Hidden gems in Apple iOS digital forensics
Apple iOS devices hold a large number of artifacts, produced both by apps and by the system itself. Most of them are stored in SQLite databases or Apple Property List (PList) files, and the data you are looking for is sometimes nested several layers down, for example a serialized PList stored in a database column.
When an app is uninstalled, the data it kept for itself is normally gone for good: apps store their data inside their own sandbox container, and that container is removed together with the app. What survives is whatever traces of the app's activity the system wrote elsewhere.
Data is also lost when the user deletes it within the app. If it was stored in an SQLite database there is a chance of recovery, since deleted records often linger in the free space of database pages, in freelist pages or in the write-ahead log (WAL) until the space is reused or the database is vacuumed, provided that your tools, such as XRY, support locating deleted data.
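The following is an added example, not code from the original post or from MSAB, showing why deleted SQLite records are often recoverable. It creates a small constructed database with a stand-in "messages" table, deletes a row, and then searches the raw file bytes for that row's text. The table name and message texts are made up for the demonstration. It also shows the two mechanisms that destroy the remnant, PRAGMA secure_delete and VACUUM, which is the caveat to remember when a database comes back clean.

```python
import os
import sqlite3
import tempfile

# Constructed sample rows; "messages" is a stand-in for any app database table.
LIVE_TEXT = "Keep this message"
MARKERS = {
    "none": "DELETED-MESSAGE-MARKER-7731",
    "secure_delete": "SECURE-MESSAGE-MARKER-9922",
    "vacuum": "VACUUM-MESSAGE-MARKER-4410",
}


def deleted_text_survives(cleanup: str = "none") -> bool:
    """Create a database, delete one row and report whether that row's text
    is still present in the raw file bytes.

    cleanup: "none"          - plain DELETE (secure_delete forced OFF)
             "secure_delete" - PRAGMA secure_delete = ON before the DELETE
             "vacuum"        - plain DELETE followed by VACUUM
    """
    marker = MARKERS[cleanup]
    fd, path = tempfile.mkstemp(suffix=".db")
    os.close(fd)
    try:
        con = sqlite3.connect(path)
        # Rollback journal (the default): committed pages go straight into the main file
        # and the -journal file is deleted, so the main file is the only place to look.
        con.execute("PRAGMA journal_mode = DELETE")
        # Some builds (e.g. Apple's system SQLite) default secure_delete to ON, so set it explicitly.
        con.execute("PRAGMA secure_delete = %s" % ("ON" if cleanup == "secure_delete" else "OFF"))
        con.execute("CREATE TABLE messages (id INTEGER PRIMARY KEY, text TEXT)")
        con.executemany("INSERT INTO messages (text) VALUES (?)", [(LIVE_TEXT,), (marker,)])
        con.commit()

        con.execute("DELETE FROM messages WHERE text = ?", (marker,))
        con.commit()
        if cleanup == "vacuum":
            # VACUUM rebuilds every page from the live rows only, discarding freed cell bytes.
            con.execute("VACUUM")

        # The row is gone as far as SQL is concerned ...
        (live_rows,) = con.execute("SELECT COUNT(*) FROM messages").fetchone()
        if live_rows != 1:
            raise RuntimeError("unexpected row count %d" % live_rows)
        con.close()

        # ... but with a plain DELETE the cell is only marked free inside its page; SQLite
        # overwrites just the first few bytes with a freeblock header and leaves the rest.
        with open(path, "rb") as f:
            raw = f.read()
        return marker.encode() in raw
    finally:
        os.remove(path)


if __name__ == "__main__":
    for mode in MARKERS:
        print("%-14s deleted text still in file: %s" % (mode, deleted_text_survives(mode)))
```

The default case is what a carving tool such as XRY exploits; the secure_delete and VACUUM cases are why some databases on a device yield nothing even though the user deleted records. Apps that enable secure_delete or run periodic VACUUM leave no remnants in the database itself, which is exactly when the system-side stores described below become valuable.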
There are some places of special interest in the file system, that are easily overlooked, where you may find data that has been deleted from within the apps. By carefully examining these hidden gems, you may be able to locate invaluable information that is no longer obtainable from the data stored by the apps.
XRY supports decoding data from each of the gems covered below, and XAMN lets you review and analyze the decoded data efficiently, surfacing details that might otherwise slip past unnoticed.
Hidden Gem: The Recents database
Location:
- “/private/var/mobile/Library/Recents/Recents”
This SQLite database contains basic information about recent app activity. Unfortunately, it is limited to activity in Apple's own apps, such as Phone, Messages and Calendar. The information is interesting but sparse: it records no direction (incoming or outgoing) and no content details (such as the message text for Messages). It does, however, record a timestamp for every interaction.
This data is available via an iTunes backup extraction.
Hidden Gem: The interactionC database
Location:
- “/private/var/mobile/Library/CoreDuet/People/interactionC.db”
This SQLite database contains basic information about recent app activity. The information is of interest but still limited since it contains no specific details. It does, however, contain more information than the Recents database and is not limited to Apple apps.
This data is available via an iTunes backup extraction.
To learn more about decoding data from iTunes backups, check out our blog post.
Hidden Gem: The knowledgeC database
Location:
- “/private/var/mobile/Library/CoreDuet/Knowledge/knowledgeC.db”
This SQLite database contains detailed information about both app and system activity, collected from a variety of sources, which makes it of great interest. Much of the detail is stored inside a PList and/or a Protocol Buffers (protobuf) message, sometimes nested in several layers (for example a protobuf inside a PList inside a database column), which you must decode layer by layer to reach the information you want. Timestamps are stored as seconds since 2001-01-01 UTC (Apple's Cocoa epoch), not as Unix time.
This data is only available via a full file system extraction.
Hidden Gem: The Biome data files
Location:
- “/private/var/mobile/Library/Biome/streams/{type}/{name}/local/{fileName}”
- “/private/var/mobile/Library/Biome/streams/{type}/{name}/remote/{remoteId}/{fileName}”
- “/private/var/db/biome/streams/{type}/{name}/local/{fileName}”
- “/private/var/db/biome/streams/{type}/{name}/remote/{remoteId}/{fileName}”
The files in these locations use the Biome binary file format, which was introduced in iOS 15 and is unchanged in iOS 16. The format was changed again in iOS 17.
The Biome data files were most likely created as a more efficient and more secure successor to the knowledgeC database. Their purpose appears to be the same: to store large amounts of measurement and activity data about how apps and the system itself behave.
The data stored in the Biome files is very similar to that of the knowledgeC database: highly detailed, and covering system activity as well as apps. As with knowledgeC, the details are often stored inside a PList and/or a protobuf message, sometimes nested in layers, and you must decode each layer to locate the wanted information.
This data is only available via a full file system extraction.
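Both the knowledgeC and the Biome sections describe the same decoding problem: a binary PList whose data values hold protobuf messages, which in turn may hold nested messages, and timestamps counted from Apple's 2001 epoch. The example below is added here and is not code from the original post or from MSAB; it peels such layers generically, decoding protobuf without a schema in the same way protoc --decode_raw does. The sample blob it works on is constructed inline (the bundle identifier com.example.app and the field numbering are hypothetical, not the real knowledgeC or Biome layout).

```python
import plistlib
import struct
from datetime import datetime, timedelta, timezone

# Apple's Cocoa / Core Data epoch; knowledgeC and Biome timestamps count seconds from here.
MAC_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)


def mac_absolute_to_datetime(seconds: float) -> datetime:
    return MAC_EPOCH + timedelta(seconds=seconds)


def _read_varint(buf: bytes, pos: int):
    """Base-128 varint (protobuf tags and wire type 0). Returns (value, new_pos)."""
    result = shift = 0
    while True:
        byte = buf[pos]
        pos += 1
        result |= (byte & 0x7F) << shift
        if not byte & 0x80:
            return result, pos
        shift += 7
        if shift > 63:
            raise ValueError("varint too long")


def decode_protobuf(buf: bytes) -> list:
    """Schema-less decode: [(field_number, wire_type, value), ...].
    Length-delimited values are handed back to peel() so nested layers unfold."""
    fields, pos = [], 0
    while pos < len(buf):
        tag, pos = _read_varint(buf, pos)
        field, wire_type = tag >> 3, tag & 7
        if field == 0:
            raise ValueError("invalid field number 0")
        if wire_type == 0:
            value, pos = _read_varint(buf, pos)
        elif wire_type == 1:  # fixed64 may be an integer or a double: report both readings
            (u64,) = struct.unpack_from("<Q", buf, pos)
            (dbl,) = struct.unpack_from("<d", buf, pos)
            value, pos = {"u64": u64, "double": dbl}, pos + 8
        elif wire_type == 2:
            length, pos = _read_varint(buf, pos)
            if pos + length > len(buf):
                raise ValueError("length-delimited field runs past end of buffer")
            value, pos = peel(buf[pos:pos + length]), pos + length
        elif wire_type == 5:
            (value,) = struct.unpack_from("<I", buf, pos)
            pos += 4
        else:
            raise ValueError("unsupported wire type %d" % wire_type)
        fields.append((field, wire_type, value))
    return fields


def peel(blob: bytes):
    """PList -> recurse into its values; printable UTF-8 -> str; else try protobuf; else raw bytes."""
    if blob[:8] == b"bplist00" or blob.lstrip()[:5] == b"<?xml":
        return {"plist": _peel_plist(plistlib.loads(blob))}
    try:
        text = blob.decode("utf-8")
        if text and text.isprintable():
            return text
    except UnicodeDecodeError:
        pass
    try:
        return {"protobuf": decode_protobuf(blob)}
    except (ValueError, IndexError, struct.error):
        return blob


def _peel_plist(obj):
    if isinstance(obj, dict):
        return {k: _peel_plist(v) for k, v in obj.items()}
    if isinstance(obj, list):
        return [_peel_plist(v) for v in obj]
    if isinstance(obj, bytes):
        return peel(obj)
    return obj


# ---- constructed sample blob: PList -> protobuf -> nested protobuf (hypothetical layout) ----
def _varint(n: int) -> bytes:
    out = bytearray()
    while True:
        out.append((n & 0x7F) | (0x80 if n > 0x7F else 0))
        n >>= 7
        if not n:
            return bytes(out)


def _field(number: int, wire_type: int, payload: bytes) -> bytes:
    return _varint((number << 3) | wire_type) + payload


SAMPLE_BUNDLE_ID = "com.example.app"   # hypothetical
SAMPLE_START = 700000000.0             # seconds since 2001-01-01 UTC
_inner = _field(1, 0, _varint(7))
_outer = (_field(1, 0, _varint(3))
          + _field(2, 2, _varint(len(SAMPLE_BUNDLE_ID)) + SAMPLE_BUNDLE_ID.encode())
          + _field(3, 1, struct.pack("<d", SAMPLE_START))
          + _field(4, 2, _varint(len(_inner)) + _inner))
SAMPLE_BLOB = plistlib.dumps({"stream": "constructed", "payload": _outer}, fmt=plistlib.FMT_BINARY)

if __name__ == "__main__":
    import pprint
    pprint.pprint(peel(SAMPLE_BLOB))
    print(mac_absolute_to_datetime(SAMPLE_START).isoformat())
```

Without the .proto schema, field names are unknown and a fixed64 field is ambiguous, so the decoder reports both the integer and the double reading; which one is meaningful has to be judged from the value (a plausible Mac absolute time as a double, for example). Treat the output as a map for locating the interesting field, then confirm the interpretation against a record whose meaning you already know.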
Hidden Gem: File system events
Location:
- “/private/var/.fseventsd/”
The file system events folder contains binary log files. Each file is made up of several gzip-compressed buffers concatenated back to back (typically three or four), and each buffer decompresses to a page of file system event records that can be decoded.
Each record tells you what happened to a file or folder: it holds the path, an event ID and a set of flags naming the event types, which include created, cloned, modified, renamed and removed. Note that records in the DLS1 and DLS2 page formats carry no timestamp of their own; the time of an event is bounded by the period covered by the log file that holds it, so timing is approximate.
The most interesting part is not only establishing when a file was last changed but also finding out whether files have been removed, and roughly when. Evidence of removed files in certain areas, such as the media folder holding photos and videos (/private/var/mobile/Media), is of particular interest.
This data is only available via a full file system extraction.
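As an added example (not code from the original post or from MSAB), the parser below handles the two steps the section describes: splitting the concatenated gzip members of a log file and decoding the pages inside. The page and record layout follows the DLS1/DLS2 format as documented by public fseventsd parsers (12-byte page header, NUL-terminated path, uint64 event ID, uint32 flags, plus a uint64 node ID in DLS2); the flag bit values and the assumption that paths are stored relative to the volume root without a leading slash are taken from those parsers and should be verified against your own reference data. The sample log is constructed inline and is not a real device log.

```python
import gzip
import struct
import zlib

# Event flag bits as documented by public fseventsd parsers (assumption: verify on your own data).
FLAG_NAMES = {
    0x00000001: "FolderEvent",
    0x00000020: "EndOfTransaction",
    0x00008000: "FileEvent",
    0x00400000: "ItemCloned",
    0x01000000: "Created",
    0x02000000: "Removed",
    0x08000000: "Renamed",
    0x10000000: "Modified",
}


def split_gzip_members(data: bytes) -> list:
    """Decompress each concatenated gzip member on its own; one output buffer per member."""
    buffers = []
    while data:
        d = zlib.decompressobj(16 + zlib.MAX_WBITS)  # 16+ selects the gzip wrapper
        buffers.append(d.decompress(data))
        if not d.eof:
            raise ValueError("truncated gzip member")
        data = d.unused_data  # whatever follows the end of this member
    return buffers


def parse_fsevents_pages(buf: bytes) -> list:
    """Walk DLS1/DLS2 pages: magic, 4 unknown bytes, uint32 page length (header included),
    then records of NUL-terminated path, uint64 event ID, uint32 flags [, uint64 node ID]."""
    records, pos = [], 0
    while pos < len(buf):
        magic = buf[pos:pos + 4]
        if magic not in (b"1SLD", b"2SLD"):
            raise ValueError("unexpected page magic %r at offset %d" % (magic, pos))
        version = 2 if magic == b"2SLD" else 1
        (page_len,) = struct.unpack_from("<I", buf, pos + 8)
        end, p = pos + page_len, pos + 12
        if page_len < 12 or end > len(buf):
            raise ValueError("bad page length %d at offset %d" % (page_len, pos))
        while p < end:
            nul = buf.index(b"\x00", p, end)
            path = buf[p:nul].decode("utf-8", "replace")
            p = nul + 1
            event_id, flags = struct.unpack_from("<QI", buf, p)
            p += 12
            node_id = None
            if version == 2:
                (node_id,) = struct.unpack_from("<Q", buf, p)
                p += 8
            records.append({
                "path": path, "event_id": event_id, "flags": flags, "node_id": node_id,
                "types": [name for bit, name in FLAG_NAMES.items() if flags & bit],
            })
        pos = end
    return records


def parse_fsevents_file(data: bytes) -> list:
    records = []
    for buf in split_gzip_members(data):
        records.extend(parse_fsevents_pages(buf))
    return records


def removed_under(records: list, prefix: str) -> list:
    """Records flagged Removed whose path starts with prefix (e.g. the DCIM photo folder)."""
    return [r for r in records if "Removed" in r["types"] and r["path"].startswith(prefix)]


# ---- constructed sample: two DLS2 pages, each in its own gzip member (not a real log) ----
def _record(path: str, event_id: int, flags: int, node_id: int) -> bytes:
    return path.encode() + b"\x00" + struct.pack("<QIQ", event_id, flags, node_id)


def _page(records: bytes) -> bytes:
    return b"2SLD" + b"\x00\x00\x00\x00" + struct.pack("<I", 12 + len(records)) + records


_PHOTO = "private/var/mobile/Media/DCIM/100APPLE/IMG_0001.HEIC"   # no leading slash (assumption)
_page1 = _page(_record(_PHOTO, 0x1001, 0x01008000, 5001)           # Created | FileEvent
               + _record(_PHOTO, 0x1002, 0x10008000, 5001))         # Modified | FileEvent
_page2 = _page(_record(_PHOTO, 0x1003, 0x02008000, 5001)           # Removed | FileEvent
               + _record("private/var/mobile/Library/Caches/tmp.dat", 0x1004, 0x02008020, 5002))
SAMPLE_LOG = gzip.compress(_page1) + gzip.compress(_page2)

if __name__ == "__main__":
    for r in removed_under(parse_fsevents_file(SAMPLE_LOG), "private/var/mobile/Media/DCIM"):
        print("%#x removed %s (node %d)" % (r["event_id"], r["path"], r["node_id"]))
```

Decompressing member by member matters because a parser that stops at the first gzip end-of-stream marker silently drops the later buffers, and with them the most recent events in the file. The node ID in DLS2 records is what lets you follow a file across renames, since the path alone changes.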
Tools
When examining the data, access to good tools is a must. Listed below are some basic suggestions for tools that perform well and that you can use to validate findings made by your primary tools.
- Hex editor: HxD
- PList Viewer: plist Editor
- Protocol Buffers: protoc (its --decode_raw option decodes a message without the schema) or an online tool such as CyberChef
- SQLite viewer: SQLite Expert Personal or DB Browser for SQLite
Summary
The real value of these hidden gems is that the data is stored separately from the apps themselves and is often still available long after the original data has been deleted. The obvious reason is that the cleanup routines of these system stores are different from those of the apps.
As mentioned before, XRY supports decoding data from all of these gems, so you can review the results in XAMN and use its analysis features to find the information you are looking for.
About the author:
Johan Persson is a software developer working with the Smartphone team at MSAB. Johan has a master’s degree in computer science and technology and is a keen iOS enthusiast who has been with MSAB for 15 years.