by Professor Matthew Sorell, CTO, Digital Forensic Sciences Australia Pty Ltd; Dusan Kozusnik, managing director at Compelson; and Luke Jennings, PhD candidate at the University of Adelaide.
In 2016 we assisted in the investigation of an Apple Watch worn by a murder victim. We understand this to be one of the first cases where the last moments of a victim were captured on a wearable device.
In 2019 we began researching the capabilities of these devices and the data they collect. We built a simulated stepping rig to which we attached an Apple Watch and we began experimenting… with some unexpected results.
By the time Covid hit and our workshops shut down in 2020, we had accumulated three years of data across an evolution of iPhones and Apple Watches, and just as importantly, the evolution of their respective firmware. Our first presentation of this work began as a short oral presentation for DFRWS APAC 2020, which was held virtually in 2021 due to Covid.
By 2022 our dataset had five years’ worth of health data and we had begun to really understand some of the intricacies involved with interpreting this rich dataset. We ran both a workshop and the CTF Rodeo for DFRWS APAC 2022. The CTF Rodeo acted as a scaffolded exercise which challenged participants to explore the health database and make meaningful and contextual interpretations.
The major takeaway from the CTF challenges was how overwhelming the dataset can be without guidance.
For example, one set of challenges we designed was about interpreting the location data inside the health database, which is stored in different ways, from GPS coordinates to timezone information, across several tables. Participants struggled to determine which of the various tables in the database was the best source of location data for answering the challenge.
Although that CTF has ended, we moved to hosting the challenges ourselves so that participants can attempt them year-round. In November 2022 we also presented this challenge to Interpol, at the Digital Forensics Expert Group Meeting in Gandhinagar, India.
These observations reinforced our research goals of demonstrating the potential of the Apple Health database for digital investigation. We then wrote a paper on “Interpreting the location data from the Apple Health database”, which was published and presented at DFRWS EU 2023 in Bonn, Germany.
In that paper we explored the five years’ worth of health data to track the user’s workouts across various locations around the world in the form of case studies. We showed that while the health database had numerous rowing workouts recorded, careful interpretation and analysis of these records revealed a pattern: these workouts were being performed in various local churches.
This observation led to the identification that the user is a church bell ringer and that this activity was being recorded by their Apple Watch, which allowed us to identify several other churches where the GPS data was not reliably accurate.
This year we continue the workshop from 2022, exploring the structure as well as the expected and unexpected data that can be found in this database. Since the previous workshop, the Apple Health database underwent a major upgrade with iOS 16, which altered many of the existing tables and added many new ones.
These new tables offer even more potential for interpreting this dataset. The key difference between now and the 2022 CTF is that instead of a competition, the CTF acts as more of a tutorial that we can use to guide participants through this rich dataset.
Join Luke, Matthew, and Dusan on Tuesday, 17 October for their “Wearables and Health Data Workshop.” Register to attend DFRWS APAC 2023 here.
L. Jennings, M. Sorell, DFRWS APAC 2022 Workshop: Apple Health Data, https://dfrws.org/presentation/apple-health-data/
M. Sorell, L. Jennings, Health Data CTF, https://healthdata.ctfd.io/
L. Jennings, M. Sorell, H. G. Espinosa, Interpreting the location data extracted from the Apple Health database, Forensic Science International: Digital Investigation 44 (2023) 301504