±Forensic Focus Partners

Become an advertising partner

±Your Account


Username
Password

Forgotten password/username?

Site Members:

New Today: 5 Overall: 33319
New Yesterday: 8 Visitors: 239

±Follow Forensic Focus

Forensic Focus Facebook PageForensic Focus on TwitterForensic Focus LinkedIn GroupForensic Focus YouTube Channel

RSS feeds: News Forums Articles

±Latest Articles

RSS Feed Widget

±Latest Webinars

Iphone consilidated.db information

Discussion of forensic issues related to all types of mobile phones and underlying technologies (GSM, GPRS, UMTS/3G, HSDPA, LTE, Bluetooth etc.)
Subforums: Mobile Telephone Case Law
Reply to topicReply to topic Printer Friendly Page
Forum FAQSearchView unanswered posts
Go to page 1, 2  Next 
  

Iphone consilidated.db information

Post Posted: Fri Nov 26, 2010 11:27 am

Hi, long time reader, first time poster.

We are currently investigating an iphone used during a crime, and we have extracted the geopositions located within consilidated.db for analysis. During this we noticed that multiple points have the same unix datestamp. We are unsure what to make of this. Its kind of impossible to be on several locations at once, and the points are sometimes all over town.
It seems that all points during one day is saved with the same timestamp?

Can anyone shed some light as to why multiple points are saved with the same timestamp and what this data really is? When does the phone save this information?

thank you in advance  

kexan
Newbie
 
 
  

Re: Iphone consilidated.db information

Post Posted: Fri Nov 26, 2010 11:52 am

Hi Kexan

Are they definately unix timestamps and not mac absolute times?.


Regards Tony  

tonydearing
Newbie
 
 
  

Re: Iphone consilidated.db information

Post Posted: Fri Nov 26, 2010 12:51 pm

I agree with Tony, the timestamps within consolidated.db are MAC Absolute times and not UNIX.

if you transpose the timestamp into an application such as DCode then this will verify this but I am fairly positive that we're correct.

This is purely an educated guess, but looking at the data the timestamp stays the same across a very narrow change of co-ordinates. When a change in co-ordinates is more significant, then the timestamp appears to change. Could it be the timestamp referring to the time that the device connected to a specific mast? Just a thought. Smile  

Redcelica67
Senior Member
 
 
  

Re: Iphone consilidated.db information

Post Posted: Fri Nov 26, 2010 1:52 pm

Thank you for the fast replies!

Wierd, the company who makes the forensic tools actually told me it was unix time.

But the real question remains, if over 30 positions all have the same timestamp, regardless of format, why is that? Also the positions are all over a large town, and all positions (even those with another timestamp) is around this town.  

kexan
Newbie
 
 
  

Re: Iphone consilidated.db information

Post Posted: Fri Nov 26, 2010 5:54 pm

...I would maybe suggest someone with cell site analysis experience may be able to answer this......  

Redcelica67
Senior Member
 
 
  

Re: Iphone consilidated.db information

Post Posted: Fri Nov 26, 2010 11:28 pm

I have seen this aswell with the Wifi networks and cell info... this is my reasoning/ idea as to how and why this is the way it is.

Sqlite3 is used as the data structure for the databases, the same database used in Google Chrome. I noticed in Google Chrome that entries are not always written at the same time viewed...this could instead be a timestamps of a database write time that it was entered into the database. The timestamps is also a Mac Absolute time which has the starting offset of the year 2000 I believe. I have a tool that can deconstruct these entries(I think you emailed me, will email back more info later as I was working on a Google Earth plugin for the exporting of co-ordinates)

So my assumption is the timestamps are the times that the entry was saved to the database sorta a batch marker based on the time it was stored to the iphone... this makes sense for performance with sqlite3.

Hope it helps
Ryan Manley
Wise Forensics LLC
ryan.manley @ wiseforensics.com  

xaberx
Senior Member
 
 
  

Re: Iphone consilidated.db information

Post Posted: Sat Nov 27, 2010 6:30 am

Ryan,
We're on the same wavelength and I think you're aboslutely correct here..... Smile  

Redcelica67
Senior Member
 
 

Page 1 of 2
Go to page 1, 2  Next