ABTraceTogether | Analysis of the ABTraceTogether app (iOS) |
AirTags | AirTags within iOS File Systems - Appalachian4n6 |
AirTags | [Air]Tag You're It! - D20 Forensics |
Anonymous Chat Rooms (Dating App) | Finding messages in Anonymous Chat Rooms, Dating app - Chuan-lun (Johnson) Chou |
AppInstalls, AppLaunch, & AppIntents | iOS 16 Breaking Down the Biomes Part 2 - AppInstalls, AppLaunch, & AppIntents - D20 Forensics |
AppIntent | Analyzing iOS Biome AppIntent Files - Blue Crew Forensics |
Apple Accounts | Investigating Apple Accounts |
Apple CarPlay | Ridin’ With Apple CarPlay |
Apple Crash Logs | Investigating Apple Crash Logs |
Apple Data Usage | Investigating Apple Data Usage |
Apple Health | Audio and App Usage in Apple Health - Stark4n6 |
Apple Mail | Apple Mail - A Forensic Insight |
Apple Maps | What Apple Maps Activity Can be Found Using a Logical Extraction - Lord Templar1 |
Apple Maps | Apple Maps - Visited Location? |
Apple Notes | Revisiting Apple Notes (1): Improved Note Parsing |
Apple Notes | Revisiting Apple Notes (2): Easy Embedded Objects |
Apple Notes | Revisiting Apple Notes (3): Embedded Tables |
Apple Notes | Revisiting Apple Notes (4): Gallery Objects |
Apple Notes | Revisiting Apple Notes (5): Encrypted Notes |
Apple Notes | Revisiting Apple Notes (6): The Protobuf |
Apple Notes | Revisiting Apple Notes (7): Cloudkit Data |
Apple Notes | Investigating Apple Notes |
Apple Unified Logs | Analysis of Apple Unified Logs: Quarantine Edition [Entry 3] – Playing in the Sandbox, Enumerating Files and Directories |
Apple Unified Logs | Analysis of Apple Unified Logs: Quarantine Edition [Entry 2] – sudo make me a sandwich |
Apple Unified Logs | Analysis of Apple Unified Logs: Quarantine Edition [Entry 1] – Converting Log Archive Files on 10.15 (Catalina) |
Apple Unified Logs | Analysis of Apple Unified Logs: Quarantine Edition [Entry 7] – Exploring USBMSC devices with --style |
Apple Unified Logs | Analysis of Apple Unified Logs: Quarantine Edition [Entry 6] – Working From Home? Remote Logins |
Apple Unified Logs | Analysis of Apple Unified Logs: Quarantine Edition [Entry 5] – Login Inception!? Yes! – Local Logins! |
Apple Unified Logs | Analysis of Apple Unified Logs: Quarantine Edition [Entry 4] – It’s Login Week! |
Apple Unified Logs | Analysis of Apple Unified Logs: Quarantine Edition [Entry 9] – We all know you're binging Netflix! Now Playing on your Apple Devices! |
Apple Unified Logs | Analysis of Apple Unified Logs: Quarantine Edition [Entry 10] – You down with TCC? Yea, you know me! Tracking App Permissions and the TCC APOLLO Module |
Apple Unified Logs | Analysis of Apple Unified Logs: Quarantine Edition [Entry 11] – AirDropping Some Knowledge |
Apple Unified Logs | Analysis of Apple Unified Logs [Entry 12] – Quick & Easy Unified Log Collection from iOS Devices for Testing |
Apple Watch | Apple Watch Forensics 02: Analysis |
Apple Watch Data | Enriching Investigations with Apple Watch Data Through the healthdb_secure.sqlite Database - James McGee |
Apple Watch/Apple TV | Apple TV and Apple Watch Forensics 01: Acquisition |
Application Execution | Has the user ever used the XYZ application? aka traces of application execution on mobile devices |
Auto-lock and Require Passcode | iOS Settings Display Auto-Lock & Require Passcode - Scott Koenig |
Battle.net | Finding Blizzard Battle.net messages in iOS |
BrowserState.db | BrowserState.db last_visited_time? |
Bumble | What's the Buzz - Bumble on iOS - Stark4n6 |
Cache.db | Looting iOS App's Cache.db - Drew Kirkpatrick |
Carplay | iOS 16 - Breaking Down the Biomes (Part 3) - Keeping up with CarPlay - D20 Forensics |
checkm8 | checkm8: Advancements in iOS 16 Forensic Extraction |
Chipolo | iOS - Chipolo App Research and Encrypted Realm Databases |
Clubhouse | Investigating Clubhouse |
Continuity/Cellular Relay | Relays in the Apple Ecosystem. Passing the Baton - The Binary Hick |
Couch to 5K Runner App | Couch to 5K Runner: A Mobile Forensics Investigation |
Deleted Messages | Lagging for the Win: Querying for Negative Evidence in the sms.db - Belkasoft |
Deleted SMS/iMessage | An Alternate Location for Deleted SMS/iMessage Data in Apple Devices - James McGee |
DFU: iPhone 8, 8 Plus, and iPhone X | Entering DFU: iPhone 8, 8 Plus, and iPhone X - Elcomsoft |
Discord | Finding Discord chats in iOS |
Discord | Update on Discord forensic artifacts for iOS & Windows |
Discord | It's alive! - Attachment links in Discord |
Discord | Discord Forensics |
Discord | Connecting Discord Attachments to Threads & SDWebImage Library |
DJI Fly | iOS - App Research: DJI Fly |
Dropbox | Profiling user activity in Dropbox for iOS |
Dual SIM Phones | Mo’ SIMs, Mo’ Problems. Examining Phones with Dual SIMs - Binary Hick |
Evernote | Evernote for iOS |
Facebook Messenger | Investigating iOS Facebook Messenger - Forensafe |
Gboard | Gboard has some interesting data.. |
GeoFence | Reminder Locations (GeoFences) |
Google Duo | Google Duo - Android & iOS Forensic Analysis |
Google Fit | Google Fit Extraction: Location, Health and Fitness Data |
Grubhub App | Forensic Investigation of the Grubhub iOS App - Christopher Kyriacou |
Hidden Assets | How to find iOS Hidden Assets - The Forensic Scooter |
Houseparty | iOS Houseparty app: More Realm |
Houseparty | Get your red Solo cup: It's time for a little Houseparty |
iCloud | Investigating iCloud |
iMessage Location Sharing | Sharing Locations in iOS Messages |
iMessage Reactions | Message Reactions |
iOS | Taking The First Step - iOS Security & Forensics -P1 |
iOS | Upgrade From NULL—Detecting iOS Wipe Artifacts |
iOS | Oh no! I have a wiped iPhone, now what? |
iOS | Apple’s Find My & iCloud’s Throne of Lies |
iOS | iOS Backup vs iCloud How can you compare? |
iOS | Today, Widgets, & Ignored Apps in iOS |
iOS | iOS System Artifacts: Revealing Hidden Clues |
iOS - Sysdiagnose | sysdiag-who? |
iOS - VMP4 File Format | iOS Forensics: VMP4 File format |
iOS 11 - HEIC | Monkey takes a .heic |
iOS 11 and 12 Notifications | iOS 11 & 12 Notifications Triage Parser |
iOS 12 | Creating a File System Image of iOS12 (12.1/16B92) |
iOS 13 | iOS 13 - Summary For Those of You Who Enjoy the CliffsNotes |
iOS 13 | …Won't You Back That Thing Up: A Glimpse of iOS 13 Artifacts |
iOS 13 | iOS 13 – Swipe to Type |
iOS 14 | iOS 14 - First Thoughts and Analysis |
iOS 14 | Rotten to the Core? Nah, iOS14 is Mostly Sweet |
iOS 14 - App Clips | iOS 14 - Tracking App Clips in iOS 14 |
iOS 14 - iMessage | iOS 14 - Message Mentions and Threading |
iOS 14 - Maps | iOS14 Maps History BLOB Script |
iOS 14 - Notes | Notes in iOS 14 |
iOS 14 - Private Wi-Fi Addresses | Apple Private Wi-Fi Addresses |
iOS 15 | iOS 15 Image Forensics Analysis and Tools Comparison - Processing details and general device information |
iOS 15 | iOS 15 Image Forensics Analysis and Tools Comparison - Native Apps |
iOS 15 | iOS 15 Image Now Available. Finally. - Binary Hick |
iOS 15 | iOS 15 Image Forensics Analysis and Tools Comparison - Communication and Social Networking Apps |
iOS 15 | iOS 15 Image Forensics Analysis and Tools Comparison - Browsers, Mail Clients, and Productivity Apps |
iOS 16 - iMessage Updates | iOS16 iMessages - DoubleBlak |
iOS 17 | iOS 17 Forensics: Another Year, Another Byte of the Apple |
iOS 17 | iOS 17 Forensic Impacts |
iOS 17 | iOS 17.3 Developer Preview: Stolen Device Protection |
iOS Acquisition | The Art of iPhone Acquisition |
iOS Acquisition | iOS Forensic Toolkit: Troubleshooting Low-Level Extraction Agent |
iOS Acquisition | iCloud Advanced Data Protection: Implications for Forensic Extraction |
iOS Acquisition | Full Guide for Data Extraction from iTunes Backup |
iOS Acquisition | Data Extraction Cheatsheet |
iOS Acquisition | Using and Troubleshooting the checkm8 Exploit |
iOS Acquisition | In Search of Extraction Techniques for Pair-Locked iOS Devices |
iOS Acquisition | When Extraction Meets Analysis: Cellebrite Physical Analyzer |
iOS Acquisition | Bootloader-Level Extraction for Apple Hardware |
iOS Acquisition | Mobile Forensic Images and Acquisition Priorities |
iOS ADDataStore.sqlitedb | On the Fifth Day of APOLLO, My True Love Gave to Me – A Stocking Full of Random Junk, Some of Which Might be Useful! |
iOS AirDrop | AirDrop Forensics |
iOS APOLLO | On the Eleventh Day of APOLLO, My True Love Gave to Me – An Intriguing Story – Putting it All Together: A Day in the Life of My iPhone using APOLLO |
iOS Application Groups | iOS Application Groups & Shared data |
iOS Application Usage | On the Third Day of APOLLO, My True Love Gave to Me – Application Usage to Determine Who Has Been Naughty or Nice |
iOS Artifact Reference | iOS Forensics References - Mattia Epifani |
iOS Backups | Forensic Analysis of iTunes Backups |
iOS Backups | iPhone Backups: Top 5 Default Passwords |
iOS Backups | All You Wanted To Know About iOS Backups |
iOS Bluetooth | How to Use iOS Bluetooth Connections to Solve Crimes Faster |
iOS Bluetooth | How to Use iOS Bluetooth Connections to Solve Crimes Faster |
iOS Bundle IDs | iOS - Tracking Bundle IDs for Containers, Shared Containers, and Plugins |
iOS Calendar | Investigating iOS Calendar |
iOS Calls | Investigating iOS Calls |
iOS Camera Roll | Parsing iOS Camera Roll using Python |
iOS Communications and Data Usage | On the Seventh Day of APOLLO, My True Love Gave to Me – A Good Conversation – Analysis of Communications and Data Usage |
iOS Databases | Primary Key / Date Stamp Fallacy |
iOS Device Connections | On the Eighth Day of APOLLO, My True Love Gave to Me – A Glorious Lightshow – Analysis of Device Connections |
iOS Device Migration | iOS - Tracking Device Migration |
iOS Device Status Analysis | On the Sixth Day of APOLLO, My True Love Gave to Me – Blinky Things with Buttons – Device Status Analysis |
iOS Device with Broken Buttons into DFU Mode | How to Put an iOS Device with Broken Buttons in DFU Mode |
iOS Facial Recognition | Follow-on to DFIR Summit Talk: Lucky (iOS) 13: Time To Press Your Bets (via @bizzybarney) |
iOS Files | iOS - The Files App |
iOS Files | iOS - Files App Part Deux: Quick Images and A Chart! |
iOS Forensic Toolkit | iOS Forensic Toolkit: Exploring the Linux Edition |
iOS Forensic Toolkit | A Comprehensive Guide to Essential Tools for Elcomsoft iOS Forensic Toolkit |
iOS Forensic Toolkit | iOS Forensic Toolkit: Mounting HFS Images in Windows |
iOS Health Data | On the Second Day of APOLLO, My True Love Gave to Me - Holiday Treats and a Trip to the Gym - A Look at iOS Health Data |
iOS Images | iOS 13 and 14 Images - The Binary Hick |
iOS Installation Logs | iOS Mobile Installation Logs Parser |
iOS Installed and Uninstalled Apps | Identifying installed and uninstalled apps in iOS |
iOS Installed and Uninstalled Apps | Update on identifying installed and uninstalled apps in iOS |
iOS InteractionC.DB | Socially Distant but Still Interacting! New and Improved Updates to macOS/iOS CoreDuet interactionC.db APOLLO Modules |
iOS Interface | On the Ninth Day of APOLLO, My True Love Gave to Me – A Beautiful Portrait – Analysis of the iOS Interface |
iOS Jailbreak using unc0ver | Jailbreaking iPhone XR with unc0ver - Hexordia |
iOS Jailbreaking and Full File System Acquisition | Step by Step Guide to iOS Jailbreaking and Physical Acquisition |
iOS Jailbreaking and Full File System Acquisition | iOS Device Acquisition with checkra1n Jailbreak |
iOS Jailbreaking and Full File System Acquisition | Checkm8, Checkra1n and the new "golden age" for iOS Forensics |
iOS Jailbreaking and Full File System Acquisition | Checkra1n Era - Ep 4 - Analyzing extractions "Before First Unlock" |
iOS Jailbreaking and Full File System Acquisition | Checkra1n Era - Ep 3 - Automating extraction "Before First Unlock" (aka "Give me a stupid bash script!") |
iOS Jailbreaking and Full File System Acquisition | Checkra1n Era - Ep 2 - Extracting data "Before First Unlock" (aka "I found a locked iPhone! And now?") |
iOS Jailbreaking and Full File System Acquisition | Checkra1n Era - Ep 1 - Before First Unlock (aka "I lost my iPhone! And now?") |
iOS Jailbreaking and Full File System Acquisition | Checkra1n Era - Ep 5 - Automating extraction and processing (aka "Merry Xmas!") |
iOS Jailbreaking and Full File System Acquisition | iOS Forensics: BFU (Before First Unlock) acquisition, using checkra1n |
iOS Jailbreaking and Full File System Acquisition | Checkm8 and Checkra1n – Full Filesystem extractions for iOS devices |
iOS Jailbreaking and Full File System Acquisition | The True Meaning of iOS Recovery, DFU and SOS Modes for Mobile Forensics |
iOS Jailbreaking and Full File System Acquisition | Full File System Acquisition of iPhone 11 and Xr/Xs with iOS 13 |
iOS Jailbreaking and Full File System Acquisition | iPhone Acquisition Without a Jailbreak (iOS 11 and 12) |
iOS Jailbreaking and Full File System Acquisition | Everything you ever wanted to ask about Checkm8 and Checkra1n |
iOS Jailbreaking and Full File System Acquisition | [Case Study] Mobile Forensics: Several Ways of Exploration for iOS Jailbreaking and iPhone Forensics |
iOS Jailbreaking and Full File System Acquisition | CheckRa1n |
iOS Jailbreaking and Full File System Acquisition | Checkra1n Era - Ep 6 - Quick triaging (aka from the iPhone to APOLLO, iLEAPP and sysdiagnose in 6 minutes) |
iOS Jailbreaking and Full File System Acquisition | iOS Forensic: full disk acquisition using checkra1n jailbreak |
iOS Keychain | Extracting and Decrypting iOS Keychain: Physical, Logical and Cloud Options Explored |
iOS KnowledgeC | KnowledgeC: Now Playing entries |
iOS KnowledgeC | KnowledgeC (and Friends) |
iOS KnowledgeC | Knowledge is Power! Using the macOS/iOS knowledgeC.db Database to Determine Precise User and Application Usage |
iOS KnowledgeC | Knowledge is Power II – A Day in the Life of My iPhone using knowledgeC.db |
iOS KnowledgeC | Providing Context to iOS App Usage with knowledgeC.db and APOLLO |
iOS KnowledgeC | KnowledgeC.db - The iOS Database that knows more about you than you. |
iOS Location Mapping | iOS Location Mapping with APOLLO – Part 2: Cellular and Wi-Fi Data (locationd) |
iOS Location Mapping | iOS Location Mapping with APOLLO - I Know Where You Were Today, Yesterday, Last Month, and Years Ago! |
iOS Location Mapping | On the Tenth Day of APOLLO, My True Love Gave to Me – An Oddly Detailed Map of My Recent Travels – iOS Location Analysis |
iOS Location Mapping | Locations, Locations, Locations |
iOS Location Services & System Services | iOS Location Services and System Services ON or OFF? |
iOS Mail | iOS Mail |
iOS Malware | A lightweight method to detect potential iOS malware |
iOS Media Analysis | On the Fourth Day of APOLLO, My True Love Gave to Me – Media Analysis to Prove You Listened to “All I Want for Christmas is You” Over and Over Since Before Thanksgiving |
iOS Network and Application Usage | Network and Application Usage using netusage.sqlite & DataUsage.sqlite iOS Databases |
iOS Photos | Photo.sh - Analysing The Locked iPhone - Apple Photos Shared Albums |
iOS Photos | Sharing is Caring – An Overview of Shared Albums in iOS |
iOS Photos | iPhone Pictures |
iOS Photos.sqlite | iOS Photos.sqlite Forensics |
iOS Photos.sqlite | Does Photos.sqlite have relations with CameraMessagesApp? By Scott Koenig |
iOS Photos.sqlite | Using Photos.sqlite to Show the Relationships Between Photos and the Application they were Created with? |
iOS PLists | PList Decoding |
iOS PLists | iOS Bplist Inception |
iOS PowerLog | Aggregating iOS PowerLog data using C# – Part 1 |
iOS Protobuf Data | Just Call Me Buffy the Proto Slayer – An Initial Look into Protobuf Data in Mac and iOS Forensics |
iOS Screen Time | Data Quality and Quantity – How to Get the Best of Both Worlds, Part 2 – Examining Screen Time Artifacts |
iOS Shortcuts | iOS Shortcuts - HK_Dig4nsics |
iOS SMS | Investigating iOS SMS |
iOS Snapshots | iOS Snapshots Triage Parser & working with KTX files |
iOS Snapshots | A "Quick Look" into iOS Snapshots |
iOS Snapshots | KTX to PNG in Python for iOS snapshots |
iOS Software | IPSW Downloads |
iOS SysDiagnose | How to extract sysdiagnose logs for forensic purposes on iOS |
iOS Timestamps | Understanding iOS Time Stamps |
iOS Unified Logs | iOS Unified Logs - Making a call |
iOS Unified Logs | iOS Unified Logs - The use of the Dictaphone |
iOS Unified Logs | iOS Unified Logs - WiFi and AirPlane Mode |
iOS Update History | Restore Log - Tracking iOS Update History |
iOS Voice Triggers | Investigating iOS Voice Triggers |
iOS15 Metadata Adjustments | iOS Media Adjustment |
IPA Files | What's brewing with IPAs - Working with IPA files for Forensic Examiners - Hexordia |
iPhone PINs | Analyzing iPhone PINs - Elcomsoft |
iTunes Backups | The Most Unusual Things about iPhone Backups |
iTunes Backups | The Pitfalls of Relying on iTunes Backups for Investigations |
Jailbreak (iOS 15) | checkm8 to SSH - Blake Regan |
Jailbroken Full File System | Creating a Full File System image from a jailbroken iOS device - Hexordia |
Kik Messenger | Ain't that a Kik in the Head: Kik Messenger iOS Analysis - Kevin Pagano & Alexis Brignoni |
KnowledgeC Notifications - ZOBJECTS & ZSTRUCTUREMETADATA | iOS KnowledgeC.db Notifications |
KnowledgeC.db | iOS 16 - Now You 'C' It, Now You Don't -- Breaking Down The Biomes Part 1 - D20 Forensics |
KnowledgeC.db Notifications | iOS KnowledgeC.db Notifications - Scott Koenig |
Life360 | Analyzing Life360 on iOS |
Location & Device Data | Path of a Murderer: Location & Device Data - Revo4n6 |
Location and System Services | iOS Location Services and System Services are they ON or OFF - Scott Koenig & Ian Whiffin |
Locked Data | Obtaining Serial Number, MAC, MEID and IMEI of a locked iPhone - Elcomsoft |
MySudo | iOS App Forensics — A Closer Look at The MySudo Privacy App |
Nike Run | iOS Nike Run app - Geolocation & self join queries |
OpenVPN | Forensic Analysis of OpenVPN on iOS |
Photos.sqlite | Photos.sqlite Query Documentation & Notable Artifacts - The Forensic Scooter |
Photos.sqlite | How Did That Photo Get On That iPhone |
Photos.sqlite - ZINTERNALRESOURCE | Do you have a Full-Sized Asset…or just a Thumbnail? Did Optimized iPhone Storage process occur?, Filling a device internal storage for Optimize iPhone Storage Research, and lastly, Photos.sqlite ZINTERNALRESOURCE Table Reference Guide - The Forensic Scooter |
Photos.sqlite Queries | Using Photos.sqlite to show relationships between photos and the application they were created with - The Forensic Scooter and Update #2 - Photos.Sqlite Queries and Update 3 |
Photos.sqlite Queries | PhotoData – Photos.sqlite and Syndication Photo Library – Photos.sqlite Query Updates |
Private Photo Vault | Photo Vault app still pwnable in 2019? An adventure in iOS RE |
Protobufs | Parsing unknown protobufs with python |
ProtonMail | ProtonMail on iOS |
Safari | Favicons |
Safari | iOS / macOS - Tracking Downloads from Safari Without Downloads |
Safari | iOS 16 - Breaking Down the Biomes (Part 4) - Surfin' with Safari - D20 Forensics |
Samsung Smart Switch | Android - Samsung Smart Switch // iOS Transfer Artifacts |
Shared with You Syndication Photo Library | Shared with You Syndication Photo Library – Message Attachments & Linked Assets - The Forensic Scooter |
Signal | Investigating Signal with ArtiFast Signal |
Siri | iOS 16 - Breaking Down the Biomes Part 5 -- "Hey Siri, find me some more data..." - D20 Forensics |
Slack | Finding Slack app messages in iOS |
Snapchat | Snapchat PList |
Snapchat | Snapchat - A False Sense Of Security? |
Snapchat | Investigating iOS SnapChat |
Splitwise | Splitwise on iOS |
Sysdiagnose (iOS 16) | Sysdiagnose in iOS 16: a first look from a Digital Forensics perspective - Mattia Epifani |
Telegram | Investigating iOS Telegram |
Telegram | Telegram Forensics: Getting Started |
TikTok | Finding TikTok messages in iOS |
TikTok | TikTok Smartphone Evidence |
TikTok | Case Study: Forensic Analysis of TikTok on iOS - Dr. Graeme Horsman & Linda Shou |
TikTok | Investigating iOS TikTok |
Tile | iOS - The Tile Strikes Back |
Tile | iOS - Tile App Part 2: Custom Artifact Boogaloo |
Time Inconsistencies after Dead Battery | The Case of the Phantom Device Usage |
Unsent Messages | iOS 16 - "Paul unsent a message." ... OR DID HE?! - D20 Forensics |
User Notification Events | Peeking at User Notification Events in iOS 15 - 4n6 Ninja |
User Notifications in iOS15 | Peeking at User Notification Events in iOS 15 - 4n6 Ninja |
Venmo | Venmo. The App for Virtual Ballers. |
Venmo | Investigating iOS Venmo |
WhatsApp | How to decrypt WhatsApp end-to-end media files |
WhatsApp | iOS WhatsApp Forensics with Belkasoft X |
WhatsApp | iOS Unified Logs - Typing and sending a message in WhatsApp |
WhatsApp | Forensic Duel: Exploring Deleted WhatsApp Messages—iOS vs Android |
Wickr | Wickr. Alright. We’ll Call It A Draw. |
ZSPEED - iPhone Device Speed | iPhone Device Speeds via Cache.sqlite - ZRTCLLOCATIONMO table and Vehicle and iPhone Speed Comparison - The Forensic Scooter |