I came across a short research paper that was recently published on ResearchGate from Ruud Schramp of the Netherlands Forensic Institute. He found a new possible evidence source in a SQLite database on iOS devices at path:
/private/var/mobile/Containers/Data/PluginKitPlugin/<GUID>/Documents/AMDSQLite.db.0*
The tables of interest are:
- AMDAppStoreUsageEvents - app install/update dates and app foreground usage
- DeviceStorageUsage - shows free storage capacity at certain intervals
- AMDAppStoreAnalyticsData - app info and feeds via the App Store app
AMDAppStoreUsageEvents
This is the meat of what Ruud's paper looks at. This table records app events that show when an app was installed or updated as well as when the app was opened to the foreground and for how long.
- time - timestamp of the event
- creationTime - another timestamp which I thought calculated duration but still needs more research
- type - type of event occurring:
  - 0 = Install/Update
  - 1 = Uninstall
  - 2 = Open or run
  - 3 = TBD
- adamId - Apple store identifier for an application
- appVersion - version number of the application
- foregroundDuration - how long the app was in the foreground in seconds
- userId - unique identifier to the user opening the apps
We don't directly get the app names here, but we do get adamIDs, which I've seen before in the storeUser.db. If we attach that database here, we can get bundle names to correlate with the adamIDs. We can also match the userId to an Apple ID found in storeUser.
Figure 1: AMDAppStoreUsageEvents query in DB Browser
From Josh Hickman's iOS 17 image we can see a sample of Signal activity lines up almost exactly (given local to UTC offset conversion).
Figure 2: iOS 17 image creation documentation from Josh Hickman
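To make the column and type-code descriptions above concrete, here is an added example (not code from the paper, the post, or iLEAPP) that decodes the events and totals foreground time per adamId. The column types and all sample rows are constructed assumptions, and timestamps are returned raw because the post does not state their encoding.

```python
import sqlite3
from pathlib import Path

# Event codes as listed in the post; code 3 is still undetermined there.
EVENT_TYPES = {0: "Install/Update", 1: "Uninstall", 2: "Open or run", 3: "TBD"}
COLS = ("time", "type", "adamId", "appVersion", "foregroundDuration", "userId")

def open_readonly(path):
    """Open a working copy of the database read-only so it is never modified."""
    return sqlite3.connect(Path(path).resolve().as_uri() + "?mode=ro", uri=True)

def decode_events(conn):
    """Return all usage events in time order with the type code decoded."""
    sql = f"SELECT {', '.join(COLS)} FROM AMDAppStoreUsageEvents ORDER BY time"
    events = [dict(zip(COLS, row)) for row in conn.execute(sql)]
    for e in events:
        e["event"] = EVENT_TYPES.get(e["type"], f"Unknown ({e['type']})")
    return events

def foreground_totals(conn):
    """Count opens and sum foreground seconds per adamId (type 2 events only)."""
    rows = conn.execute(
        "SELECT adamId, COUNT(*), COALESCE(SUM(foregroundDuration), 0) "
        "FROM AMDAppStoreUsageEvents WHERE type = 2 "
        "GROUP BY adamId ORDER BY 3 DESC"
    )
    return {adam: {"opens": n, "seconds": s} for adam, n, s in rows}

def build_sample():
    """Constructed sample: column names from the post, types and values invented."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE AMDAppStoreUsageEvents (time INTEGER, creationTime INTEGER, "
        "type INTEGER, adamId INTEGER, appVersion TEXT, foregroundDuration INTEGER, userId INTEGER)"
    )
    conn.executemany("INSERT INTO AMDAppStoreUsageEvents VALUES (?,?,?,?,?,?,?)", [
        (1000, 1000, 0, 111, "1.0", None, 42),  # install of hypothetical app 111
        (1100, 1100, 2, 111, "1.0", 30, 42),    # opened for 30 seconds
        (1200, 1200, 2, 111, "1.0", 90, 42),    # opened for 90 seconds
        (1300, 1300, 2, 222, "5.2", 15, 42),    # second hypothetical app
        (1400, 1400, 9, 222, "5.2", None, 42),  # code not in the post's list
    ])
    return conn

if __name__ == "__main__":
    sample = build_sample()
    print(decode_events(sample), foreground_totals(sample), sep="\n")
```

Against real evidence, pass a working copy of AMDSQLite.db to `open_readonly` in place of `build_sample()`.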
DeviceStorageUsage
In this simple table we get some indicators of capacity used for the phone itself.
- time - timestamp of the event
- creationTime - appears to be duplicative of time in this table instance
- availableDeviceCapacityGB - amount of GB free space
- totalDeviceCapacityGB - total amount of GB on the device
Maybe this would be helpful to have for an examiner to show usage over time.
Figure 3: Device capacity over time in DB Browser
AMDAppStoreAnalyticsData
This table shows information and suggested content straight from the Apple App Store application such as the Today page and trending apps. In my limited testing there appears to be some information related to searches and download/redownload events of apps.
Figure 4: AMDAppStoreAnalyticsData table
One of the original motivations why I created ASP is to look up these adamIDs here. I am in the process of implementing possible code to this parser but work is ongoing. More research to follow for this table.
For now, parsers for the App Usage and Storage capacity events have been implemented into iLEAPP.