iPhone X 12.3.1 UFED PA found Safari deleted webpages

4 Posts
3 Users
0 Reactions
1,761 Views
(@forensicchicken)
Active Member
Joined: 6 years ago
Posts: 7
Topic starter  

Cellphone iPhone X iOS 12.3.1
Cellebrite UFED Physical Analyzer 6.3.5.27 (updating soon)

I am a digital forensic specialist with less than a year of experience who works for an accident reconstructionist. In this instance, we have a fatal car accident and a phone was recovered from one of the drivers. I am tasked with providing date, time, and application information of phone usage, if any, leading up to the accident.

I have a logical extraction, with passcode, of an iPhone X and I am seeing there are a multitude of deleted websites in Safari. I see it references com.apple.mobilesafari>Library>Safari>History.db but when I open this database there is nothing in there. I do see lots of information in the Hex View. If possible, how can I use the Hex information and translate it into human readable results?

I am also attempting to find activity on the phone during a time frame: was Safari being used to browse pages, was any other app open and being used (for example YouTube)?

I spent most of my day yesterday converting OSX Epoch Nano time into human readable date/time information. I exported the tagged results of sms.db and CallHistory.storedata into a .csv. Using Excel, the 18-digit number is now easily converted into a date and time, even with the time zone offset. Hopefully this helps someone. Here is my formula:

Excel formula for converting OSX EPOCH NANO time to readable date with timezone offset

=Cell/(nanoseconds per second*seconds per minute*minutes per hour*hours per day)+DATE(iOS epoch)+(UTC offset in hours/24)

=Q8/(1000000000*60*60*24)+DATE(2001,1,1)+(-5/24)

iOS is weird in that it uses multiple time formats almost willy-nilly: Mac Absolute time for 'date_read' but OSX Epoch Nano for 'date'. I also see that this is interchangeable in 'date_read': sometimes Mac Absolute and sometimes Epoch Nano time.

I am very new to the digital forensic field. My training schedule for the next 18 months is intense and hopefully I will soon be able to offer answers and probably more questions to this community.

Thank You,

ForensicChicken
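The post above converts one timestamp flavour in Excel; the added example below (not the poster's code) does the same in Python for both flavours at once and handles the mixed 'date_read' column. It tells Mac Absolute seconds and "OSX Epoch Nano" nanoseconds apart by magnitude, which is safe for any date after 2001, and it treats 0 as "no timestamp", which is how iOS records an unread message. One caveat the Excel formula does not surface: a 9-to-10 digit value could also be a Unix timestamp, which magnitude alone cannot rule out, so the assumption that plain seconds are Mac Absolute (the convention in sms.db and CallHistory.storedata) is stated explicitly in the code. The sample rows and the -5 hour offset are constructed for the example.

```python
"""Apple timestamp normaliser (added example, not from the forum post).

Both clocks count from 2001-01-01 00:00:00 UTC:
  * Mac Absolute time   - whole seconds     (e.g. 582292800)
  * "OSX Epoch Nano"    - nanoseconds       (e.g. 582292800000000000)
Assumption: a value that looks like seconds is Mac Absolute, not Unix time.
"""
from datetime import datetime, timedelta, timezone

APPLE_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)
NANO_THRESHOLD = 10**14   # above this a post-2001 value can only be nanoseconds


def classify(value):
    """Return 'empty', 'seconds' or 'nanoseconds' for an Apple-epoch value."""
    if value is None or value == 0:
        return 'empty'        # iOS stores 0 for "never" (e.g. an unread SMS)
    return 'nanoseconds' if abs(int(value)) > NANO_THRESHOLD else 'seconds'


def to_utc(value):
    """Convert either flavour to an aware UTC datetime (None for 0/None)."""
    kind = classify(value)
    if kind == 'empty':
        return None
    value = int(value)
    if kind == 'nanoseconds':
        # integer split keeps full precision; datetime only holds microseconds
        seconds, nanos = divmod(value, 10**9)
        return APPLE_EPOCH + timedelta(seconds=seconds, microseconds=nanos // 1000)
    return APPLE_EPOCH + timedelta(seconds=value)


def to_local(value, utc_offset_hours):
    """Same as to_utc but shifted to a fixed UTC offset (e.g. -5)."""
    dt = to_utc(value)
    if dt is None:
        return None
    return dt.astimezone(timezone(timedelta(hours=utc_offset_hours)))


def normalise_message_rows(rows, utc_offset_hours):
    """rows: dicts shaped like an sms.db 'message' export with 'date' and 'date_read'.

    Each output row records which format was detected so that a mixed column
    (seconds in one row, nanoseconds in the next) is visible in the result.
    """
    out = []
    for r in rows:
        out.append({
            'rowid': r['rowid'],
            'date_utc': to_utc(r['date']),
            'date_local': to_local(r['date'], utc_offset_hours),
            'date_format': classify(r['date']),
            'date_read_utc': to_utc(r['date_read']),
            'date_read_format': classify(r['date_read']),
        })
    return out


# Constructed sample rows (not from a real handset); 582292800 = 2019-06-15 12:00:00 UTC
SAMPLE_ROWS = [
    {'rowid': 1, 'date': 582292800000000000, 'date_read': 582292860},            # read in seconds
    {'rowid': 2, 'date': 582292900000000000, 'date_read': 582292960000000000},   # read in nanoseconds
    {'rowid': 3, 'date': 582293000000000000, 'date_read': 0},                    # never read
]

if __name__ == '__main__':
    for row in normalise_message_rows(SAMPLE_ROWS, -5):
        print(row['rowid'], row['date_local'], row['date_format'],
              row['date_read_utc'], row['date_read_format'])
```

Feed the function the rows from the .csv export and the detected formats will show, per row, whether 'date_read' was stored as seconds or nanoseconds.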


   
Quote
(@firmsky)
New Member
Joined: 7 years ago
Posts: 2
 

To get the required granular usage for timings surrounding a fatal RTC you really need a file system extraction to obtain access to the KnowledgeC database, which will then help you establish if the handset was in use at the time of the RTC. Sarah Edwards has published extensive coverage of this on her website. Hopefully you will be able to access a file system extraction, as this will really assist in helping to prove your case. Hope this helps, and good luck in your new career.


   
ReplyQuote
(@deefir)
Eminent Member
Joined: 6 years ago
Posts: 49
 

What process did you go through to obtain a logical? Method 1 or 2? Updating to 7.24 would be a good start.

You can manually dive through app usage databases and correlate application usage to dates/times.
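The two replies above point at the same workflow: pull foreground-app intervals from knowledgeC.db (the '/app/inFocus' stream, which needs a file system extraction because the database lives under Library/CoreDuet/Knowledge) and correlate them with Safari's History.db against the accident time window. The added example below (mine, not the posters' or Cellebrite's) does that correlation with two constructed in-memory SQLite databases. It keeps only the columns it needs: ZOBJECT.ZSTREAMNAME/ZVALUESTRING/ZSTARTDATE/ZENDDATE from knowledgeC.db and history_items/history_visits from History.db; the real tables have many more columns, so treat the schema subset as an assumption. All timestamps are Mac Absolute seconds, and the sample rows are constructed.

```python
"""Correlate app usage and Safari visits inside a time window (added example).

Constructed, reduced schemas:
  * knowledgeC.db  ZOBJECT(ZSTREAMNAME, ZVALUESTRING, ZSTARTDATE, ZENDDATE)
      '/app/inFocus' rows: which bundle id was in the foreground, and when
  * Safari History.db  history_items(id, url), history_visits(history_item, visit_time, title)
Timestamps are Mac Absolute seconds (since 2001-01-01 UTC).  Sample data is made up.
"""
import sqlite3
from datetime import datetime, timedelta, timezone

APPLE_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)
BASE = 582292800  # constructed reference point: 2019-06-15 12:00:00 UTC


def mac_abs_to_utc(seconds):
    return APPLE_EPOCH + timedelta(seconds=seconds)


def utc_to_mac_abs(dt):
    return (dt - APPLE_EPOCH).total_seconds()


def build_sample_knowledgec():
    db = sqlite3.connect(':memory:')
    db.execute("CREATE TABLE ZOBJECT (Z_PK INTEGER PRIMARY KEY, ZSTREAMNAME TEXT, "
               "ZVALUESTRING TEXT, ZSTARTDATE REAL, ZENDDATE REAL)")
    db.executemany(
        "INSERT INTO ZOBJECT (ZSTREAMNAME, ZVALUESTRING, ZSTARTDATE, ZENDDATE) VALUES (?,?,?,?)",
        [('/app/inFocus', 'com.apple.mobilesafari', BASE - 120, BASE - 30),
         ('/app/inFocus', 'com.google.ios.youtube', BASE - 30, BASE + 45),
         ('/app/inFocus', 'com.apple.MobileSMS', BASE + 600, BASE + 660),   # after the window
         ('/display/isBacklit', None, BASE - 130, BASE + 50)])             # other stream, ignored
    return db


def build_sample_safari():
    db = sqlite3.connect(':memory:')
    db.execute("CREATE TABLE history_items (id INTEGER PRIMARY KEY, url TEXT)")
    db.execute("CREATE TABLE history_visits (id INTEGER PRIMARY KEY, history_item INTEGER, "
               "visit_time REAL, title TEXT)")
    db.executemany("INSERT INTO history_items VALUES (?,?)",
                   [(1, 'https://example.com/map'), (2, 'https://example.com/news')])
    db.executemany("INSERT INTO history_visits (history_item, visit_time, title) VALUES (?,?,?)",
                   [(1, BASE - 100, 'Map'), (2, BASE + 900, 'News')])  # second one is after the window
    return db


def apps_in_focus(kc_db, start_utc, end_utc):
    """Foreground-app intervals that overlap [start, end), oldest first."""
    s, e = utc_to_mac_abs(start_utc), utc_to_mac_abs(end_utc)
    rows = kc_db.execute(
        "SELECT ZVALUESTRING, ZSTARTDATE, ZENDDATE FROM ZOBJECT "
        "WHERE ZSTREAMNAME = '/app/inFocus' AND ZSTARTDATE < ? AND ZENDDATE > ? "
        "ORDER BY ZSTARTDATE", (e, s)).fetchall()
    return [(app, mac_abs_to_utc(a), mac_abs_to_utc(b)) for app, a, b in rows]


def safari_visits(sf_db, start_utc, end_utc):
    """Page visits recorded inside [start, end), oldest first."""
    s, e = utc_to_mac_abs(start_utc), utc_to_mac_abs(end_utc)
    rows = sf_db.execute(
        "SELECT v.visit_time, i.url, v.title FROM history_visits v "
        "JOIN history_items i ON i.id = v.history_item "
        "WHERE v.visit_time >= ? AND v.visit_time < ? ORDER BY v.visit_time", (s, e)).fetchall()
    return [(mac_abs_to_utc(t), url, title) for t, url, title in rows]


def timeline(kc_db, sf_db, start_utc, end_utc):
    """Merge both sources into one chronological list of (time, kind, detail)."""
    events = []
    for app, a, b in apps_in_focus(kc_db, sf_db and start_utc, end_utc):
        events.append((a, 'app_in_focus', f'{app} until {b.isoformat()}'))
    for t, url, title in safari_visits(sf_db, start_utc, end_utc):
        events.append((t, 'safari_visit', f'{url} ({title})'))
    return sorted(events)


if __name__ == '__main__':
    start, end = mac_abs_to_utc(BASE - 180), mac_abs_to_utc(BASE + 60)
    for when, kind, detail in timeline(build_sample_knowledgec(), build_sample_safari(), start, end):
        print(when.isoformat(), kind, detail)
```

The overlap test (start < window_end and end > window_start) is what makes an app that was already open when the window began still show up, which is the case that matters for "was the handset in use at the time".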


   
ReplyQuote
(@forensicchicken)
Active Member
Joined: 6 years ago
Posts: 7
Topic starter  

Thank you for the replies. I am highly enjoying my new career and hope to excel. I am fortunate enough to have a boss that sees the need for extensive training and preparation for what lies ahead.

I used Advanced Logical extraction, method 1. This method does not do a file system extraction.

"You can manually dive through app usage databases and correlate application usage to dates/times."

Can you give me the folder path for these databases?

Thank you again.

ForensicChicken


   
ReplyQuote
Share: