Blog

Photos.sqlite Query Documentation & Notable Artifacts

As many of you are aware, I recently updated my Photos.sqlite queries. Since releasing the different query iterations, I have received several questions about how I was able to decode the data included in the queries. That’s a great question! I also noticed several questions being posted to the listservs and DFIR Discord about theContinue reading “Photos.sqlite Query Documentation & Notable Artifacts”

Photos.Sqlite Queries

Hello everyone! Back in August 2020, I wrote a blog “Using Photos.Sqlite to show the relationships between photos and the application they were created with?” which was posted on Heather Mahaliks’ blog, https://smarterforensics.com/. The writeup was eventually sent to DFIR Review (https://dfir.pubpub.org/pub/v19rksyf/release/1) and published on their website. This is a follow-up to the aforementioned blogContinue reading “Photos.Sqlite Queries”

iPhone Device Speeds via Cache.sqlite > ZRTCLLOCATIONMO table

Have you ever wanted to know how fast a vehicle or person was traveling at a particular time? Have you considered acquiring iPhone data to answer that question? The material in this blog will help to provide some tools and methods for answering these questions. We know from previously published research that Apples iOS CoreContinue reading “iPhone Device Speeds via Cache.sqlite > ZRTCLLOCATIONMO table”

iOS Location Services and System Services ON or OFF?

Awhile back, I, started working on some research whether the device speed recorded in an iPhone database could be considered reliable evidence for how fast a device was traveling. I was going to discuss some device settings in the blog, but quickly learned the Location Services and System Services settings should be discussed in aContinue reading “iOS Location Services and System Services ON or OFF?”

iOS Settings Display Auto-Lock & Require Passcode

Forensic Question: A classmate of mine contacted me and posed a question, “Where in an iPhone extraction is the Display Auto-Lock setting stored?” Thanks, Tyler Wuestenhagen, for posing the question and getting me thinking. I did a little research, like reviewing the SANS FOR585 poster and class notes, but could not find the easy answer.Continue reading “iOS Settings Display Auto-Lock & Require Passcode”

Introduction

Hello Everyone, My name is Scott Koenig. I have been working in law enforcement for more than 15 years. In 2016, I decided it would be a good idea to become a digital forensic examiner. Since that time, I have attended several hours of training and earned several levels of certifications, but nothing has taughtContinue reading “Introduction”


Follow My Blog

Get new content delivered directly to your inbox.