Identifying File-to-Album Correlation Using iOS Photos.sqlite
Special guest: Shafik G. Punja, IR
In this episode, Shafiq will discuss iOS Photos.sqlite in regard to file-to-album correlation and a reverse-engineering case study regarding an APT attacker.
When you open up the photo’s app on an iOS device, you’ll see the default albums, non-default albums, third-party app albums, and user-created albums displayed.
Shafiq will discuss a scenario where:
- Four screenshots are located in an album called “evidence” in the Photos default app
- Full-file-system (FFS) extraction of iPhone 8 on iOS 12.1.2 obtained by a digital forensics examiner
- Second digital forensics examiner assigned file weeks later
The reference source of methods to apply can be found here.
You can view “iOS Photos SQLite File to Album Correlation.pdf” here.
The easiest part of the analysis was identifying the photographs involved in the case, which were screenshots taken be the victim. The challenge was that Shafiq didn’t have the ability at the time of the investigation to correlate certain pictures to a specific album.
Listen to the podcast to find out how the database ZGENERIALBUM table was used to discover insights.