“Screen time” is something we all wrestle with in our daily lives. Questions I often field include, “How frequently do you look at screens?” “Is our constant use of digital devices hindering our ability to communicate face to face as social beings?” And my favorite, “How much screen time do you allow your children to have, Heather?”

The answer to the last question isn’t one my children like because I limit their screen time. To make your jobs easier, I’d also like to minimize the time you spend examining iOS devices by using the Screen Time setting as a shortcut to gather valuable information quickly.

Why Use Screen Time?

Screen Time keeps track of all application usage on iOS devices. It helps us understand where we spend most of our time and on which applications. We can set controls and reminders, and restrict access to applications, people, and content during certain periods by requiring an additional password to gain access.

Screen Time as displayed on the iPhone

These iOS devices keep track not only of what you did today, but what you have been doing historically as well. Why is this helpful to forensic examiners?

Because we now have a way to look at a device and determine which applications were used at specific times. We can see if the user entered a passcode to get into the device. Now we can determine when someone was logged into an iOS device and what specific application they were using.

If you use a tool like Cellebrite Physical Analyzer (PA), you can also determine how long they were using that specific application. Application data is huge in digital forensic investigations and this little tidbit of evidence is powerful when it’s parsed correctly.

Locating the Artifacts

Before we look at how the data is parsed from Screen Time, it’s important that you understand the file that tracks this useful information. The path for the file that tracks Screen Time is /private/var/mobile/Library/Application Support/com.apple.remotemanagementd/RMAdminStore-Local.sqlite. Make sure any tool you use also parses the RMAdminStore-Local.sqlite-wal file. PA makes this easy because it reveals the source information.

Source information from Cellebrite Physical Analyzer

When you open the database, which I recommend you do to validate the parsing, you will see that there are two primary tables of interest. The first, ZUSAGETIMEDITEM, contains the application information.

SQLite View in Cellebrite Physical Analyzer

The second table of interest is ZUSAGEBLOCK. This table has all the dates and times we need to get a clear understanding of which applications the user was using and when.

SQLite View in Cellebrite Physical Analyzer

Understanding the source file and where the information is stored is key in having control to validate and verify source information. PA makes it easy by providing the source with one click.
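The sketch below is an added example, not part of the original article or Cellebrite's code. It counts rows in ZUSAGETIMEDITEM and ZUSAGEBLOCK from working copies opened with and without the -wal file, so you can see what a parser that ignores the WAL would miss, and it hashes the evidence file before and after. The function names, the constructed sample database, and its placeholder column `note` are assumptions made for illustration.

```python
import hashlib, shutil, sqlite3, tempfile
from pathlib import Path
TABLES = ("ZUSAGETIMEDITEM", "ZUSAGEBLOCK")  # the two tables of interest

def sha256(path):
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()

def row_counts(evidence_db, with_wal):
    """Count rows per table in a throwaway copy, with or without the -wal file."""
    evidence_db = Path(evidence_db)
    with tempfile.TemporaryDirectory() as work:
        copy = Path(work) / evidence_db.name
        shutil.copy2(evidence_db, copy)
        wal = Path(str(evidence_db) + "-wal")
        if with_wal and wal.exists():
            shutil.copy2(wal, str(copy) + "-wal")  # SQLite rebuilds -shm itself
        conn = sqlite3.connect(copy)  # writes land in the copy, never the evidence
        try:
            return {t: conn.execute(f'SELECT COUNT(*) FROM "{t}"').fetchone()[0]
                    for t in TABLES}
        finally:
            conn.close()

def compare(evidence_db):
    """Show what a WAL-blind parser misses and confirm the evidence is untouched."""
    before = sha256(evidence_db)
    result = {"db_only": row_counts(evidence_db, False),
              "db_plus_wal": row_counts(evidence_db, True)}
    result["evidence_unchanged"] = sha256(evidence_db) == before
    return result

def build_constructed_sample(folder):
    """Constructed stand-in database; 'note' is a placeholder column, not Apple's."""
    db = Path(folder) / "RMAdminStore-Local.sqlite"
    conn = sqlite3.connect(db)
    conn.execute("PRAGMA journal_mode=WAL").fetchall()
    for t in TABLES:
        conn.execute(f'CREATE TABLE "{t}" (id INTEGER PRIMARY KEY, note TEXT)')
        conn.execute(f'INSERT INTO "{t}" (note) VALUES (?)', ("checkpointed",))
    conn.commit()
    conn.execute("PRAGMA wal_checkpoint(TRUNCATE)").fetchall()
    conn.execute('INSERT INTO "ZUSAGEBLOCK" (note) VALUES (?)', ("wal only",))
    conn.commit()
    return db, conn  # keep conn open: closing it would checkpoint the WAL away

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        db, conn = build_constructed_sample(d)
        print(compare(db))
        conn.close()
```

On real evidence, point compare() at an extracted copy of RMAdminStore-Local.sqlite with its -wal file alongside; a difference between the two counts is the usage data that exists only in the WAL.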

Easy on Your Eyes

PA combines all relevant information from multiple sources and tables to make the view clear. Screen Time keeps track of all application usage. This is where human behavior comes into play and will impact the results.

If the phone is idle for long periods of time, you don’t want to see results that make it appear as if the application was in use when it wasn’t. Cellebrite has determined the process for how application usage is tracked.

PA decodes the “start time” and “end time” of the application, so you can see the actual amount of time the application was in use. PA goes beyond simply showing the start time and total time, which eliminates all the mathematical guesswork for you if you don’t know the windows of time.

To view the parsed Screen Time data in PA, navigate to the Application Usage data model.

Cellebrite Physical Analyzer Screen Time

From there, you can sort, filter, keyword search, create a timeline, and more—just on Screen Time artifacts. In this example, I filtered the Source file information and made sure that my columns of interest were shown. By doing so, we can see the following:

  • Identifier: The application that Screen Time is tracking.
  • Active Time: The amount of time the application was in use during the window.
  • Start Time: The start time of application usage (beginning of the window).
  • End Time: The end time of the application usage (when the window closed).

Conclusion

Cellebrite Physical Analyzer is a great tool for parsing mobile data. While no tool is perfect, it’s great when one is as thorough as PA and gives you the ability to verify results while staying inside the tool.

From my experience, some tools just plot the database content without making it readable for the user. At Cellebrite, we not only care that you have a tool that works effectively and efficiently, but a tool that enables you to focus on what matters most so you don’t waste time.
