There are tons of locations that track application usage on iOS devices. Here is just a sampling. Your cheat sheet is full of files that track application usage, so make sure you refer to it. Some of the files included here are only available on jailbroken devices. All of the files below offer some form of application information, whether it be the file path, date used, date installed, date uninstalled, bundle ID, and more.

  •  Crash Logs from iOS Device

  •  /Library/Databases/DataUsage.sqlite

  •  /var/mobile/Library/com.apple.itunesstored/itunesstored2.sqlitedb

  •  /installd/Library/MobileInstallation/UninstalledApplications.plist: Full file system extraction required

  •  /installd/Library/Logs/MobileInstallation/*.log: Full file system extraction required

  •  /Library/Logs/mobile_installation_helper.log*

  •  /Library/Preferences/addaily.plist

  •  /Library/Keyboard/langlikelihood.dat

  •  /Library/FrontBoard/applicationState.db

  •  /Library/Application Support/com.apple.remotemanagementd/RMAdminStore-Local.sqlite - Screentime

  •  /Library/CoreDuet/Knowledge/KnowledgeC.db

A parser for the MobileInstallation logs, created by Alexis Brignoni, a former FOR585 student, is available here: https://github.com/abrignoni/iOS-Mobile-Installation-Logs-Parser

If you are lucky enough to have a jailbroken device, we recommend using his script! You can also use iLEAPP, which will parse these files. iLEAPP is available in your VM and is covered later in this section. APOLLO dives deep into knowledgec.db and is coming up later in this section.

Other files, like UninstalledApplications.plist and MobileInstallation/*, may only be available with a full file system dump, not an iTunes backup. The mobile_installation_helper.log will be available regardless, as will addaily.plist and langlikelihood.dat. All of the files listed in this slide add value to your examination if applications are a concern.

The /Library/com.apple.itunesstored/itunesstored2.sqlitedb stores apps that were downloaded via iTunes. This may contain traces of deleted applications. In the example in the slide, com.wunderground.weatherunderground was deleted by the user.
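As an added example (not course material, and not Alexis Brignoni's parser), the Python script below triages the paths listed above in an extraction: it reports which artifacts are present, hashes each file, flags the installd paths the notes say need a full file system dump, and lists the tables and row counts of SQLite files such as itunesstored2.sqlitedb without writing anything beside the evidence. It assumes the extraction root mirrors the device's /var/mobile tree with the installd tree copied beside it, and builds a constructed sample extraction for a dry run.

```python
# Added example, not course code; assumes the extraction root mirrors /var/mobile with the installd tree copied beside it.
import glob, hashlib, os, sqlite3, tempfile
from pathlib import Path

ARTIFACTS = [  # relative patterns taken from the list above
    "Library/Databases/DataUsage.sqlite",
    "Library/com.apple.itunesstored/itunesstored2.sqlitedb",
    "installd/Library/MobileInstallation/UninstalledApplications.plist",
    "installd/Library/Logs/MobileInstallation/*.log",
    "Library/Logs/mobile_installation_helper.log*",
    "Library/Preferences/addaily.plist",
    "Library/Keyboard/langlikelihood.dat",
    "Library/FrontBoard/applicationState.db",
    "Library/Application Support/com.apple.remotemanagementd/RMAdminStore-Local.sqlite",
    "Library/CoreDuet/Knowledge/KnowledgeC.db",
]
FULL_FS_ONLY = {p for p in ARTIFACTS if p.startswith("installd/")}  # per the notes above

def sqlite_tables(path):
    """Table name -> row count. mode=ro&immutable=1 keeps SQLite from writing a -journal
    or -wal beside the evidence; caveat: a pending -wal is not replayed in this mode."""
    con = sqlite3.connect(Path(path).resolve().as_uri() + "?mode=ro&immutable=1", uri=True)
    names = [r[0] for r in con.execute("SELECT name FROM sqlite_master WHERE type='table'")]
    counts = {n: con.execute('SELECT COUNT(*) FROM "%s"' % n.replace('"', '""')).fetchone()[0] for n in names}
    con.close()
    return counts

def triage(root):
    """Return (found, missing): found = dicts with pattern, path, size, sha256, tables,
    full_fs_only; missing = patterns with no match under root."""
    found, missing = [], []
    for pattern in ARTIFACTS:
        hits = [p for p in sorted(glob.glob(os.path.join(root, pattern))) if os.path.isfile(p)]
        missing += [] if hits else [pattern]
        for p in hits:
            data = Path(p).read_bytes()  # fine at these sizes; stream-hash a very large KnowledgeC.db
            tables = sqlite_tables(p) if data.startswith(b"SQLite format 3\x00") else {}
            found.append(dict(pattern=pattern, path=p, size=len(data), sha256=hashlib.sha256(data).hexdigest(),
                              tables=tables, full_fs_only=pattern in FULL_FS_ONLY))
    return found, missing

def make_sample_extraction():
    """Constructed stand-in for a real extraction: one SQLite database and one rotated log."""
    root = Path(tempfile.mkdtemp())
    (root / "Library/Databases").mkdir(parents=True); (root / "Library/Logs").mkdir(parents=True)
    con = sqlite3.connect(root / "Library/Databases/DataUsage.sqlite")
    con.execute("CREATE TABLE sample(id INTEGER)"); con.executemany("INSERT INTO sample VALUES (?)", [(1,), (2,), (3,)])
    con.commit(); con.close()
    (root / "Library/Logs/mobile_installation_helper.log.0").write_bytes(b"constructed log line\n")
    return str(root)
```

Run `triage(<extraction root>)` against a real dump; any entry in `missing` that is also in `FULL_FS_ONLY` tells you the artifact was never going to be in an iTunes backup rather than that it was wiped.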