Shared with You Syndication Photo Library – Message Attachments & Linked Assets

The Shared with You is a new feature that has been discussed within Apple Worldwide Developers Conference (WWDC) videos and other developer videos. Generally, the comments made indicate that within iOS and other Apple Operating Systems this feature will allow a user to easily view and interact with links that have been shared by other users. This feature does not require users to be signed into a device with an Apple ID, nor does it require a user to have an iCloud account.

Based on what I have found, it appears to have been introduced within iOS 15, but was again discussed at WWDC 2022

Apple discusses the Shared with You feature allows Shared assets\links to be presented to a user on a device after Apple OS has processed the shared assets\links and Apple OS determines the user might want to easily view and interact with those shared assets\links. Currently this includes items like:

Shared Music links
Apple TV links
Safari Links
Message media attachments
Podcast Links
News links
And according to documentation it appears there will be more to come…

My initial research, which has been published via a blog here, focuses on the Messages application and the media attachments that are presented to a user on the device as a Shared with You assets. While conducting this research, I learned Apple created a new Shared with You Syndication Photo Library. This library consists of new file system asset storage locations, a new Photos.sqlite database and much, much more! Within this write up, I will reference this photo library as the Shared with You Syndication Photo Library (SWY PL).

Even though this new Shared with You Syndication Photo Library Photos.sqlite database is very similar to the Local Photo Library Photos.sqlite database, there are some slight differences. Based on my research, I’ve created a new set of queries to parse the data from this new Photo Library (PL) database. I have found the Shared with You Syndication Photo Library assets in devices with iOS 15.

Currently, I have only tested and researched this artifact via different iPhone models and different iOS versions. I have not completed any research about this feature within any other Apple operating systems.

This new Shared with You Syndicaion Photo Library Photos.sqlite database can be found at the following location, but only after a full file system acquisition.

\private\var\mobile\Library\Photos\Libraries\Syndication.photoslibrary\database\Photos.sqlite

The file system storage locations for the assets listed in the Shared with You Photos.sqlite can be found at the following locations, but again only after a full file system acquisition.

\private\var\mobile\Library\Photos\Libraries\Syndication.photoslibrary\scopes\syndication\originals

\private\var\mobile\Library\Photos\Libraries\Syndication.photoslibrary\scopes\syndication\resources\derivatives

\private\var\mobile\Library\Photos\Libraries\Syndication.photoslibrary\scopes\syndication\resources\derivatives\masters\

The following file system locations store only Shared with You Syndication Photo Library linked assets. These file paths and assets are a part of the Local Photo Library and in most cases, are visible to the user, on the device. These file system locations can be found in full file system acquisitions, iTunes back-up acquisitions, and possibly other lower level forensic acquisitions:

\private\var\mobile\Media\PhotoData\UBF\scopes\syndication\originals

\private\var\mobile\Media\PhotoData\UBF\scopes\syndication\resources\derivatives

\private\var\mobile\Media\PhotoData\UBF\scopes\syndication\resources\derivatives\masters\

What is a Photo Library?

Within this write up there will be a lot of discussion about photo libraries and the difference between the Local Photo Library and the Shared with You Syndication Photo Library and wanted to make sure that I took a minute to explain how Apple uses and describes a Photo Library.

I have previously mentioned the Local Photo Library uses the main Photos.sqlite database to track its assets. The SQLite queries for the Local Photo Library can be found here. The new Shared with You Syndication Photo Library uses a new Photos.sqlite to track its assets, but what is an Apple Photo Library? To answer this question, I would like to direct you to the Apple Developer website resources for PhotoKit.

Apple describes a Photo Library as an “object represents the entire set of assets and collections that the Photos application manages, including assets stored on the local device and those stored in iCloud Photos.” Apple Developer website advises developers to “Use this object for the following tasks:”

“Retrieving or verifying the user’s permission for your app to access Photos content”

“Making changes to assets and collections; for example, editing asset metadata or content, inserting new assets, or rearranging the members of a collection”

“Determining which records change since a previous state of the Photos library”

“Registering for update messages the system sends when the library changes”

Figure#1_AppleDeveloper_PhotoKit
https:\\developer.apple.com\documentation\photokit\

Shared with You Syndication Photo Library features and assets

I first noticed in iOS 15.3.1 there were some new columns in the Local Photo Library Photos.sqlite database ZASSET, ZADDITIONALASSETATTRIBUTES, and the ZMEDIAANALYSISATTRIBUTES tables that mentioned syndication. During past research, I didn’t notice any data being populated into these syndication columns. I also located a few property lists that appeared to contain some settings, but no real indication why these were created or why they were being used.

I recently noticed there have been a few questions on DFIR Discord and within different Google groups about syndication data and assets located in file system locations that mention syndication. I thought if examiners were encountering syndication data during their examinations, it might be worthwhile to take another look at the data in Local Photo Library Photos.sqlite.

In one of the DFIR discord postings, an examiner mentioned they encountered syndication data during their exam and shared some of the file paths which contained questionable media files. The examiner mentioned they believed the data might be related to the Messages application, so this is where I began my research. Thanks Jay and great job, you saved me lots of time!!

Based on research I’ve performed, and the file paths Apple is using to store the new Shared with You assets, the term syndication is being used to describe the new Shared with You Syndication Photo Library and its assets. The research into this new feature will be ongoing because I don’t believe it’s fully implemented and there are a lot of new artifacts related to this feature. I believe this feature will eventually become a very beneficial artifact for digital forensics examiners due to the amount of data and artifacts that have been discovered. I have also discovered a big hurdle many examiners will have to overcome to gain access to the data, which is, most of the valuable data is only accessible via a full file system (FFS) acquisition.

Currently, based on the data I have reviewed, it appears this feature has limited support within iOS 16 beta and is only partially supported in iOS 15, going back as far as iOS 15.1. Please pay special attention in this Apple Developer video at eight (8) minutes and fifty (50) seconds for additional details.

I faced a personal challenge in releasing this write up because I believed what I found could be beneficial to the community, but according to Apples Developer website most of its features and programing support starts with iOS 16.0+, but during the research, I’ve clearly located artifacts from this feature within iOS 15. For this reason, this write up will not be sent for peer review anytime soon and I strongly recommend validating any of this material yourself prior to using it for any type of legal investigation\report.

This write up will be focused around the Shared with You (SWY) artifacts related to the Apple Messages application, the Local Photo Library, and the Shared with You Syndication Photo Library.

Figure#2_AppleDeveloper_Shared_with_You
https:\\developer.apple.com\documentation\sharedwithyou

Note: You might notice a difference between my screenshot in this write up and the website for Shared with You. It is no longer listed in beta. It has officially been released as a part of iOS 16.

Devices and iOS versions used:

Scooter Scott iPhone X (A1865) iOS 14.7 (18G69)

Bandit Scooter iPhone 6s Plus (A1687) iOS 15.3.1 (19D52)

Dexter Scooter iPhone SE (1stGen) (A1662) iOS 15.6 (19G71)

Dexter Scooter iPhone 7 (A1660) iOS 15.1 (19B74)

Bandit Scooter iPhone 6s Plus (A1687) iOS 15.3.1 (19D52)

Bandit Scooter iPhone X (A1865) iOS 16.0.2 (20A380)

John Scooter Wick iPhone 12 Pro (A2341) iOS 16.0 beta (different versions)

John Scooter Wick iPhone 12 Pro (A2341) iOS 16.0 beta 6 (20A5349b)

John Scooter Wick iPhone 12 Pro (A2341) iOS 16.0 beta 8 (20A5358a)

John Scooter Wick iPhone 12 Pro (A2341) iOS 16.0.2 (20A380)

During research and testing, I used non-encrypted iTunes Back-ups and commercial tool Full File System acquisitions. I was able to locate pertinent files within an FFS acquisition that were not present in the other acquisition types. If this data is critical for your analysis, I would strongly encourage you to get a full file system acquisition. The full file system acquisitions used during this research were based on consent, meaning I had the device passwords. I did not conduct any research to determine if the artifacts and files discussed in this write up could be found in a before first unlock (BFU) or after first unlock (AFU) acquisitions.

During testing, all devices had iCloud accounts and were being synced with their associated iCloud Photo storage, when connected to a network. There was testing performed when iCloud Photos was turned off, but that did not affect the Shared with You Photo Syndication Library assets or behavior.

Figure#3_Shared_with_You_Device_OnScreenNotificaitons

Software and Tools used during research

GrayKey Software

Oxygen Forensic Detective v14.6.0.51

Artifact Examiner (ArtEx) 2.4.4.0 and 2.4.5.0

Sanderson’s Forensic Brower for SQLite v3.3.0

Media Info v21.09

iBackupBot v5.6.2

As I’ve previously stated, there is a significant amount of data for this artifact only available via a full file system acquisition. Due to this reason, several tests were performed and were not recorded or captured in real time. I will do my best to outline and demonstrate what occurred during the test and the results.

This write up will be structured so that it can be used as a guide for locating the artifacts related to the Shared with You Syndication Photo Library and its assets.

Section 1 – Shared with You device settings and property lists (plist)

Section 2 – Shared with You Syndication Photo Library databases

Section 3 – Analyzing Shared with You assets visible on device

Section 4 – Analyzing a full file system acquisition for SWY Syndication PL artifacts

Section 5 – sms.db analysis and related Shared with You Syndication Photo Library data

Section 6 – Analysis of the Shared with You Syndication Photo Library

Section 7 – Analysis of the Local Photo Library and related SWY assets

Section 8 – Summary of what we have learned about Shared with You assets and links

Section 9 – Asset Attribution sms.db > Shared with You Syndication PL > Local Photo Library

Section 10 – Turning OFF Shared with You Global Settings

Section 11 – Bonus: If you suspect Shared with You assets or attachments may have been deleted

Section 12 – Asset Counts are different for Synced iPhones and iCloud Photos

Conclusion, Future Considerations and References

An Apple developer video can be found here that discusses Shared with You. I have highlighted some talking points below I believe we, forensic examiners, should be aware of:

Shared with You links surface when shared by “friends” and “family” in Messages

NOTE: During testing, I couldn’t determine how Apple decided if an Apple ID\phone number was a “friend,” nor did Shared with You links appear for every attachment from my “family” members

Shared with You links in group conversations surface when at least one participant is a contact

NOTE: During testing, when a group conversation took place, even when it included Apple IDs\phone numbers from my contacts, every attachment that was shared from those Apple IDs and phone numbers did not appear as a Shared with You linked asset

Based on what I’ve observed, when searching and viewing assets on a device within the Photos Application, assets that have a small message chat bubble in the lower left corner of the asset preview\thumbnail are called Shared with You Syndication Photo Library linked asset. There are some other on device indicators, but those will be covered in different sections of this write up.

Figure#4_SharedWithYou_Shelf_Linked_Assets_Indicators

Figure#5_Local_PL_SWY_linked_Assets_Indicators

Settings exist that allow users to control what content is shared outside of Messages. They can use settings at the following levels to allow\restrict shared content from Messages:

Global settings

Per-Application settings

Per-Conversation settings

During my research and testing, I have found the Shared with You settings are ON by default at all levels. These settings remained ON until I, the device user, made the changes at each level.

The global setting can be accessed via the device by navigating to Settings > Messages, then scrolling down and finding the Shared with You On\Off indicator setting. I have not been able to find a specific plist that clearly defines these settings, but I have found some other information that might assist in the device settings analysis.

Figure#6_SWY_Global_Setting_via_Settings-Messages

Shared with You – Global Settings

In this section, I will discuss the property lists (plist) associated with the Shared with You settings. There are four (4) properties lists (plist) you should locate and analyze when reviewing this data:

Back-up Acquisitions

\private\var\mobile\Library\Preferences\com.apple.assetsd.plist

\private\var\mobile\Media\PhotoData\private\com.apple.assetsd\appPrivateData.plist

Full File System Acquisitions

\System\Library\LaunchDaemons\com.apple.assetsd.plist

\private\var\mobile\Library\Photos\Libraries\Syndication.photoslibrary\private\com.apple.assetsd\appPrivateData.plist

I attempted to search for the plist(s) that store Shared with You settings and setting changes, but I have only been able to locate the above plists which have a direct correlation to SWY. Even though I located these plists during the research, I encountered conflicting results. There was a clear change to the following plist once the global setting was changed from ON to OFF the very first time, but I had conflicting results when changes were made after the first time.

appPrivateData.plist

\private\var\mobile\Media\PhotoData\private\com.apple.assetsd\appPrivateData.plist

Initially, all the Shared with You settings were ON by default and after the data was acquired, the appPrivateData.plist was populated with lots of data, see figure #7. After I made a change for the first time by turning OFF the global setting and reacquiring the device, this plist was now empty, see figure #8. I believed, after the device data was acquired, this would be a good indication if the global SWY setting was On or Off at the time of acquisition, but after testing this on several different devices, different versions of iOS, and repeated changes to the global settings, the initial results were not consistent\reliable.

Currently, I have not been able to locate the correct plist that stores the settings, but research is ongoing.

Figure_#7_appPrivateData.plist_viewed_first_time_before_turning_Global_SWY_setting_OFF

Figure#8_appPrivateData.plist_viewed_first_time_after_turning_Global_SWY_setting_OFF

Shared with You – Per-Application Settings

As stated previously, the per-application settings are ON by default. In figure #9 below, we can see the per-application settings which can be accessed on the device via Settings > Messages > Shared with You.

I attempted to look through each application to find a plist or files that may contain the values for these settings, but I wasn’t able to find anything that clearly defines these setting changes.

Figure#9_SWY_Per_Application_Settings_via_Settings_ Messages_Shared_with_You

Shared with You – Per-Conversation Settings

In figure #10, we can see the per-conversation setting, which can be accessed on the device by locating the conversation thread within messages and clicking on the contact\group of contacts at the top of the thread. This setting is not located with the contact card, only in the message thread. This setting can be found in the sms.db > chat table > syndication type column. I did not find a plist that clearly defines these settings.

sms.db Chat table Syndication column Type

I wanted to cover this column data with some addition details because these settings are also related to the device settings. The sms.db > chat table > syndication type column data will provide you with the ability to determine if the Shared with You setting is ON or OFF for this chat thread. Figure #11 is a video demonstrating each chat thread setting on the device and how that appears within the sms.db database chat table. In the video, you will notice three (3) values can be seen. Those three values and their decoded interpretation are listed below:

chat syndication type

Value\Integer 0 (zero) – indicates the Show in Shared with You chat thread has never been changed and is the default setting of ON or the other device\iOS version related to this chat thread does not support Shared with You

Value\Integer 1 (one) – indicates the Show in Shared with You chat thread setting has been changed and is turned ON

Value\Integer 2 (two) – indicates the Show in Shared with You chat thread setting has been changed and is turned OFF

Figure#11_iOS_Syndication_Settings_in_Messages_Threads

Shared with You Pinning

The Apple developer video mentioned pinning links provides implicit permission to surface content in Shared with You. They also mention pinning should provide a pop-up setting to allow automatic share or not allow. I was not presented with this option during testing, which is one of the reasons I believe this feature is still in early implementation within both iOS 15 and iOS 16.

Figure#13.1_Pinned_Contact_Message_Thread

Figure#13.2_Pinned_Contact_Message_Thread

When are Shared with You links created?

The Apple Developer video highlights “when automatic sharing is on, it allows for heuristics-based automatic sharing.” This was an interesting comment, because based on my research, I have not observed consistent reliable results when assets are being shared via Apple Messages application and then having Shared with You links getting created. Some of the assets shared via messages will have SWY links and others do not.

After several tests that included interactions with assets, conversations, sending attachments back and forth with family members, and trying to force the creation of Shared with You links, I have not been able to determine why an asset\attachment in the messages application gets a Shared with You link created. In some cases, it was instantaneous and with others it took extended amount of time for them to be displayed. Additionally, I have several photos and videos within message threads, which I have not saved to my Local Photo Library, but only a few of the attachments have created Shared with You links.

Currently, I haven’t been able to conclusively answer why shared asset (A) has a Shared with You link, and shared asset (B) does not, but during my testing I have observed shared assets are more likely to become a Shared with You Linked asset if the following has occurred:

The participants of the chat are saved as contacts.
The participants of the chat are at the same location when the message attachments are sent. Example: If two participants at a concert and they are sharing media.
The assets have been interacted with and/or viewed from within messages.
I will continue to add to this list as I learn more actions that appear to produce Shared with You linked assets.

I want to remind you that some of the artifacts related to this feature will require a Full File System (FFS) acquisition to perform a full analysis. There are two property lists (plist) that I will review that may provide you with data that indicates if the Shared with You global setting is ON or OFF and that could provide some insight into when Shared with You links might be created.

\System\Library\LaunchDaemons\com.apple.assetsd.plist

This plist can be found in full file system acquisitions but will not be found in back-up acquisitions.

The following is a sample of what I observed during testing and some of the keys\nodes you might want to analyze:

This key has multiple sub-keys\nodes which provides information about how the Share with You feature processes the device data. Here are some of the sub-keys and values that can be analyzed and sample data of what I observed during testing:

LaunchEvents
- com.apple.xpc.activity
  - com.apple.assetsd.curatedlibraryprocessing
    - Priority
      - Maintenance
    - GracePeriod
      - 3600
    - RequireScreenSleep
      - True
- True – indicates that the screen\device must be in sleep prior to processing
- False – not observed during testing
  - Repeating
    - True
- True – indicates that the process will repeat
- False – not observed during testing
  - Interval
    - 10800
- Integer indicating the number of seconds that must lapse before the process will run. During the research, the interval observed was 10800 seconds, which is three (3) hours

NOTE: When attempting to decode the interval integer, I also tried milliseconds, but the calculations did not appear to be accurate

Figure#14_ com.apple.assetsd.curatedlibraryprocessing_Screenshot

The second plist I will discuss here is the:

\private\var\mobile\Library\Preferences\com.apple.assetsd.plist

This plist can be found in iTunes back-up acquisitions and the other acquisitions listed above.

This plist contains the following keys\nodes that might be of interest:

PLIncompleteMaintenanceTaskPaths.curatedlibraryprocessing
PLcompleteMaintenanceTaskPaths.periodicmaintenance

During testing, I found these plist keys\nodes results were inconsistent. In some instances, if global Shared with You setting was turned ON, then this key would contain two file paths:

\var\mobile\Media
\var\mobile\Library\Photos\Libraries\Syndication.photoslibrary

In other instances, if the global Shared with You setting was OFF then neither of these file paths would be listed under these keys.

I only observed the data within these keys\nodes change once during testing. Meaning when I turned SWY off for the first time and reanalyzed these keys, the file paths were no longer listed, but every time after that first instance, it did not matter if the global SWY setting was ON or OFF, these keys would contain the above listed file paths. Testing is ongoing and we might get a better understanding of this key and setting after a jailbreak for iOS 15 is released.

Figure#16_com.apple.assetsd.plist_GlobalSettings_ON

When the SWY global settings is turned OFF you might not see those file paths listed as sub-keys\nodes, see figure #17

Figure#17_com.apple.assetsd.plist_GlobalSettings_OFF

Shared with You Shelf

Apple states items within the Shared with You “Shelf” are self-ordering. The first assets listed on the shelf, which starts with the top left item, if it exists, will be Siri suggestions. Apple states Siri suggestions are based on “signals” from the system, followed by pinned items and the remainder of the items in the list are ordered chronologically.

The Siri suggestion signals include things like:
User viewed or interacted with content
Content was pinned
Presentation of context

Apple added that “Security and Privacy was a primary consideration and focus when designing Shared with You” and that views are drawn out of a process on our behalf.

Figures 18 and 20 are examples of the Shared with You shelf preview within the For You section of the on-device Photos Application. If a user clicks the See All listed on the right of Shared with You, the user will be prompted with the Shared with You Shelf, as depicted in figure 19 and 21.

Within for following examples you will notice “Rich preview” which is the area seen with the thumbnail, title, and subtitle. This rich preview will be seen with Shared with You links within Apple TV and Apple Music.

We also can the “Attribution view,” which we can see who shared the item by the contact avatar(s) displayed. For example, in the Photos application, we can see a thumbnail and, in some instances, if the asset was saved it was documented with a check mark. We can also see the attribution of who shared the asset with me. If the same item is shared by multiple people, multiple contact avatars will be displayed. Notice in the iOS 16 examples there is an indicator if the asset was saved by a device user to the Local Photo Library. This feature was also found in later versions of iOS 15, but not the earlier versions.

Shared with You – On-Device Data

Let’s start reviewing some of the data you might encounter on the device during a manual review. In figure #22 you will notice there are several ways to see some of the Shared with You data. The following methods are a few ways that I have tried to access Shared with You assets on the device:

Photos Application (com.apple.mobileslideshow) > For You > Shared with You > See All > Shared with You shelf

Photos Application > Search > search term “messages”

NOTE: Some of the other search terms used included, “iMessage” and “Share,” which did not filter the assets to view the Shared with You assets.

Photos Application > Photo Library > Click on a Shared with You asset in Photo Library\Camera Roll > Swipe Up or click “i” icon, depending on the iOS version, to see asset metadata

Figure #22 is one example of these areas. I will discuss them in more detail later in this section:

Figure#22_SWY_On-Devcie_Data_Locating_SWY_Assets

Photos Application > For You > Shared with You shelf

In figure #22 video, which was in the early stages of testing, there are only a few assets located in the Shared with You shelf. The following are a few examples of different devices and iOS versions to demonstrate assets being displayed on the SWY shelf. Some of the items are Shared with You linked assets (chat bubble) and others are Shared with You assets that have been manually saved to the local photo library (no chat bubble).

Figure#24_SWY_Shelf_#2_iPhone_SE_iOS_15.6

Accessing metadata for SWY assets

Navigate:

Photos App > click on a Shared with You asset in Photo Library > click “i” icon to access metadata

In the next video, figure #26, I will highlight a few assets and their metadata as viewed by a user on the device. We can see there is on-device indication of who shared the assets\who shared the Shared with You link. The information about who shared the asset link, is referred by Apple as contact attribution. In figure #26 we can see there are SWY links that were shared by Scooters iPhone X with iOS 14.7.1. We can see that the user will be able to view this data via the on-device metadata information.

Figure#26_SWY_On-Devcie_Data_Locating_SWY_Assets

Photos Application Setting

The last setting, I would like to discuss is within the Photos Application (com.apple.mobileslideshow). This setting allows a user to show or hide assets that are Shared with You links. This setting can be accessed when viewing the Photo Library and clicking on the horizontal kabob in the upper right corner of the device screen. Within this setting menu there are two options related to the Shared with You feature, “Your Photos Only” and “Yours & Shared.” During testing, all devices had the Yours & Shared option selected by default. Figure #27 is a video depicting an example of turning these settings On and Off. I have also included a screenshot of the setting below.

Figure#27_SWY_PhotoApp_show-hide_SWY_Linked_Assets

When switching between this setting within the Photos Application, as seen in figure #28, will not delete any assets from the Shared with You Photo Library. Changing this setting will only hide the assets from the users view. The assets will still be listed in the Shared with You Syndication Photo Library Photos.sqlite and can be found in the *\Syndication.photoslibrary\* file system locations.

Figure#28_SWY_PhotoApp_show-hide_SWY_Linked_Assets

During these next sections, the primary device we will be analyzing is Dexter’s iPhone SE with iOS 15.6. This will allow us to see how this Shared with You feature, and associated data is being stored on a device. There might be screenshots and examples from other devices and different iOS versions to provide you with as much information as possible.

Photos Application Setting **UPDATE 10/2/2022**

After the public release of iOS 16, the Photos Application show Shared with You assets in camera roll setting was moved for both iOS 15 and iOS 16. It is no longer in the root of the kabob settings menu. It’s located in the “Filters” settings sub-menu, as you can see in Figure #28.1.

By placing this setting deeper into the settings menu, it appears Apple really wants users to see Shared with You linked assets within their Local Photo Library camera roll.

I attempted to locate a plist or other file that might tell us how this setting was set at the time of acquisition but was again unsuccessful.

Figure#28.1_NEW_SWY_PhotoApp_show-hide_SWY_Linked_Assets

Section 2 – Shared with You Syndication Photo Library databases

Apple Messages sms.db database

\private\var\mobile\Library\SMS\sms.db

Given these artifacts and assets are being derived from the Messages Application, I began analyzing the sms.db database to identify any relevant data. I would like preface this by stating, I have not done a deep dive analysis of this database. Most commercial tools and open-source tools do a fantastic job decoding and parsing this data. Additionally, I believe there are other community members, like Chris Vance and Ian Whiffin who have researched iOS messages to include the sms.db. Chris Vance and others might be able to provide a more detailed analysis of the information contained in this database than what I will cover in this write up. I am going to focus on the attachments that have been sent and received and are a part of the Shared with You feature.

Here are some queries I made for sms.db which provides an output you can use to analyze the database for artifacts related to Shared with You.

GitHub sms.db SWY Syndication PL SQLite Queries

Local Photo Library Photos.sqlite database

Many of us are aware that the Local Photo Library Photos.sqlite database is an immense database storing a lot of asset information not normally decoded and parsed by most commercial tools. This Local Photo Library Photos.sqlite database can be found within iPhone data acquisitions at the following file path and does not require a Full File System acquisition to gain access:

Local Photo Library Photos.sqlite

\private\var\mobile\Media\PhotoData\Photos.sqlite

GitHub Local Photo Library Photos.sqlite Queries

Shared with You Syndication Photo Library Photos.sqlite database

With the implementation of Shared with You feature, Apple has created a new Shared with You Syndication Photo Library which includes a new Photos.sqlite database. The new Photos.sqlite database can be found at the following location. When writing this blog, a Full File System acquisition was needed to gain access to this new database and all its assets:

Shared with You (SWY) Syndication Photo Library Photos.sqlite

\private\var\mobile\Library\Photos\Libraries\Syndication.photoslibrary\database\Photos.sqlite

GitHub Shared with You Syndication Photo Library Photos.sqlite Queries

NOTE: I have also located this library within MacOS, but no research was performed within MacOS.

As of 9\3\2022, after review and comparison of the new SWY Syndication Photo Library Photos.sqlite, there doesn’t appear to be any new columns of data that does not already exist in the Local Photo Library Photos.sqlite database. My previously released Photos.sqlite queries will work on the new SWY Photos.sqlite, but I have also created new queries specifically for Shared with You Syndication Photo Library assets.

When reviewing the SWY Syndication Photo Library Photos.sqlite, I noticed many of the tables were empty and did not contain data that was present in the Local Photo Library Photos.sqlite. One example of those tables was the ZCLOUDMASTER table. This table did not contain any data. Shared with You assets are not being synced with iCloud Photos account unless the user manually saved the asset(s) to the Local Photo Library. During the next section, I will review how we can use these databases to show the asset relationships between the different databases and Photo Libraries.

Section 3 – Analyzing Shared with You assets visible on device

Asset Analysis and Database Relationship – Dexter’s iPhone SE iOS 15.6

During these next few sections, I will use the following file to show how we can navigate through the data and files saved within a full file system acquisition to show how the file ended up on the device:

File Name F7962E5E-9546-43C6-BC91-B859276C3EA1.mov
Original File Name IMG_0136.mov
Attachment guid \ syndication identifier at_0_98DDD5A0-FE38-450A-B596-A6282EAD1E87

At 6:20 PM on 8\17\2022, figure #29 is a screenshot of what the Shared with You shelf looked like. The asset we are going to analyze is the first asset on the shelf. This asset is a video that was captured with Scooter Scott’s iPhone X (iOS 14.7) then shared via Apple messenger to, then Dexter’s iPhone 7. Later, Dexter updated his device to an iPhone SE with iOS 15.6, which is the device we will be examining.

Figure#29_iPSE_15.6_SWY_Shelf_on_8-17-2022

Observing the top left asset on the shelf, which we learned earlier, is going to be Siri suggested assets or the oldest Shared with You asset in chronological order. If we click on that asset from this view, we can see it reveals metadata about the asset. We can scroll up on the screen and be presented with additional information like created location if it exists.

We can see the first asset\oldest asset listed on the shelf, was shared by the saved contact name “Scooter Scott iPX.”

The original created\captured date indicated here is Monday, April 18, 2022, at 7:38 PM. This is the correct and accurate capture timestamp for when the asset was captured.

We can see a partial original file name displayed as IMG_0136. But is this a movie, live photo, or still photo. We might be able to draw some conclusions based on the codec listed as HEVC. But if we were going to search the data acquisition for this asset what file extension would we want to use, or is the partial original file name enough?

Not pictured in this screenshot, is the captured location information. If we swipe up on the screen we would be presented with an accurate captured location for this asset, the T-Mobile Arena in Las Vegas, Nevada.

Notice the blue reply arrow to the right of the shared contact name. If a user presses this reply arrow, the messaging application will be brought into focus, directly into the chat thread for which this asset was shared.

We can also see at the bottom of the screen, an option to “Save Shared Video.” I believe it’s important to point out that at this point during testing, this asset was not saved to the device via user interaction. We will soon see that this asset was in fact already saved to this device in a different location other than the typical messages attachments location (*\mobile\Library\SMS\Attachments\).

Section 4 – Analyzing a full file system acquisition for SWY Syndication PL artifacts

On 8\18\2022, I made the first Full File System (FFS) acquisition of Dexter’s iPhone SE. In this section, we will use ArtEx to analyze the asset (IMG_0136) which, based on what we have learned so far, should be attached to a message or messages within the Apple Messages application.

In figure #31, we can see asset data from multiple artifacts within one view. In the top left, we can see the On-Device message within the chat thread. In the top right, we can see how ArtEx is displaying some of the message data about what is being displayed on the device. On the bottom, we can see ArtEx timeline view of the message data from sms.db and some of the attachment data as the result of an asset being saved to the Local Photo Library (Photos.sqlite).

The asset that was saved to the Local Photo Library was not saved by user interaction. The operating system saved this asset to the Local Photo Library. The data being populated in the Local Photo Library Photos.sqlite is coming from the from the Shared with You Syndication Photo Library.

NOTE: The Shared with You Syndication Photo Library Photos.sqlite, is not being displayed here because at the current time and to the best of my knowledge, the SWY PL Photos.sqlite data is not being parsed by any commercial or opensource tool. I wanted to display the data you might come across during your examinations so you could use this data to trace the asset back to the Shared with You asset.

Figure#31_IMG_0136_ondevice_sms.db_LPLPhotos.sqlite_data

Figure#32_IMG_0136_ondevice_data – Top Left

In the top left, we can see what the message looks like on the device. We can see the message was received on 4\23\2022 at 10:03:27 hrs (UTC-7). We can see the save option is still available indicating the user did not save the attachment to the device\Local Photo Library.

Figure#33_IMG_0136 sms.db data – Top Right

In the top right area, we can see the conversation view within ArtEx indicating the file path location of for the attachment (IMG_0136.mov).

There have been few questions about examiners conducting analysis and noticing the lowercase file extension vs the typical MOV or capital extension. This is an example of when an asset might have a lowercase file extension.

We can see ArtEx is providing us with the file path for the message attachment:

private\var\mobile\Library\SMS\Attachments\fb\11\at_0_98DDD5A0-FE38-450A-B596-A6282EAD1E87\IMG_0136.mov

We can also observe part of the file path is “at_0_98DDD5A0-FE38-450A-B596-A6282EAD1E87.” This is the attachment GUID, which can be listed within different databases with different names, for example the data will be listed in the:

sms.db as Attachment GUID

and

Local PL Photos.sqlite as Syndication Identifier

Within the sms.db this data can be found in the attachment table > guid column. Based on my testing and research, the following is a break-down of this attachment guid:

at – indicates the item\asset is from within Apple Messages application or was an attachment to a message

_<#>_ – indicates a counter for how many assets are/were attached to a single message. If a single message contains multiple assets this indicator will increase incrementally for each attachment in the message. Example: you could have _0_, _1_, _2_, _3_ and so on, preceding the message guid for every attachment in that single message, in this instance the attachment is the first attachment for the message because it has _0_ as its value.

<Message GUID> – is the Message GUID from sms.db > message table > guid column. In this instance, the message guid is 98DDD5A0-FE38-450A-B596-A6282EAD1E87.

Figure#34_IMG_0136_LPL Photos.sqlite data – Bottom

In the bottom area, we can see two entries from ArtEx timeline view that shows the message data including the sms.db ROWID that we can use to analyze and gather more information about the message.

We can also see some metadata about the video being parsed from the Local Photo Library Photos.sqlite database. ArtEx provides us with the primary key from ZASSET table Z_PK column that we will want to analyze and collect additional data from the database about this asset.

Notice the file name, original file name, and the imported by data are indicating the video originated from com.apple.MobileSMS application.

Notice the directory entry (F) is being parsed from the Local Photo Library Photos.sqlite database. This is an indication the asset is a Shared with You asset and a part of the Shared with You Photo Library. I will discuss this in more detail later in the write up.

Reminder: This asset was not saved to the Local Photo Library by a device user and this Photos.sqlite data is being populated based on Apple’s Shared with You asset analysis.

Figure#34_IMG_0136_LPLPhotos.sqlite_data

Figure#35_IMG_0136_All three sources of data

Figure #35 we can see all three sources of data again so we can closely analyze some of the relevant data about the asset.

Figure#35_IMG_0136_ondevice_sms.db_LPLPhotos.sqlite_data

Section 5 – sms.db analysis and related Shared with You Syndication Photo Library data

We are still analyzing the same asset but now we will look at the sms.db database for additional information.

File Name F7962E5E-9546-43C6-BC91-B859276C3EA1.mov
Original File Name IMG_0136.mov
Attachment guid \ syndication identifier at_0_98DDD5A0-FE38-450A-B596-A6282EAD1E87

Let’s review the databases for this asset to see what kinds of additional data we can find. Figure #36.2 is video of the sms.db query output I made for Shared with You assets. In the query output, we can see the following:

message date received – is the date the message was received on the device. If the asset is added to either the Local Photo Library (main Photos.sqlite) or the Shared with You Photo Library (SWY Photos.sqlite), this timestamp will match the zAsset-add date of the corresponding database.

message guid – guid for the individual message. A single message could contain multiple attachments.

message text \ object notice – indicates the message text and may contain an object indicator allowing us to see if an attachment(s) were included with the message.

attachment created date – is a timestamp the original asset was created on the originating device or originating application. This will match the zAsset-Created Date from either Photos.sqlite.

message date delivered – this is a timestamp the message was delivered on the device.

chat syndication date – provides you with the last timestamp when the chat was last synced with Shared with You Photo Syndication Library. If you are reviewing a specific message and you are missing a chat syndication date, this is not an indicator the message attachment has not been displayed on the device as a Shared with You linked asset. During testing, I had several assets appear on the device as a SWY linked asset and the chat syndication date did not contain a value.

attachment filename – contains the file path for the attachment, the attachment guid, and the attachment transfer name.

attachment guid – is the message guid associated with the attachment and an integer indicating if the message has multiple attachments. This integer will start with zero (0) and increase incrementally by one integer for every attachment in the message (example (_0_), (_1_), (_2_), and so on). This attachment guid can be used to find these attachments listed in the new Shared with You Syndication Photo Library Photos.sqlite and the Local Photo Library Photos.sqlite.

chat syndication type – I wanted to cover this column data with some addition details because these settings are also related to the device settings. The sms.db > chat table > syndication type column data will provide you with the ability to determine if the Shared with You setting is ON or OFF for this chat thread. If you missed it, figure #11 is a video demonstrating each chat thread setting on the device and how that appears within the sms.db database chat table. In the video, you will notice three (3) values can be seen. Those three values and their decoded interpretation are listed below:

Value\Integer 0 – indicates the Show in Shared with You chat thread has never been changed and is the default setting of ON or the other device\iOS version related to this chat thread does not support Shared with You.

Value\Integer 1 – indicates the Show in Shared with You chat thread setting has been changed and is turned ON.

Value\Integer 2 – indicates the Show in Shared with You chat thread setting has been changed and is turned OFF.

attachment sr ck sync state – indicates if the attachment has been synced with Shared with You Photo Library, research is ongoing, and decoding requires validation.

attachment ck sync state – currently, I am unable to determine any decoding for this value, research is ongoing for this data validation still in progress.

handle id – the identifier for who shared the attachment.

message cache has attachments – indicates if the message has an attachment(s).

attachment is outgoing – indicates if the attachment was a part of an outgoing message.

attachment hide attachment – indicates if the attachment is a shared link.

Figure#36.2_sms.db_query_output_attachment_guid

sms.db attachment file system location

Figure #37 is a video made while navigating the acquired data. In this video we will review the file system location where message attachments are stored.

File Name F7962E5E-9546-43C6-BC91-B859276C3EA1.mov
Original File Name IMG_0136.mov
Attachment guid \ syndication identifier at_0_98DDD5A0-FE38-450A-B596-A6282EAD1E87

For this asset, we are going to navigate to the file system location indicated in the previous section:

private\var\mobile\Library\SMS\Attachments\<folder>\<folder>\at_<incremental integer>_<message-guid>\<OriginalFileName.extension>

private\var\mobile\Library\SMS\Attachments\fb\11\at_0_98DDD5A0-FE38-450A-B596-A6282EAD1E87\IMG_0136.mov

Figure#37_video_artex_FS_navigation

Section 6 – Analysis of the Shared with You Syndication Photo Library

Shared with You Syndication Photo Library Photos.sqlite

We are going to use that attachment guid to locate the information about this asset in the new Shared with You Photo Library Photos.sqlite. Figure #39 is a video of me navigating the Shared with You Syndication Photo Library Photos.sqlite query output to analyze the database for Shared with You assets.

This SWY PL Photos.sqlite database is only accessible via a Full File System acquisition:

\private\var\mobile\Library\Photos\Libraries\Syndication.photoslibrary\database\Photos.sqlite

In the query output we can see the following:

Add Date – is the timestamp for the asset when it was added to the database\Shared with You Photo Library. This query will use this Add Date timestamp to order the query output

Date Created Source – this data is new in later versions of iOS 15 and iOS 16. The research for this column is ongoing and will be updated as new data is discovered

Date Created – is the assets’ original created\captured timestamp via the original created device\created application. This metadata appears to be sent with the asset\attachment regardless of the Include All Photo Data setting is turned ON or OFF

EXIF Timestamp String (in Device local time) – indicates the EXIF timestamp recorded in the database in device local time at the time of capture\creation (see figure #38)

Modification Date – As stated in previous blogs and research, it’s difficult to narrow down the exact reason a modification date changes or updates. I have found several different user and system actions can change and update the modification date of an asset

Visibility State – I’ve discovered during the testing of this database that the values located in this column should be interpreted\decoded differently than what has been decoded in the Local Photo Library Photos.sqlite database. We can see the assets listed in this SWY PL Photos.sqlite have a value of “0” and the assets listed in this database are located within the originals folder at:

private\var\mobile\Library\Photos\Libraries\Syndication.photoslibrary\scopes\syndication\originals\

Directory\Path – within the SWY PL Photos.sqlite the directory values will be an alphanumeric value (0 -9 or A – F). This alphanumeric charter represents the folder name for which the asset will be stored. This folder will contain assets whose filename starts with the same alphanumeric charter. If the assets file name starts with a “5” then it will be stored in the folder that’s titled “5.”

NOTE: If the asset is visible within the Local Photo Library\camera roll, the asset being stored within the SWY Photo Library will also appear in the Local Photo Library Photos.sqlite database.

Saved Asset Type – the values within this column must be interpreted differently than what is being interpreted in the Local Photo Library Photos.sqlite database: **Update 10/2/2022**

Value\Integer 3 – is the integer used to identify the asset is or was an attachment within Apple Messages application and is a Shared with You Syndication PL asset. If the Saved Asset Type is a three (3), this also indicates the asset has NOT been presented to the user on the device as a SWY linked asset within the Shared with You shelf or camera roll. ~~If the asset is saved by a user to the Local Photo Library from a chat thread, the saved asset type value will remain a three (3).~~ It appears with the release of public iOS 16 this was corrected and is no longer includes assets that have been manually saved. If the asset was manually saved to the Local Photo Library, it will have a value of 12 as listed below.

Value\Integer 12 – is the integer used to identify the asset(s) that are\were presented to the user as Shared with You Syndication Photo Library linked asset. If the appropriate device settings are turned ON, these assets will be visible within the Local Photo Library\camera roll and the Shared with You shelf. If after these assets were presented to the user, a user saved the asset to the Local PL or deleted the asset from being viewed, the SWY PL Photos.sqlite will still indicate a value of 12. Thus, indicating the asset at one time was viewable on the device as a Shared with You Syndication Photo Library linked asset. If the assets have NOT been manually saved to the Local Photo Library or have not been deleted from being viewed as a SWY linked asset, they will be stored in the following file path: \private\var\mobile\Media\PhotoData\UBF\scopes\syndication\*

Filename – provides the asset file name we can use to locate the assets within the Local Photo Library and Local PL Photos.sqlite. Additionally, this would be the file name you would want to search for when using a forensic tool to search of the asset within the device acquisition

Original Filename – this is the assets original file name from the original created device, or the original application used to create the asset

Kind Sub Type – provides us with an indication if the asset we are analyzing is a still photo, live-photo, or a video. If the asset is listed as a live photo, this is an indication you may find two assets (heic asset and a mov asset) saved in the corresponding syndication original folder

Asset Syndication State – Based on what I have observed during testing, I have decoded the following values to provide some great insight into what happened to the asset. This is still very new and will need some additional testing and validation. Please let me know if you find any conflicts or successful validation with this decoding, this has different decoding compared to the Local Photo Library Photos.sqlite:

Value\Integer 0 – indicates the Shared with You Syndication Photo Library asset was Received

Value\Integer 1 – indicates the Shared with You Syndication Photo Library asset was Sent

Value\Integer 2 – indicates the Shared with You Syndication Photo Library asset was manually saved by a device user and now has a duplicate saved in the Local Photo Library – *\Media\DCIM\<*>APPLE file system location

Value\Integer 8 – indicates the Shared with You Syndication Photo Library asset was automatically visible on the device via a SWY linked asset (had chat bubble) and a device user deleted the asset from being viewed on the device via the SWY link. Asset will be removed from the following locations: \private\var\mobile\Media\PhotoData\UBF\scopes\syndication\*

Value\Integer 10 – indicates the Shared with You Syndication Photo Library asset was manually saved by a device user to the Local Photo Library (*\Media\DCIM\<*>APPLE) but later deleted by a user from the Local Photo Library

NOTE: Regardless of the assets Syndication State, the Asset can still be located within the Shared with You Syndication Photo Library file system storage locations, if the asset is still an attachment to a message within Apple Messages.

\private\var\mobile\Library\Photos\Libraries\Syndication.photoslibrary\scopes\syndication\*

Syndication Identifier – this syndication identifier matches the attachment guid from the sms.db database. In the video you will notice how I highlight the two values from each database (SWY PL Photos.sqlite and the sms.db) for one asset and how they match

Additional Asset Attributes Syndication History – At this time during testing the only value I encountered was “0.” Research is ongoing

Media Analysis Asset Attributes Syndication Processing Version – I am still working on getting this fully decoded and this will be updated as soon as I have that decoding. At the time of testing, the only values I observed were 0 and 65551.

Media Analysis Asset Attributes Syndication Processing Value – At this point in testing, I have encountered the following values, but I am still working towards decoding them. Additional testing and research are needed.

Value\Integer 0 – Appears to be NA

Value\Integer 1 – Still Testing and decoding

Value\Integer 2 – Still Testing and decoding

Value\Integer 4 – Still Testing and decoding

Value\Integer 16 – Still Testing and decoding

Value\Integer 1024 – Still Testing and decoding

Value\Integer 2048 – Still Testing and decoding

Value\Integer 4096 – Still Testing and decoding

Analysis State Modification Date – will indicate the latest timestamp the asset was analyzed. The view, play, and share counts will not change from pending to viewed\played until the asset is analyzed and the analysis state modification timestamp has been updated

View – Play – Share Count(s) – the Shared with You Syndication Photo Library assets and the Local Photo Library assets are processed in a similar manner to show an asset was viewed, played, or shared. Based on testing, only the Shared with You Photo Library assets with a Saved Asset Type (12) will track if the asset was viewed, played, and shared. The other assets listed in the Shared with You Photos.sqlite will not track if the asset is viewed, played, or shared. As stated above, Shared with You Photo Library Assets that have a Saved Asset Type of, 12, will have the chat bubble in the lower left corner of the thumbnail.

NOTE: At this time, I have not been able to determine what causes a pending view, play or share count to be recorded. Further testing is required and will be updated when further data can be decoded

NOTE: I have not included the data from Moments tables in the Shared with You Photo Library Photos.sqlite basic query. These assets will have data in these and other tables that have been omitted from the basic query. Please use the full query to review the data for the areas not queried as a part of the basic query.

Figure#39.1_SWY_PL_Photossqlite_query_output_IMG_0136

Figure#39.2_SWY_Syndication_PL_Photos.sqlite_SycStateValuesTest

Shared with You Syndication Photo Library file system storage locations

File Name F7962E5E-9546-43C6-BC91-B859276C3EA1.mov
Original File Name IMG_0136.mov
Attachment guid \ syndication identifier at_0_98DDD5A0-FE38-450A-B596-A6282EAD1E87

The Shared with You Syndication Photo Library stores its associated assets within the following file system locations. Remember that the following file system locations are only accessible if you have access to the full file system.

Originals:

\private\var\mobile\Library\Photos\Libraries\Syndication.photoslibrary\scopes\syndication\originals

This file system location will contain several additional folders. These folders are titled with alphanumeric characters. During my research, I encountered the following alphanumeric characters, 0 -9 and A – F. These alphanumeric characters correlate to the first character of the Shared with You asset file name.

In the example provided above, the Shared with You asset file name is F7962E5E-9546-43C6-BC91-B859276C3EA1.mov, we can deduce the asset will be stored at the following file path:

\private\var\mobile\Library\Photos\Libraries\Syndication.photoslibrary\scopes\syndication\originals\F\

If the asset is a Live Photo, you should see both a heic asset and a _3.mov asset.

Derivatives:

\private\var\mobile\Library\Photos\Libraries\Syndication.photoslibrary\scopes\syndication\resources\derivatives\

This file system will contain several additional folders. These folders will have the same alphanumeric characters as previously discussed.

These folders do not contain original assets, but jpeg assets. They appear to be used as thumbnails or cached files for the original assets, but I am unsure for where these thumbnails or cached files are used.

These assets will have the same file name as the originals but will have the following added to the end of the file name “_1_102_o.jpeg.”

Derivatives\Masters:

\private\var\mobile\Library\Photos\Libraries\Syndication.photoslibrary\scopes\syndication\resources\derivatives\masters\

There is an additional folder in this location titled “masters.” This folder also contains folders with alphanumeric characters as previously discussed. These folders will again contain assets with the same file name as the originals, but these will have the following added to the end of the file name “_4_5005_c.jpeg.”

It’s important to note, if the asset is visible within the Local Photo Library\camera roll, the asset being stored within the SWY Syndication Photo Library will also appear in the Local Photo Library Photos.sqlite.

NOTE: Use caution when using forensic tools that have deduplication settings. Depending on the tool you are using, if an original Shared with You asset is being stored in two different file system locations (Local Photo Library and the SWY Photo Library, one of the assets could be hidden or removed from the case. If you are analyzing these types of assets, I would suggest turning off deduplication so that you can find all available related assets.

Figure#40.1_SWY_PL_assets_Storage_Location

SWY Syndication PL assets visible on device in Local PL SWY file system storage locations

In figure #40.3 we will review the additional file system locations that store Shared with You assets. These locations are a part of the Local Photo Library and are tracked via the Local PL Photos.sqlite database. I will discuss the related data being stored in the Local Photo Library Photos.sqlite database in the next section.

\private\var\mobile\Media\PhotoData\UBF\scopes\syndication\*

Originals:

\private\var\mobile\Media\PhotoData\UBF\scopes\syndication\originals\

In the example provided above, the Shared with You asset file name is F7962E5E-9546-43C6-BC91-B859276C3EA1.mov, we can deduce that the asset will be stored at the following file path:

\private\var\mobile\Media\PhotoData\UBF\scopes\syndication\originals\F\

If the asset is a Live Photo, you should see both a heic asset and a _3.mov asset.

Derivatives:

\private\var\mobile\Media\PhotoData\UBF\scopes\syndication\resources\derivatives\

This file system will contain several additional folders. These folders will have the same alphanumeric characters as previously discussed.

These assets will have the same file name as the originals but will have the following added to the end of the file name “_1_102_o.jpeg.”

Derivatives\Masters:

\private\var\mobile\Media\PhotoData\UBF\scopes\syndication\resources\derivatives\masters\

Figure#40.3_SWY_assets_Visible_on_devcie_in_LPL_FS_Locations

Section 7 – Analysis of the Local Photo Library and related SWY assets

Local Photo Library Photos.sqlite database

Using the information, we have collected so far, we will analyze the Local Photo Library Photos.sqlite database to determine if any of these Shared with You assets are discoverable within the Local Photo Library. I will be using my iOS 15 Local PL Photos.sqlite query to review the data. As a result of this research, I have also created a smaller basic query that should highlight some of the more frequently questioned Photos.sqlite data, which includes Shared with You related asset data.

As a reminder here is the file we are analyzing:

File Name F7962E5E-9546-43C6-BC91-B859276C3EA1.mov
Original File Name IMG_0136.mov
Attachment guid \ syndication identifier at_0_98DDD5A0-FE38-450A-B596-A6282EAD1E87

Figure#41.1_SWY_assets_Visible_on_devcie_in_LPL_Photos.sqlite

This database is located at the following location and can be found in most forensic acquisitions:

\private\var\mobile\Media\PhotoData\Photos.sqlite

At the beginning of figure #45 you will notice I am using the iOS 15 Local PL Photos.sqlite query. If you have used these queries in the past, you will notice assets can be listed several times due to the data that is stored for the asset in different tables.

The following is a list of columns you might want to analyze:

Additional Asset Attributes (zAddAssetAttr) Imported by – the data stored in this column will provide you with some insight into how the asset was imported into the Local Photo Library. With the creation of the new Shared with You Syndication Photo Library, I discovered a new value indicating the asset was imported from the Shared with You Syndication Photo Library:

Value\Integer 12 – is the integer used to identify assets that have been imported from the Shared with You Syndication Photo Library. The assets listed in the Local Photo Library Photos.sqlite that have a value of 12 can be found at the following file path. This file path and its assets will be accessible with a back-up acquisition:

\private\var\mobile\Media\PhotoData\UBF\scopes\syndication\*

NOTE: The assets found within the *\UBF\ file paths are not the original assets. The original Shared with You assets are accessible via a FFS acquisition within the following file path:

\private\var\mobile\Library\Photos\Libraries\Syndication.photoslibrary\scopes\syndication\*

Asset UUID – By filtering\searching for the assets that have an Additional Asset Attributes Imported By value of 12, we can then review assets UUID (zAsset-UUID), which is also the assets file name saved locally on the device.

NOTE: While reviewing figure #45, I would like to draw your attention that even though iCloud Photos is turned ON for this device and an Apple ID is being used on the device, this asset was not synced with iCloud Photos. This asset will not have a cloud master asset created and you will not see cloud master data populated in the Local Photo Library Photos.sqlite database for this asset. These assets will not be synced or located in iCloud Photos.

Asset Bundle Scope – there is a new value for the asset bundle scope column. This new value has been decoded to indicate the asset is a Shared with You linked asset and is being stored in the Shared with You file system locations. A shared with you linked asset are only those that have a small chat bubble in the lower left corner of the thumbnail\preview when viewing them on the device. An additional note has been added to this decoded value, because at the time of testing, iCloud Photos was turned on. In previous testing, it’s possible for a value in this column to have a different decoding depending if iCloud Photos is On or Off at the time of acquisition.

Value\Integer 3 – indicates iCloud Photos is ON and the asset is a Shared with You linked asset. The asset(s) can be found in the following local device file path:

\private\var\mobile\Media\PhotoData\UBF\scopes\syndication\*

Only the Shared with You linked assets that are visible to the user via Shared with You Shelf and camera roll will be listed within the Local Photo Library Photos.sqlite database and be stored in the above location.

And at the following file path if you have access to the full file system:

\private\var\mobile\Library\Photos\Libraries\Syndication.photoslibrary\scopes\syndication\*

Figure#41.2_SWY_PL_Linked_Assets_with_AssetBundleScope_3

Asset Visibility State – this column will indicate if the asset is visible in the Photo Library. In this case the Photos.sqlite database we are analyzing belongs to the Local Photo Library and indicates the asset(s) are visible in the Photo Library, which we have observed in prior videos and examples. This asset is displayed within the Shared with You shelf and the local photo library camera roll.

Asset Directory \ File Path – as discussed previously, this column will indicate where the asset is saved on the device. There are two sets of file path locations you will want to check based on the database data:

Shared with You Syndication Photo Library FFS asset storage location:

\private\var\mobile\Library\Photos\Libraries\Syndication.photoslibrary\scopes\syndication\originals\F\

\private\var\mobile\Library\Photos\Libraries\Syndication.photoslibrary\scopes\syndication\resources\derivatives\F\

\private\var\mobile\Library\Photos\Libraries\Syndication.photoslibrary\scopes\syndication\resources\derivatives\masters\F\

SWY assets being stored in Local Photo Library asset storage location via back-up acquisition:

\private\var\mobile\Media\PhotoData\UBF\scopes\syndication\originals\F\

\private\var\mobile\Media\PhotoData\UBF\scopes\syndication\resources\derivatives\F\

\private\var\mobile\Media\PhotoData\UBF\scopes\syndication\resources\derivatives\masters\F\

The file paths listed above for the asset we are currently examining. As stated above, you will want to analyze the file path folder that corresponds to the first alphanumeric charter of the file name.

Figure#42_LPL_Photos.sqlite_AssetFileName_and_AssetDirectory

Asset Saved Asset Type – after testing, a new saved asset type was discovered. This new asset type will indicate if the asset is a Shared with You linked asset and, if the appropriate settings are ON, these assets are currently displayed on the device to the user within the SWY shelf or Local Photo Library camera roll.

Value\Integer 12 = indicates the asset is a Shared with You (SWY) linked asset. These assets are being displayed on the device to the user via Shared with You shelf and within the Local Photo Library. These assets will have duplicate assets saved in the Shared with You Syndication Photo Library.

If these assets are listed in the Local Photo Library Photos.sqlite they can be found at the following file path location:

\private\var\mobile\Media\PhotoData\UBF\scopes\syndication\*

They will also have assets saved within the following location if you have access to a FFS acquisition:

\private\var\mobile\Library\Photos\Libraries\Syndication.photoslibrary\scopes\syndication\*

During this research and testing, I only encountered Shared with You linked assets from the Apple Messages application. Further testing is required to verify if it’s possible for other applications to have a saved asset type – 12.

Figure#43_SWY_PL_Linked_Assets_SavedAssetType12

Figure#44_SWY_PL_Linked_Assets_SavedAssetType12

Asset File Name – as discussed previously, the local on device asset name will be the zAsset table UUID column data and a file extension.

Additional Asset Attributes Original Filename – we can see the original file name, which in this case, is the original file name that was shared from Scooter Scott via messages application (com.apple.MobileSMS).

Cloud Master (CldMast) Original Filename – notice this asset does not have a cloud master file name because this Local Photo Library asset and SWY PL asset was not and will not be synced with the iCloud Photos account. This could change with later updates to iOS.

Asset Date Created – this is a timestamp (UTC) when the asset was created via the original source. This data remained with the asset after it was sent via messages application.

NOTE: Metadata adjustment was not tested during this research.

Additional Asset Attributes – EXIF Timestamp – this is a timestamp recorded in local device time at the time the asset was captured\created. This data remained with the asset after it was sent via messages application.

Asset Add Date – this is the timestamp (UTC) the asset was added to the Photo Library and corresponding Photos.sqlite database. In this instance, it is when the asset was added to the Local Photo Library which is the same time the message was received on the device that contained this attachment.

Asset Analysis State Modification Date – is the timestamp the asset was last processed by the OS to record changes. One of the most noteworthy changes is when pending views and plays will be added to the viewed or played columns.

Additional Asset Attributes Pending View, Play, Share Counts – Is the number of times the asset was viewed, played, and shared, but has not been committed to the counts columns. These assets can be viewed on the device in multiple places like the Local Photo Library camera roll, Shared with You shelf, and within the message thread. Because I don’t have an iOS 15 jailbroken device, observing these small changes due to the asset being viewed and played is difficult. Additional testing and research are needed to determine how and when view, play, and shared count is added to these columns.

Additional Asset Attributes Viewed, Played, Shared Counts – Is the number of times the asset was viewed, played, and shared.

Asset Syndication State – Within the Local Photo Library Photos.sqlite the only value I observed during testing was zero (0). The SWY PL Photos.sqlite had multiple values listed with in the database. Based on my testing, I believe this column is not applicable for the assets stored in the Local Photo Library, thus will have a decoded value of 0-Local-PL_Assets_Syndicaion_State_NA-0.

Additional Asset Attributes Syndication Identifier – is the message guid associated with the attachment and an integer indicating if the message has multiple attachments. This integer will start with zero (0) and increase incrementally by one integer for every attachment in the message (example (_0_), (_1_), (_2_), and so on). This syndication identifier can be used to find the matching attachment guid within the sms.db database.

In figure #45, you will notice that I use both the Local PL and the SWY PL Photos.sqlite databases to compare and find matching values.

Additional Asset Attributes Syndication History – At this time during testing, the only value I encountered was “0.” Research is ongoing

Value\Integer 0 – Appears to be NA
Value\Integer 1 – Still Testing and decoding
Value\Integer 2 – Still Testing and decoding
Value\Integer 4 – Still Testing and decoding
Value\Integer 16 – Still Testing and decoding
Value\Integer 1024 – Still Testing and decoding
Value\Integer 2048 – Still Testing and decoding
Value\Integer 4096 – Still Testing and decoding

Figure#45_Local_PL_Photossqlite_Query_Review

Section 8 – Summary of what we have learned about Shared with You assets and links

We’ve conducted a manual examination of a device and identified assets with a Shared with You link indicator. This indicator can be viewed by the device user via a small chat bubble in the lower left corner of the thumbnail which, if the appropriate settings are turned ON, can be viewed from within the “For You” section on the “Shared with You” shelf and within Local Photo Library camera roll.

Figure#46_SWY_Linked_Assets_OnDevice_indicators_SWY-Shelf

Figure#47_SWY_Linked_Assets_OnDevice_indicators_LPL_Settings-Defult

Figure#48_SWY_Linked_Assets_OnDevice_indicators_LPL-CamearRoll

The visible on-device Shared with You linked assets are tracked via the Local Photo Library Photos.sqlite database and can be tracked back to the Shared with You Photo Library Photos.sqlite database and the sms.db database.

Figure#49_LPL_Photos.sqlite_zAsset-SavedAssetType12_VisibleOnDevice

The Shared with You linked assets that are visible on the device will be tracked via the Local Photo Library Photos.sqlite database and can be found within the following file system locations, which are available via back-up and full file system data acquisition(s):

\private\var\mobile\Media\PhotoData\UBF\scopes\syndication\originals\

\private\var\mobile\Media\PhotoData\UBF\scopes\syndication\resources\derivatives\

\private\var\mobile\Media\PhotoData\UBF\scopes\syndication\resources\derivatives\masters\

Figure#50_LPL_Photos.sqlite_SWY_Assets_VisibleOnDevice_FS_Location

Shared with You assets listed below, will be tracked via the Shared with You Photo Syndication Library Photos.sqlite database. You will need access to the full file system to analyze these assets:

Shared with You assets that are not visible on the device
Original Shared with You assets that have been manually saved to the Local Photo Library

These Shared with You assets are being stored within the following file system locations and are only available via Full File System access:

\private\var\mobile\Library\Photos\Libraries\Syndication.photoslibrary\scopes\syndication\originals\

\private\var\mobile\Library\Photos\Libraries\Syndication.photoslibrary\scopes\syndication\resources\derivatives\

\private\var\mobile\Library\Photos\Libraries\Syndication.photoslibrary\scopes\syndication\resources\derivatives\masters\

Figure#51_SWY_Syndication_PL__Assets_FS_Location

Section 9 – Asset Attribution sms.db > Shared with You Syndication PL > Local Photo Library

Based on the information we have learned so far, we should be able to use the following databases to track an asset:

Sms.db database
Shared with You Syndication Photo Library Photos.sqlite database
Local Photo Library Photos.sqlite database

Using these databases, we can follow the asset from being a message attachment, to being an asset listed in the Shared with You Syndication Photo Library linked asset Photos.sqlite, to an asset being displayed on the device in the Local Photo Library as a Shared with You linked asset.

Using the sms.db we are able to use the database data to locate assets that are attached to a message. We can view the attachment guid for the message attachment and we can see there is an attachment file path listed in the attachment filename column.

We can also use this data from the sms.db to locate the attachment file in the file system

Private\var\mobile\Library\SMS\Attachments\*

Figure#52_sms.db_AttachmentGUID=Photos.sqlite_Syndication-Identifier

We then analyze the Shared with You Syndication Photo Library Photos.sqlite and locate the Syndication Identifier which matches our target attachment guid. Using this data, we can then review the original file name for that asset. This original filename was the file name of the message attachment. Then using the Photos.sqlite query output we can find the file name of the asset stored on the device in the Shared with You Syndication Photo Library.

As discussed earlier, we can see in figure #53, the Saved Asset Type indicates a value of 12. This indicates the asset has been displayed on the device without the user saving this asset to the Local Photo Library but having a value of 12 also means that the asset has automatically saved to the Local Photo Library by Apples Shared with You asset analysis.

Figure#53_SWY_PL_Photos.sqlite-Syndication-Identifier_to_Orig-Filename_to_Filename

Continuing our analysis of the asset and knowing that the asset was automatically saved to the Local Photo Library via Apples asset analysis, we will analyze the Local Photo Library Photos.sqlite database to show where this file is stored.

In figure #54, we can see the Syndication Identifier matches the SWY PL Syndication Identifier and the sms.db attachment guid.

The LPL Photos.sqlite original file name, matches the SWY PL original file name.

The LPL Photos.sqlite file name, matches the SWY PL file name.

Using the Local Photo Library Photos.sqlite, we can see the ZASSET table UUID data matches the assets file name, just without the extension.

Not captured within figure #54, but the ZASSET table ZDATECREATED timestamp is when the original asset (IMG_0136) was captured on the iPhone X. In this specific instance, the Add Date timestamp matches when the message attachment was received on the device and the asset was added to the Shared with You PL Photos.sqlite and the Local PL Photos.sqlite.

Figure#54_LPL_Photo.sqlite_Traced_From_sms.db_and_SWY_PL_Photos.sqlite

GitHub SQLite Queries

Section 10 – Turning OFF Shared with You Global Settings

During my testing, when I turned off the Global Shared with You setting located at Settings > Messages > Shared with You, there were indications that several files were deleted. This was viewed within the System Log which can be monitored using MacOS Console or a third-party tool like iBackupBot. In figure #55, we can see two assets that have been displayed on the device via with Shared with You Syndication Photo Library links were deleted. I was unsure of which assets were being deleted, was it the assets being stored with in the Local Photo Library or the assets being stored in the Shared with You Syndication Photo Library?

Figure#55_SWY_Global_Turned-OFF_System_Logs

You might have to zoom in on figure #55 to see the log entries, but within the highlighted areas we can see the following information:

Sep 10 08:11:02 Dexter-Scooter-iPhone-SE-156 assetsd(PhotoLibraryServices)[228] <Notice>: Delete reason: Syndication for Photos was turned OFF

Sep 10 08:11:02 Dexter-Scooter-iPhone-SE-156 assetsd(PhotoLibraryServices)[228] <Notice>: Deleting F\F7962E5E-9546-43C6-BC91-B859276C3EA1.mov [0xa7a5f77b02cc9512 <x-coredata:\\35281F76-4659-45BD-8898-2C118C5431AB\Asset\p219> F7962E5E-9546-43C6-BC91-B859276C3EA1] (created on Mon Apr 18 19:38:57 2022)

The first entry highlighted indicates Shared with You was turned OFF. The second entry indicates the specific asset that was deleted.

Figure #56 is a video of the Global Shared with You device setting being turned OFF, then the data was acquired. We can see based on the analysis that the assets that were deleted were those Shared with You assets being stored in the Local Photo Library at the following paths:

\private\var\mobile\Media\PhotoData\UBF\scopes\syndication\originals\

\private\var\mobile\Media\PhotoData\UBF\scopes\syndication\resources\derivatives\

\private\var\mobile\Media\PhotoData\UBF\scopes\syndication\resources\derivatives\masters\

The assets being stored in the Shared with You Syndication Photo Library, were not affected. They were all still stored at the following locations:

\private\var\mobile\Library\Photos\Libraries\Syndication.photoslibrary\scopes\syndication\originals\

\private\var\mobile\Library\Photos\Libraries\Syndication.photoslibrary\scopes\syndication\resources\derivatives\

\private\var\mobile\Library\Photos\Libraries\Syndication.photoslibrary\scopes\syndication\resources\derivatives\masters\

Figure#56_SWY_GlobalSetting_OFF-ON_DeletedAssets

Section 11 – Bonus: If you suspect Shared with You assets or attachments may have been deleted

If you suspect a user may have deleted a Shared with You asset or an attachment from within messages application chat thread, as discussed in many blogs and other research postings, we can analyze the Shared with You Syndication Photo Library Photos.sqlite to find missing primary keys\row ids. This will provide you with an indication that assets might be missing from your analysis. As stated previously, you will need a FFS acquisition to analyze this database and file system locations.

Once you determine that you have missing primary keys\row ids, I would encourage you to review the following location:

\private\var\mobile\Library\Caches\com.apple.MobileSMS\Previews\Search\*

During this testing, I was able to locate deleted Shared with You assets and other attachments at the above location. The assets found at this location had file names like the one listed below:

PhotosSearchSection-at_0_98DDD5A0-FE38-450A-B596-A6282EAD1E87.png

In July 2020, a few forensic examiners, Heather Mahalik, Geraldine Blay, Ryan Socks, and others had a conversation within the IACIS listserv where the following was stated about Photos Search Section assets:

“Okay, I just dumped my device again. The photos below that you see and that you have are the result of me being in my SMS messages and selecting the Name of my Contact at the top of the chat and then selecting the “i”. The photos that were available are shown in the Previews.”

Given what other community members have researched and stated, we can see that the assets stored in this location, *\Caches\com.apple.MobileSMS\Previews\Search\*, will store assets related to message attachments.

As you might have noticed, this file name contains the attachment guid that we have previously seen within in the sms.db, SWY PL Photos.sqlite, and the Local PL Photos.sqlite databases. So, using the same techniques discussed earlier, you might be able to associate this attachment to a message if the some of the other data exists.

At this point, I have not conducted any of my own research into this area or these assets, but I have located assets in the above file system location, that resemble or are duplicates of deleted Shared with You assets\message attachments that I was not able to find anywhere else.

Section 12 – Asset Counts are different for Synced iPhones and iCloud Photos

I was asked a question unrelated to the Shared with You Syndication Photo Library about assets being synced between two different iPhones using the same Apple ID. The answer to that question can be found here, but while researching that question, I discovered some interesting information about Shared with You (SWY) Syndication Photo Library linked assets.

A question might arise if you are conducting an analysis of an iPhone data acquisition and data that you’ve received from an iCloud warrant return, if while analyzing the data you might notice a discrepancy in the number of assets being stored on the device vs the number of assets that have been synced with iCloud Photos. My initial thought would be the user might’ve turned off iCloud Photos sync and that’s why the device has more assets than what is being stored in iCloud Photos, but I would be incorrect. So, the question I would ask myself:

“Why does the device indicate it has X number of Photos and Videos being stored, but iCloud Photos is indicating that Y number of Photos and Videos that have been synced?”

In previous blogs and examples, I’ve demonstrated if a device is connected to a network and the device is being synced, it takes only seconds for asset changes to be synced between the device and iCloud Photos, so why is there a difference in the number of assets?

NOTE: These are test devices and I have not received iCloud warrant returns for either device. My research and statements are based on what I observed during the live analysis of the iCloud Photos web platform.

An additional question that this write up might answer is:

“Why are two iPhones that are being synced using the same Apple ID, have a different number of assets being stored in the Local Photo Library?”

By including this in the write up, I hope to provide you with at least one example of why this might occur.

In this example, I have two devices that are using the same Apple ID, dexterscooter3347@gmail.com. These devices are being synced using iCloud Photos and Messages. Both devices are using the Optimize iPhone Storage setting.

iPhone 7 A1660 with iOS 15.1 (19B74)

iPhone SE A1662 with iOS 15.6 (19G71)

In figure #57, you will notice both devises on the screen. The iPhone 7 is on the left and the iPhone SE is on the right.

The iPhone 7 has 159 Photos and 50 Videos being displayed in the Local Photo Library (All Photos) camera roll.

The iPhone SE has 157 Photos and 54 Videos being displayed in the Local Photo Library (All Photos) camera roll.

iCloud Photos has 156 Photos and 49 Videos being displayed in the iCloud Photo Library.

How can all three device libraries be different, if they are supposed to be syncing?

The answer in this case is Shared with You (SWY) Syndication Photo Library linked assets!

The iPhone 7 has 3 Shard with You (SWY) linked Photos and 1 SWY linked Video.

The iPhone SE has 1 SWY linked Photo and 5 SWY linked videos.

Figure#57_SWY_2iPhones_Same_AppleID

Conclusion, Future Considerations and References

Conclusion

I hope this information will assist you with understanding what a Shared with You Syndication Photo Library, the related assets and where they can be found.

With the release of iOS 16, Apple has made the Shared with You feature available to third-party application developers to integrate the Shared with You feature into their apps. I believe this is an indicator that we, forensic examiners, will be seeing artifacts from other apps being stored within the Shared with You Syndication Photo Library file system locations and the Photos.sqlite.

I have not been able to test this with third-party apps, but it’s still early. Please let me know if you start to see Shared with You assets from third-party applications.

This is a very new Apple feature and I’m sure some follow up research and validation will be needed, but after researching the library and how the assets are stored, I felt compelled to release what I found. The entire time I was researching, I couldn’t stop from thinking about how examiners\investigators might be able to use this information to determine if a user deleted assets that were once displayed on the device and might still be within Apple Messages Application as an attachment.

I am very interested to see what this data will look like once other third-party application developers begin implementing this feature and if those assets will be stored in these same locations.

I conducted some additional research about third-party application usage of Shared with You and I have learned that as of 9/13/2022 third-party application Shared with You feature is OFF by default. The device user will have to enable it manually on the device to use this feature. The Apple apps that use Shared with You is still ON by default.

Future Considerations

There is still a lot of research that is required since iOS 16 was just released to the public. I am looking forward to having the ability to get a full file system from iOS 16 and the iOS 15 jailbreak release.

Another area that I would like to test would be how this data is stored within MacOS and how this photo library would effect syncing of assets across multiple devices.

References:

Shared with You Documentation

WWDC 2022 Integrate your custom collaboration app with Messages

WWDC 2022 Add Shared with You to your app

PhotoKit Documentation

PHAsset

Import photos from another library in Photos on Mac

XPC Activity