Glow & Behold

Glow & Behold

Flashlight Artifacts in Apple’s Unified Logs

This blog is the work of my sister, Holly Charpentier, who did all the flashlight testing and artifact hunting 🔦. She’s the one who scrolled through endless Unified Logs, captured all the brightness level changes, and got way too excited about AVFlashlight entries. Basically, if there were a forensic merit badge for nerdy persistence, she’d earn it twice. Proud to share her work here — certified DFIR nerd and log whisperer!

Flashlight toggles may seem minor at first glance, but they can provide valuable context when reconstructing user behavior or validating key moments in a timeline. Whether you’re checking device usage during a critical timeframe or comparing activity to a statement, flashlight events can serve as corroborative details.

Examples include:

  • Was the phone actively in use at a specific time?
  • Was the flashlight turned on at a location or time relevant to the case?
  • Did device interaction continue after an incident was reported?

Even isolated flashlight activity can indicate user presence and intention when few other events are logged nearby.

The flashlight icon can be accessed in the iPhone’s Control Center.

Clicking on the flashlight icon will toggle the flashlight on and off.

A long press on the flashlight icon will give the user the capability to control the brightness of the flashlight. There are 5 levels of brightness including off.

Like my previous blog, it is important to point out that the first step is extracting the Unified Logs. See Alexis Brignoni’s post on Extraction, Processing, & Querying Apple Unified Logs from an iOS Device here: https://abrignoni.blogspot.com/2025/05/extraction-processing-querying-apple.html

The main artifact that I was on the hunt for this time was anything related to the usage of the flashlight.

Seen below, the event message includes levels related to “AVFlashlight”. There are 5 different entries that represent the 5 different brightness options that are available to the user related to the Flashlight. During the testing, the flashlight brightness was moved up each level. The levels indicated in the logs are:

  • Level 0 = Off
  • Level 0.25 = 1st level of brightness
  • Level 0.5 = 2nd level of brightness
  • Level 0.85 = 3rd level of brightness
  • Level 1 = highest level of brightness
<<<< AVFlashlight >>>> -[AVFlashlight setFlashlightLevel:withError:]: called (0x301af3570) level 0
<<<< AVFlashlight >>>> -[AVFlashlight setFlashlightLevel:withError:]: called (0x301af3570) level 0.25
<<<< AVFlashlight >>>> -[AVFlashlight setFlashlightLevel:withError:]: called (0x301af3570) level 0.5
<<<< AVFlashlight >>>> -[AVFlashlight setFlashlightLevel:withError:]: called (0x301af3570) level 0.85
<<<< AVFlashlight >>>> -[AVFlashlight setFlashlightLevel:withError:]: called (0x301af3570) level 1

The brightness was then moved back down each level.

<<<< AVFlashlight >>>> -[AVFlashlight setFlashlightLevel:withError:]: called (0x301af3570) level 1
<<<< AVFlashlight >>>> -[AVFlashlight setFlashlightLevel:withError:]: called (0x301af3570) level 0.85
<<<< AVFlashlight >>>> -[AVFlashlight setFlashlightLevel:withError:]: called (0x301af3570) level 0.5
<<<< AVFlashlight >>>> -[AVFlashlight setFlashlightLevel:withError:]: called (0x301af3570) level 0.25
<<<< AVFlashlight >>>> -[AVFlashlight setFlashlightLevel:withError:]: called (0x301af3570) level 0

The flashlight was then toggled off and on numerous times.

Each toggle on shows level 0.25 (the level of brightness that the device was left at during the prior testing). Each toggle off has 2 entries for level 0.

Prior to each powering off event there is a [Flashlight Controller] coolDown event.

There are also [Flashlight Controller] Power Off events but none of the same entry type stating Power On.

There is also an artifact related to the way that the Flashlight was accessed.

[Flashlight Controller] turnFlashlightOnForReason: Control Center  
[Flashlight Controller] turnFlashlightOffForReason: Control Center

Putting all of this data surrounding access to the Flashlight together, you can see below how the artifacts come together and tell the story.

Happy Hunting!

Popular posts from this blog

Snapchat Artifacts

Image
iOS Snapchat -user.plist- - fs-full.zip/private/var/mobile/Containers/Data/Application/****Snapchat application ID**** /Documents/user.plist -holds data about the local user such as username and user id. -primary.docobjects database- - fs-full.zip/private/var/mobile/Containers/Data/Application/****Snapchat application ID**** /Documents/user_scoped/9ea0aafe276d670e1a5155f78ee18485aca8b9040982e579eef26be6bb39 ad94/DocObjects/primary.docobjects -Snapchat contacts can be found in this database -Arroyo.db -fs-full.zip/private/var/mobile/Containers/Data/Application//****Snapchat application ID**** /Documents/user_scoped/9ea0aafe276d670e1a5155f78ee18485aca8b9040982e579eef26be6bb39 ad94/arroyo/arroyo.db          - The message content is stored in the conversation_message table.          - Each conversation has a client_conversation_id.          - The message is located in the message_content column.      ...
Read more

Samsung Android Gallery-Deleted Photos

Image
 Samsung Android Deleted Gallery -Starting in Android 9, the user has the capability to restore deleted media files. -When a user deletes a media file, the media file is not immediately deleted. -It goes into trash and remains in the trash for 30 days. -The filename is changed upon deletion. -During this time the user can choose to permanently delete the file or restore it to its original location. -The deleted file specific to a Samsung device, will be parsed with forensic tools from: data\media\0\Android\data\com.sec.android.gallery3d\files\.Trash -Data about the file can be located in: data\data\com.sec.android.gallery3d\databases\local.db. -Looking in the local.db specifically, the trash table, contains information about the deleted media file. -The following columns contain data about the deleted files:            _absPath – The current path of the deleted file.            _Title – The current title of the deleted f...
Read more

Google Keep Notes

Image
___________Google Keep Notes_______________________________________ While working on a case recently, I came across the Google Keep Notes application installed and utilized on an Android mobile device. Both of the commercial parsing tools that I was using to analyze the data displayed the timestamps of the notes and the title of the notes but no note body was present in the parsed data.   So, I just check marked everything in the case created a Reader/Portable Case, and sent the data out. Because if the tool doesn’t parse it, it doesn’t exist, right? Wrong.   I followed the source file which is a SQLite database named keep.db. Inside of the database is a ton of additional data including the body of those notes!   How Google Keep Notes Work: Google Keep boasts the capability to add notes lists and photos to Google Keep. They have the capability to record a voice memo and Keep will transcribe it so you can find it later. The Google Keep notes are share...
Read more