Where Apple Maps stores its artifacts has changed across iOS versions. Up until iOS 7, the History.mapsdata file was leveraged for Apple Maps artifacts. This file was located at /private/var/mobile/Containers/Data/Application/<Apple_Maps_GUID>/Library/Maps/History.mapsdata.
For iOS 8 through iOS 11, the updated Apple Maps storage file was GeoHistory.mapsdata. This file is located in /private/var/mobile/Containers/Data/Application/<Apple_Maps_GUID>/Library/Maps/GeoHistory.mapsdata. Notice the top image contains both GeoHistory.mapsdata and History.mapsdata; this is because the user upgraded to iOS 11 from iOS 7. Even a gradual upgrade will show these artifacts. Finding traces like this is helpful to profile how long the device user has been using iOS.
There were inconsistencies in iOS 10: sometimes the GeoHistory.mapsdata file was present, sometimes it was used by Apple Maps, and often it was there but just not leveraged. This left us wondering where the artifacts were being stored. Everything depended on how iOS 10 ended up on the device. Was it purchased with that version? Upgraded from a previous version? Or possibly a jailbroken device? For more details on this, read the blog by Heather Mahalik on “How the Grinch Stole Apple Maps”. [1]
Since iOS 10, we may only be able to recover Apple Maps data from iCloud. This data may not be pulled via an iCloud backup, but instead by accessing the synced data in iCloud. These methods will be shown in Section 4. Also, the GeoHistory.mapsdata file may be missing from any iOS image running 11.2.6 or later. Read the blog article by Heather Mahalik called “First the Grinch and Now the Easter Bunny! Where Is Apple Maps Hiding?” [2] To make matters even more confusing, GeoHistory.mapsdata is missing completely in iOS 12.
iOS 14 made another change, which is still present in iOS 15: a new file, /private/var/mobile/Containers/Shared/AppGroup/group.com.apple.Maps/Maps/MapsSync_0.0.1, was introduced (note that there may be various numbers at the end of the filename). At the time of writing this material, it was not supported by any tools. Thus, we created a query for you and Adrian Leong wrote a script. [3] Adrian’s script was based on Heather Mahalik’s initial research on iOS 14. [4]
Bottom line, don’t assume you cannot parse Apple Maps data. You have to know where to look for it. Please refer to your cheat sheet and class poster to remember these key files.
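A triage sketch for the file locations listed above, added here as an example; it is not the course query or Adrian Leong's script. It assumes the argument is the root of an extracted full file system that keeps the /private/var/... layout, and the function names are hypothetical.

```python
from pathlib import Path

# Locations as listed on this page, relative to the root of an extracted
# full file system; "*" stands in for <Apple_Maps_GUID>.
APP_MAPS = "private/var/mobile/Containers/Data/Application/*/Library/Maps"
GROUP_MAPS = "private/var/mobile/Containers/Shared/AppGroup/group.com.apple.Maps/Maps"

# (artifact name, glob pattern, iOS versions the page ties it to)
ARTIFACTS = [
    ("History.mapsdata", f"{APP_MAPS}/History.mapsdata", "up to iOS 7"),
    ("GeoHistory.mapsdata", f"{APP_MAPS}/GeoHistory.mapsdata", "iOS 8 through iOS 11"),
    # The end of the MapsSync filename varies, so match it by prefix.
    ("MapsSync", f"{GROUP_MAPS}/MapsSync_0.0.1*", "iOS 14 and iOS 15"),
]


def find_maps_artifacts(root):
    """Return one record per Apple Maps file found under an extraction root."""
    hits = []
    for name, pattern, era in ARTIFACTS:
        for path in sorted(Path(root).glob(pattern)):
            if path.is_file():
                hits.append({"name": name, "era": era,
                             "path": path.relative_to(root).as_posix(),
                             "size": path.stat().st_size})
    return hits


def interpret(hits):
    """Turn the set of files found into the triage notes this page gives."""
    names = {h["name"] for h in hits}
    notes = []
    if {"History.mapsdata", "GeoHistory.mapsdata"} <= names:
        notes.append("both legacy files present: device was upgraded from iOS 7 or earlier")
    if "GeoHistory.mapsdata" in names:
        notes.append("GeoHistory.mapsdata present: on iOS 10 it may exist unused, check contents")
    if "MapsSync" in names:
        notes.append("MapsSync file present: iOS 14 or later storage")
    if not names:
        notes.append("no on-device Apple Maps files: look at iCloud synced data")
    return notes


if __name__ == "__main__":
    import sys
    found = find_maps_artifacts(sys.argv[1] if len(sys.argv) > 1 else ".")
    for hit in found:
        print(f'{hit["name"]:22} {hit["size"]:>10}  {hit["path"]}')
    for note in interpret(found):
        print("note:", note)
```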
References:
[1] https://www.for585.com/grinch (iOS 10 blog)
[2] https://www.for585.com/easter (iOS 12 blog)
[3] https://for585.com/monkey14 (iOS 14 script)
[4] https://for585.com/ios14blog (iOS 14 blog)
Elcomsoft Phone Breaker, which will be covered in more detail in Section 4, has the capability to pull data synced with iCloud. This includes Apple Maps! This may be your only chance to recover these artifacts, as they are the current searches conducted in Apple Maps. For more information on this tool, stay tuned for Section 4.