iOS is the Operating System for mobile, deployed by Apple Inc. It is the OS of applications such as, iPhones, iPads and iPods. For the success of forensics, keen observation of data is very essentials. In iOS devices, you will come across some of the things listed below.<\/p>\n
- \n
- Notes<\/li>\n
- Calendars<\/li>\n
- Photos<\/li>\n
- Keystrokes<\/li>\n
- iTunes<\/li>\n
- Map<\/li>\n
- Clock<\/li>\n<\/ul>\n
During iOS forensic analysis, some of the applications such as, Calendar, Notes, Text Messages, Photos etc. use Sqlite database structure<\/a><\/strong> for storing and organizing the data.<\/p>\n
iOS is the structure common. The on all iOS devices structure corresponds to UNIX layout and the files are stored in text format, enabling an iOS artifacts forensics.<\/p>\n
Applications store the data by default in;<\/p>\n
private\/var\/mobile\/Library<\/em><\/p>\n
Photos<\/strong><\/p>\n
Location is;<\/p>\n
private\/var\/mobile\/media\/DCIM<\/em><\/p>\n
In this location all the iOS forensic artifacts like photos taken will be stored. The pictures will have timestamp metadata and if the photos are seen within the 100APPLE folder then, it shows that they are taken from the device.<\/p>\n
Apart from the ability to take the photos, it facilitates taking screenshots. Users can find these files from DCIM\/999Apple folder.<\/p>\n
Keystrokes<\/strong><\/p>\n
While conducting iOS forensic analysis \u201cKeystrokes\u201d are seen in;<\/p>\n
\/private\/var\/mobile\/Library\/Keybord<\/p>\n
Here, you will find the words typed during the usage of the device. The words typed while using Safari, Messages, Notes, Facebook etc. will be captured up. This will help the agents in finding out the words related with their cases.<\/p>\n
Notes<\/strong><\/p>\n
The \u2018Notes\u2019 are located in \/private\/var\/mobile\/Library\/Notes.<\/p>\n
Investigators can collect the keyword and other evidence from here. This database consists of 9 tables and among them ZNote is the important one. In ZNote table, you can see ZTITLE that holds the title of note, CREATIONDATE and MODIFICATIONDATE. The ZCONTENT column contains the body of the note.<\/p>\n
Call History<\/strong><\/p>\n
The \u2018Call History\u2019 file is the most important file in iOS forensic analysis that an investigator will look for since it reveals out many clues or evidence. The call_history.db file contains date of call, duration, phone number and the reference ID of contact. The flag field indicates incoming as well as outgoing; former one with number 4 and other number 5.<\/p>\n
Location: \/private\/var\/Library\/CallHistory<\/em><\/p>\n
Browser Cookies<\/strong><\/p>\n
Cookies give the information on the websites visited. These iOS forensic artifacts help the investigator to browse the sites that the suspect has visited.<\/p>\n
Located at;<\/p>\n
\/private\/var\/mobile\/Library<\/em><\/p>\n
Text Messages <\/strong><\/p>\n
Located in;<\/p>\n
\/private\/var\/mobile<\/em><\/p>\n
Apart from the web browser history, agent can get good pieces of evidence from the text messages and SMS as well.<\/p>\n
iOS forensic analysis helps investigator to collect information on SMS from;<\/p>\n
\/private\/var\/mobile\/Library\/SMS<\/p>\n
sms.db file will be present which gives the detail of the current i.e. existing and the old conversation, even if it is deleted.<\/p>\n
AddressBook<\/strong><\/p>\n
Address book stores the details of the owner and is located in;<\/p>\n
\/private\/var\/mobile\/Library\/AddressBook<\/em><\/p>\n
The data gets stored in AddressBook.sqlitedb file and the ABPerson table contained in the database file shows the details such as, first name, last name, job, birthday, nickname etc.<\/p>\n
The AddressBook.sqlitedb<\/strong> file is a type of Sqlite file that can be viewed by using Sqlite Forensics Viewer<\/a><\/strong>.<\/p>\n
![\"download\"](\"https:\/\/www.acquireforensics.com\/blog\/wp-content\/uploads\/2015\/11\/download.png\")
<\/a><\/p><\/blockquote>\n