
This blog was started by Scott Koenig as a place to post and manage some of his digital forensic research.
This is a personal blog. Any views or opinions represented in this blog are personal and belong solely to the blog owner and do not represent those of people, institutions, or organizations that the owner may or may not be associated with in professional or personal capacity, unless explicitly stated.
Additional resources can be found on his GitHub.
Latest from the Blog
iCloud Shared Photo Library: Forensic Artifacts Explained
Hello again, this one took some time to release, but I hope it helps! iCloud Shared Photo Library (SPL) was introduced during WWDC 2022 as a new feature within iOS 16. Since that time, there have been several articles and how-to videos regarding setting up and using iCloud Shared Photo Library, but I am not…
iLEAPP Parsers & Photos.sqlite Queries
After recently updating the Photos.sqlite queries I thought it might be time for me to build these queries into the great open-source iLEAPP project. I thought this might be a good way to document how I have converted the queries into iLEAPP parsers, additionally the types of artifacts being parsed using iLEAPP. The parsers are…
Update to Shared with You Syndication Media & Conversation Correlation
This update addresses a question regarding the correlation between Shared with You assets and conversation identifiers in the Apple iOS Photos.sqlite ZGENERICALBUM table. Through testing and research, previously overlooked data in the ZASSET and ZGENERICALBUM tables has provided a method of linking these assets to phone numbers or emails. This join applies to both the…
Device Set-up – Transferring data to new iPhone & Effects to Photos.sqlite
This post provides an update on Local Photo Library (LPL) Photos.sqlite decoding in response to a DFIR Discord community member question. The update covers artifacts related to data transfer between Apple devices during setup and includes analysis of Photos.sqlite and insights into Apple Quick Start Transferring Data. The researcher also discusses the impact of their…
Do you have a Full-Sized Asset…or just a Thumbnail? Did Optimized iPhone Storage process occur?
Hello everyone! During previous research, I’ve mentioned a few times that my test devices were using the Apple Photos application setting Optimize iPhone Storage in lieu of Download and Keep Originals setting. I’ve used this setting in the past because most devices I’ve encountered are using this setting. I’ve always had a curiosity about the…
Part B Filling a device internal storage for Optimize iPhone Storage Research
Part B: Filling a device's internal storage for Optimize iPhone Storage testing. If you are reading this portion of the write-up about iCloud Photos and Optimize iPhone Storage, congratulations, you have fallen headfirst into the rabbit hole!! This is a good thing! More than likely, you're asking yourself questions like why in the heck did…
Photos.sqlite ZINTERNALRESOURCE Table Reference Guide
This reference guide was built as a part of some research and testing I performed looking into the Photos.sqlite ZINTERNALRESOURCE table. During the research, I was able to interpret most of the values I encountered, but I was not able to decode everything. Additional research and testing are required. I will continue to update this…
Shared with You Syndication Photo Library – Message Attachments & Linked Assets
Shared with You is a new feature that has been discussed within Apple Worldwide Developers Conference (WWDC) videos and other developer videos. Generally, the comments made indicate that within iOS and other Apple operating systems this feature will allow a user to easily view and interact with links that have been shared by other…
How to find iOS Hidden Assets
Hello again! There has been a lot of discussion and curiosity about the recent news that iOS 16 will have an enhanced Hidden assets feature. According to the press releases, this feature will allow a user to lock hidden assets behind the device Passcode, Touch ID, and/or Face ID. The question I believe most of…
Vehicle and iPhone Speed Comparison
As I stated in the future considerations section of the original research write-up, I contacted a few vehicle forensics experts and asked if they would like to assist me with some research and testing, they responded “Absolutely.” During a training event, the experts and I conducted a small test. Forensic Question During the test, I…
Local Photo Library Photos.sqlite Query Documentation & Notable Artifacts
As many of you are aware, I recently updated my Photos.sqlite queries. Since releasing the different query iterations, I have received several questions about how I was able to decode the data included in the queries. That’s a great question! I also noticed several questions being posted to the listservs and DFIR Discord about the…
Local Photo Library Photos.sqlite Query Variations & WHERE statements
I would like to start off by saying thank you to everyone who has reached out about the Photos.sqlite queries I previously posted. After chatting with some people who have used the queries, it was suggested that I update the queries to include the following: To do this, I used data from multiple devices and…
Photos.sqlite Queries – Original Blog Posting
Hello everyone! Back in August 2020, I wrote a blog "Using Photos.Sqlite to show the relationships between photos and the application they were created with?" which was posted on Heather Mahalik's blog, https://smarterforensics.com/. The write-up was eventually sent to DFIR Review (https://dfir.pubpub.org/pub/v19rksyf/release/1) and published on their website. This is a follow-up to the aforementioned blog…
iOS KnowledgeC.db Notifications
Cell phone use is routine. Our cell phones are really an extension of ourselves. We carry them around not only to make calls and send messages, but they are also our daily planners, to-do lists and entertainment resources. We use them at all times of the day – the alarms in the morning, email, and…
iPhone Device Speeds via Cache.sqlite > ZRTCLLOCATIONMO table
Have you ever wanted to know how fast a vehicle or person was traveling at a particular time? Have you considered acquiring iPhone data to answer that question? The material in this blog will help provide some tools and methods for answering these questions. We know from previously published research that Apple's iOS location data…
iOS Location Services and System Services ON or OFF?
A while back, I started working on some research into whether the device speed recorded in an iPhone database could be considered reliable evidence for how fast a device was traveling. I was going to discuss some device settings in the blog, but quickly learned the Location Services and System Services settings should be discussed in a…
iOS Settings Display Auto-Lock & Require Passcode
Forensic Question: A classmate of mine contacted me and posed a question, “Where in an iPhone extraction is the Display Auto-Lock setting stored?” Thanks, Tyler Wuestenhagen, for posing the question and getting me thinking. I did a little research, like reviewing the SANS FOR585 poster and class notes, but could not find the easy answer.…
Introduction
Hello Everyone, My name is Scott Koenig. I have been working in law enforcement for more than 15 years. In 2016, I decided it would be a good idea to become a digital forensic examiner. Since that time, I have attended several hours of training and earned several levels of certifications, but nothing has taught…
Hi Scott!
I have been watching your YouTube on your Mac4n6 Apollo acquisition.
I’m a student in the U.K. studying digital forensics and wanted to use Sarah’s Apollo within my dissertation.
I just had a few questions due to not having much Python knowledge and struggling to get everything set up!
Thanks!
Connor