iOS maintains records of process executions and their respective network usage in two SQLite database files called “DataUsage.sqlite” and “netusage.sqlite” which are stored on the device.
record of Apple IDs seen by each installed application in a plist file located at /private/var/mobile/Library/Preferences/com.apple.identityservices.idstatuscache.plist
We already have parsers for these file formats so I suppose what we need is some test data to figure out the schema
Context: https://www.amnesty.org/en/latest/research/2021/07/forensic-methodology-report-how-to-catch-nso-groups-pegasus/#_ftn1
iOS maintains records of process executions and their respective network usage in two SQLite database files called “DataUsage.sqlite” and “netusage.sqlite” which are stored on the device.
record of Apple IDs seen by each installed application in a plist file located at /private/var/mobile/Library/Preferences/com.apple.identityservices.idstatuscache.plist
We already have parsers for these file formats so I suppose what we need is some test data to figure out the schema