IOS

5 years ago · 8a4af4c33e
parent e334cf735e
commit 8a4af4c33e
6 changed files with 373 additions and 0 deletions
--- a/Photos_sqlite.sql
+++ b/Photos_sqlite.sql
@ -0,0 +1,129 @@
+-- References:
+--
+-- https://github.com/geiszla/iOSLib/wiki/ZGENERICASSET-contents
+-- https://github.com/geiszla/iOSLib/wiki/ZADDITIONALASSETATTRIBUTES-contents
+-- https://forensenellanebbia.blogspot.com/2015/10/apple-ios-recently-deleted-images.html
+
+select 
+Z_PRIMARYKEY.Z_NAME as 'Type',
+case zgenericasset.ZSAVEDASSETTYPE
+		when 0 then 'Saved from other source'
+		when 2 then 'Photo Streams Data'
+		when 3 then 'Made/saved with this device'
+		when 4 then 'Default row'
+		when 7 then 'Deleted'
+		else zgenericasset.ZSAVEDASSETTYPE
+		end as 'AssetType',
+ZDIRECTORY as 'Directory',
+ZFILENAME as 'FileName',
+ZADDITIONALASSETATTRIBUTES.ZORIGINALFILENAME as 'OriginalFilename',
+ZADDITIONALASSETATTRIBUTES.ZORIGINALFILESIZE as 'OriginalSize',
+ZUNIFORMTYPEIDENTIFIER as 'FormTypeIdentifier',
+ZIMAGEURLDATA as 'ImageURLdata',
+ZTHUMBNAILURLDATA as 'ThumbnailURLdata',
+case ZCLOUDDOWNLOADREQUESTS
+	when 0 then 'No'
+	when 1 then 'Yes'
+	end as 'CLOUDDOWNLOADREQUESTS',
+case ZCLOUDISDELETABLE 
+		when 1 then 'Yes'
+		end as 'CLOUDISDELETABLE',
+case ZCLOUDISMYASSET  
+		when 1 then 'Yes'
+		end as 'CLOUDISMYASSET',
+case ZCLOUDLOCALSTATE 
+	when 0 then 'Local'
+	when 1 then 'Remote'
+	end as 'CLOUDLOCALSTATE',		
+case ZFAVORITE   
+		when 0 then 'No'
+		when 1 then 'Yes'
+		end as 'Favorite',		
+case ZHASADJUSTMENTS    
+		when 0 then 'No'
+		when 1 then 'Yes'
+		end as 'Modified',
+ZWIDTH||' x '||ZHEIGHT as 'Dimenasions(WxH)',
+ZADDITIONALASSETATTRIBUTES.ZEMBEDDEDTHUMBNAILWIDTH||' x '||ZADDITIONALASSETATTRIBUTES.ZEMBEDDEDTHUMBNAILHEIGHT as 'EmbeddedThumbnail(WxH)',
+ZADDITIONALASSETATTRIBUTES.ZEMBEDDEDTHUMBNAILOFFSET as 'EmbeddedThumbnailOffset',
+ZADDITIONALASSETATTRIBUTES.ZEMBEDDEDTHUMBNAILLENGTH as 'ETNLength',
+time(ZDURATION,'unixepoch') as 'Duration',
+case ZORIENTATION    
+		when 1 then 'Horizontal (left)'
+		when 3 then 'Horizontal (right)'
+		when 6 then 'Vertical (up)'
+		when 8 then 'Vertical (down)'
+		else ZORIENTATION
+		end as 'Orientation',
+case ZKIND    
+		when 0 then 'Photo'
+		when 1 then 'Video'
+		end as 'Kind',
+case ZKINDSUBTYPE    
+		when 0 then 'Normal'
+		when 1 then 'Panorama'
+		when 100 then 'Default row'
+		when 101 then 'Slo-mo'
+		when 102 then 'Timelapse'
+		else ZKINDSUBTYPE
+		end as 'SubType',
+case zgenericasset.ZHIGHDYNAMICRANGETYPE 
+	when 0 then 'No HDR'
+	when 1 then 'Low'
+	when 6 then 'High'
+	else zgenericasset.ZHIGHDYNAMICRANGETYPE
+	end as 'HDRtype', --Seen values 0, 1 and 6
+case zgenericasset.ZTRASHEDSTATE     
+		when 1 then 'Deleted'
+		when 0 then 'Not Deleted'
+		else zgenericasset.ZTRASHEDSTATE
+		end as 'TrashState',
+datetime('2001-01-01', ZTRASHEDDATE || ' seconds') as 'TrashedDate',
+case ZCOMPLETE  
+		when 1 then 'Yes'
+		end as 'Complete',		
+case ZVISIBILITYSTATE     
+		when 0 then 'Visible'
+		when 1 then 'Photo Streams Data'
+		when 2 then 'Burst'
+		else ZVISIBILITYSTATE
+		end as 'VisibilityState',
+ZADDITIONALASSETATTRIBUTES.ZCREATORBUNDLEID as 'CreatorBundleID',
+ZADDITIONALASSETATTRIBUTES.ZEDITORBUNDLEID as 'EditorBundleID',
+ZUNMANAGEDADJUSTMENT.ZADJUSTMENTFORMATIDENTIFIER||' ('||ZUNMANAGEDADJUSTMENT.ZADJUSTMENTFORMATVERSION||')' as 'AdjustmentFormatIdentifier',
+datetime('2001-01-01', ZUNMANAGEDADJUSTMENT.ZADJUSTMENTTIMESTAMP || ' seconds') as 'AdjustmentTimestamp',
+datetime('2001-01-01', ZMODIFICATIONDATE || ' seconds') as 'ModificationDate',
+datetime('2001-01-01', ZADDEDDATE || ' seconds') as 'AddedDate',
+datetime('2001-01-01', ZDATECREATED || ' seconds') as 'CreatedDate',
+ZADDITIONALASSETATTRIBUTES.ZEXIFTIMESTAMPSTRING as 'EXIFtimestamp',
+datetime('2001-01-01', ZMOMENT.ZSTARTDATE || ' seconds') as 'MomentStartDate',
+datetime('2001-01-01', ZMOMENT.ZENDDATE || ' seconds') as 'MomentEndDate',
+datetime('2001-01-01', zgenericasset.ZLASTSHAREDDATE || ' seconds') as 'LastSharedDate',
+ZADDITIONALASSETATTRIBUTES.ZTIMEZONENAME||' ('||ZADDITIONALASSETATTRIBUTES.ZTIMEZONEOFFSET||')' as 'TimeZone',
+ZMOMENT.ZAPPROXIMATELOCATIONDATA as 'ApproximateLocationData(bplist)',	
+ZMOMENT.ZREVERSELOCATIONDATA as 'ReverseLocationData0(bplist)',	
+case ZMOMENT.ZREVERSELOCATIONDATAISVALID 
+	when 0 then 'No'
+	when 1 then 'Yes'
+	end as 'LocationValid',	
+ZMOMENTLIST.ZREVERSELOCATIONDATA as 'ReverseLocationData1(bplist)',		
+case ZMOMENTLIST.ZREVERSELOCATIONDATAISVALID 
+	when 0 then 'No'
+	when 1 then 'Yes'
+	end as 'LocationValid',
+ZADDITIONALASSETATTRIBUTES.ZREVERSELOCATIONDATA as 'ReverseLocationData2(bplist)'
+	
+-- case ZADDITIONALASSETATTRIBUTES.ZSHIFTEDLOCATIONISVALID -- Field does not exist in IOS 8.3
+--	when 0 then 'No'
+--	when 1 then 'Yes'
+--	end as 'ShiftedLocationValid'
+
+
+from zgenericasset
+join Z_PRIMARYKEY on zgenericasset.z_ent = Z_PRIMARYKEY.z_ent
+left join ZMOMENTLIST on zgenericasset.ZMOMENT = ZMOMENTLIST.Z_PK
+left join ZMOMENT on ZGENERICASSET."ZMOMENT" = ZMOMENT.Z_PK
+join ZADDITIONALASSETATTRIBUTES on ZGENERICASSET.ZADDITIONALATTRIBUTES = ZADDITIONALASSETATTRIBUTES.Z_PK
+left join ZUNMANAGEDADJUSTMENT on ZADDITIONALASSETATTRIBUTES."ZUNMANAGEDADJUSTMENT" = ZUNMANAGEDADJUSTMENT.Z_PK
+order by MomentStartDate desc
+
--- a/callhistory_storedata.sql
+++ b/callhistory_storedata.sql
@ -0,0 +1,40 @@
+-- IOS 8  \Home\Library\CallHistoryDB
+-- References:
+--
+-- https://avi.alkalay.net/2011/12/iphone-call-history.html
+-- https://books.google.gr/books?id=HodcDgAAQBAJ&pg=PA224&lpg=PA224&dq=zcalltype&source=bl&ots=AxN5C2eH2m&sig=ACfU3U0rLvkJ-gU-3HS9siXl54LrysrW4w&hl=en&sa=X&ved=2ahUKEwiE3p7O9e3iAhVBr6QKHT6LDTkQ6AEwEXoECAkQAQ#v=onepage&q=zcalltype&f=false
+
+select 
+
+z_pk as 'zpk',
+ZISO_COUNTRY_CODE as 'CC',
+ZADDRESS as 'Address',
+ZNAME as  'Name',
+ZNUMBER_AVAILABILITY as 'Nr_Availability',
+case ZORIGINATED
+	when 1 then 'Yes'
+	end as 'Originated',
+case ZANSWERED
+	when 0 then 'No'
+	when 1 then 'Yes'
+	end as 'Answered',
+case ZREAD
+	when 0 then 'No'
+	when 1 then 'Yes'
+	end as 'Read',
+ZDISCONNECTED_CAUSE as'DisconnectedCause',	
+case ZCALLTYPE -- 
+	when 1 then 'Standard Call'
+	when 8 then 'Full AV Facetime Call'
+	when 16 then 'Facetime Audio only Call'
+	else ZCALLTYPE
+	end as 'CallType', 
+ZFACE_TIME_DATA as 'FacetimeData',
+time(ZDURATION,'unixepoch') as 'Duration',
+datetime('2001-01-01', zdate || ' seconds') as 'cdate',
+ZDEVICE_ID as 'DeviceID',
+ZUNIQUE_ID as 'UniqueID'
+
+from zcallrecord
+--where ZCALLTYPE = 8 filter by call type
+order by cdate desc
--- a/healthdb.sql
+++ b/healthdb.sql
@ -0,0 +1,28 @@
+select 
+-- iPhone 7 (9.3.1)
+
+sources.name,
+case datatype_source_order.data_type -- https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1528385073.pdf
+	when 3 then 'Weight'
+	when 5 then 'Heart Rate'
+	when 7 then 'Steps'
+	when 8 then 'Distance'
+	when 9 then 'Resting Energy'
+	when 10 then 'Active Energy'
+	when 12 then 'Flights Climbed'
+	when 67 then 'Weekly Calorie Goal'
+	when 70 then 'Watch On'
+	when 75 then 'Standing' 
+	when 76 then 'Activity'
+	when 79 then 'Workout'
+	when 83 then 'Some workouts'
+	else datatype_source_order.data_type -- 20’s ~ 30’s = Nutrition
+	end as 'DataType',
+subscription_data_anchors.last_anchor,
+datatype_source_order.ROWID,
+datatype_source_order.user_preferred,
+datatype_source_order.provenance
+
+from datatype_source_order
+join sources on datatype_source_order.source = sources.ROWID
+join subscription_data_anchors on subscription_data_anchors.code = datatype_source_order.data_type
--- a/healthdb_secure.sql
+++ b/healthdb_secure.sql
@ -0,0 +1,41 @@
+-- iPhone 7 (9.3.1)
+-- references:
+--
+-- ref: https://www.mac4n6.com/?offset=1544965200340
+-- https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1528385073.pdf
+-- https://objectivebythesea.com/v1/talks/OBTS_v1_Edwards.pdf
+
+select -- 
+category_samples.value,
+data_provenances.origin_device||' - '||data_provenances.origin_build as 'Device',
+case samples.data_type  
+	when 3 then 'Weight'
+	when 5 then 'Heart Rate'
+	when 7 then 'Steps'
+	when 8 then 'Distance'
+	when 9 then 'Resting Energy'
+	when 10 then 'Active Energy'
+	when 12 then 'Flights Climbed'
+	when 67 then 'Weekly Calorie Goal'
+	when 70 then 'Watch On'
+	when 75 then 'Standing' 
+	when 76 then 'Activity'
+	when 79 then 'Workout'
+	when 83 then 'Some workouts'
+	else samples.data_type -- 20’s ~ 30’s = Nutrition
+	end as 'DataType',
+quantity_samples.original_quantity||' '||unit_strings.unit_string as 'originalquantity',
+quantity_samples.quantity as 'quantity',
+datetime('2001-01-01', samples.start_date || ' seconds') as 'StartDate',
+datetime('2001-01-01', samples.end_date || ' seconds') as 'EndDate'
+
+from samples
+left join activity_caches on activity_caches.data_id = samples.data_id
+left join quantity_samples on quantity_samples.data_id = samples.data_id
+left join correlations on samples.data_id = correlations.object
+left join data_provenances on data_provenances.ROWID = quantity_samples.original_unit 
+left join category_samples on category_samples.data_id = samples.data_id
+left join unit_strings on unit_strings.ROWID = quantity_samples.original_unit
+
+--where data_type = 5 -- filter by heart rate
+order by StartDate desc
--- a/iPhotoLitedb.sql
+++ b/iPhotoLitedb.sql
@ -0,0 +1,47 @@
+--IOS 9.3.1 (iphoto)
+--\Camera Roll\Media\PhotoData\iPhotoSandboxLibrary\438665323315681\Database\iPhotoLite.db
+
+select 
+BLDBAlbum.uuid as 'AlbumUUID', -- Foldername
+BLDBAlbumMediaJoin.type, -- value can also be seen in the Album.plist in the above folders
+BLDBAlbum.name||' ('||BLDBAlbum.itemCount||')' as 'AlbumName(count)',
+case BLDBAlbum.state 
+	when 1 then 'Exists' end as 'AlbumState', 
+case bldbmedia.state 
+	when 0 then 'Deleted'
+	end as 'MediaState',
+bldbmedia.uuid 'Media UUID',
+bldbmedia.fileName,
+bldbmedia.fileSize,
+bldbmedia.type as 'imageType',
+time(bldbmedia.duration,'unixepoch') as 'Duration',
+bldbmedia.latitude,
+bldbmedia.longitude,
+datetime('2001-01-01',bldbmedia.DateCreated || ' seconds') as 'DateCreated',
+case when bldbmedia.dateViewed != 0.0 then datetime('2001-01-01',bldbmedia.dateViewed || ' seconds') end as 'DateViewed',
+case when bldbmedia.dateAdjusted then datetime('2001-01-01',bldbmedia.dateAdjusted || ' seconds') end as 'DateAdjusted',
+case when bldbmedia.dateModified then datetime('2001-01-01',bldbmedia.dateModified || ' seconds') end as 'DateModified',
+bldbmedia.PixelWidth||' x '||bldbmedia.PixelHeight as 'Dimensions (WxH)',
+bldbmedia.assetPixelWidth||' x '||bldbmedia.assetPixelHeight as 'assetDimensions',
+bldbmedia.originalPixelWidth||' x '||bldbmedia.originalPixelHeight as 'originalDimensions',
+case bldbmedia.assetOrientation    
+		when 1 then 'Horizontal (left)'
+		when 3 then 'Horizontal (right)'
+		when 6 then 'Vertical (up)'
+		when 8 then 'Vertical (down)'
+		else bldbmedia.assetOrientation
+		end as 'AssetOrientation',
+case bldbmedia.originalOrientation    
+		when 1 then 'Horizontal (left)'
+		when 3 then 'Horizontal (right)'
+		when 6 then 'Vertical (up)'
+		when 8 then 'Vertical (down)'
+		else bldbmedia.originalOrientation
+		end as 'OriginalOrientation'
+
+
+from bldbmedia
+join BLDBAlbumMediaJoin on BLDBMedia.primaryKey = BLDBAlbumMediaJoin.mediaKey
+join BLDBAlbum on BLDBAlbumMediaJoin.albumKey = BLDBAlbum.primaryKey
+
+order by DateCreated desc
--- a/sms_db.sql
+++ b/sms_db.sql
@ -0,0 +1,88 @@
+select 
+-- \Library\SMS\sms.db
+
+case when message."date" != 0 then datetime('2001-01-01', message."date" || ' seconds') end as 'MessageDate',
+case when message.date_delivered != 0 then datetime('2001-01-01', message.date_delivered || ' seconds') end as 'DateDelivered',
+case when message.date_read != 0 then datetime('2001-01-01', message.date_read || ' seconds') end as 'DateRead',
+case when message.date_played != 0 then datetime('2001-01-01', message.date_played || ' seconds') end as 'DatePlayed',
+handle.country,
+handle.id,
+message.handle_id as 'handleID',
+message.other_handle as 'OtherID',
+handle.service,
+chat.account_login,
+case message.is_from_me
+	when 1 then 'Yes'
+	end as 'FromME',
+case message.is_from_me
+	when 1 then message.text
+	end as 'MyText',
+case message.is_from_me
+	when 0 then message.text
+	end as 'RemoteText',
+message.attributedBody as 'attributedBody(BLOB)',
+chat.display_name,
+case message.cache_has_attachments
+	when 1 then 'yes'
+	end as 'CacheHasAttachments',
+case attachment.is_outgoing 
+	when 0 then 'Incoming'
+	when 1 then 'Outgoing'
+	end as 'AttachmentDirection',
+attachment.filename,
+attachment.transfer_name,
+attachment.total_bytes,
+attachment.mime_type,
+datetime('2001-01-01', attachment.created_date|| ' seconds') as 'CreatedDate',
+attachment.uti,
+attachment.transfer_state,	-- observed values 5 (temp folder) & 6 (Library)
+attachment.user_info as 'AttachmentUserInfo(bplist)', 
+chat.room_name,
+chat.chat_identifier,	
+chat.last_addressed_handle,
+case message.is_delivered
+	when 0 then 'No'
+	when 1 then 'yes'
+	end as 'is_delivered',
+case message.was_data_detected
+	when 1 then 'yes'
+	end as 'was_data_detected',	
+message.item_type,
+	
+case message.is_empty
+	when 1 then 'yes'
+	end as 'is_empty',
+case message.is_archive
+	when 1 then 'yes'
+	end as 'is_archive',	
+case message.is_finished
+	when 1 then 'yes'
+	end as 'is_finished',
+case message.is_audio_message
+	when 1 then 'yes'
+	end as 'is_audio_message',
+case message.is_delayed
+	when 1 then 'yes'
+	end as 'is_delayed',
+case message.is_emote
+	when 1 then 'yes'
+	end as 'is_emote',	
+	
+chat.properties as 'ChatProperties(bplist)',
+message.guid as 'MessageGUID',
+chat.account_id,
+chat.group_id
+
+
+
+
+from message
+left join handle on message.handle_id = handle.ROWID or message.other_handle = handle.ROWID
+join chat_message_join on chat_message_join.message_id = message.ROWID
+left join message_attachment_join on message.ROWID = message_attachment_join.message_id --A message can have multiple attachments 
+left join attachment on attachment.ROWID = message_attachment_join.attachment_id
+join chat on chat_message_join.chat_id = chat.ROWID
+
+
+
+order by message.ROWID desc