Update to Shared with You Syndication Media & Conversation Correlation

This is an update to previously researched and published material about the Apple iOS Shared with You syndication media. The update is based on a question sent to me via the DFIR Discord. The examiner advised that he had located a phone number in the Syndication.photoslibrary Photos.sqlite ZGENERICALBUM table and requested assistance determining how the phone number was related to an album. Additionally, he wanted to show a relationship between the phone number he found and the target asset (media file) being analyzed.

I was a little confused because during my previous research, I did not recall observing data that could be used to show asset-to-album correlation. Nor did I remember observing phone numbers or emails in the Generic Album table for Shared with You assets. After reviewing some old (iOS 15.1) and newer (iOS 17.2.1) Shared with You Photos.sqlite databases, I was able to locate phone numbers and emails in the ZGENERICALBUM table, as the other examiner described, and the testing and research began.

Forensic Question:

Is it possible to illustrate a correlation between a Shared with You syndication media asset and a conversation identifier such as a phone number or email within the Syndication.photoslibrary Photos.sqlite ZGENERICALBUM table?

As a result of the updated testing and research, I learned the examiner who reached out was 100% correct! I missed a very important artifact and missed out on an easy method of linking Shared with You assets to the conversation (phone number or email) from which the asset originated.

Testing Devices:

iPhone 14 Pro (A2650) iOS 17.2.1

iPhone X (A1865) iOS 16.7.4

and

Previously acquired Local Photo Library (LPL) and Shared with You Photo Library (SWYPL) Photos.sqlite databases (iOS 15.1 – 17.2.1).

Databases and File Paths:

Local Photo Library (LPL):

\private\var\mobile\Media\PhotoData\Photos.sqlite

Shared with You Syndication Photo Library (SWYPL):

\private\var\mobile\Library\Photos\Libraries\Syndication.photoslibrary\database\Photos.sqlite

Testing and Research:

After reviewing the previous LPL and SWYPL Photos.sqlite databases and creating new Shared with You syndication media assets, I observed the data I initially missed, contained within the ZASSET table ZCONVERSATION field and the ZGENERICALBUM table ZIMPORTSESSIONID field. These two tables are joined via the ZASSET table ZCONVERSATION field value and the ZGENERICALBUM table Z_PK field value; the ZIMPORTSESSIONID field of the matched ZGENERICALBUM record holds the conversation identifier (phone number or email).

NOTE: This join works for both the Local Photo Library and the Shared with You Syndication Photo Library Photos.sqlite databases.
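The join described above, written out as an added example that is not from the original post or from the author's GitHub queries. It builds a constructed in-memory stand-in for Photos.sqlite containing only the columns the join needs (ZASSET.Z_PK, ZASSET.ZFILENAME, ZASSET.ZCONVERSATION, ZGENERICALBUM.Z_PK, ZGENERICALBUM.ZIMPORTSESSIONID); the phone number, email and filenames are constructed sample values, and a LEFT JOIN is used so assets with no conversation link are still reported rather than silently dropped.

```python
import sqlite3

# Join from the post: ZASSET.ZCONVERSATION -> ZGENERICALBUM.Z_PK, with
# ZGENERICALBUM.ZIMPORTSESSIONID carrying the conversation identifier.
# LEFT JOIN keeps assets whose ZCONVERSATION is NULL (no conversation link).
CORRELATION_QUERY = """
SELECT zAsset.Z_PK                 AS asset_pk,
       zAsset.ZFILENAME            AS filename,
       zAsset.ZCONVERSATION        AS conversation_fk,
       zGenAlbum.ZIMPORTSESSIONID  AS conversation_id
FROM ZASSET zAsset
LEFT JOIN ZGENERICALBUM zGenAlbum
       ON zAsset.ZCONVERSATION = zGenAlbum.Z_PK
ORDER BY zAsset.Z_PK
"""


def build_sample_library() -> sqlite3.Connection:
    """Constructed minimal stand-in for a Syndication Photos.sqlite.
    Only the columns needed by the join are modelled; this is not a real
    schema dump, and all row values are made up for the example."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE ZGENERICALBUM (Z_PK INTEGER PRIMARY KEY, ZIMPORTSESSIONID TEXT);
        CREATE TABLE ZASSET (Z_PK INTEGER PRIMARY KEY, ZFILENAME TEXT, ZCONVERSATION INTEGER);
    """)
    con.executemany("INSERT INTO ZGENERICALBUM VALUES (?, ?)", [
        (10, "+15555550100"),         # constructed phone number
        (11, "scooter@example.com"),  # constructed email address
    ])
    con.executemany("INSERT INTO ZASSET VALUES (?, ?, ?)", [
        (1, "IMG_0001.HEIC", 10),
        (2, "IMG_0002.MOV", 11),
        (3, "IMG_0003.HEIC", 10),
        (4, "IMG_0004.HEIC", None),   # asset with no conversation link
    ])
    return con


def correlate_assets(con: sqlite3.Connection) -> list:
    """Run the join; each row is a dict, conversation_id is None if unlinked."""
    cur = con.execute(CORRELATION_QUERY)
    cols = [d[0] for d in cur.description]
    return [dict(zip(cols, row)) for row in cur.fetchall()]


def assets_by_conversation(rows: list) -> dict:
    """Group filenames by conversation identifier; unlinked assets land under None."""
    grouped = {}
    for row in rows:
        grouped.setdefault(row["conversation_id"], []).append(row["filename"])
    return grouped


if __name__ == "__main__":
    for cid, files in assets_by_conversation(correlate_assets(build_sample_library())).items():
        print(cid or "<no conversation>", "->", ", ".join(files))
```

To run this against a real database, replace the in-memory connection with `sqlite3.connect("Photos.sqlite")` on a working copy and keep the query as is.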

Local Photo Library zAsset – zGenericAlbum join
Shared with You Syndication Photo Library zAsset – zGenericAlbum join

Using this join, we can show a correlation between the Shared with You syndication media asset(s) and a conversation group identifier (phone number or email). In the above examples, these assets were automatically made visible in the Apple Photos (com.mobileslideshow) Camera Roll, because the device settings allowed it. However, during this research I observed many asset records within the SWYPL Photos.sqlite that were linked to phone numbers and emails but were not listed in the LPL Photos.sqlite. If you are analyzing media found within the syndication photo library file paths, as referenced in the first blog post, you might want to reanalyze the database with the updated queries.

The following screenshots illustrate what the data looks like on the device and how it corresponds to the database records depicted below. In the following screenshot you can see the items that contributed to generating the Shared with You syndication media files:

  • The message thread is a pinned message thread
  • The media file attachment has a reaction by the receiver (Scooter Scott)
  • Bandit’s iPhone X and Scooter Scott’s iPhone Xs were at the hockey game together
  • Their devices were recording the same location at the same time

Conclusion:

If you are a returning reader, you are aware my blogs can be a bit lengthy. This one is shorter and to the point. There is a lot more that could be written, but I believe this should allow others to replicate what was discovered. I have updated the Shared with You Syndication Photo Library Photos.sqlite queries on my GitHub. Local Photo Library Photos.sqlite queries will be updated in the next week or so. I hope this research and these queries help when analyzing Shared with You Syndication media files.
