The highlighted .plist files were exported and opened in XCode on a Mac system. Each of these artifacts did not present any data that was readily identifiable as useful. Is it possible that these artifacts are encoded within the extraction data and could therefore be located? Sure, but for the purposes of this article, those measures were not undertaken. As these artifacts are behind a double security wall (main passcode, then re-entry of the passcode to access Significant Locations on the device), it is logical to conclude that they are not accessible through mobile forensic data extraction (i.e., encrypted).
How Does This Help Your Case?
To recap, we located the Significant Locations on the device and performed a data extraction and it appears that these locations are not part of any readable portion of that data. So how can we best incorporate this data into our investigations to add value? Unfortunately, the best answer is the “old fashioned way”. Access the device, navigate to “Significant Locations” and document each entry through photographs (NOT screen shots). Depending on the level of usage of the device, this can be tedious and time-consuming, but the value of the data cannot be overlooked.
In criminal cases, this data can help put the device in locations where the suspect may have been (or not have been) during the time of the incident. It can also help identify home locations and frequently visited locations, which can increase investigative leads, present additional accomplices, serve to impeach statements already made and more. Naturally, accessing the device is key. It bears noting that the “Significant Locations” data, combined with cellular provider call detail records could help paint a more thorough picture of the device location and/or movements than either one or the other alone.
In civil litigation, this data can be used in much the same way, but more likely to prove or disprove frequent locations, known associates (paramours, accomplices, etc.), and to help confirm or refute deposition or trial testimony. If your case involves insurance fraud and the claimant says that he cannot travel, this data helps refute that statement without the need to obtain cellular carrier records. But again, ideally we would couple this data with cellular location data to paint a more complete picture of the device usage patterns.
A couple of final notes about the existence of this data. First, it can be deleted. Note in the image above the option to “Clear History” is present and if the user selects this, the logging will be reset. It also appears (from checking a separate device with this logging turned on) that the data is stored for approximately 6 months. It is unknown whether or not the data would transfer from an older device to an upgraded device as further testing would need to be conducted. Finally, it is also unknown whether or not this data would be more readily accessible through mobile forensic data extraction on a jail-broken device.
Conclusions
This data is a proverbial gold mine, but it’s one we need to access in ways we generally don’t like to – by manipulating the device and accessing the UI. However, this is still a valid form of analysis and documentation, especially when the access limitations on iOS devices forces us to use tools and techniques other than those that are automated. As with most things in forensics, simply knowing where to look, how the data got there and how to best utilize the data to confirm or refute the other aspects of your case is (about) half the battle. We all know Google, Apple and the cellular carriers are tracking us. Let’s start using that data to help serve justice, no matter what we’re investigating!
Author:Patrick J. Siewert
Principal Consultant
Professional Digital Forensic Consulting, LLC
Virginia DCJS #11-14869
Based in Richmond, Virginia
Available Wherever You Need Us!
We Find the Truth for a Living!
Computer Forensics — Mobile Forensics — Specialized Investigation
About the Author:
Patrick Siewert is the Principal Consultant of Pro Digital Forensic Consulting, based in Richmond, Virginia. In 15 years of law enforcement, he investigated hundreds of high-tech crimes, incorporating digital forensics into the investigations, and was responsible for investigating some of the highest jury and plea bargain child exploitation investigations in Virginia court history. Patrick is a graduate of SCERS, BCERT, the Reid School of Interview & Interrogation and multiple online investigation schools (among others). He is a Cellebrite Certified Operator and Physical Analyst. He continues to hone his digital forensic expertise in the private sector while growing his consulting & investigation business marketed toward litigators, professional investigators and corporations, while keeping in touch with the public safety community as a Law Enforcement Instructor.