GeoHistory.mapsdata – the primary storage file for Maps from iOS 8 – iOS 11(ish).

mapsdata – was the primary storage file for Maps until iOS 8.

Let’s take a historical look at Apple Maps. However, as a researcher, I must test all things. I have spent countless hours trying to find locations and you know what’s sad – I don’t even like Apple Maps. If you aren’t sure what I am referring to, please read my previous blogs on Apple Maps.

var/mobile/Containers/Shared/AppGroup//Maps/MapsSync_0.0.1_deviceLocalCache.db

Apple Maps is the biggest change and, to be honest, I thought I lost them again.

Maps: var/mobile/Containers/Shared/AppGroup//Maps/MapsSync_0.0.1

Notes: var/mobile/Containers/Shared/AppGroup//NoteStore.sqlite – parsed by commercial tools

And thanks to Scott Koenig for this query to parse it all. Thanks to Jared Barnhart for finding this first. The table ZGENERICASSET that we have relied upon for so long is now ZASSET. My colleagues and I are going to dive into the harder artifacts (KnowledgeC, locations, Health, etc.) and will do a separate blog on that.

Contacts: var/mobile/Library/AddressBook/AddressBook.sqlitedb – parsed by commercial tools

Calls: var/mobile/Library/CallHistoryDB/CallHistory.storedata – parsed by commercial tools

These are the key items that everyone should examine for most cases, so I tend to start there. Bottom line: do not trust what iTunes states regarding backups on the summary screen because the truth lies within the iOS device.

For this test, I created new Contacts, placed Calls (both FaceTime and regular), texted (used the new “reply to a message” feature), took photos, searched for directions (and even had to do extra drives to really test Maps), created a note, and browsed using Safari. It makes sense if you think about it, but I know that the device stores this information, so I was surprised to see iTunes simply relying on the backup directory for this information.
Keep in mind, I did about 10 backups of this device because I kept adding data and then pulling it.

iTunes view after backup was moved from the MobileSync directory

The issue I found when backing up to a Mac and saving the encryption passcode to the keychain is that the ist does not show the encryption flag and the tools do not request the passcode for parsing.

- Backup on a Mac using Finder – Encryption set but DID NOT save the password to the keychain.
- Backup on a Mac using Finder – No encryption set.
- Backup on a Mac using Finder – Encrypted.

The ones in bold were the best acquisition. Since iOS13, best practices are to encrypt your backups! If you do not, you will not get all the databases needed for basic examinations.

For this blog, I acquired many ways to compare the differences. There are some strange things I noted and those will be shared. If you DO NOT encrypt the backup, you will NOT extract Calls, Apple Maps (some databases extracted but are empty), Safari, Health and probably a lot more!

Apple didn’t go off the beaten path too much for the primary artifacts. I know that vendors are releasing updates to support iOS14 shortly, so be patient. At this point in time, an encrypted iTunes backup seemed to be the most stable option. If you are a vendor and think something is missing – share it with me and I will try it for myself. If you think something is missing – share it. For this blog, I tested the tools that I have available to me personally. To keep with my previous trends, I focus on basic artifacts that impact almost every investigation and then dive in and take a bite from the apple. This blog is a cursory glance of iOS14, which was officially released this week.