In this forensic investigation lab, we analyze data extracted from a jailbroken iOS device to uncover valuable insights into the user's activity, habits, and interactions with various applications. Jailbroken devices present unique forensic opportunities since they grant deeper access to system files and stored data that are typically restricted on a standard iOS installation. By examining SQLite databases, system logs, application metadata, and user-generated content, we can reconstruct a digital timeline and extract key artifacts relevant to the investigation.
The analysis begins by exploring power consumption logs to determine battery charge patterns and device usage statistics. From there, we delve into browser history, uncovering the user’s online activity through the Safari History.db database. We then shift our focus to app usage, extracting information from installed applications, podcast subscriptions, and mobile network connections to understand how the device was used and what content was accessed. Additionally, we analyze saved game states from an emulator, document metadata, and stored notes to further profile the user’s interests and behavioral patterns.
Through the use of forensic tools like DB Browser for SQLite and iLEAPP, we parse structured data from system and application databases, translating raw information into meaningful conclusions. By examining event logs, reminders, and calendar entries, we gain a deeper understanding of how the device was used over time. This lab also highlights the importance of converting timestamps, decoding stored data formats, and identifying user habits based on digital artifacts.
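The timestamp conversion mentioned above, shown on Safari browsing history as an added example that is not part of the original lab or of iLEAPP. It assumes the commonly documented History.db layout (tables `history_items` and `history_visits`, with `visit_time` stored as seconds since 2001-01-01 UTC); the in-memory database and its rows are constructed sample data.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

# Apple "Mac absolute time": seconds since 2001-01-01 00:00:00 UTC,
# not the Unix epoch. Reading it as Unix time lands the visit in the 1990s.
APPLE_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)

def apple_to_utc(seconds):
    """Convert a Mac absolute timestamp (float seconds) to an aware UTC datetime."""
    return APPLE_EPOCH + timedelta(seconds=seconds)

def build_sample_db():
    """Constructed stand-in for History.db (assumed schema, only the columns used here)."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE history_items (id INTEGER PRIMARY KEY, url TEXT, visit_count INTEGER);
        CREATE TABLE history_visits (id INTEGER PRIMARY KEY, history_item INTEGER,
                                     visit_time REAL, title TEXT);
        INSERT INTO history_items VALUES (1, 'https://example.com/', 2),
                                         (2, 'https://example.org/docs', 1);
        INSERT INTO history_visits VALUES (1, 1, 700000000.0, 'Example'),
                                          (2, 2, 700000100.5, 'Docs'),
                                          (3, 1, 700003600.0, 'Example');
    """)
    return con

def visit_timeline(con):
    """Return (utc_datetime, url, title) for every visit, oldest first."""
    rows = con.execute("""
        SELECT v.visit_time, i.url, v.title
        FROM history_visits AS v
        JOIN history_items AS i ON i.id = v.history_item
        ORDER BY v.visit_time ASC
    """)
    return [(apple_to_utc(t), url, title) for t, url, title in rows]

if __name__ == "__main__":
    for when, url, title in visit_timeline(build_sample_db()):
        print(when.isoformat(), url, title)
```

Against a real extraction, open a working copy of the database read-only rather than the original evidence file, and record the UTC values before applying any local time zone.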
The walkthrough will guide you step-by-