	`/private/var/mobile/Library/Voicemail/`
App - Calendar	`/mobile/Library/Calendar/`	`/private/var/mobile/Library/Calendar/`
App - Reminders (`Data-<GUID>.sqlite`)	`/mobile/Library/Reminders`	`/private/var/mobile/Library/Reminders/`
App - Address Book aka Contacts (`AddressBook-v22.abcddb`)	`/mobile/Library/AddressBook`	`[/private/var/]mobile/Library/AddressBook/`
App - Notes¹ (`NoteStore.sqlite`, `Media/`, `Preview/`)	`/mobile/Applications/com.apple.notes` `/mobile/Applications/Notes` (Legacy)	`/private/var/mobile/Containers/Shared/AppGroup/<GUID>` `/private/var/mobile/Library/Notes` (Legacy)
App - Wallet (Cards, Transactions, Peer Payments)	❌	`/private/var/mobile/Library/Passes`, `/private/var/mobile/Library/Mobile Documents/com~apple~shoebox/UbiquitosCards` (iCloud) `passes23.sqlite`
App - Photos (`Photos.sql`, photos - xattrs)	❔	`[/private/var/]mobile/Media/PhotoData`, `[private/var/]mobile/Media/`
App - Maps	`/mobile/Applications/com.apple.Maps/` (may not contain all files)	`/private/var/mobile/Containers/Data/Application/<GUID>/Maps`
App - ScreenTime	❌	`/private/var/mobile/Library/Application Support/com.apple.remotemanagementd`
AppleWatch	❌	`/mobile/Library/DeviceRegistry/`
Application Usage Media Playing Device Status (lock, powered) (more)²	❌	`/private/var/mobile/Library/CoreDuet/Knowledge/knowledgeC.db`²
Application Usage Volume and Battery Level Call Status & Camera State (`CurrentPowerlog.PLSQL`) - issues with timestamps	Sysdiagnose	`/private/var/containers/Shared/SystemGroup/<GUID>/Library/BatteryLife/` (+`Archives/`)
Health	❌	`/private/var/mobile/Library/Health/healthdb_secure.sqlite`
Device Status - Lock	❌	`/private/var/mobile/Library/AggregateDictionary/ADDataStore.sqlitedb`
Location (significant locations)	❌	`/private/var/mobile/Library/Caches/com.apple.routined/`
Location (WiFi)	❌	`/private/var/root/library/caches/locationd/{cache_encrypted.db,lockCache_encrypted.db}`
Apple Document Versions/Revisions/History	❌	`/private/var/.DocumentRevisions-V100/`
iCloud Synced Preferences (`SyncedPreferences` dirs)	❌	`/private/var/mobile/Library/SyncedPreferences/` `/private/var/mobile/Containers`
iCloud - WiFi	❌	`com.apple.wifid.plist` (connected), `com.apple.airport.plist` (available ❔)
iCloud - Synced Documents	❌	`Mobile Documents/`

Uniqied Logs Queries

# show all alogs
log show --info
# Network usage
log show --info --predicate 'senderImagePath contains[cd] "IPConfiguration" and (eventMessage contains[cd] "SSID" or 6d861c1c51aeae2854076da982bf4829 eventMessage contains[cd] "Lease" or eventMessage contains[cd] "network changed")'

https://developer.apple.com/documentation/os/logging

SQL Queries

Tooling tips

Timestamps

Timestamps starting from 1 are likely to be UNIX Epoch timestamps, others (example 5) - Mac Epoch

Epoch Converter
eopchalypyse.py

Plists

plutil, plistutil, xcode
Plain text: 3C3F 786D 6C - <?xml
Binary: 6270 6c69 7374 3030 - bplist00

xattrs

# list all
xattr -lx <file>

# dump hex plist embedded in xattr
xattr -px com.apple.metadata:kMDItemDownloadedDate LiberiOS11.0.3.ipa | xxd -r -px | plutil -p -

sysdiagnose dump analyser

GitHub - cheeky4n6monkey/iOS_sysdiagnose_forensic_scripts

Mac_apt / iOS_apt (filesystem analyser)

GitHub - ydkhatri/mac_apt: macOS (& ios) Artifact Parsing Tool

keychains

Import to system keychain (visible under custom keychains) or security command
iOS requires decryption³:

python keychain_tool.py -d keychain-backup.plist Manifest.plist

apple system log

log or syslog

fsmon

monitor filesystem events

References

https://www.ciofecaforensics.com/2020/01/10/apple-notes-revisited/ Apple Notes ↩︎
https://github.com/mac4n6/APOLLO Apollo Project ↩︎ ↩︎
https://dpron.com/recovering-google-authenticator-keys-from-ios-backups/ Steps 1-3 ↩︎

Terms#

Data Acquisition#

Artifacts#

Uniqied Logs Queries#

SQL Queries#

Tooling tips#

Timestamps#

Plists#

xattrs#

sysdiagnose dump analyser#

Mac_apt / iOS_apt (filesystem analyser)#

keychains#

apple system log#

fsmon#

References#

Terms

Data Acquisition

Artifacts

Uniqied Logs Queries

SQL Queries

Tooling tips

Timestamps

Plists

xattrs

sysdiagnose dump analyser

Mac_apt / iOS_apt (filesystem analyser)

keychains

apple system log

fsmon

References