Attributing an activity and location to a person of interest within a timeline can be incredibly valuable to an investigation. For this to be done properly, native and non-native apps, as well as the iPhone database should be accessed to extract location data.

Now, with Cellebrite Physical Analyzer support for the iOS Apple Watch Health app (including other synced fitness apps like NikePlus), extracted location data can reveal even more precise information, right down to a user’s vital signs and how they may have changed in relation to activities performed.

When this deeper data is overlaid with information gathered from Apple’s Workout app, timestamped start locations can be attributed to activities. Activity confirmation data is essential for establishing accurate timelines of activities for a suspect, lead, or victim wearing an Apple watch.

It is important to emphasize the investigative value of this data as the Health app is a native app activated by default after setting up the Apple Watch and syncing it to an iPhone. Moreover, even if the Apple user has not completed the application setup, the Health app records the number of steps a wearer takes, and the measurement of the distance taken.

A case in Germany highlights the value that the Health app data can bring to an investigation as the data helped identify a murderer. After gaining access to a suspect’s iPhone, German authorities correlated the data from the Health app activity, categorized as “climbing stairs,” with the time the victim’s body was dragged down a river embankment.

Read more about how wearables are being used to solve homicides, missing person and illicit drug cases here.

Apple Watch Trends

As you can see below in Figure 1, the popularity of the Apple Watch continues to grow and outpace both the Fitbit and Samsung Watch contenders. On the heels of the latest Apple Watch Series 5 launch, interest spiked in September. A new baseline of “Apple Watch” search activity secured the Apple Watch as the market leader. With quickening adoption rates comes wider dissemination into public life leading to an increase of valuable data from the Health app and other synced third-party apps.

Figure 1. (source)

Apple Watch: Health App

Apple promises a more personal Health app as it consolidates data from the iPhone, Apple Watch, and third-party apps. Future versions will be able to calculate long-term trends and display a range of health metrics. For example, an unusual heart rate, whether too low or too high, will trigger alerts to the user.

Designed as a central personal health analytics control center, the Health app empowers users to review their daily and monthly activity history. Additional metrics and data record blood glucose levels, weight, heart rate, and even information about menstrual cycles.

Challenges of Deep Personal Data

For the duration of an activity, the Health app incrementally saves information to a database that updates every few seconds with samples of data until the activity stops. Each data sample has a start time and location, as well as activity-type category. At this point, the challenge becomes obvious as a multitude of data samples are recorded over weeks, months, or longer periods of time.

 

Health App: Data Aggregation

Below in Figure 2, you can see two data samples with the same data type “7.” One starts at 12:07:04 and ends at 12:17:04 while the other starts at 12:17:04 and ends at 12:27:04. This is the same activity that starts at 12:07:04 and ends at 12:27:04.

(Figure 2)

As you can see, manual aggregation of data can quickly become a drain on time and seem an impossible task as investigators try to distinguish activities and locations from a long list, see Figure 3.

(Figure 3)

To solve this challenge, Cellebrite Physical Analyzer aggregates the data to reduce the amount of review time that investigators must perform manually in order to isolate certain activities and establish their geolocation starting point.

How Start Location Artifacts are Generated and Stored

While start location artifacts are not generated natively by the Health app, they can come from apps that sync with the health_secure.sqlite database. One good example is the Activity app, which syncs the start locations of the user’s workouts using another native Apple Watch app called Workout.

Note: According to my tests, the Workout app won’t sync start locations unless the Activity app is installed on the iPhone. During the Apple Watch set up, all 3 apps are either downloaded or already present and then become synced to one another.

After syncing, these workouts get stored in the “samples” table in the health_secure.sqlite database. This table contains a field called “data_type,” which is a number that uniquely identifies the type of data sample stored. For our case, it turns out that type 79 means “workout,” so we can get the start and end timestamps of the activities, as seen below.

(Figure 4)

From the table’s metadata_keys and metadata_values you can parse latitude, longitude, weather, humidity, time zone, and more.

(Figure 5)

(Figure 6)

Note: The workout data only saves the start location of the workout.

At this point, you might be wondering what the “originates from” column that we parsed in the Cellebrite Physical Analyzer is. The answer is simple. The “originates from” column refers to the data that is stored and comes from the iPhone. See below:

(Figure 7)

Experiments

Test 1 – iPhone Data vs. Apple Watch Data for same activities:
While wearing both the iPhone and Apple Watch, I walked on a treadmill for about 20 minutes, and then went outside and walked about 400 meters. The two activities were recorded on the Health app. The first data activity stream was from the synced iPhone and the second was from the watch. The iPhone data lumped the treadmill and 400-meter walking activity data as one activity, whereas the Health App data from the Apple Watch was able to distinguish the two different activities.

Test 2 – Only the iPhone:
With only the iPhone in my pocket, I walked and then went for a bicycle ride for 3 kilometers. I then stopped and kept walking. Only my walking data was recorded but not my bike ride activity data.

Test 3: What happens if the iPhone is in airplane mode, but the Apple Watch is functioning?

The Apple Watch doesn’t sync with the Health app if the iPhone is in airplane mode. When the iPhone is turned on, it syncs with all the data that the Apple Watch saved up to that point.

Conclusion

The additional Apple Watch Health app data along with other third-party app data delivers better time, location, and activity log accuracy that can speed up time-to-evidence for faster case resolution. Cellebrite Physical Analyzer also makes it easy to identify whether the device data is generated from either from the iPhone or Apple Watch.

Upgrade to the latest Cellebrite Physical Analyzer version today.

Share this post