rich4285

Visual timeline of phone activity

Every time I look at the data from a phone extraction there is something new, sometimes many things are new. The more we learn about the files, folders and databases that are stored on the phone, the more we are able to piece together exactly what the phone was doing. We can also say, with a high degree of probability, whether the user was actively using the phone or not. Granted, there are still some gray areas here, but in the example I am about to show we have a pretty good idea of what the user is doing on his phone.


I'm not going to go into the details as this is an ongoing case but it involves a 2-hour period of time. I was tasked to figure out the phone activity and present this in a visual format for the jury.


The prosecution in this case performed a full file system extraction of the phone. This consisted of an exact copy of all the files and folders that were on the phone.


DB Browser for SQLite was used to open knowledgeC.db. This file can be found at /private/var/mobile/Library/CoreDuet/Knowledge/knowledgeC.db. Selecting the ZOBJECT table displays a table that looks like the following figure.



I exported this table to Excel and converted the Apple Unix time to local date and time. I hid unneeded columns and added a column for my notes in order to make it more readable to the layperson. A section of it looks like the following figure.




From here we can use the Excel charting features to add a Gantt Chart. The following figure shows a portion of the 2-hour time frame. The phone activity items are shown on the left along the y-axis. The bars on the chart indicate the length of time that activity was active with the starting and ending times. Time is the x-axis with values shown along the top.


We can also get message data from the database sms.db found at /private/var/mobile/Library/SMS/sms.db. By synchronizing the time we can read the body of the messages and the participants. I did not display these on the chart for privacy purposes but in the exhibit proposed to the court the actual message is shown along the left side next to the "SMS App" item it correlates with.
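The workflow described above, as an added example rather than the spreadsheet from the post: read interval events from ZOBJECT in knowledgeC.db (ZSTREAMNAME, ZSTARTDATE, ZENDDATE, ZVALUESTRING, ZVALUEINTEGER), read messages from sms.db, convert the Apple timestamps (seconds since 1 January 2001 UTC in knowledgeC; nanoseconds since that epoch in message.date on recent iOS versions) to local time, merge both sources into one timeline, and emit rows in the start-plus-duration shape an Excel stacked-bar Gantt chart needs, together with a text rendering. The two in-memory databases, their rows, the phone number, the local time zone and the user-action labels are all constructed for the example; the real tables have many more columns than the few used here.

```python
"""Gantt-ready timeline from knowledgeC.db ZOBJECT rows and sms.db messages.
Added example: sample databases and rows below are CONSTRUCTED, not case data."""
import sqlite3
from datetime import datetime, timedelta, timezone

APPLE_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)  # Core Data / "Mac absolute" epoch
LOCAL_TZ = timezone(timedelta(hours=-5))  # assumed local zone of the device owner

# Analyst-assigned flags: which items imply a deliberate user action (not stored in the DB)
USER_ACTION = {
    "/device/isLocked": "user (unlock/lock)",
    "/app/inFocus": "user (app in foreground)",
    "/display/isBacklit": "ambiguous (screen lit by notification or user)",
}

def apple_to_local(seconds, tz=LOCAL_TZ):
    """knowledgeC ZSTARTDATE/ZENDDATE: seconds since 2001-01-01 UTC -> local datetime."""
    return (APPLE_EPOCH + timedelta(seconds=seconds)).astimezone(tz)

def sms_date_to_local(raw, tz=LOCAL_TZ):
    """sms.db message.date: nanoseconds since 2001 on iOS 11+, seconds on older versions."""
    return apple_to_local(raw / 1e9 if raw > 1e12 else raw, tz)

def load_knowledgec(conn):
    """Interval events from ZOBJECT; ZVALUESTRING holds the bundle id for /app/inFocus."""
    sql = """SELECT ZSTREAMNAME, ZVALUESTRING, ZVALUEINTEGER, ZSTARTDATE, ZENDDATE
             FROM ZOBJECT WHERE ZSTARTDATE IS NOT NULL ORDER BY ZSTARTDATE"""
    events = []
    for stream, vstr, vint, start, end in conn.execute(sql):
        if stream == "/device/isLocked":
            label = "Device locked" if vint == 1 else "Device unlocked"
        elif stream == "/app/inFocus":
            label = f"App in focus: {vstr}"
        elif stream == "/display/isBacklit":
            label = "Screen on" if vint == 1 else "Screen off"
        else:
            label = f"{stream} {vstr or vint}"
        events.append({"label": label, "start": apple_to_local(start),
                       "end": apple_to_local(end if end is not None else start),
                       "user": USER_ACTION.get(stream, "unknown")})
    return events

def load_messages(conn):
    """Point events from sms.db; handle.id is the other participant."""
    sql = """SELECT m.text, m.date, m.is_from_me, h.id FROM message m
             LEFT JOIN handle h ON h.ROWID = m.handle_id ORDER BY m.date"""
    events = []
    for text, date, from_me, handle in conn.execute(sql):
        t = sms_date_to_local(date)
        direction = "sent to" if from_me else "received from"
        events.append({"label": f"SMS App: {direction} {handle}: {text!r}", "start": t, "end": t,
                       "user": "user (message sent)" if from_me else "ambiguous (message received)"})
    return events

def build_timeline(kc_conn, sms_conn):
    """Merge both sources on the synchronized local clock."""
    return sorted(load_knowledgec(kc_conn) + load_messages(sms_conn),
                  key=lambda e: (e["start"], e["end"]))

def gantt_rows(events):
    """(label, start, duration in minutes, user flag): the columns a stacked-bar Gantt needs."""
    return [(e["label"], e["start"].strftime("%Y-%m-%d %H:%M:%S"),
             round((e["end"] - e["start"]).total_seconds() / 60, 2), e["user"]) for e in events]

def render_gantt(events, width=48):
    """Text Gantt: '#' bars for intervals, '|' for point events, scaled to the window."""
    t0, t1 = min(e["start"] for e in events), max(e["end"] for e in events)
    span = (t1 - t0).total_seconds() or 1
    lines = []
    for e in events:
        a = int((e["start"] - t0).total_seconds() / span * width)
        b = max(a + 1, int((e["end"] - t0).total_seconds() / span * width))
        bar = " " * a + ("|" if e["start"] == e["end"] else "#" * (b - a))
        lines.append(f"{e['label'][:40]:<40} {bar:<{width + 1}} {e['start']:%H:%M:%S}")
    return "\n".join(lines)

def constructed_databases():
    """CONSTRUCTED sample rows mimicking the real tables; times are offsets from 14:00 UTC."""
    base = (datetime(2023, 5, 10, 14, 0, tzinfo=timezone.utc) - APPLE_EPOCH).total_seconds()
    kc = sqlite3.connect(":memory:")
    kc.execute("""CREATE TABLE ZOBJECT (Z_PK INTEGER PRIMARY KEY, ZSTREAMNAME TEXT,
                  ZVALUESTRING TEXT, ZVALUEINTEGER INTEGER, ZSTARTDATE REAL, ZENDDATE REAL)""")
    kc.executemany("INSERT INTO ZOBJECT VALUES (NULL,?,?,?,?,?)", [
        ("/device/isLocked", None, 0, base, base + 600),
        ("/display/isBacklit", None, 1, base, base + 620),
        ("/app/inFocus", "com.apple.MobileSMS", None, base + 30, base + 200),
        ("/app/inFocus", "com.apple.mobilesafari", None, base + 200, base + 580),
        ("/device/isLocked", None, 1, base + 600, base + 3600),
    ])
    sms = sqlite3.connect(":memory:")
    sms.execute("CREATE TABLE handle (ROWID INTEGER PRIMARY KEY, id TEXT)")
    sms.execute("""CREATE TABLE message (ROWID INTEGER PRIMARY KEY, text TEXT, date INTEGER,
                   is_from_me INTEGER, handle_id INTEGER)""")
    sms.execute("INSERT INTO handle VALUES (1, '+15550100')")  # constructed number
    sms.executemany("INSERT INTO message VALUES (NULL,?,?,?,?)", [
        ("running late", int((base + 60) * 1e9), 1, 1),
        ("ok", int((base + 150) * 1e9), 0, 1),
    ])
    return kc, sms

if __name__ == "__main__":
    kc, sms = constructed_databases()
    timeline = build_timeline(kc, sms)
    for row in gantt_rows(timeline):
        print(row)
    print(render_gantt(timeline))
```

Against a real extraction you would point `sqlite3.connect` at copies of the two files and keep the time zone conversion in one place, since a mismatch between the knowledgeC seconds and the sms.db nanoseconds is the usual reason message bubbles land in the wrong place on the chart.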


The chart can also be filtered to add or remove items in order to present different views. For example, if one were only interested in when the device was locked and unlocked, we could show just that, simplifying the chart so it carries only the information of interest. In this case we needed to show all the phone activity.


The data we are analyzing is quite voluminous and complex but by using this method we can show a visual representation which can be understood by a layperson.


Some items we know require user intervention, such as a device unlock or a message sent. Some are not so clear, like clearing a notification or a message received. Determining user interactivity requires more in-depth analysis of the activity items and the requirements of the case.
