Posts

Life360

SELECT * FROM life360 WHERE alibi = FALSE; A Forensic Analysis of the Life360 Application in Android

Life360 is one of the most widely used family safety and location-sharing applications available on Android. It allows family members to share real-time locations, receive alerts when members arrive at or leave designated places, communicate through in-app messaging, and review historical location information. For digital forensic examiners, it can also become an unexpectedly rich source of evidence. After all, "I wasn't there" becomes a much harder argument when an app has been enthusiastically documenting your day.

According to the Google Play Store, Life360 includes features such as:

- Real-time location sharing
- Location history
- Place alerts
- Crash detection
- SOS alerts
- Emergency dispatch services
- Roadside assistance
- Identity theft protection
- Tile tracker integration

Life360 offers Free, Silver, Gold, and Platinum subscription plans that unlock ...

Glow & Behold

Glow & Behold Flashlight Artifacts in Apple’s Unified Logs

This blog is the work of my sister, Holly Charpentier, who did all the flashlight testing and artifact hunting 🔦. She’s the one who scrolled through endless Unified Logs, captured all the brightness level changes, and got way too excited about AVFlashlight entries. Basically, if there were a forensic merit badge for nerdy persistence, she’d earn it twice. Proud to share her work here — certified DFIR nerd and log whisperer!

Flashlight toggles may seem minor at first glance, but they can provide valuable context when reconstructing user behavior or validating key moments in a timeline. Whether you’re checking device usage during a critical timeframe or comparing activity to a statement, flashlight events can serve as corroborative details. Examples include:

- Was the phone actively in use at a specific time?
- Was the flashlight turned on at a location or time relevant to the case?
- Did device interactio...

LogTimeWarp

LogTimeWarp Tracking Date & Time Changes in Apple’s Unified Logs

From suspicious user activity to malware behavior or post-event tampering, a sudden change to a device’s system time can be a red flag. It may signal attempts to obscure file timestamps, alter log coherence, or reset application timers. Forensic validation often hinges on accurate time interpretation. When the system time is altered, even legitimate logs may appear misleading. That’s where the Unified Logs come in.

Date & time changes can be made by a device user by navigating to Settings > General > Date & Time. By toggling off Set Automatically, the date and time can be changed manually by the user.

The first step is extracting the Unified Logs. See Alexis Brignoni’s post on Extraction, Processing, & Querying Apple Unified Logs from an iOS Device here: https://abrignoni.blogspot.com/2025/05/extraction-processing-querying-apple.html

Once the Unified Logs are obtained the hu...

Snapchat Artifacts

iOS Snapchat

-user.plist-
- fs-full.zip/private/var/mobile/Containers/Data/Application/****Snapchat application ID****/Documents/user.plist
- Holds data about the local user such as username and user id.

-primary.docobjects database-
- fs-full.zip/private/var/mobile/Containers/Data/Application/****Snapchat application ID****/Documents/user_scoped/9ea0aafe276d670e1a5155f78ee18485aca8b9040982e579eef26be6bb39ad94/DocObjects/primary.docobjects
- Snapchat contacts can be found in this database.

-Arroyo.db-
- fs-full.zip/private/var/mobile/Containers/Data/Application/****Snapchat application ID****/Documents/user_scoped/9ea0aafe276d670e1a5155f78ee18485aca8b9040982e579eef26be6bb39ad94/arroyo/arroyo.db
- The message content is stored in the conversation_message table.
- Each conversation has a client_conversation_id.
- The message is located in the message_content column.

...