abrignoni / iLEAPP

iOS Logs, Events, And Plist Parser
MIT License

Apple Watch support #578

Closed upintheairsheep2 closed 11 months ago

upintheairsheep2 commented 11 months ago

Apple Watch devices are everywhere now and they contain evidence such as health data, audio levels, messages, emails, settings, photos, and more, synced from a phone or generated by the watch itself. Let’s say either A1, a criminal, or A2, a person who has died in a car crash, has their phone but refuses to unlock it, with modern encryption-breaking tech failing due to the modernity of the device, and in both scenarios they do not back up their phones to iCloud or any computers, leaving their phone data either lost or physically damaged. Their watch can hold valuable heart rate and noise level data to determine when “action” happened. A robbery or a car crash has both. Health data on iOS is supported but not on watchOS yet. There is some information given on where the data is on CheckRainable models.

https://dfir.pubpub.org/pub/xqvcn3hj

However, backup analysis of iOS via iTunes and iCloud shows that these backups contain a folder called DeviceRegistry with the Apple Watch backup.

https://subscription.packtpub.com/book/security/9781786464200/6/ch07lvl1sec53/the-apple-watch

Apparently Apple Watch (as well as Apple TV!) dumps can be processed via iLEAPP already, however only by themselves. There should be a way to process Apple Watch backups on iTunes and iCloud backups. I don’t know if we should merge them with iPhone processed data or add them by themselves. Apple Watch can also have multiple backups on one iOS device similar to Time Machine. Apple Watch backups can maybe be provided as a flag to the iLEAPP tool to process Watch backups rather than iPhone backups, or certain watchOS-exclusive data such as watchOS apps, Apple Watch Settings, Apple Watch Photo Sync, Apple Watch Faces, and Apple Watch Battery could be added to the main iLEAPP on default, or an entire category filled with all watchOS data in the bottom of the list called “Apple Watch” could be added.

https://blog.elcomsoft.com/2019/06/apple-watch-forensics-02-analysis/

This is a more in-depth analysis of Apple Watch backups, but anyone with an Apple Watch should donate their backups here. I tried to back up my iPhone twice to get the backups, but long story short, I almost lost all of my data to the “low storage respring loop” bug twice; the first time was solved by a force reboot and the second time I had to use the Control Center Wi-Fi settings to offload Keynote.

But a proper example Apple Watch backup should include sample data and sample settings from all built in apps, from heart rate to mail to mindfulness to Memoji to photos. Remember that Timer, Stopwatch, World Clock, Compass, and Alarm data should be added as well, and put a few watch faces including ones that include user photos. Third-party apps including WatchTube (YouTube client for Apple Watch that requires the watchOS App Store to install and includes Search History, Recommendations, (video) Watch History, and Like History), Mu Browser, WatchApp Plus, Nano For Reddit, Tik Watch, and optional investigation of miscellaneous apps that have no iPhone client app and are free: Digital Time, Hangman WatchKit App, HeartRand, Memory Moves, MonthDay, Now Playing+, Pingo Watch, RHR Tracker, SubwayStats, TubeStats, The Habit Trainer WatchKit App, Watch Health Logger, WatchMoji, Weeks, WorkWork Watch, and WristSteps.

This does kind of sound like a “process every piece of software available without providing any sample data” post but the list of apps was just to have a backup filled with said sample data. This post is mainly to provide separate parsing of Apple Watch backups from greater iPhone backups. I have provided detail on which database files are where and have said that most work is already completed, and you may possibly only add small artifacts like compass waypoints for example.
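The post above says that an iTunes/iCloud iOS backup carries the watch's data under a DeviceRegistry folder and that one phone can hold several watch backups. The following script is an added illustration of how an examiner could enumerate those per-watch folders from the backup's Manifest.db (the SQLite index that maps each stored file to its domain and relative path); it is not iLEAPP's own code and not taken from the issue. It builds a constructed in-memory Manifest.db with invented rows, so the domain name, the UUID-style folder names and the file names under DeviceRegistry are assumptions; only the DeviceRegistry folder name comes from the post. The SHA-1 file naming and the `Files` table columns are the documented iOS backup layout.

```python
import hashlib
import sqlite3
from collections import defaultdict


def file_id(domain: str, relative_path: str) -> str:
    """iOS backups store each file under the SHA-1 of "<domain>-<relativePath>"."""
    return hashlib.sha1(f"{domain}-{relative_path}".encode("utf-8")).hexdigest()


def build_sample_manifest() -> sqlite3.Connection:
    """Constructed stand-in for Manifest.db: same Files table shape, invented rows.

    flags: 1 = regular file, 2 = directory (as in real Manifest.db).
    The HomeDomain placement and the files inside each watch folder are assumptions.
    """
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE Files (fileID TEXT PRIMARY KEY, domain TEXT, "
        "relativePath TEXT, flags INTEGER)"
    )
    watch_a = "11111111-AAAA-4BBB-8CCC-000000000001"  # constructed watch backup id
    watch_b = "22222222-AAAA-4BBB-8CCC-000000000002"  # constructed watch backup id
    rows = [
        ("HomeDomain", "Library/SMS/sms.db", 1),
        ("HomeDomain", "Library/DeviceRegistry/index.plist", 1),  # not inside a watch folder
        ("HomeDomain", f"Library/DeviceRegistry/{watch_a}", 2),  # directory entry, skipped
        ("HomeDomain", f"Library/DeviceRegistry/{watch_a}/settings.plist", 1),
        ("HomeDomain", f"Library/DeviceRegistry/{watch_a}/Health/heartrate.db", 1),
        ("HomeDomain", f"Library/DeviceRegistry/{watch_b}/settings.plist", 1),
        ("CameraRollDomain", "Media/DCIM/100APPLE/IMG_0001.JPG", 1),
    ]
    conn.executemany(
        "INSERT INTO Files VALUES (?, ?, ?, ?)",
        [(file_id(d, p), d, p, f) for d, p, f in rows],
    )
    conn.commit()
    return conn


def find_watch_backups(conn: sqlite3.Connection, marker: str = "DeviceRegistry") -> dict:
    """Group regular files by the watch-backup folder directly beneath `marker`.

    Returns {watch_backup_folder: [(relativePath, on_disk_backup_path), ...]}
    where on_disk_backup_path is the "xx/<sha1>" location inside the backup dir.
    """
    groups = defaultdict(list)
    cur = conn.execute(
        "SELECT fileID, domain, relativePath FROM Files "
        "WHERE relativePath LIKE ? AND flags = 1",
        (f"%{marker}/%",),
    )
    for fid, _domain, rel in cur:
        parts = rel.split("/")
        if marker not in parts:
            continue  # marker only matched as a substring of another component
        idx = parts.index(marker)
        if idx + 1 >= len(parts) - 1:
            continue  # file sits directly under the marker, no per-watch folder
        groups[parts[idx + 1]].append((rel, f"{fid[:2]}/{fid}"))
    return dict(groups)


if __name__ == "__main__":
    for watch, files in find_watch_backups(build_sample_manifest()).items():
        print(f"watch backup {watch}: {len(files)} file(s)")
        for rel, stored in files:
            print(f"  {rel}  ->  {stored}")
```

Pointing `find_watch_backups` at a real backup would mean opening its Manifest.db with `sqlite3.connect` instead of the constructed one; the grouping logic is unchanged, and the returned `xx/<sha1>` paths are where the files sit on disk for a parser to open.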

abrignoni commented 11 months ago

This is not an issue with the repository.