John Hyla When reviewing Biome and KnowledgeC artifacts in iOS Forensics there are often references to stream names for events. There is a plist file that seems to provide a little more information about these stream names including descriptions and some precision and rate limit values. It can be found at: /System/Library/PrivateFrameworks/CoreDuet.framework/com.apple.coreduet.systemevents.plist The below table is taken … Read more
Disclaimer: This format was reverse engineered to the best of my ability. This blog article is subject to future updates or corrections if anything new is learned. Please reach out if you have any insights Introduction I recently found a file that Apple has started using at some point which seems to be known as … Read more
Introduction I recently had a case involving Discord where the case investigator had observed images within the thread on an iPhone but they were not appearing in the threads in Cellebrite Physical Analyzer. The investigator described the images to me and I was able to locate them in a folder associated with Discord so I … Read more
In this blog I will discuss my findings on the AppIntent files that are located within the Biomes folder in many iOS extractions. These files contain many forensic artifacts that may no longer appear elsewhere on the device including deleted iMessages.