AboutDFIR.com – The Definitive Compendium Project
Digital Forensics & Incident Response

Artifact or Process | Resource
ABTraceTogether | Analysis of the ABTraceTogether app (iOS)
AirTags | AirTags within iOS File Systems - Appalachian4n6
AirTags | [Air]Tag You're It! - D20 Forensics
Anonymous Chat Rooms (Dating App) | Finding messages in Anonymous Chat Rooms, Dating app - Chuan-lun (Johnson) Chou
AppInstalls, AppLaunch, & AppIntents | iOS 16 Breaking Down the Biomes Part 2 - AppInstalls, AppLaunch, & AppIntents - D20 Forensics
AppIntent | Analyzing iOS Biome AppIntent Files - Blue Crew Forensics
Apple CarPlay | Ridin’ With Apple CarPlay
Apple Health | Audio and App Usage in Apple Health - Stark4n6
Apple Mail | Apple Mail - A Forensic Insight
Apple Maps | What Apple Maps Activity Can be Found Using a Logical Extraction - Lord Templar1
Apple Notes | Revisiting Apple Notes (1): Improved Note Parsing
Apple Notes | Revisiting Apple Notes (2): Easy Embedded Objects
Apple Notes | Revisiting Apple Notes (3): Embedded Tables
Apple Notes | Revisiting Apple Notes (4): Gallery Objects
Apple Notes | Revisiting Apple Notes (5): Encrypted Notes
Apple Notes | Revisiting Apple Notes (6): The Protobuf
Apple Notes | Revisiting Apple Notes (7): Cloudkit Data
Apple Unified Logs | Analysis of Apple Unified Logs: Quarantine Edition [Entry 3] – Playing in the Sandbox, Enumerating Files and Directories
Apple Unified Logs | Analysis of Apple Unified Logs: Quarantine Edition [Entry 2] – sudo make me a sandwich
Apple Unified Logs | Analysis of Apple Unified Logs: Quarantine Edition [Entry 1] – Converting Log Archive Files on 10.15 (Catalina)
Apple Unified Logs | Analysis of Apple Unified Logs: Quarantine Edition [Entry 7] – Exploring USBMSC devices with --style
Apple Unified Logs | Analysis of Apple Unified Logs: Quarantine Edition [Entry 6] – Working From Home? Remote Logins
Apple Unified Logs | Analysis of Apple Unified Logs: Quarantine Edition [Entry 5] – Login Inception!? Yes! – Local Logins!
Apple Unified Logs | Analysis of Apple Unified Logs: Quarantine Edition [Entry 4] – It’s Login Week!
Apple Unified Logs | Analysis of Apple Unified Logs: Quarantine Edition [Entry 9] – We all know you're binging Netflix! Now Playing on your Apple Devices!
Apple Unified Logs | Analysis of Apple Unified Logs: Quarantine Edition [Entry 10] – You down with TCC? Yea, you know me! Tracking App Permissions and the TCC APOLLO Module
Apple Unified Logs | Analysis of Apple Unified Logs: Quarantine Edition [Entry 11] – AirDropping Some Knowledge
Apple Unified Logs | Analysis of Apple Unified Logs [Entry 12] – Quick & Easy Unified Log Collection from iOS Devices for Testing
Apple Watch | Apple Watch Forensics 02: Analysis
Apple Watch Data | Enriching Investigations with Apple Watch Data Through the healthdb_secure.sqlite Database - James McGee
Apple Watch/Apple TV | Apple TV and Apple Watch Forensics 01: Acquisition
Application Execution | Has the user ever used the XYZ application? aka traces of application execution on mobile devices
Auto-lock and Require Passcode | iOS Settings Display Auto-Lock & Require Passcode - Scott Koenig
Battle.net | Finding Blizzard Battle.net messages in iOS
BrowserState.db | BrowserState.db last_visited_time?
Bumble | What's the Buzz - Bumble on iOS - Stark4n6
Cache.db | Looting iOS App's Cache.db - Drew Kirkpatrick
Carplay | iOS 16 - Breaking Down the Biomes (Part 3) - Keeping up with CarPlay - D20 Forensics
Chipolo | iOS - Chipolo App Research and Encrypted Realm Databases
Clubhouse | Investigating Clubhouse
Continuity/Cellular Relay | Relays in the Apple Ecosystem. Passing the Baton - The Binary Hick
Couch to 5K Runner App | Couch to 5K Runner: A Mobile Forensics Investigation
Deleted Messages | Lagging for the Win: Querying for Negative Evidence in the sms.db - Belkasoft
Deleted SMS/iMessage | An Alternate Location for Deleted SMS/iMessage Data in Apple Devices - James McGee
DFU: iPhone 8, 8 Plus, and iPhone X | Entering DFU: iPhone 8, 8 Plus, and iPhone X - Elcomsoft
Discord | Finding Discord chats in iOS
Discord | Update on Discord forensic artifacts for iOS & Windows
Discord | It's alive! - Attachment links in Discord
Discord | Discord Forensics
Discord | Connecting Discord Attachments to Threads & SDWebImage Library
DJI Fly | iOS - App Research: DJI Fly
Dropbox | Profiling user activity in Dropbox for iOS
Dual SIM Phones | Mo’ SIMs, Mo’ Problems. Examining Phones with Dual SIMs - Binary Hick
Evernote | Evernote for iOS
Facebook Messenger | Investigating iOS Facebook Messenger - Forensafe
Gboard | Gboard has some interesting data..
GeoFence | Reminder Locations (GeoFences)
Google Duo | Google Duo - Android & iOS Forensic Analysis
Google Fit | Google Fit Extraction: Location, Health and Fitness Data
Grubhub App | Forensic Investigation of the Grubhub iOS App - Christopher Kyriacou
Hidden Assets | How to find iOS Hidden Assets - The Forensic Scooter
Houseparty | iOS Houseparty app: More Realm
Houseparty | Get your red Solo cup: It's time for a little Houseparty
iCloud | Investigating iCloud
iMessage Location Sharing | Sharing Locations in iOS Messages
iMessage Reactions | Message Reactions
iOS | Taking The First Step - iOS Security & Forensics -P1
iOS | Upgrade From NULL—Detecting iOS Wipe Artifacts
iOS | Oh no! I have a wiped iPhone, now what?
iOS | Apple’s Find My & iCloud’s Throne of Lies
iOS | iOS Backup vs iCloud How can you compare?
iOS | Today, Widgets, & Ignored Apps in iOS
iOS | iOS System Artifacts: Revealing Hidden Clues
iOS - Sysdiagnose | sysdiag-who?
iOS - VMP4 File Format | iOS Forensics: VMP4 File format
iOS 11 - HEIC | Monkey takes a .heic
iOS 11 and 12 Notifications | iOS 11 & 12 Notifications Triage Parser
iOS 12 | Creating a File System Image of iOS12 (12.1/16B92)
iOS 13 | iOS 13 - Summary For Those of You Who Enjoy the CliffsNotes
iOS 13 | …Won't You Back That Thing Up: A Glimpse of iOS 13 Artifacts
iOS 13 | iOS 13 – Swipe to Type
iOS 14 | iOS 14 - First Thoughts and Analysis
iOS 14 | Rotten to the Core? Nah, iOS14 is Mostly Sweet
iOS 14 - App Clips | iOS 14 - Tracking App Clips in iOS 14
iOS 14 - iMessage | iOS 14 - Message Mentions and Threading
iOS 14 - Maps | iOS14 Maps History BLOB Script
iOS 14 - Notes | Notes in iOS 14
iOS 14 - Private Wi-Fi Addresses | Apple Private Wi-Fi Addresses
iOS 15 | iOS 15 Image Forensics Analysis and Tools Comparison - Processing details and general device information
iOS 15 | iOS 15 Image Forensics Analysis and Tools Comparison - Native Apps
iOS 15 | iOS 15 Image Now Available. Finally. - Binary Hick
iOS 15 | iOS 15 Image Forensics Analysis and Tools Comparison - Communication and Social Networking Apps
iOS 15 | iOS 15 Image Forensics Analysis and Tools Comparison - Browsers, Mail Clients, and Productivity Apps
iOS 16 - iMessage Updates | iOS16 iMessages - DoubleBlak
iOS 17 | iOS 17 Forensics: Another Year, Another Byte of the Apple
iOS 17 | iOS 17 Forensic Impacts
iOS 17 | iOS 17.3 Developer Preview: Stolen Device Protection
iOS Acquisition | The Art of iPhone Acquisition
iOS Acquisition | iOS Forensic Toolkit: Troubleshooting Low-Level Extraction Agent
iOS Acquisition | iCloud Advanced Data Protection: Implications for Forensic Extraction
iOS Acquisition | Full Guide for Data Extraction from iTunes Backup
iOS Acquisition | Data Extraction Cheatsheet
iOS Acquisition | Using and Troubleshooting the checkm8 Exploit
iOS Acquisition | In Search of Extraction Techniques for Pair-Locked iOS Devices
iOS Acquisition | When Extraction Meets Analysis: Cellebrite Physical Analyzer
iOS Acquisition | Bootloader-Level Extraction for Apple Hardware
iOS ADDataStore.sqlitedb | On the Fifth Day of APOLLO, My True Love Gave to Me – A Stocking Full of Random Junk, Some of Which Might be Useful!
iOS AirDrop | AirDrop Forensics
iOS APOLLO | On the Eleventh Day of APOLLO, My True Love Gave to Me – An Intriguing Story – Putting it All Together: A Day in the Life of My iPhone using APOLLO
iOS Application Groups | iOS Application Groups & Shared data
iOS Application Usage | On the Third Day of APOLLO, My True Love Gave to Me – Application Usage to Determine Who Has Been Naughty or Nice
iOS Artifact Reference | iOS Forensics References - Mattia Epifani
iOS Backups | Forensic Analysis of iTunes Backups
iOS Backups | iPhone Backups: Top 5 Default Passwords
iOS Bluetooth | How to Use iOS Bluetooth Connections to Solve Crimes Faster
iOS Bundle IDs | iOS - Tracking Bundle IDs for Containers, Shared Containers, and Plugins
iOS Calls | Investigating iOS Calls
iOS Camera Roll | Parsing iOS Camera Roll using Python
iOS Communications and Data Usage | On the Seventh Day of APOLLO, My True Love Gave to Me – A Good Conversation – Analysis of Communications and Data Usage
iOS Databases | Primary Key / Date Stamp Fallacy
iOS Device Connections | On the Eighth Day of APOLLO, My True Love Gave to Me – A Glorious Lightshow – Analysis of Device Connections
iOS Device Migration | iOS - Tracking Device Migration
iOS Device Status Analysis | On the Sixth Day of APOLLO, My True Love Gave to Me – Blinky Things with Buttons – Device Status Analysis
iOS Device with Broken Buttons into DFU Mode | How to Put an iOS Device with Broken Buttons in DFU Mode
iOS Facial Recognition | Follow-on to DFIR Summit Talk: Lucky (iOS) 13: Time To Press Your Bets (via @bizzybarney)
iOS Files | iOS - The Files App
iOS Files | iOS - Files App Part Deux: Quick Images and A Chart!
iOS Forensic Toolkit | iOS Forensic Toolkit: Exploring the Linux Edition
iOS Forensic Toolkit | A Comprehensive Guide to Essential Tools for Elcomsoft iOS Forensic Toolkit
iOS Forensic Toolkit | iOS Forensic Toolkit: Mounting HFS Images in Windows
iOS Health Data | On the Second Day of APOLLO, My True Love Gave to Me - Holiday Treats and a Trip to the Gym - A Look at iOS Health Data
iOS Images | iOS 13 and 14 Images - The Binary Hick
iOS Installation Logs | iOS Mobile Installation Logs Parser
iOS Installed and Uninstalled Apps | Identifying installed and uninstalled apps in iOS
iOS Installed and Uninstalled Apps | Update on identifying installed and uninstalled apps in iOS
iOS InteractionC.DB | Socially Distant but Still Interacting! New and Improved Updates to macOS/iOS CoreDuet interactionC.db APOLLO Modules
iOS Interface | On the Ninth Day of APOLLO, My True Love Gave to Me – A Beautiful Portrait – Analysis of the iOS Interface
iOS Jailbreak using unc0ver | Jailbreaking iPhone XR with unc0ver - Hexordia
iOS Jailbreaking and Full File System Acquisition | Step by Step Guide to iOS Jailbreaking and Physical Acquisition
iOS Jailbreaking and Full File System Acquisition | iOS Device Acquisition with checkra1n Jailbreak
iOS Jailbreaking and Full File System Acquisition | Checkm8, Checkra1n and the new "golden age" for iOS Forensics
iOS Jailbreaking and Full File System Acquisition | Checkra1n Era - Ep 4 - Analyzing extractions "Before First Unlock"
iOS Jailbreaking and Full File System Acquisition | Checkra1n Era - Ep 3 - Automating extraction "Before First Unlock" (aka "Give me a stupid bash script!")
iOS Jailbreaking and Full File System Acquisition | Checkra1n Era - Ep 2 - Extracting data "Before First Unlock" (aka "I found a locked iPhone! And now?")
iOS Jailbreaking and Full File System Acquisition | Checkra1n Era - Ep 1 - Before First Unlock (aka "I lost my iPhone! And now?")
iOS Jailbreaking and Full File System Acquisition | Checkra1n Era - Ep 5 - Automating extraction and processing (aka "Merry Xmas!")
iOS Jailbreaking and Full File System Acquisition | iOS Forensics: BFU (Before First Unlock) acquisition, using checkra1n
iOS Jailbreaking and Full File System Acquisition | Checkm8 and Checkra1n – Full Filesystem extractions for iOS devices
iOS Jailbreaking and Full File System Acquisition | The True Meaning of iOS Recovery, DFU and SOS Modes for Mobile Forensics
iOS Jailbreaking and Full File System Acquisition | Full File System Acquisition of iPhone 11 and Xr/Xs with iOS 13
iOS Jailbreaking and Full File System Acquisition | iPhone Acquisition Without a Jailbreak (iOS 11 and 12)
iOS Jailbreaking and Full File System Acquisition | Everything you ever wanted to ask about Checkm8 and Checkra1n
iOS Jailbreaking and Full File System Acquisition | [Case Study] Mobile Forensics: Several Ways of Exploration for iOS Jailbreaking and iPhone Forensics
iOS Jailbreaking and Full File System Acquisition | CheckRa1n
iOS Jailbreaking and Full File System Acquisition | Checkra1n Era - Ep 6 - Quick triaging (aka from the iPhone to APOLLO, iLEAPP and sysdiagnose in 6 minutes)
iOS Jailbreaking and Full File System Acquisition | iOS Forensic: full disk acquisition using checkra1n jailbreak
iOS Keychain | Extracting and Decrypting iOS Keychain: Physical, Logical and Cloud Options Explored
iOS KnowledgeC | KnowledgeC: Now Playing entries
iOS KnowledgeC | KnowledgeC (and Friends)
iOS KnowledgeC | Knowledge is Power! Using the macOS/iOS knowledgeC.db Database to Determine Precise User and Application Usage
iOS KnowledgeC | Knowledge is Power II – A Day in the Life of My iPhone using knowledgeC.db
iOS KnowledgeC | Providing Context to iOS App Usage with knowledgeC.db and APOLLO
iOS KnowledgeC | KnowledgeC.db - The iOS Database that knows more about you than you.
iOS Location Mapping | iOS Location Mapping with APOLLO – Part 2: Cellular and Wi-Fi Data (locationd)
iOS Location Mapping | iOS Location Mapping with APOLLO - I Know Where You Were Today, Yesterday, Last Month, and Years Ago!
iOS Location Mapping | On the Tenth Day of APOLLO, My True Love Gave to Me – An Oddly Detailed Map of My Recent Travels – iOS Location Analysis
iOS Location Mapping | Locations, Locations, Locations
iOS Location Services & System Services | iOS Location Services and System Services ON or OFF?
iOS Mail | iOS Mail
iOS Malware | A lightweight method to detect potential iOS malware
iOS Media Analysis | On the Fourth Day of APOLLO, My True Love Gave to Me – Media Analysis to Prove You Listened to “All I Want for Christmas is You” Over and Over Since Before Thanksgiving
iOS Network and Application Usage | Network and Application Usage using netusage.sqlite & DataUsage.sqlite iOS Databases
iOS Photos | Photo.sh - Analysing The Locked iPhone - Apple Photos Shared Albums
iOS Photos | Sharing is Caring – An Overview of Shared Albums in iOS
iOS Photos | iPhone Pictures
iOS Photos.sqlite | iOS Photos.sqlite Forensics
iOS Photos.sqlite | Does Photos.sqlite have relations with CameraMessagesApp? By Scott Koenig
iOS Photos.sqlite | Using Photos.sqlite to Show the Relationships Between Photos and the Application they were Created with?
iOS PLists | PList Decoding
iOS PLists | iOS Bplist Inception
iOS PowerLog | Aggregating iOS PowerLog data using C# – Part 1
iOS Protobuf Data | Just Call Me Buffy the Proto Slayer – An Initial Look into Protobuf Data in Mac and iOS Forensics
iOS Screen Time | Data Quality and Quantity – How to Get the Best of Both Worlds, Part 2 – Examining Screen Time Artifacts
iOS Shortcuts | iOS Shortcuts - HK_Dig4nsics
iOS Snapshots | iOS Snapshots Triage Parser & working with KTX files
iOS Snapshots | A "Quick Look" into iOS Snapshots
iOS Snapshots | KTX to PNG in Python for iOS snapshots
iOS Software | IPSW Downloads
iOS SysDiagnose | How to extract sysdiagnose logs for forensic purposes on iOS
iOS Timestamps | Understanding iOS Time Stamps
iOS Unified Logs | iOS Unified Logs - Making a call
iOS Unified Logs | iOS Unified Logs - The use of the Dictaphone
iOS Unified Logs | iOS Unified Logs - WiFi and AirPlane Mode
iOS Update History | Restore Log - Tracking iOS Update History
iOS Voice Triggers | Investigating iOS Voice Triggers
iOS15 Metadata Adjustments | iOS Media Adjustment
IPA Files | What's brewing with IPAs - Working with IPA files for Forensic Examiners - Hexordia
iPhone PINs | Analyzing iPhone PINs - Elcomsoft
iTunes Backups | The Most Unusual Things about iPhone Backups
iTunes Backups | The Pitfalls of Relying on iTunes Backups for Investigations
Jailbreak (iOS 15) | checkm8 to SSH - Blake Regan
Jailbroken Full File System | Creating a Full File System image from a jailbroken iOS device - Hexordia
Kik Messenger | Ain't that a Kik in the Head: Kik Messenger iOS Analysis - Kevin Pagano & Alexis Brignoni
KnowledgeC Notifications - ZOBJECTS & ZSTRUCTUREMETADATA | iOS KnowledgeC.db Notifications
KnowledgeC.db | iOS 16 - Now You 'C' It, Now You Don't -- Breaking Down The Biomes Part 1 - D20 Forensics
KnowledgeC.db Notifications | iOS KnowledgeC.db Notifications - Scott Koenig
Life360 | Analyzing Life360 on iOS
Location & Device Data | Path of a Murderer: Location & Device Data - Revo4n6
Location and System Services | iOS Location Services and System Services are they ON or OFF - Scott Koenig & Ian Whiffin
Locked Data | Obtaining Serial Number, MAC, MEID and IMEI of a locked iPhone - Elcomsoft
MySudo | iOS App Forensics — A Closer Look at The MySudo Privacy App
Nike Run | iOS Nike Run app - Geolocation & self join queries
OpenVPN | Forensic Analysis of OpenVPN on iOS
Photos.sqlite | Photos.sqlite Query Documentation & Notable Artifacts - The Forensic Scooter
Photos.sqlite - ZINTERNALRESOURCE | Do you have a Full-Sized Asset…or just a Thumbnail? Did Optimized iPhone Storage process occur?, Filling a device internal storage for Optimize iPhone Storage Research, and lastly, Photos.sqlite ZINTERNALRESOURCE Table Reference Guide - The Forensic Scooter
Photos.Sqlite Queries | Using Photos.sqlite to show relationships between photos and the application they were created with - The Forensic Scooter and Update #2 - Photos.Sqlite Queries and Update 3
Private Photo Vault | Photo Vault app still pwnable in 2019? An adventure in iOS RE
Protobufs | Parsing unknown protobufs with python
ProtonMail | ProtonMail on iOS
Safari | Favicons
Safari | iOS / macOS - Tracking Downloads from Safari Without Downloads
Safari | iOS 16 - Breaking Down the Biomes (Part 4) - Surfin' with Safari - D20 Forensics
Samsung Smart Switch | Android - Samsung Smart Switch // iOS Transfer Artifacts
Shared with You Syndication Photo Library | Shared with You Syndication Photo Library – Message Attachments & Linked Assets - The Forensic Scooter
Signal | Investigating Signal with ArtiFast Signal
Siri | iOS 16 - Breaking Down the Biomes Part 5 -- "Hey Siri, find me some more data..." - D20 Forensics
Slack | Finding Slack app messages in iOS
Snapchat | Snapchat PList
Snapchat | Snapchat - A False Sense Of Security?
Snapchat | Investigating iOS SnapChat
Sysdiagnose (iOS 16) | Sysdiagnose in iOS 16: a first look from a Digital Forensics perspective - Mattia Epifani
Telegram | Investigating iOS Telegram
Telegram | Telegram Forensics: Getting Started
TikTok | Finding TikTok messages in iOS
TikTok | TikTok Smartphone Evidence
TikTok | Case Study: Forensic Analysis of TikTok on iOS - Dr. Graeme Horsman & Linda Shou
TikTok | Investigating iOS TikTok
Tile | iOS - The Tile Strikes Back
Tile | iOS - Tile App Part 2: Custom Artifact Boogaloo
Time Inconsistencies after Dead Battery | The Case of the Phantom Device Usage
Unsent Messages | iOS 16 - "Paul unsent a message." ... OR DID HE?! - D20 Forensics
User Notification Events | Peeking at User Notification Events in iOS 15 - 4n6 Ninja
User Notifications in iOS15 | Peeking at User Notification Events in iOS 15 - 4n6 Ninja
Venmo | Venmo. The App for Virtual Ballers.
Venmo | Investigating iOS Venmo
WhatsApp | How to decrypt WhatsApp end-to-end media files
WhatsApp | iOS WhatsApp Forensics with Belkasoft X
WhatsApp | iOS Unified Logs - Typing and sending a message in WhatsApp
WhatsApp | Forensic Duel: Exploring Deleted WhatsApp Messages—iOS vs Android
Wickr | Wickr. Alright. We’ll Call It A Draw.
ZSPEED - iPhone Device Speed | iPhone Device Speeds via Cache.sqlite - ZRTCLLOCATIONMO table and Vehicle and iPhone Speed Comparison - The Forensic Scooter