Files of interest on Apple iPhone 5

(@jay_bo)
Eminent Member
Joined: 15 years ago
Posts: 27
Topic starter  

Hi guys,

I have an Apple iPhone 5 that has been involved in a road traffic incident.

I have performed a logical and FSD dump of the phone and checked the usual calls and messages etc around the time of the incident with no signs of usage.

I have also had a look for the file duetLST.logduet but no luck; I will probably only have access to that if the device was to be jailbroken.

I have also looked at the MAC times of files etc but still nothing really that stands out.

I have had a look at the database in regards to data usage and manually looked at the crash data & apple reports on the phone but still no luck.

Before I conclude my examination findings, can anyone else recommend any alternate files to look at?


(@sgi93)
New Member
Joined: 11 years ago
Posts: 2
 

Hi Jay_bo
I am currently undertaking some research identifying key files of interest during the investigation of a road traffic collision. As part of my research I have compared three types of extractions; Cellebrite logical, Cellebrite file system and a Cellebrite file system undertaken on a jail broken handset.

There appears to be very little information of use in either of the first two extraction types. Some applications such as Facebook and Facebook Messenger store last run times within the session PLists. SMS.DB will also provide you with the message status, whether it was read and, if so, a MAC Absolute timestamp showing the time it was read. However, this is only helpful if you have a rough idea of what application may have been used.

From my experience I have found that the majority of useful information is only available when jail breaking the handset, the DuetLST.duetlog was fairly useful however I found a file named CurrentPowerlog.powerlog stored within the directory /AFC Serviceprivate/var/mobile/Library/Logs/CurrentPowerlog.powerlog which will be of great interest to you, however as I say you must jail break the handset to access these files.

This file stores a mass amount of information including the opening and closing of applications, battery status, assertions and network information. Each entry is given a tag, for example the opening or closing of an application is given the “Application” tag.

02/24/15 170115 [Application] id=com.facebook.Facebook; pid=266.00; mode=Foreground Running; reason=<unknown>; UIBackgroundModes=voip,audio,location,fetch,remote-notification; display_name=Facebook; executable=Facebook; version=24.0;

The log also stores passive activity such as simply waking the handset from sleep mode, shown in the below entry

02/24/15 172230 [SpringBoard-states] screen_state=unblanked; lock_state=locked;
02/24/15 172230 [Display] active=yes; brightness=41.2%; user_brightness=<unknown>; lux=166; als=enabled; mie=off; slider=27014; mNits=112571; uAmps=4481;

Jail breaking the handset and looking at this log may be of great value to your investigation and allow you to create a timeline of activities around the time of the collision.

The file itself stores a wealth of information and I would be happy to further discuss my findings with you.

I hope this helps, and apologies for the length of the post.

SGI93.


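As an added illustration (not code from the post above or from any tool it mentions), the parser below turns CurrentPowerlog.powerlog entries of the layout quoted in that post into a timeline around an incident time. It assumes the layout exactly as shown there: "MM/DD/YY HHMMSS [Tag] key=value; key=value; ...", with the time digits run together; the three sample lines are reconstructed from the post.

```python
import re
from datetime import datetime, timedelta

# Constructed sample: the three entries quoted in the post above, verbatim.
SAMPLE_LOG = """\
02/24/15 170115 [Application] id=com.facebook.Facebook; pid=266.00; mode=Foreground Running; reason=<unknown>; UIBackgroundModes=voip,audio,location,fetch,remote-notification; display_name=Facebook; executable=Facebook; version=24.0;
02/24/15 172230 [SpringBoard-states] screen_state=unblanked; lock_state=locked;
02/24/15 172230 [Display] active=yes; brightness=41.2%; user_brightness=<unknown>; lux=166; als=enabled; mie=off; slider=27014; mNits=112571; uAmps=4481;
"""

# Assumed layout (as quoted): date, six-digit time HHMMSS, bracketed tag, then the fields.
ENTRY_RE = re.compile(r"^(\d{2}/\d{2}/\d{2}) (\d{6}) \[([^\]]+)\] (.*)$")


def parse_entry(line):
    """Parse one powerlog line into (timestamp, tag, {field: value}); None if it does not match."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    date_s, time_s, tag, body = m.groups()
    ts = datetime.strptime(date_s + " " + time_s, "%m/%d/%y %H%M%S")
    fields = {}
    for pair in body.split(";"):
        pair = pair.strip()
        if "=" in pair:                      # skip the empty tail after the final ';'
            key, value = pair.split("=", 1)  # values such as "Foreground Running" may contain spaces
            fields[key.strip()] = value.strip()
    return ts, tag, fields


def parse_log(text):
    """Parse every matching line; unparseable lines are dropped rather than aborting the run."""
    return [e for e in (parse_entry(l) for l in text.splitlines()) if e]


def timeline(entries, incident, window_minutes):
    """Entries within +/- window_minutes of the incident time, oldest first, with a short description."""
    lo, hi = incident - timedelta(minutes=window_minutes), incident + timedelta(minutes=window_minutes)
    out = []
    for ts, tag, f in sorted(entries, key=lambda e: e[0]):
        if not (lo <= ts <= hi):
            continue
        if tag == "Application":
            desc = f"{f.get('display_name', f.get('id'))} -> {f.get('mode')}"
        elif tag == "SpringBoard-states":
            desc = f"screen={f.get('screen_state')} lock={f.get('lock_state')}"
        elif tag == "Display":
            desc = f"display active={f.get('active')} brightness={f.get('brightness')}"
        else:
            desc = "; ".join(f"{k}={v}" for k, v in f.items())
        out.append((ts, tag, desc))
    return out


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    for ts, tag, desc in timeline(events, datetime(2015, 2, 24, 17, 15), 20):
        print(ts.isoformat(), f"[{tag}]", desc)
```

On a real extraction, replace SAMPLE_LOG with the file contents and verify the timestamp layout and time zone against the handset's settings before relying on the timeline.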
(@jay_bo)
Eminent Member
Joined: 15 years ago
Posts: 27
Topic starter  

Thanks for that, a very interesting read.

I did wonder if jailbreaking the Apple iPhone would gain access to these files, just a question of the admissibility of the evidence in court.

However I have found a number of files of interest just through a FSD dump, two of which are 'DataUsage.sqlite and recent.sqlite'.

Now I haven't had time to do much research around these files, but my brief analysis and understanding of 'DataUsage' was that it seems to contain information about what apps were running using data, i.e. you could see that the Maps app was notified as a process at a certain time.

The recent.sqlite seems to be partially decoded by Cellebrite, in that it states what contacts were recently contacted. However, viewing the file can tell you further information such as how the contact was made, i.e. through Apple SMS, the Apple email app etc.

I would be very interested to hear your further findings.


(@sgi93)
New Member
Joined: 11 years ago
Posts: 2
 

It recovers significantly more files when jail broken. I’m not 100% sure if I have come across the DataUsage file, so I will have to take a look at that one, thank you for that. The admissibility of evidence when jail breaking a handset is an interesting topic.

A friend suggested a Python script which appears interesting however I have little experience with using Python and opted for jail breaking the handset. I haven’t used them because of this but you may have experience and find them useful.

https://github.com/mountainstorm/MobileDevice

As part of my project I have also done the equivalent investigation on a Samsung Galaxy S4 and found the events Android Buffer Log to be of use, extracting these is very simple and can be achieved using Logcat commands in Android Debug Bridge.

They are similar to the CurrentPowerlog.power, however these buffer logs are volatile and over time the data is purged. Working within a UK Hi Tech Crime Unit has allowed me to realise that it is very likely the device is turned off upon seizure to prevent remote wiping or modifications etc., ultimately meaning these logs are purged and potentially pertinent evidence is lost.

I did forget to mention that these CurrentPowerlog.powerlog files on the iPhone are archived within a folder named PLArchive at the end of each day, I haven’t finished my investigation of this folder so don’t have any further information on that at the moment.

My research is part of my final year project as I am studying a BSc Honours in Digital Forensics however once it is finalised and submitted in April I am more than happy to provide anyone on the forum my documentation.

However if you do have any further questions do not hesitate to contact me.

SGI93

