Sunday, May 20, 2018
Apple iPhone “Significant Locations”
I recently attended a conference of civil litigators in Virginia. During the cocktail hour and after a very interactive CLE presentation on “Leveraging Data in Insurance Fraud Investigations”, I was talking with a few attendees about the different types of data available to them in their investigation and litigation of insurance fraud claims. Admittedly, I was taken aback when one of the attorneys mentioned to me the “Significant Locations” that are logged on iPhones and showed me the locations on his. This is probably because I have most (or all) location services turned off on my personal device, so I’d never given it much thought. However, the conversation brought up the question, are these artifacts available through forensic data extraction and analysis? And if so or if not, how do we access them? What value might they serve in both criminal and civil investigations?
For the extraction, testing and exhibits illustrated here, we used an iPhone 5s running iOS v. 11.2.6. Cellebrite Physical Analyzer v. 7.5 was used for the extraction and analysis. As mentioned later, location services must be turned ON with the device in order for this information to be logged, as detailed in the UFED Device Extraction Info below:
Where & What Are “Significant Locations”
The first step is to identify where and what “Significant Locations” are. The artifact is available to view on the device at Settings>Privacy>Location Services>System Services>Significant Locations (see below).
If location services are turned OFF, the significant locations data will not be logged and therefore unavailable. Interestingly, to access Significant Locations on the device, the passcode or Touch ID must be entered, as shown below:
As we should all know by now, we need to obtain the passcode in some way (consent, court order, GrayKey, etc.) in order to facilitate data extraction in iOS 11 regardless, so while this may seem like an obstacle, it’s just another reason to obtain the passcode.
Upon accessing Significant Locations, a disclaimer is present, which reads the following:
The final sentence that the Significant Locations are encrypted already gives us a clue about whether or not UFED will be able to parse this data, but more on that a little later.
What’s Inside Significant Locations?
Once accessed, the Significant Locations are presented as a list, shown here:
Some interesting things of note about these particular locations: This device doesn’t travel much. The 13 locations logged in Henrico (Richmond/Midlothian), VA are related to the home location(s) of the device, which is already good information to have in the course of an investigation. The device visits Williamsburg, which is the reason for the listings for that location. All of the remaining locations are related to a trip from April, 2018 to and from Richmond, VA to Cincinnati, OH. The device stopped in Beaver, WV and Beckley, WV. Covington, KY is across the Ohio River from Cincinnati, where a dinner stop was made. A stop in Fishersville, VA was made to get gas on the way back from Cincinnati. Essentially, we have a road map of the trip to and from Cincinnati.
Further inspection of the locations where there are multiple listings reveals even more detail about where the device has been, as shown here in the Richmond, VA area:
And even more as shown here in the Cincinnati, OH area:
What’s most interesting about these artifacts is that at no time was the device connected to any wireless networks in either location, save one in the Mt. Adams section of Cincinnati. Yet in some instances, the business name and/or street address is listed in the log.
UFED Extraction & Access to “Significant Locations”
An Advanced Logical (option 1) encrypted extraction was conducted in Cellebrite UFED Physical Analyzer v. 7.5 to see if this data would be available through mobile forensic data extraction. When the names of the locations were searched globally in the case, no results were presented. When the term “Significant” was searched globally in the case, the following artifacts were located at var/root/library/caches/locationd:
The highlighted .plist files were exported and opened in Xcode on a Mac system. None of these artifacts presented any data that was readily identifiable as useful. Is it possible that these artifacts are encoded within the extraction data and could therefore be located? Sure, but for the purposes of this article, those measures were not undertaken. As these artifacts are behind a double security wall (main passcode, then re-entry of the passcode to access Significant Locations on the device), it is logical to conclude that they are not accessible through mobile forensic data extraction (i.e., encrypted).
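The manual step described above (export the locationd .plist files, open them, and judge by eye whether anything inside is readable) can be made repeatable. The script below is an added example written for this article; it is not the author’s procedure, nor anything from Cellebrite or Apple. It walks a directory of exported property lists with Python’s standard plistlib, lists every scalar value it can read, and flags binary data values whose byte entropy is near 8 bits per byte, which is the signature of compressed or encrypted content rather than structured records. The two .plist files it examines are constructed inside the script so it runs offline; the 7.0-bit threshold is a heuristic assumption, not a documented property of the locationd files.

```python
"""Triage exported .plist files: which values are readable, which are opaque blobs?

Added example for this article. The sample files are CONSTRUCTED here and do not
reproduce the real contents of var/root/library/caches/locationd.
"""
import math
import os
import plistlib
import tempfile
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Bits per byte of `data`. ~8.0 looks random (encrypted/compressed); low means structured."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def triage_plist(path: str, entropy_threshold: float = 7.0) -> dict:
    """Load one plist and sort its leaves into 'readable' and 'opaque' buckets by key path."""
    with open(path, "rb") as fh:
        root = plistlib.load(fh)
    findings = {"path": path, "readable": {}, "opaque": {}}

    def walk(key: str, value) -> None:
        if isinstance(value, dict):
            for k, v in value.items():
                walk(f"{key}/{k}" if key else str(k), v)
        elif isinstance(value, list):
            for i, v in enumerate(value):
                walk(f"{key}[{i}]", v)
        elif isinstance(value, bytes):
            # Binary <data> values are where encrypted payloads would live.
            ent = shannon_entropy(value)
            bucket = "opaque" if ent >= entropy_threshold else "readable"
            findings[bucket][key] = {"type": "data", "len": len(value), "entropy": round(ent, 2)}
        else:
            # Strings, numbers, booleans, dates: directly readable by an examiner.
            findings["readable"][key] = value

    walk("", root)
    return findings


def build_sample_extraction(directory: str) -> list:
    """Write two CONSTRUCTED plists that stand in for exported files; return their paths."""
    readable = {"Version": 3, "Label": "constructed-sample", "Count": 13}
    opaque = {
        "Version": 3,
        "Blob": bytes(range(256)) * 2,   # every byte value equally often -> entropy exactly 8.0
        "Note": b"AAAAAAAA",             # one byte value only -> entropy 0.0
    }
    paths = []
    for name, obj in (("constructed_readable.plist", readable), ("constructed_opaque.plist", opaque)):
        p = os.path.join(directory, name)
        with open(p, "wb") as fh:
            plistlib.dump(obj, fh, fmt=plistlib.FMT_BINARY)
        paths.append(p)
    return paths


def demo() -> dict:
    """Build the constructed samples in a temp dir and triage them; keyed by file name."""
    with tempfile.TemporaryDirectory() as d:
        return {os.path.basename(p): triage_plist(p) for p in build_sample_extraction(d)}


if __name__ == "__main__":
    for name, result in demo().items():
        print(name)
        for k, v in result["readable"].items():
            print(f"  readable  {k}: {v}")
        for k, v in result["opaque"].items():
            print(f"  OPAQUE    {k}: {v['len']} bytes, entropy {v['entropy']}")
```

On a real export, point `triage_plist` at each file the global search returned. A file whose only non-trivial values land in the opaque bucket supports the same conclusion the article reaches by inspection: the extraction carries the container, not readable location records.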
How Does This Help Your Case?
To recap, we located the Significant Locations on the device and performed a data extraction and it appears that these locations are not part of any readable portion of that data. So how can we best incorporate this data into our investigations to add value? Unfortunately, the best answer is the “old fashioned way”. Access the device, navigate to “Significant Locations” and document each entry through photographs (NOT screen shots). Depending on the level of usage of the device, this can be tedious and time-consuming, but the value of the data cannot be overlooked.
In criminal cases, this data can help put the device in locations where the suspect may have been (or not have been) during the time of the incident. It can also help identify home locations and frequently visited locations, which can increase investigative leads, present additional accomplices, serve to impeach statements already made and more. Naturally, accessing the device is key. It bears noting that the “Significant Locations” data, combined with cellular provider call detail records could help paint a more thorough picture of the device location and/or movements than either one or the other alone.
In civil litigation, this data can be used in much the same way, but more likely to prove or disprove frequent locations, known associates (paramours, accomplices, etc.), and to help confirm or refute deposition or trial testimony. If your case involves insurance fraud and the claimant says that he cannot travel, this data helps refute that statement without the need to obtain cellular carrier records. But again, ideally we would couple this data with cellular location data to paint a more complete picture of the device usage patterns.
A couple of final notes about the existence of this data. First, it can be deleted. Note in the image above the option to “Clear History” is present and if the user selects this, the logging will be reset. It also appears (from checking a separate device with this logging turned on) that the data is stored for approximately 6 months. It is unknown whether or not the data would transfer from an older device to an upgraded device as further testing would need to be conducted. Finally, it is also unknown whether or not this data would be more readily accessible through mobile forensic data extraction on a jail-broken device.
This data is a proverbial gold mine, but it’s one we need to access in ways we generally don’t like to – by manipulating the device and accessing the UI. However, this is still a valid form of analysis and documentation, especially when the access limitations on iOS devices force us to use tools and techniques other than those that are automated. As with most things in forensics, simply knowing where to look, how the data got there and how to best utilize the data to confirm or refute the other aspects of your case is (about) half the battle. We all know Google, Apple and the cellular carriers are tracking us. Let’s start using that data to help serve justice, no matter what we’re investigating!
Patrick J. Siewert
Professional Digital Forensic Consulting, LLC
Virginia DCJS #11-14869
Based in Richmond, Virginia
Available Wherever You Need Us!
We Find the Truth for a Living!