Here is a quick non-exhaustive list of some highlights I found. any other data points you’d like to draw attention to? Shafik: Yup – exactly where the database said they would be!įorensicmike: Awesome. And we’re barely scratching the surface here.įorensicmike: Just confirming, you actually found these images in DCIM/104APPLE right? Take a look at the ZDATECREATED for a UTC based creation time, and ZADDEDDATE for a ‘added to album time’ – something that would be utterly missing from an analysis within an industry tool.
Shafik: Yes! They were screenshots – but that’s not the only thing you can understand from the querying we’ve done so far. and….victory!įorensicmike: Interesting… all PNG files – probably suggesting these could be screenshots if I recall from FOR585? Now all that’s left is to scroll to the right…keep scrolling…. Take your values of interest and search for them as either RowID or Z_PK: Now we have one final table to bring into the mix… ZGENERICASSET. So we can see there are four items of interest in the Z_23ASSETS table if we filter by Z_23ALBUMS=47 (the Z_PK from ZGENERICALBUM), specifically 4490, 4491, 4492, 4493. So, step 2 is to check Z23_ASSETS (or Z#_ASSETS) for your Z_PK of interest. At this point you should also note the Z_PK - in this case it was 47 - as this is our primary key that we will cross reference in table number 2 – the mystery number table. So in this case we can see there are 4 items anticipated all of which are photos. You can also note the ZCACHEDPHOTOSCOUNT and ZCACHEDVIDEOSCOUNT for a photo/video count – handy! The ZTITLE column is where you’re headed. Shafik: If you know the album you’re interested in as I did in my case, start with ZGENERICALBUM. Keep in mind this is for iOS 12.1 and could be different in future/previous versions.įorensicmike: Okay, so where do we start?
It is also probably the number one reason the forensic tools are staying far away from this otherwise easy target of a database. The mystery number is the oddest and seems to vary from device to device. There are a handful of other interesting ones that I’ll provide a list for at the end but those are the main ones. The primary ones you need to focus on for the purpose of album identification and media correlation are ZGENERICALBUM, the mystery Z_#ASSETS table, and the ZGENERICASSET table. At the time of writing, this database must be manually examined in order to identify the existence of albums which can contain photos or videos.įorensicmike: Shaf… there’s nearly 70 tables in this beast. Photos.sqlite contains everything from album ownership, to internal photo analysis and GPS and much more. Shafik: This SQLite database file contains information about videos and photos stored on an iOS device. Some albums are user created while others are automatically created by iOS such as ‘Screenshots’ or even third party applications.įorensicmike: I don’t know who you could be referring to! So… could you summarize the purpose of Photos.sqlite? This means there is a possibility that for every single instance of a video or photo on the file system there may be membership to one or more albums.
For most if not all major forensic tools, there is no way to tell which camera roll items belong to an album. The guy who did the acquisition, a blogger who shall not be directly named but rhymes with forensicbike, did not check before releasing the device itself. Shafik: I was working on an already acquired iPhone 8 on iOS 12.1.2 where the device owner had placed the images of interest in an album called “Evidence”. Shafik’s meticulous nature and extensive knowledge and experience is unmatched and so is the perfect person to ask about this subject.įorensicmike: What prompted you to investigate Photos.sqlite? Punja – who has been working in the digital forensics field for the last 15 years and counting. To answer this question, I’m bringing out the big guns – colleague and friend Shafik G. Why is this? One possible reason is that the database can be hard to work with due to table names that vary from device to device.
#APPLE SERIAL NUMBER BY FORENSIC ANALYSIS FULL#
Photos.sqlite, the iOS elephant in the room of mobile forensic vendors that is absolutely chock full of interesting information yet is completely ignored.
0 kommentar(er)
