iPad unlock events

3 Posts
1 Users
0 Likes
1,259 Views
(@chrisw)
Posts: 7
Active Member
Topic starter
 

Do 6th generation iPads capture phone unlock events in any of their log files/databases, where the user has entered the PIN or authenticated via Touch ID or Face ID? And if so, what tools can be used to export and analyse the relevant event logs? I'm not sure how they compare to, say, Windows evtx files. I believe most of the useful artefacts on iDevices are SQLite databases, but this is a new area to me.

Out of interest, what tools do you have in your arsenal for both imaging and analysing iPad/iPhone devices? Are there any forensics posters/quick reference guides on all suggested artefacts and paths for the various types of user activity, e.g. file access, file download, program execution, account usage etc. SANS used to have some useful 'cheat sheets' for Windows devices.

 
Posted : 16/11/2022 8:41 am
(@chrisw)
Posts: 7
Active Member
Topic starter
 

Answered my own query but this was what I was looking for:

DFIR Advanced Smartphone Forensics | SANS Posters

 
Posted : 22/11/2022 1:38 pm
(@chrisw)
Posts: 7
Active Member
Topic starter
 

It could potentially be this file:

private/var/mobile/Library/CoreDuet/coreduetd.db

Although that may just be a lock status rather than an unlock event log. 

 
Posted : 22/11/2022 1:41 pm
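
Added example, not part of the original posts: one way to check whether a SQLite artefact such as the coreduetd.db file mentioned above holds a timestamped series of lock/unlock rows or only a single status value. It lists every table whose name or columns mention "lock", with row counts, and converts timestamps on the assumption that they are stored as seconds since 2001-01-01 UTC (Mac absolute time). The sample table and column names are constructed for the demonstration and are hypothetical, not the real schema of that file.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

# Assumption: timestamps are Mac absolute time (seconds since 2001-01-01 UTC).
COCOA_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)

def cocoa_to_utc(seconds):
    """Convert seconds since 2001-01-01 UTC to an aware datetime."""
    return COCOA_EPOCH + timedelta(seconds=seconds)

def open_read_only(path):
    """Open a working copy of the extracted database without write access."""
    return sqlite3.connect(f"file:{path}?mode=ro", uri=True)

def survey_lock_tables(conn, keyword="lock"):
    """Return {table: {"columns": [...], "rows": n}} for every table whose
    name or any column name contains `keyword` (case-insensitive)."""
    found = {}
    tables = [r[0] for r in conn.execute(
        "SELECT name FROM sqlite_master WHERE type='table'")]
    for table in tables:
        cols = [r[1] for r in conn.execute(f'PRAGMA table_info("{table}")')]
        if keyword in table.lower() or any(keyword in c.lower() for c in cols):
            rows = conn.execute(f'SELECT COUNT(*) FROM "{table}"').fetchone()[0]
            found[table] = {"columns": cols, "rows": rows}
    return found

def build_constructed_sample():
    """Constructed in-memory database; all names here are hypothetical."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE SAMPLE_LOCK_EVENT (
            id INTEGER PRIMARY KEY, is_locked INTEGER, created REAL);
        INSERT INTO SAMPLE_LOCK_EVENT (is_locked, created)
            VALUES (1, 690280860.0), (0, 690284460.0);
        CREATE TABLE SAMPLE_APP_USAGE (id INTEGER PRIMARY KEY, bundle TEXT);
    """)
    return conn

if __name__ == "__main__":
    # For a real extraction, replace with open_read_only("<path to copy>").
    conn = build_constructed_sample()
    for table, info in survey_lock_tables(conn).items():
        print(table, info)
    query = "SELECT is_locked, created FROM SAMPLE_LOCK_EVENT ORDER BY created"
    for is_locked, created in conn.execute(query):
        state = "locked" if is_locked else "unlocked"
        print(state, cocoa_to_utc(created).isoformat())
```

A table with many timestamped rows reads as an event log; a table with one row is more likely a current status value.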