Trying to prove that the user deleted an application from a non-jailbroken device is more difficult because we cant access all of the uninstall/install logs. Here are some files that may help you do this. You are going to have to prove application usage and removal from smartphones. Section 5 of this course will cover recovering deleted applications in more detail.
The three files below will show which apps had access to spotlight and others including the location restrictions/settings:
/Library/Preferences/com.apple.corespotlightui.plist
/Library/TCC/TCC.db
/Library/Caches/locationd/
clients.plist
consolidated.db > Tables of Interest: BeaconFences and Fences **NOTE: The location artifacts here should not be trusted. A great blog to read on this was written by Ian Whiffin: http://www.doubleblak.com/m/blogPosts.php?id=22.
