When conducting a digital investigation, application artifacts like chats and browsers are usually the first in line to be explored. However, with iOS devices, system files have great potential, too. Apple devices record and store various user settings and activities, and some of these records may help build a picture of events and reveal crucial evidence.
In this article, we will look into a few notable iOS system artifacts, such as:
- CellularUsage.db
- Accounts3.sqlite
- ADDataStore.sqlitedb
- Photos.sqlite
- DataUsage.sqlite
- KnowledgeC.db
We will explain how to acquire and analyze these artifacts with Belkasoft X and provide tips on using them in criminal and cybersecurity investigations.
CellularUsage.db
The CellularUsage.db file contains phone numbers and SIM card IDs associated with the device. It often retains details of SIM cards that are no longer tied to the device, which can help identify additional numbers of the device owner and when they were used.
When analyzing iOS artifacts in Belkasoft X, you can find this database profile on the Structure tab under System files → CellularUsage.db → Device info.
File System location:
- Full file system: \private\var\wireless\Library\Databases\
- iTunes / iCloud backup: \WirelessDomain\Library\Databases\
Tip: More details of this kind can be part of the Cellular configuration profile.
Read the rest of this story with a free account.
Already have an account? Sign in
