I am conducting an analysis of an Apple iPhone with Cellebrite PA 7.34 via a UFDR file (trying to obtain UFED Dump). The phone was extracted via GrayKey. I am analyzing the Device Locations primarily to attempt and locate where the device was at any given point in time (case involves numerous break-ins). When conducting my analysis, I am mainly focusing on "Native" locations. The iOS locations specifically state that they are UTC-4 or UTC-5 that would be the local timezone. When reviewing Native, they do not detail the timezone. When reviewing them coordinated with the iOS locations, at first, it looked as though it made sense that they were in UTC -0. So I converted them to local time. When analyzing the Native locations (time converted or not) I came across numerous locations that are miles apart with the same exact time stamp. Looking closer into the differences in locations, it appears the data is coming from, primarily, two databases: (1) cache_encryptedB.db and (2) cache.sqlite. Looking at the locations within Cellebrite the encrypted database locations state "GpsFix" and the sqlite locations just state "Location" with a number and Origin blank.
I should say, the locations in the cache.sqlite database appears to match locations relevant to the case, but I am obviously looking for more insight into the differences in the locations pulled from a GrayKey extraction of an iPhone.
Any insight is welcome! Thank you.
Analyze the same GK dump with different tools and match the results. I strongly recommend Cellebrite PA, Magnet Axiom, Oxygen Forensic Detective and Belkasoft Evidence Center for the same GK dump. Give us a feedback if the results differed!
@passcodeunlock thanks! Unfortunately I need to obtain the dump file to run with Axiom as it doesn't read the UFED Reader file.
Yes, you will need the original dump.
You could export the file system to a zip and analyse that part in axiom if it’s only gps you are interested in.
@fissa: please don't instruct people to do useless things! If the precise GPS info would been there in the .ufdr then the OP wouldn't ask his question, no ?!
Because it does not actually get a physical copy, the images that Cellebrite produces are referred to as "logical images." (through the use of their software)
Therefore, an intunes backup in the cloud, for example, is getting a good bit of everything on the phone, with the exception of the space that has been unallocated or deleted, as well as the data that an app has chosen not to back up.