The blog discusses iCloud Shared Photo Library (SPL), introduced in iOS 16, highlighting its forensic implications. It covers how to determine SPL activity using Local Photo Library data and identifies key property lists and databases. Additionally, it offers insights into media sharing dynamics among participants and suggests tools for analysis.
Category Archives: Photos.Sqlite
iLEAPP Parsers & Photos.sqlite Queries
The text discusses updates to the iLEAPP project, focusing on the integration of Photos.sqlite queries into iLEAPP parsers for iOS versions 15 to 18. It details various parsers designed to extract and analyze photo-related artifacts, including data about basic asset records, albums, shared content, and adjustments made by users. These parsers are essential for forensic analysis of iOS photo data.
Update to Shared with You Syndication Media & Conversation Correlation
This update addresses a question regarding the correlation between Shared with You assets and conversation identifiers in the Apple iOS Photos.sqlite ZGENERICALBUM table. Through testing and research, previously overlooked data in the ZASSET and ZGENERICALBUM tables has provided a method of linking these assets to phone numbers or emails. This join applies to both the Local Photo Library and the Shared with You Syndication Photo Library. More details and updated queries are available on GitHub for further analysis.
Device Set-up – Transferring data to new iPhone & Effects to Photos.sqlite
This post provides an update on Local Photo Library (LPL) Photos.sqlite decoding in response to a DFIR Discord community member question. The update covers artifacts related to data transfer between Apple devices during setup and includes analysis of Photos.sqlite and insights into Apple Quick Start Transferring Data. The researcher also discusses the impact of their findings and the need for further testing.
Do you have a Full-Sized Asset…or just a Thumbnail? Did Optimized iPhone Storage process occur?
Hello everyone! During previous research, I’ve mentioned a few times that my test devices were using the Apple Photos application setting Optimize iPhone Storage in lieu of Download and Keep Originals setting. I’ve used this setting in the past because most devices I’ve encountered are using this setting. I’ve always had a curiosity about theContinue reading “Do you have a Full-Sized Asset…or just a Thumbnail? Did Optimized iPhone Storage process occur?”
Part B Filling a device internal storage for Optimize iPhone Storage Research
Part B Filling a device internal storage for Optimize iPhone Storage testing If you are reading this portion of the write-up about iCloud Photos and Optimize iPhone Storage, congratulations you have fell headfirst into the rabbit hole!! This is a good thing! More than likely, you’re asking yourself questions like why in the heck didContinue reading “Part B Filling a device internal storage for Optimize iPhone Storage Research”
Photos.sqlite ZINTERNALRESOURCE Table Reference Guide
This reference guide was built as a part of some research and testing I performed looking into the Photos.sqlite ZINTERNALRESOURCE table. During the research, I was able to interpret most of the values I encountered, but I was not able to decode everything. Additional research and testing are required. I will continue to update thisContinue reading “Photos.sqlite ZINTERNALRESOURCE Table Reference Guide”
Shared with You Syndication Photo Library – Message Attachments & Linked Assets
The Shared with You is a new feature that has been discussed within Apple Worldwide Developers Conference (WWDC) videos and other developer videos. Generally, the comments made indicate that within iOS and other Apple Operating Systems this feature will allow a user to easily view and interact with links that have been shared by otherContinue reading “Shared with You Syndication Photo Library – Message Attachments & Linked Assets”
How to find iOS Hidden Assets
Hello again! There has been a lot of discussion and curiosity about the recent news that iOS 16 will have an enhanced Hidden assets feature. According to the press releases, this feature will allow a user to lock hidden assets behind the device Passcode, Touch ID, and/or Face ID. The question I believe most ofContinue reading “How to find iOS Hidden Assets”
Local Photo Library Photos.sqlite Query Documentation & Notable Artifacts
As many of you are aware, I recently updated my Photos.sqlite queries. Since releasing the different query iterations, I have received several questions about how I was able to decode the data included in the queries. That’s a great question! I also noticed several questions being posted to the listservs and DFIR Discord about theContinue reading “Local Photo Library Photos.sqlite Query Documentation & Notable Artifacts”
The Forensic Scooter 