diff --git a/Photos_sqlite.sql b/Photos_sqlite.sql
new file mode 100644
index 0000000..14c26ea
--- /dev/null
+++ b/Photos_sqlite.sql
@@ -0,0 +1,129 @@
+-- References:
+--
+-- https://github.com/geiszla/iOSLib/wiki/ZGENERICASSET-contents
+-- https://github.com/geiszla/iOSLib/wiki/ZADDITIONALASSETATTRIBUTES-contents
+-- https://forensenellanebbia.blogspot.com/2015/10/apple-ios-recently-deleted-images.html
+
+select
+Z_PRIMARYKEY.Z_NAME as 'Type',
+case zgenericasset.ZSAVEDASSETTYPE
+ when 0 then 'Saved from other source'
+ when 2 then 'Photo Streams Data'
+ when 3 then 'Made/saved with this device'
+ when 4 then 'Default row'
+ when 7 then 'Deleted'
+ else zgenericasset.ZSAVEDASSETTYPE
+ end as 'AssetType',
+ZDIRECTORY as 'Directory',
+ZFILENAME as 'FileName',
+ZADDITIONALASSETATTRIBUTES.ZORIGINALFILENAME as 'OriginalFilename',
+ZADDITIONALASSETATTRIBUTES.ZORIGINALFILESIZE as 'OriginalSize',
+ZUNIFORMTYPEIDENTIFIER as 'FormTypeIdentifier',
+ZIMAGEURLDATA as 'ImageURLdata',
+ZTHUMBNAILURLDATA as 'ThumbnailURLdata',
+case ZCLOUDDOWNLOADREQUESTS
+ when 0 then 'No'
+ when 1 then 'Yes'
+ end as 'CLOUDDOWNLOADREQUESTS',
+case ZCLOUDISDELETABLE
+ when 1 then 'Yes'
+ end as 'CLOUDISDELETABLE',
+case ZCLOUDISMYASSET
+ when 1 then 'Yes'
+ end as 'CLOUDISMYASSET',
+case ZCLOUDLOCALSTATE
+ when 0 then 'Local'
+ when 1 then 'Remote'
+ end as 'CLOUDLOCALSTATE',
+case ZFAVORITE
+ when 0 then 'No'
+ when 1 then 'Yes'
+ end as 'Favorite',
+case ZHASADJUSTMENTS
+ when 0 then 'No'
+ when 1 then 'Yes'
+ end as 'Modified',
+ZWIDTH||' x '||ZHEIGHT as 'Dimenasions(WxH)',
+ZADDITIONALASSETATTRIBUTES.ZEMBEDDEDTHUMBNAILWIDTH||' x '||ZADDITIONALASSETATTRIBUTES.ZEMBEDDEDTHUMBNAILHEIGHT as 'EmbeddedThumbnail(WxH)',
+ZADDITIONALASSETATTRIBUTES.ZEMBEDDEDTHUMBNAILOFFSET as 'EmbeddedThumbnailOffset',
+ZADDITIONALASSETATTRIBUTES.ZEMBEDDEDTHUMBNAILLENGTH as 'ETNLength',
+time(ZDURATION,'unixepoch') as 'Duration',
+case ZORIENTATION
+ when 1 then 'Horizontal (left)'
+ when 3 then 'Horizontal (right)'
+ when 6 then 'Vertical (up)'
+ when 8 then 'Vertical (down)'
+ else ZORIENTATION
+ end as 'Orientation',
+case ZKIND
+ when 0 then 
'Photo'
+ when 1 then 'Video'
+ end as 'Kind',
+case ZKINDSUBTYPE
+ when 0 then 'Normal'
+ when 1 then 'Panorama'
+ when 100 then 'Default row'
+ when 101 then 'Slo-mo'
+ when 102 then 'Timelapse'
+ else ZKINDSUBTYPE
+ end as 'SubType',
+case zgenericasset.ZHIGHDYNAMICRANGETYPE
+ when 0 then 'No HDR'
+ when 1 then 'Low'
+ when 6 then 'High'
+ else zgenericasset.ZHIGHDYNAMICRANGETYPE
+ end as 'HDRtype', --Seen values 0, 1 and 6
+case zgenericasset.ZTRASHEDSTATE
+ when 1 then 'Deleted'
+ when 0 then 'Not Deleted'
+ else zgenericasset.ZTRASHEDSTATE
+ end as 'TrashState',
+datetime('2001-01-01', ZTRASHEDDATE || ' seconds') as 'TrashedDate',
+case ZCOMPLETE
+ when 1 then 'Yes'
+ end as 'Complete',
+case ZVISIBILITYSTATE
+ when 0 then 'Visible'
+ when 1 then 'Photo Streams Data'
+ when 2 then 'Burst'
+ else ZVISIBILITYSTATE
+ end as 'VisibilityState',
+ZADDITIONALASSETATTRIBUTES.ZCREATORBUNDLEID as 'CreatorBundleID',
+ZADDITIONALASSETATTRIBUTES.ZEDITORBUNDLEID as 'EditorBundleID',
+ZUNMANAGEDADJUSTMENT.ZADJUSTMENTFORMATIDENTIFIER||' ('||ZUNMANAGEDADJUSTMENT.ZADJUSTMENTFORMATVERSION||')' as 'AdjustmentFormatIdentifier',
+datetime('2001-01-01', ZUNMANAGEDADJUSTMENT.ZADJUSTMENTTIMESTAMP || ' seconds') as 'AdjustmentTimestamp',
+datetime('2001-01-01', ZMODIFICATIONDATE || ' seconds') as 'ModificationDate',
+datetime('2001-01-01', ZADDEDDATE || ' seconds') as 'AddedDate',
+datetime('2001-01-01', ZDATECREATED || ' seconds') as 'CreatedDate',
+ZADDITIONALASSETATTRIBUTES.ZEXIFTIMESTAMPSTRING as 'EXIFtimestamp',
+datetime('2001-01-01', ZMOMENT.ZSTARTDATE || ' seconds') as 'MomentStartDate',
+datetime('2001-01-01', ZMOMENT.ZENDDATE || ' seconds') as 'MomentEndDate',
+datetime('2001-01-01', zgenericasset.ZLASTSHAREDDATE || ' seconds') as 'LastSharedDate',
+ZADDITIONALASSETATTRIBUTES.ZTIMEZONENAME||' ('||ZADDITIONALASSETATTRIBUTES.ZTIMEZONEOFFSET||')' as 'TimeZone',
+ZMOMENT.ZAPPROXIMATELOCATIONDATA as 'ApproximateLocationData(bplist)',
+ZMOMENT.ZREVERSELOCATIONDATA as 
'ReverseLocationData0(bplist)',
+case ZMOMENT.ZREVERSELOCATIONDATAISVALID
+ when 0 then 'No'
+ when 1 then 'Yes'
+ end as 'LocationValid',
+ZMOMENTLIST.ZREVERSELOCATIONDATA as 'ReverseLocationData1(bplist)',
+case ZMOMENTLIST.ZREVERSELOCATIONDATAISVALID
+ when 0 then 'No'
+ when 1 then 'Yes'
+ end as 'LocationValid',
+ZADDITIONALASSETATTRIBUTES.ZREVERSELOCATIONDATA as 'ReverseLocationData2(bplist)'
+
+-- case ZADDITIONALASSETATTRIBUTES.ZSHIFTEDLOCATIONISVALID -- Field does not exist in IOS 8.3
+-- when 0 then 'No'
+-- when 1 then 'Yes'
+-- end as 'ShiftedLocationValid'
+
+
+from zgenericasset
+join Z_PRIMARYKEY on zgenericasset.z_ent = Z_PRIMARYKEY.z_ent
+left join ZMOMENTLIST on zgenericasset.ZMOMENT = ZMOMENTLIST.Z_PK
+left join ZMOMENT on ZGENERICASSET."ZMOMENT" = ZMOMENT.Z_PK
+join ZADDITIONALASSETATTRIBUTES on ZGENERICASSET.ZADDITIONALATTRIBUTES = ZADDITIONALASSETATTRIBUTES.Z_PK
+left join ZUNMANAGEDADJUSTMENT on ZADDITIONALASSETATTRIBUTES."ZUNMANAGEDADJUSTMENT" = ZUNMANAGEDADJUSTMENT.Z_PK
+order by MomentStartDate desc
+
diff --git a/callhistory_storedata.sql b/callhistory_storedata.sql
new file mode 100644
index 0000000..2125413
--- /dev/null
+++ b/callhistory_storedata.sql
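Review bot: The alias `'LocationValid'` is emitted twice, once for `ZMOMENT.ZREVERSELOCATIONDATAISVALID` and once for `ZMOMENTLIST.ZREVERSELOCATIONDATAISVALID`, so any consumer that keys on column names (CSV export, a DataFrame) silently drops one of them; rename the second to `end as 'MomentListLocationValid',` and fix the `'Dimenasions(WxH)'` typo in the header while there. The single-branch case expressions (`ZCLOUDISDELETABLE`, `ZCLOUDISMYASSET`, `ZCOMPLETE`) print NULL for both an explicit 0 and a NULL field, which an examiner cannot tell apart afterwards; adding `when 0 then 'No'` as the neighbouring `ZFAVORITE` block does keeps that distinction. `time(ZDURATION,'unixepoch')` wraps at 24 hours, which is presumably acceptable for photo/video assets but deserves a `-- wraps at 24h` comment next to it.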
@@ -0,0 +1,40 @@
+-- IOS 8 \Home\Library\CallHistoryDB
+-- References:
+--
+-- https://avi.alkalay.net/2011/12/iphone-call-history.html
+-- https://books.google.gr/books?id=HodcDgAAQBAJ&pg=PA224&lpg=PA224&dq=zcalltype&source=bl&ots=AxN5C2eH2m&sig=ACfU3U0rLvkJ-gU-3HS9siXl54LrysrW4w&hl=en&sa=X&ved=2ahUKEwiE3p7O9e3iAhVBr6QKHT6LDTkQ6AEwEXoECAkQAQ#v=onepage&q=zcalltype&f=false
+
+select
+
+z_pk as 'zpk',
+ZISO_COUNTRY_CODE as 'CC',
+ZADDRESS as 'Address',
+ZNAME as 'Name',
+ZNUMBER_AVAILABILITY as 'Nr_Availability',
+case ZORIGINATED
+ when 1 then 'Yes'
+ end as 'Originated',
+case ZANSWERED
+ when 0 then 'No'
+ when 1 then 'Yes'
+ end as 'Answered',
+case ZREAD
+ when 0 then 'No'
+ when 1 then 'Yes'
+ end as 'Read',
+ZDISCONNECTED_CAUSE as'DisconnectedCause',
+case ZCALLTYPE --
+ when 1 then 'Standard Call'
+ when 8 then 'Full AV Facetime Call'
+ when 16 then 'Facetime Audio only Call'
+ else ZCALLTYPE
+ end as 'CallType',
+ZFACE_TIME_DATA as 'FacetimeData',
+time(ZDURATION,'unixepoch') as 'Duration',
+datetime('2001-01-01', zdate || ' seconds') as 'cdate',
+ZDEVICE_ID as 'DeviceID',
+ZUNIQUE_ID as 'UniqueID'
+
+from zcallrecord
+--where ZCALLTYPE = 8 filter by call type
+order by cdate desc
\ No newline at end of file
diff --git a/healthdb.sql b/healthdb.sql
new file mode 100644
index 0000000..d46cf7e
--- /dev/null
+++ b/healthdb.sql
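Review bot: `case ZORIGINATED when 1 then 'Yes' end` has no `when 0` branch, so an explicit 0 and a NULL both render as an empty 'Originated' cell and the direction of the call is lost for those rows; match the `ZANSWERED`/`ZREAD` blocks with `when 0 then 'No'`. `case ZCALLTYPE --` leaves a dangling comment marker and `as'DisconnectedCause'` is missing the space before the alias; both parse in SQLite but read as accidents. The `--where ZCALLTYPE = 8 filter by call type` line is dead code; if it is meant as a usage hint, move it into the header comment block rather than leaving a commented-out predicate in the query. `time(ZDURATION,'unixepoch')` wraps at 24 hours, which presumably never matters for a call record but is worth stating in a comment.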
@@ -0,0 +1,28 @@
+select
+-- iPhone 7 (9.3.1)
+
+sources.name,
+case datatype_source_order.data_type -- https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1528385073.pdf
+ when 3 then 'Weight'
+ when 5 then 'Heart Rate'
+ when 7 then 'Steps'
+ when 8 then 'Distance'
+ when 9 then 'Resting Energy'
+ when 10 then 'Active Energy'
+ when 12 then 'Flights Climbed'
+ when 67 then 'Weekly Calorie Goal'
+ when 70 then 'Watch On'
+ when 75 then 'Standing'
+ when 76 then 'Activity'
+ when 79 then 'Workout'
+ when 83 then 'Some workouts'
+ else datatype_source_order.data_type -- 20’s ~ 30’s = Nutrition
+ end as 'DataType',
+subscription_data_anchors.last_anchor,
+datatype_source_order.ROWID,
+datatype_source_order.user_preferred,
+datatype_source_order.provenance
+
+from datatype_source_order
+join sources on datatype_source_order.source = sources.ROWID
+join subscription_data_anchors on subscription_data_anchors.code = datatype_source_order.data_type
\ No newline at end of file
diff --git a/healthdb_secure.sql b/healthdb_secure.sql
new file mode 100644
index 0000000..9ec89e5
--- /dev/null
+++ b/healthdb_secure.sql
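Review bot: The query has no `order by`, so the row order is whatever the planner picks and can differ between runs, which matters when the result is pasted into a report; add `order by sources.name, datatype_source_order.data_type` after the last join. `join subscription_data_anchors` is an inner join, so any data type with no anchor row drops out of the result entirely — if this is meant as an inventory of sources and data types, a `left join` keeps the row with a NULL `last_anchor`, which is presumably the more useful behaviour. `sources.name`, `datatype_source_order.ROWID` and the other columns go out unaliased while `'DataType'` is aliased; giving each an `as '...'` alias keeps the export header consistent with the sibling files.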
@@ -0,0 +1,41 @@
+-- iPhone 7 (9.3.1)
+-- references:
+--
+-- ref: https://www.mac4n6.com/?offset=1544965200340
+-- https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1528385073.pdf
+-- https://objectivebythesea.com/v1/talks/OBTS_v1_Edwards.pdf
+
+select --
+category_samples.value,
+data_provenances.origin_device||' - '||data_provenances.origin_build as 'Device',
+case samples.data_type
+ when 3 then 'Weight'
+ when 5 then 'Heart Rate'
+ when 7 then 'Steps'
+ when 8 then 'Distance'
+ when 9 then 'Resting Energy'
+ when 10 then 'Active Energy'
+ when 12 then 'Flights Climbed'
+ when 67 then 'Weekly Calorie Goal'
+ when 70 then 'Watch On'
+ when 75 then 'Standing'
+ when 76 then 'Activity'
+ when 79 then 'Workout'
+ when 83 then 'Some workouts'
+ else samples.data_type -- 20’s ~ 30’s = Nutrition
+ end as 'DataType',
+quantity_samples.original_quantity||' '||unit_strings.unit_string as 'originalquantity',
+quantity_samples.quantity as 'quantity',
+datetime('2001-01-01', samples.start_date || ' seconds') as 'StartDate',
+datetime('2001-01-01', samples.end_date || ' seconds') as 'EndDate'
+
+from samples
+left join activity_caches on activity_caches.data_id = samples.data_id
+left join quantity_samples on quantity_samples.data_id = samples.data_id
+left join correlations on samples.data_id = correlations.object
+left join data_provenances on data_provenances.ROWID = quantity_samples.original_unit
+left join category_samples on category_samples.data_id = samples.data_id
+left join unit_strings on unit_strings.ROWID = quantity_samples.original_unit
+
+--where data_type = 5 -- filter by heart rate
+order by StartDate desc
\ No newline at end of file
diff --git a/iPhotoLitedb.sql b/iPhotoLitedb.sql
new file mode 100644
index 0000000..562210d
--- /dev/null
+++ b/iPhotoLitedb.sql
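Review bot: `left join data_provenances on data_provenances.ROWID = quantity_samples.original_unit` joins the provenance table on the same key that the `unit_strings` join uses, so the 'Device' column is looked up by a unit id rather than a provenance id and is presumably wrong for most rows; the correct provenance key is not visible in this file and should be confirmed against the schema before this query is relied on. `activity_caches` and `correlations` are left-joined but no column from either is selected, so a data_id with more than one matching row there multiplies the sample in the output and inflates counts in an export; drop those two joins or add a comment saying why they are needed. The commented `--where data_type = 5` hint is ambiguous once the joins are in place; if it is kept, write it as `samples.data_type`.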
@@ -0,0 +1,47 @@
+--IOS 9.3.1 (iphoto)
+--\Camera Roll\Media\PhotoData\iPhotoSandboxLibrary\438665323315681\Database\iPhotoLite.db
+
+select
+BLDBAlbum.uuid as 'AlbumUUID', -- Foldername
+BLDBAlbumMediaJoin.type, -- value can also be seen in the Album.plist in the above folders
+BLDBAlbum.name||' ('||BLDBAlbum.itemCount||')' as 'AlbumName(count)',
+case BLDBAlbum.state
+ when 1 then 'Exists' end as 'AlbumState',
+case bldbmedia.state
+ when 0 then 'Deleted'
+ end as 'MediaState',
+bldbmedia.uuid 'Media UUID',
+bldbmedia.fileName,
+bldbmedia.fileSize,
+bldbmedia.type as 'imageType',
+time(bldbmedia.duration,'unixepoch') as 'Duration',
+bldbmedia.latitude,
+bldbmedia.longitude,
+datetime('2001-01-01',bldbmedia.DateCreated || ' seconds') as 'DateCreated',
+case when bldbmedia.dateViewed != 0.0 then datetime('2001-01-01',bldbmedia.dateViewed || ' seconds') end as 'DateViewed',
+case when bldbmedia.dateAdjusted then datetime('2001-01-01',bldbmedia.dateAdjusted || ' seconds') end as 'DateAdjusted',
+case when bldbmedia.dateModified then datetime('2001-01-01',bldbmedia.dateModified || ' seconds') end as 'DateModified',
+bldbmedia.PixelWidth||' x '||bldbmedia.PixelHeight as 'Dimensions (WxH)',
+bldbmedia.assetPixelWidth||' x '||bldbmedia.assetPixelHeight as 'assetDimensions',
+bldbmedia.originalPixelWidth||' x '||bldbmedia.originalPixelHeight as 'originalDimensions',
+case bldbmedia.assetOrientation
+ when 1 then 'Horizontal (left)'
+ when 3 then 'Horizontal (right)'
+ when 6 then 'Vertical (up)'
+ when 8 then 'Vertical (down)'
+ else bldbmedia.assetOrientation
+ end as 'AssetOrientation',
+case bldbmedia.originalOrientation
+ when 1 then 'Horizontal (left)'
+ when 3 then 'Horizontal (right)'
+ when 6 then 'Vertical (up)'
+ when 8 then 'Vertical (down)'
+ else bldbmedia.originalOrientation
+ end as 'OriginalOrientation'
+
+
+from bldbmedia
+join BLDBAlbumMediaJoin on BLDBMedia.primaryKey = BLDBAlbumMediaJoin.mediaKey
+join BLDBAlbum on BLDBAlbumMediaJoin.albumKey = 
BLDBAlbum.primaryKey
+
+order by DateCreated desc
\ No newline at end of file
diff --git a/sms_db.sql b/sms_db.sql
new file mode 100644
index 0000000..8d2ff8d
--- /dev/null
+++ b/sms_db.sql
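Review bot: The optional-date columns use three different guards — `dateViewed != 0.0`, `case when bldbmedia.dateAdjusted then`, `case when bldbmedia.dateModified then` — while `DateCreated` has none, so a zero `DateCreated` prints as 2001-01-01 and the truthiness guards fold NULL and 0 together; use one explicit form, `case when bldbmedia.dateAdjusted != 0 then … end`, for all four. `bldbmedia.uuid 'Media UUID'` omits `as` unlike every other alias, and `case bldbmedia.state when 0 then 'Deleted' end` has no branch for live media, so a NULL state and an existing item are indistinguishable in 'MediaState'. The numeric directory in the path comment looks like a per-install id; mark it as an example so the next examiner does not search for that literal folder. The two inner joins through `BLDBAlbumMediaJoin` repeat a media row once per album it belongs to, which is fine but deserves a one-line comment above `from bldbmedia`.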
@@ -0,0 +1,88 @@
+select
+-- \Library\SMS\sms.db
+
+case when message."date" != 0 then datetime('2001-01-01', message."date" || ' seconds') end as 'MessageDate',
+case when message.date_delivered != 0 then datetime('2001-01-01', message.date_delivered || ' seconds') end as 'DateDelivered',
+case when message.date_read != 0 then datetime('2001-01-01', message.date_read || ' seconds') end as 'DateRead',
+case when message.date_played != 0 then datetime('2001-01-01', message.date_played || ' seconds') end as 'DatePlayed',
+handle.country,
+handle.id,
+message.handle_id as 'handleID',
+message.other_handle as 'OtherID',
+handle.service,
+chat.account_login,
+case message.is_from_me
+ when 1 then 'Yes'
+ end as 'FromME',
+case message.is_from_me
+ when 1 then message.text
+ end as 'MyText',
+case message.is_from_me
+ when 0 then message.text
+ end as 'RemoteText',
+message.attributedBody as 'attributedBody(BLOB)',
+chat.display_name,
+case message.cache_has_attachments
+ when 1 then 'yes'
+ end as 'CacheHasAttachments',
+case attachment.is_outgoing
+ when 0 then 'Incoming'
+ when 1 then 'Outgoing'
+ end as 'AttachmentDirection',
+attachment.filename,
+attachment.transfer_name,
+attachment.total_bytes,
+attachment.mime_type,
+datetime('2001-01-01', attachment.created_date|| ' seconds') as 'CreatedDate',
+attachment.uti,
+attachment.transfer_state, -- observed values 5 (temp folder) & 6 (Library)
+attachment.user_info as 'AttachmentUserInfo(bplist)',
+chat.room_name,
+chat.chat_identifier,
+chat.last_addressed_handle,
+case message.is_delivered
+ when 0 then 'No'
+ when 1 then 'yes'
+ end as 'is_delivered',
+case message.was_data_detected
+ when 1 then 'yes'
+ end as 'was_data_detected',
+message.item_type,
+
+case message.is_empty
+ when 1 then 'yes'
+ end as 'is_empty',
+case message.is_archive
+ when 1 then 'yes'
+ end as 'is_archive',
+case message.is_finished
+ when 1 then 'yes'
+ end as 'is_finished',
+case message.is_audio_message
+ when 1 then 'yes'
+ end as 
'is_audio_message',
+case message.is_delayed
+ when 1 then 'yes'
+ end as 'is_delayed',
+case message.is_emote
+ when 1 then 'yes'
+ end as 'is_emote',
+
+chat.properties as 'ChatProperties(bplist)',
+message.guid as 'MessageGUID',
+chat.account_id,
+chat.group_id
+
+
+
+
+from message
+left join handle on message.handle_id = handle.ROWID or message.other_handle = handle.ROWID
+join chat_message_join on chat_message_join.message_id = message.ROWID
+left join message_attachment_join on message.ROWID = message_attachment_join.message_id --A message can have multiple attachments
+left join attachment on attachment.ROWID = message_attachment_join.attachment_id
+join chat on chat_message_join.chat_id = chat.ROWID
+
+
+
+order by message.ROWID desc
\ No newline at end of file
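Review bot: `left join handle on message.handle_id = handle.ROWID or message.other_handle = handle.ROWID` matches up to two handle rows per message whenever `handle_id` and `other_handle` differ, so those messages appear twice with different `handle.id`/`handle.country` values and nothing in the output says which side matched; join `handle` twice under distinct aliases (one on `handle_id`, one on `other_handle`) and alias their columns separately, which also keeps message counts honest alongside the attachment multiplication the comment already acknowledges. `attachment.created_date` is converted without the `!= 0` guard the four `message.*` dates get, so a zero value prints as 2001-01-01. The `message."date"` conversion assumes whole seconds since 2001, and later iOS versions are known to store this column at nanosecond precision, so the header comment should state the iOS version this was written against as the sibling files do. The boolean case expressions mix `'Yes'` and `'yes'`; pick one.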