Authors: Mike Williamson (Magnet Forensics) and Sab Strong (Magnet Forensics)

DFRWS USA 2021

Abstract

How a subtle inconsistency in iOS PowerLog led to a discovery about the very nature of clocks, precision timing and their impact on forensic investigations with Apple devices. In the widely accepted interpretation of timestamps within the iOS PowerLog database, a quirk exists wherein an offset must be applied to resolve the accurate value.

This presentation will show how we leveraged open-source reverse engineering tools to shine a light on the inner workings of several Apple PrivateFrameworks and the actual code responsible for maintaining the PowerLog database. We will demonstrate how we deciphered the story of record creation by observing the inner workings of the relevant methods (including the examination of call traces and kernel-level method invocations), highlighting what these timestamps really mean and the ‘why’ behind them.
