Iphone consilidated...
 
Notifications
Clear all

Iphone consilidated.db information  

  RSS
kexan
(@kexan)
New Member

Hi, long time reader, first time poster.

We are currently investigating an iphone used during a crime, and we have extracted the geopositions located within consilidated.db for analysis. During this we noticed that multiple points have the same unix datestamp. We are unsure what to make of this. Its kind of impossible to be on several locations at once, and the points are sometimes all over town.
It seems that all points during one day is saved with the same timestamp?

Can anyone shed some light as to why multiple points are saved with the same timestamp and what this data really is? When does the phone save this information?

thank you in advance

Quote
Posted : 26/11/2010 5:27 pm
tonydearing
(@tonydearing)
New Member

Hi Kexan

Are they definately unix timestamps and not mac absolute times?.

Regards Tony

ReplyQuote
Posted : 26/11/2010 5:52 pm
Redcelica67
(@redcelica67)
Active Member

I agree with Tony, the timestamps within consolidated.db are MAC Absolute times and not UNIX.

if you transpose the timestamp into an application such as DCode then this will verify this but I am fairly positive that we're correct.

This is purely an educated guess, but looking at the data the timestamp stays the same across a very narrow change of co-ordinates. When a change in co-ordinates is more significant, then the timestamp appears to change. Could it be the timestamp referring to the time that the device connected to a specific mast? Just a thought. )

ReplyQuote
Posted : 26/11/2010 6:51 pm
kexan
(@kexan)
New Member

Thank you for the fast replies!

Wierd, the company who makes the forensic tools actually told me it was unix time.

But the real question remains, if over 30 positions all have the same timestamp, regardless of format, why is that? Also the positions are all over a large town, and all positions (even those with another timestamp) is around this town.

ReplyQuote
Posted : 26/11/2010 7:52 pm
Redcelica67
(@redcelica67)
Active Member

…I would maybe suggest someone with cell site analysis experience may be able to answer this……

ReplyQuote
Posted : 26/11/2010 11:54 pm
xaberx
(@xaberx)
Active Member

I have seen this aswell with the Wifi networks and cell info… this is my reasoning/ idea as to how and why this is the way it is.

Sqlite3 is used as the data structure for the databases, the same database used in Google Chrome. I noticed in Google Chrome that entries are not always written at the same time viewed…this could instead be a timestamps of a database write time that it was entered into the database. The timestamps is also a Mac Absolute time which has the starting offset of the year 2000 I believe. I have a tool that can deconstruct these entries(I think you emailed me, will email back more info later as I was working on a Google Earth plugin for the exporting of co-ordinates)

So my assumption is the timestamps are the times that the entry was saved to the database sorta a batch marker based on the time it was stored to the iphone… this makes sense for performance with sqlite3.

Hope it helps
Ryan Manley
Wise Forensics LLC
[email protected]

ReplyQuote
Posted : 27/11/2010 5:28 am
Redcelica67
(@redcelica67)
Active Member

Ryan,
We're on the same wavelength and I think you're aboslutely correct here….. )

ReplyQuote
Posted : 27/11/2010 12:30 pm
kexan
(@kexan)
New Member

thx for the info guys! We´re currently comparing it to celltower info to specify the time.

ReplyQuote
Posted : 30/11/2010 6:41 pm
rh78
 rh78
(@rh78)
New Member

I have also been wondering what the relevance of the timestamp is. I recently found over 60,000 locations made up of both cell and wi-fi locations. I noticed that the timestamps were batched and wondered if they are the time that they are stored.

I don't seem to be able to get a straight answer about this.

Does anyone have a definate answer about them?

Thanks,

ReplyQuote
Posted : 24/01/2011 12:34 pm
CaptainF
(@captainf)
Member

I would be very, very cautious around trying to use these positions as evidence until further research has been carried out around how the contents of consolidated.db translates into real life usage.

I keep using my experience as an example but I think it is the easiest way of getting my point across about the need for thorough research into the contents of this file.

I restored my iPad to baseline iOS and had not locations in consolidated.db. I turned location services OFF and placed the iPad in Airplane Mode. I connected the iPad to a new wireless access point not indexed by Google/Skyhook etc databases. By Simply joining this access point my iPad downloaded a significant amount of locations into consolidated.db.

Included in the consolidated.db file were wifi access points from all over the city in which I work and cell towers from over 22KM away.

I had never left my office with the device or been within credible range of the access points or cell towers.

Test it for yourself and you will see what I mean, this testing was carried out using iOS 4.3.1 on iPad 1.

ReplyQuote
Posted : 27/04/2011 12:38 am
Share: