Apple iPhone “Significant Locations” [source: prodigital4n6]

Where & What Are “Significant Locations”


The first step is to identify where and what “Significant Locations” are.  The artifact is available to view on the device at Settings>Privacy>Location Services>System Services>Significant Locations. If location services are turned OFF, the significant locations data will not be logged and therefore unavailable.  Interestingly, to access Significant Locations on the device, the passcode or Touch ID must be entered. As we should all know by now, we need to obtain the passcode in some way (consent, court order, Gray Key, etc.) in order to facilitate data extraction in iOS 11 regardless, so while this may seem like an obstacle, it’s just another reason to obtain the passcode.


Upon accessing Significant Locations, a disclaimer is present; the final sentence that the Significant Locations are encrypted already gives us a clue about whether or not UFED will be able to parse this data, but more on that a little later.




UFED Extraction & Access to “Significant Locations”


An Advanced Logical (option 1) encrypted extraction was conducted in Cellebrite UFED Physical Analyzer v. 7.5 to see if this data would be available through mobile forensic data extraction.  When the names of the locations were searched globally in the case, no results were presented.  When the term “Significant” was searched globally in the case, the following artifacts were located at var/root/library/caches/locationd:


The .plist files were exported and opened in XCode on a Mac system.  Each of these artifacts did not present any data that was readily identifiable as useful.  Is it possible that these artifacts are encoded within the extraction data and could therefore be located?  Sure, but for the purposes of this article, those measures were not undertaken.  As these artifacts are behind a double security wall (main passcode, then re-entry of the passcode to access Significant Locations on the device), it is logical to conclude that they are not accessible through mobile forensic data extraction (i.e., encrypted).



How Does This Help Your Case?


To recap, we located the Significant Locations on the device and performed a data extraction and it appears that these locations are not part of any readable portion of that data.  So how can we best incorporate this data into our investigations to add value?  Unfortunately, the best answer is the “old fashioned way”.  Access the device, navigate to “Significant Locations” and document each entry through photographs (NOT screen shots).  Depending on the level of usage of the device, this can be tedious and time-consuming, but the value of the data cannot be overlooked.


In criminal cases, this data can help put the device in locations where the suspect may have been (or not have been) during the time of the incident.  It can also help identify home locations and frequently visited locations, which can increase investigative leads, present additional accomplices, serve to impeach statements already made and more.  Naturally, accessing the device is key.  It bears noting that the “Significant Locations” data, combined with cellular provider call detail records could help paint a more thorough picture of the device location and/or movements than either one or the other alone.


In civil litigation, this data can be used in much the same way, but more likely to prove or disprove frequent locations, known associates (paramours, accomplices, etc.), and to help confirm or refute deposition or trial testimony.  If your case involves insurance fraud and the claimant says that he cannot travel, this data helps refute that statement without the need to obtain cellular carrier records.  But again, ideally we would couple this data with cellular location data to paint a more complete picture of the device usage patterns.


A couple of final notes about the existence of this data.  First, it can be deleted.  Note the option to “Clear History” is present and if the user selects this, the logging will be reset.  It also appears (from checking a separate device with this logging turned on) that the data is stored for approximately 6 months.  It is unknown whether or not the data would transfer from an older device to an upgraded device as further testing would need to be conducted.  Finally, it is also unknown whether or not this data would be more readily accessible through mobile forensic data extraction on a jail-broken device.

For more, click here.