Authors: Luke Jennings, Matthew Sorell, Hugo G. Espinosa

DFRWS EU 2023

Abstract

Smart fitness tracking devices are becoming more prevalent in criminal investigations. The Apple Health database for Apple Watch and iPhone fitness activity contains a diverse range of digital traces such as exercise or location information. In this paper, we provide an explanation of the database structure and an SQLite query-based approach that gives as complete an overview of the database structure as possible. We extract and link time zones to timestamps and limited geo-coordinate data to workout activity, in the context of case studies using a rich 5+ year long real database of one of the authors. Additionally, we investigate the impacts of a major iOS change with iOS 16 on these insights to deepen the understanding of the data at hand. We found that geolocation coordinates, time zone entries, and workout information may not necessarily be accurate or consistent and require contextual interpretation. We demonstrate the forensic value of the database in the context of informing an investigation by establishing context to a victim’s or suspect’s activities.
