iPhone Forensic Analysis of Database Files
- rich4285
- May 10
- 2 min read
Updated: May 12

The iPhone has tens of thousands of files, thousands of folders, and hundreds of databases. Sure, you can use Cellebrite or Magnet or other software to perform forensic analysis of the iPhone, but I have two problems with that. First, iPhone forensic software is quite expensive. Some companies are paying hundreds of thousands of dollars a year to maintain these software packages. The second problem is that none of these software packages obtains all the artifacts you may need. The phones' operating systems are constantly being upgraded, and files and databases are added, modified and deleted in each version. They simply can't keep up. But that's not really the problem I have. I like to deal with source information. Anything that gets in between the source and the result causes suspicion as data can get missed, manipulated, smoothed, averaged, etc. I have seen it over and over again in the 30+ years I have been analyzing cellular data with hundreds of software packages.
First, a full file extraction must be done on the phone, taking care to copy all of the data. The only way to do this is to have access to the full file system, which requires either a jailbroken iPhone or a rooted Android phone; otherwise an exploit has to be used to bypass the security features, or the memory has to be accessed with direct commands. Magnet and Cellebrite use these techniques to obtain the full file system.
Once I have the full file system, I don't need Magnet or Cellebrite. All the necessary data for forensic analysis is in the files. You just have to know where to look. I wanted to find all the database files that contained latitude and longitude values, so I started by doing some web research to see what others had done. I made a list of the files that others had found containing location information and started looking at the files one by one. This became time consuming, which is exactly why people use pre-canned software packages.
Call me a sceptic or call it based on experience, but I don't trust pre-canned software because it always misses things. So, with a little help from AI, I created a script that searches the entire file system for search terms that I define. If I input latitude and longitude, it searches the full file system and returns the database file, table name and columns that match the search terms, and indicates whether those columns actually hold numeric data. Within a few minutes you know exactly which files and tables to analyze for location information. Even if you use Cellebrite or Magnet or some other software, you should still confirm your results by looking at the source data.
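The kind of scan described above, written as an added example rather than the author's own script: it walks an extracted file system, identifies SQLite databases by their header rather than their file extension, opens each one read-only so the evidence is never modified, and reports every table column whose name matches a search term together with whether the stored values are numeric. The `demo()` function builds a small constructed database in a temporary directory; the table and column names in it are invented for the example and are not real iOS artifacts.

```python
import os
import sqlite3
import tempfile
from pathlib import Path

SQLITE_MAGIC = b"SQLite format 3\x00"  # 16-byte header of every SQLite 3 file

def is_sqlite_file(path):
    try:  # detect by header, not extension: extracted iOS files are not always named .db/.sqlite
        with open(path, "rb") as fh:
            return fh.read(16) == SQLITE_MAGIC
    except OSError:
        return False

def q(ident):  # quote names read from sqlite_master/PRAGMA so odd names cannot break the query
    return '"' + ident.replace('"', '""') + '"'

def column_is_numeric(conn, table, column):  # SQLite typing is dynamic: inspect stored values, not declared types
    sql = "SELECT COUNT(*) FROM {} WHERE typeof({}) IN ('integer','real')".format(q(table), q(column))
    return conn.execute(sql).fetchone()[0] > 0

def scan_tree(root, terms):  # report every (file, table, column) whose column name contains a search term
    terms, hits = [t.lower() for t in terms], []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if not is_sqlite_file(path):
                continue
            # mode=ro: never write to evidence; an implicit journal/WAL rollback would alter the artefact
            conn = sqlite3.connect(Path(path).resolve().as_uri() + "?mode=ro", uri=True)
            try:
                for (table,) in conn.execute("SELECT name FROM sqlite_master WHERE type='table'").fetchall():
                    for col in conn.execute("PRAGMA table_info({})".format(q(table))).fetchall():
                        if any(t in col[1].lower() for t in terms):
                            hits.append({"file": path, "table": table, "column": col[1],
                                         "numeric": column_is_numeric(conn, table, col[1])})
            except sqlite3.DatabaseError as exc:
                hits.append({"file": path, "error": str(exc)})  # corrupt or encrypted: record and keep scanning
            finally:
                conn.close()
    return hits

def demo():
    # Constructed location-style database in a temp directory; names and values are invented, not real iOS data
    root = tempfile.mkdtemp()
    conn = sqlite3.connect(os.path.join(root, "visits.sqlite"))
    conn.executescript("CREATE TABLE visits (id INTEGER, latitude REAL, longitude REAL, label TEXT);"
                       "INSERT INTO visits VALUES (1, 51.5074, -0.1278, 'constructed sample');"
                       "CREATE TABLE notes (id INTEGER, latitude_hint TEXT);"
                       "INSERT INTO notes VALUES (1, 'north of the river');")  # text value: flagged non-numeric
    conn.close()
    return sorted(scan_tree(root, ["latitude", "longitude"]), key=lambda h: (h.get("table", ""), h.get("column", "")))
```

Point `scan_tree` at the root of a full file system extraction with your own search terms; a hit whose `numeric` flag is false (like the `latitude_hint` text column in the demo) is a name match worth a look but not a coordinate column.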
Take a look at this short video that goes into this process in detail.