Is Apple iOS health data encrypted?
According to this story, investigators in Germany were able to recover the "health data" from an Apple iPhone to prove that the suspect had climbed stairs, which in turn disproved his statements that he had not. The investigators replicated this at the scene using another phone.
I was under the impression that the Health Data was encrypted and my question is has anyone else been able to extract this data using Cellebrite or any other tool?
Google Translate version - https://translate.google.com.au/translate?sl=auto&tl=en&js=y&prev=_t&hl=en&ie=UTF-8&u=https%3A%2F%2Fwww.welt.de%2Fvermischtes%2Farticle172287105%2FMordprozess-Hussein-K-Die-Version-vom-Handeln-im-Affekt-ist-mit-dem-heutigen-Tag-obsolet.html&edit-text=
Most of the health and geolocation data for iOS need full file system access which typically means jailbreak but you could go the low tech way and just look at the phone and read the health data off of it. Screenshots have been used many times before.
The article hints that *somehow* the Munich firm specialized in this stuff managed to "crack" the phone and get access to it.
If this is the case, then seemingly the data was simply read, not encrypted, on the device.
Thanks Jamie, I will revisit Sarah's stuff.
I think the reference to cracking the phone was in reference to the pin code, which the suspect refused to give up. The article mentions that it took a few months, which leads me to believe that the pin code was cracked by Cellebrite CAIS or similar.
Here's Sarah Edwards' presentation sheet that she uses so you can navigate to the healthdb stuff
The steps, meters, flights climbed are pretty dead on. You might have to link the healthdb.sqlite and healthdb_secure.sqlite databases together, and multiple tables, to get the information you're looking for. The "samples" and "quantity_samples" tables inside healthdb_secure.sqlite are the two you're probably looking for, but others will have to be linked to give more context.
As far as if it's encrypted, using a method 1 on Cellebrite with their standard encrypted backup let me view these databases with no issues.
Health data only exists in *encrypted* iTunes backups, but once you have the password from backup, there is no problem to decrypt and analyse the data. Full file system access (with GrayKey or via jailbreaking) is not required. Just note that Health data is not included in backups with no password set.
All the data is stored in healthdb.sqlite and healthdb_secure.sqlite databases; there is also something in healthdb_secure.hfd file, but it is encrypted.
Alternatively, you can download Health data from the iCloud; at this time, Elcomsoft Phone Breaker is the only product that can do that.
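The "samples" / "quantity_samples" join mentioned in the thread, as an added example that is not from any poster or tool vendor. It assumes a simplified two-table schema (`data_id`, `start_date`, `end_date`, `data_type`, `quantity`), Mac absolute timestamps, and the `data_type` codes shown; the database rows are constructed, so check all of these against your own extraction.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

# Health timestamps are Mac absolute time: seconds since 2001-01-01 UTC.
MAC_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)
# ASSUMPTION: data_type codes as commonly reported; confirm on your extraction.
DATA_TYPES = {7: "steps", 8: "distance_m", 12: "flights_climbed"}

QUERY = """
SELECT s.data_type, s.start_date, s.end_date, q.quantity
FROM samples AS s
JOIN quantity_samples AS q ON q.data_id = s.data_id
WHERE s.data_type IN (7, 8, 12)
  AND s.end_date >= ? AND s.start_date <= ?
ORDER BY s.start_date, s.data_id
"""

def to_mac(dt):
    return (dt - MAC_EPOCH).total_seconds()

def to_utc(mac_seconds):
    return (MAC_EPOCH + timedelta(seconds=mac_seconds)).isoformat()

def activity_between(conn, start_utc, end_utc):
    """Return activity samples overlapping the [start_utc, end_utc] window."""
    rows = conn.execute(QUERY, (to_mac(start_utc), to_mac(end_utc)))
    return [{"type": DATA_TYPES[t], "start": to_utc(s), "end": to_utc(e),
             "quantity": q} for t, s, e, q in rows]

def build_constructed_db():
    """In-memory stand-in with constructed rows; not real case data."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE samples (data_id INTEGER PRIMARY KEY, start_date REAL, end_date REAL, data_type INTEGER);
        CREATE TABLE quantity_samples (data_id INTEGER PRIMARY KEY, quantity REAL);
    """)
    base = to_mac(datetime(2020, 5, 1, 2, 0, tzinfo=timezone.utc))
    rows = [(1, base, base + 60, 7, 85.0),           # steps, in window
            (2, base + 30, base + 90, 12, 2.0),      # flights, in window
            (3, base + 7200, base + 7260, 7, 40.0),  # steps, two hours later
            (4, base, base + 60, 999, 1.0)]          # unrelated type
    conn.executemany("INSERT INTO samples VALUES (?, ?, ?, ?)", [r[:4] for r in rows])
    conn.executemany("INSERT INTO quantity_samples VALUES (?, ?)", [(r[0], r[4]) for r in rows])
    return conn

if __name__ == "__main__":
    t0 = datetime(2020, 5, 1, 2, 0, tzinfo=timezone.utc)
    for row in activity_between(build_constructed_db(), t0, t0 + timedelta(minutes=10)):
        print(row)
```

Against a working copy of a decrypted database, open it read-only with `sqlite3.connect("file:healthdb_secure.sqlite?mode=ro", uri=True)` so the query cannot alter the evidence file.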