The world becomes aware..

I returned from my holiday to discover people commenting on the post regarding the consolidated database. Suffice to say I’m quite happy for the attention.  It turns out a tool has been developed which processes the data found in the database and places them as points on a map.

Friends and students familiar with my dissertation have believed that this is a direct copy of the tool I developed for my final year project, and I just wanted to state that although the tool is similar, they do different jobs.  Yes my tool does analyse the consolidated database, but the aim of my tool is to track individual locations and piece together an individuals movements.  This may be used in a forensic analysis to determine if the iPhone user was in a specific location at a specific time, where the data may be incriminating or prove the individual innocent.

Alasdair Allan and Pete Warden have developed a tool that specifically targets the consolidated database and outputs the data found in it onto a map.  This data includes locations of cell towers and wifi access points.  It it really impressive, and performs the task they made it for fantastically, using a very easy-to-use and beautiful user interface. Check it out here.

I would like to thank them for mentioning me in their FAQ!

Because they have alerted the world to this database, Apple have announced they will be changing iPhone functionality to reduce the amount of geolocations stored in this database.  I do not know if this means they will be eradicating the file completely, or simply reducing the timeframe the locations are stored for.  Naturally this affects the effectiveness of my dissertation tool.  However, if they are simply just removing the data after a certain timeframe (e.g. deleting records after a week), then there may be potential for recovery (intended for my summer research).

I still intend on writing a small paper over summer describing what all the values in consolidated database mean. It is intended for forensic analysts to use as reference during an investigation, in order to determine which values can determine accurately where the device has been, and not confuse the location of a cell tower with a coordinate the phone has been.


War against the iPhone’s consolidated.db

Individuals familiar with iPhone forensic analysis will be quite familiar.  As far as my research has taken me, I am able to gather previous locations of the iPhone from the database, all contained in the ‘CellLocationLocal’ table.  But the database has more tables…interesting…

So I’ve been looking at the ‘WifiLocation’ and ‘CellLocation’ table, and discovered a few interesting things.  Some of the results gave me locations in countries such as Turkey, which I haven’t actually ever been to.  It’s common knowledge with this database that the time stamps are generated as some kind of batch method in these tables, because the time stamp value can be the same for multiple  geolocations.  I find this very very interesting.

To further matters, tables such as ‘CellLocationBoxes_node’ appear to store some kind of data as a hex string.  Further research is needed!

My theory is, for the moment, that these values are not locations of the phone, but instead locations looked at by the device, via the Google maps app or other applications.  Looks like I’ve got my second piece of research for my summer break!  I’ll post my findings and see if I can finally get to the bottom of all the data stored in this database.

SQLite Record Recovery

So, while working on my dissertation I discovered something I thought was of interest.  It turns out I performed a good portion of my project thinking such things as deleted messages can’t be recovered because of the iPhone’s encryption chip leaving any raw data unreadable.  I was not aware that sqlite databases do not actually remove the data from themselves, but instead must in some manner just delete the reference to the record somewhere.

Somebody has created a tool to recover this data, but is only available to beta testers.  It can be found here.  I’m quite fancying doing some research about this over summer and seeing if I can create my own tool. Wish me luck!

If anyone wants to get involved or at least throw me some info on this please comment or email