iOS Location Mapping with APOLLO - I Know Where You Were Today, Yesterday, Last Month, and Years Ago!

August 21, 2019 in analysis, iOS, scripts

I added preliminary KMZ (zipped KML) support to APOLLO. If any APOLLO module’s SQL query has “Location” in its Activity field, it will extract the location coordinates in the column “Coordinates” as long as they are in Latitude, Longitude format (ie: 38, -77). These are more a less an upgrade/replacement from my previous iOS location scripts. (FYI: Those will not likely be updated further.)

You can find more details on the different modules and outputs here. The APOLLO output will also show counts of how many location data points were extracted from each module. An example from my own data contained 41,262 points! Due to the amount of data points and how applications like Google Earth might handle them I’ve decided to split them by module to be loaded separately. It’s not ideal, but my goal is not to crash Google Earth. (FWIW, I’m still working on other solutions, if you have experience in this area - drop me a line.) The most troublesome module (by a large magnitude) is routined_cache_zrtcllocationmo since it keeps track of extremely granular locations for about the last week. Mine had ~38,000 coordinates!

Let’s take a look at some examples! This data was collected on 07/18/2019 on iOS 12.1.1 to give you an idea on timeframe.

This one is from is from the routined_cloud_visit_inbound_start module. The earliest coordinate is from a few months prior from my trip to Amsterdam to teach FOR518 - Mac and iOS Forensic Analysis and Incident Response.

These are some of my “Significant Locations”, you can click on any coordinate and gather more detail. This is the same output that is captured in the APOLLO database or CSV file.

The next example is from routined_local_learned_location_of_interest_entry. Here you can see some of my travels since 2017! These contain the “Learned Locations of Interest”. You will probably see a bit more historical location data. Looks like I need to visit the middle of the US more!

Last but not least is the massive amount of data points from the routined_cache_zrtcllocatiomo module. This will show nearly exact, granular location for about the last week before collection. Here is my trip to Portland, OR for DFRWS! Not many guesses as to how I got to downtown Portland from the airport is there! (This is the module that produces many, many datapoints. It took patience with Google Earth to even get this screenshot, this is your warning.)

I hope this adds a bit of visual context to some of the APOLLO output, let me know if you have different ideas on how to represent some of this data! Pictures can certainly tell a story where it might otherwise get lost in the noise.

iOS 12 APOLLO Updates

May 15, 2019 in iOS, analysis, scripts

Many modules were updated to specially support iOS 12 including those below. Many were already available on iOS 12 (Powerlog, Passes, SMS, etc) without a jailbreak. As always, let me know if I missed something! Remember the ‘yolo’ option can always be used to attempt to get those entries if official support in the module has not been added.

KnowledgeC.db with new iOS streams!
- Siri Usage
- App “Usage” – Still researching on how this one is different that App in Focus. Perhaps background usage?
- ‘Do Not Disturb’ Mode

Routined - Looks like Apple changed the database schema to change/remove much of the location reverse geolocation protobuf BLOBs that were in the Cache.sqlite, Local.sqlite, Cloud.sqlite databases. Queries have been updated to account for this.

Still working on a few other queries like Screen Time as well as a few more programatic updates.

Script Update - Mac MRU Parser v1.5 - Added Volume Analysis Support and Other Stuff!

December 11, 2017 in analysis, scripts, update, osx, iOS

Get the script here!

Added volume analysis support for the following plists. These are not really MRUs but it could be damn useful to gather this info.

Sidebar List plist [10.12-] - /Users/<username>/Library/Preferences/com.apple.sidebarlists.plist
Favorite Volumes SFL2 - [10.13+] /Users/<username>/Library/Application Support/com.apple.sharedfilelist/com.apple.LSSharedFileList.FavoriteVolumes.sfl2
Finder Plist - /Users/<username>/Library/Preferences/com.apple.finder.plist
- I was parsing FXRecentFolders Key, I've added FXDesktopVolumePositions Key
- FXDesktopVolumePositions has a volume creation timestamp embedded into the "file" name for the volume (highlight in yellow below). This has been extracted and converted to human readable time (highlight in orange below).

Thanks to @4n68r for pointing out broke stuff (and for using the script!)

The ICNS Icon export function was also fixed.
Fixed support for some *.sfl2 files that were cranky and had no names.
Documentation/Spelling

Update to MacMRU Parser - Now with Microsoft Office Support!

August 15, 2016 in analysis, osx, scripts

I've updated my MacMRU parser script, located here: https://github.com/mac4n6/macMRU-Parser.

This update includes support for 'Most Recently Used' artifacts for Microsoft Office for Mac 2011 and 2016. I've also added a bit more error checking, so please let me know if you come across a plist that doesn't work or does not contain certain expected keys. It happens, I've run across a few myself - I can't explain why now, but I hope to look into it further.

While researching for this update I noticed something interesting. Microsoft Office used a binary plist format for the 2011 version of the software, but "downgraded" to an XML-based plist format in the 2016 version. Most of the time I see plists headed in the XML->Binary direction.

Got a MacMRU file that I don't parse? Please let me know!

I hope you find this script useful!

Script Update: Dump iOS Frequent Locations – Now with KML & CSV Output!

January 24, 2016 in iOS, scripts, update

Update Details

I have added some output options to the script – CSV and KML.

See a related post here - "Parsing iOS Frequent Locations"

The script can now be called with a ‘-output’ argument with the following options:

k – KML Output only
c – CSV Output only
e – Everything (KML and CSV)

Note: The verbose script output is still available from standard output.

Usage

python dump_freq_locs.py –output e <StateModel#.plist>

Updated script (v1.1) is available in GitHub

Output Examples

Example of the CSV output in Excel

Example of the KML output in Google Earth

Example of the KML output in Google ‘My Maps’