Tracking traces of deleted applications

Christopher Vance

Alexis Brignoni

iOS – All About the Bundle

• Deletion of an app deletes the entire “Container”

• Native files and databases track references to apps

• Deleted? Or Just Offloaded?

Offloaded?

• Apple allows users to “Offload” apps not frequently used

• Deletes the App container, but not the Data container

Offloaded?

App Storage (ApplicationState.db)Package Name com.atebits.Tweetie2

AppSource Location /private/var/containers/Bundle/Application/15FFD685-5154-4C07-B332-95F3F7521A48/Twitter.app

Application Data Location /private/var/mobile/Containers/Data/Application/1562A7BD-D4FA-4838-88FC-3F48C009EBD0

\private\var\mobile\Library\FrontBoard\applicationState.db

No Directions

• Offloaded apps lose ApplicationState.db entry (no map to container)

• MobileInstallation Log MAY have it depending on time.

• Bundle ID is searchable in FileSystem

IconState.plist (Springboard)

• Still lists the app.

• Device will show a cloud icon next to app on the home screen.

• BundleID is the key!

Search for BundleID.plist

• Each app has a plist file named [BundleID].plist in the Preferences folder

• Source path reveals the UUID for that App!

Learning BundleIDs

• Search for app online [Google: reddit ios app]– Look for http://apps.apple.com/

• Take the number after ID in URL– https://apps.apple.com/us/app/reddit/id1064216828

• Open URL: https://itunes.apple.com/lookup?id=

– Put value after the “=”

Learning BundleIDs

• Data downloaded as .txt file

• Search for “bundleID”

Search for BundleID!• Mobile Installation Logs• UninstalledApplications.plist• DAAP.sqlitedb• AppPurchaseHistory.6.sqlitedb• ScreenTime• PowerLog.PLSQL• KnowledgeC.db• DataUsage• CallHistory.storedata ???

Mobile Installation Logs• /private/var/installd/Library/Logs/MobileInstallation/*.log

(0 or 1)• Tracks when apps are installed, uninstalled, moved

containers, and destroyed containers.• Gives timestamps and path to app.

• iOS-Mobile-Installation-Logs-Parser:• https://github.com/abrignoni/iOS-Mobile-Installation-Logs-

Parser

Mobile Installation Logs

UninstalledApplications.plist

• \private\var\installd\Library\MobileInstallation\UninstalledApplications.plist

BundleIDs & Dates/Times

Goes back MONTHS

DAAP.sqlitedb

• \private\var\mobile\Library\Caches\com.apple.appstored\DAAP.sqlitedb

• DAAP – Digital Audio Access Protocol for sharing media across a local network

• Lists ALL apps purchased by Apple ID!

• Appears to have been added in iOS 12

• Lists who bought the app! (Remember family sharing)

AppPurchaseHistory.6.sqlitedb

• \private\var\mobile\Library\Caches\com.apple.storeservices\AppPurchaseHistory.6.sqlitedb

• Lists out apps purchased by Apple ID holder

• Includes original purchase date

• Very similar to DAAP.sqlitedb (but found in older iOS)

Screen Time

• \private\var\mobile\Library\Application Support\com.apple.remotemanagementd\RMAdminStore-Local.sqlite

• Added in iOS 12, tracks daily usage history of Apps.

• Only stores the last ~7 days for times, app notifications, and on-screen time.

• Synced applications stick around! [Sometimes]

PowerLog.PLSQL• Stores SO much data. • Tracks app usage and deletion times. • Lists offloaded apps as deleted (careful!)• Timestamps didn’t appear as accurate, and different

from table to table.

• SUPER thankful for APOLLO– https://github.com/mac4n6/APOLLO

PowerLog.PLSQL

• PLApplicationAgent_EventNone_AllApps

• PLApplicationAgent_EventNone_AllPlugins

• PLApplicationAgent_EventNone_AppVersions

• PLAppTimeService_Aggregate_AppRunTime

KnowledgeC.db

• Useful to track application install/uninstall dates/times

• Application in Focus (even after removal)

DataUsage.sqlite

• Private\var\wireless\Library\Databases\DataUsage.sqlite

• Found in iTunes backups and full file system

• Tracks only cellular data usage (app must be used once on cellular network)

• Keeps longer records of deleted apps

• Tracks several usage timestamps

DataUsage.sqlite

netusage.sqlite

• Private/var/networkd/netusage.sqlite

• Almost identical structure

• Better at clearing deleted apps

• Tracks WiFi / Cellular / Wired data sizes

• Multiple potential timestamps

Deleted Database Records!

• App could call to Call Log API

– Call Logs now delete records of apps that are deleted

– bundleID can be carved

– {SCREENSHOT}

The Takeaways

• Some apps were there, some weren’t.

• The less time passes the more potential for data.

• Not every artifact will be populated for each deleted app.

Timelining Activity• App Purchase Times

• Potential Install Times

• Usage/Connection Times

• Times in Focus (Last 7-30 days)

• Deleted Time

DAAP / AppPurchase.6

Mobile Installation Logs

DataUsage / NetUsage / PowerLog

KnowledgeC / ScreenTime

Mobile Installation Logs DeletedApplications.plistPowerLog

Android – Trace categories

• Native to Android

• Vendor installed

• User installed 3rd party apps

Native to Android

• Usagestats

– https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1528491463.pdf

– Keeps app activity record even after app deletion

Usagestats

Usagestats

• lastTimeActive="1756933803"

• package="com.viber.voip“

• timeActive="512058"

• lastEvent="2"

• appLaunchCount="14"

Usagestats

Usagestats

• Python Script

– https://github.com/abrignoni/Android-Usagestats-XML-Parser

Well known Android native DBs

• /data/com.android.vending/databases

– Localappstate.db

– Library.db

– Package_verification.db

Vendor Installed

• Samsung Members

Samsung Members

• Pocket Geek

• Installed by default

Samsung Members

• Pocket Geek

• Installed by default

• Path:

– /data/com.samsung.oh/databases/

• Databases:• com_pocketgeek_sdk_app_inventory.db -> android_app

• com_pocketgeek_sdk.db -> device_events

Samsung Members

• com_pocketgeek_sdk_app_inventory.db

– Display name

– Package_name

– System_app

– Last_used

Samsung Members

• com_pocketgeek_sdk_app_inventory.db

Samsung Members

• com_pocketgeek_sdk.db– Type

• Network, install, power, and alert events

– Value• JSON

• Inventory data for apps

– Created_at• Epoch time

Samsung Members

• com_pocketgeek_sdk.db

Context log

• Path:

– /data/com.Samsung.android.providers.context/databases/ContextLog.db -> use_app

Context log

• Timestamp: Epoch & human readable

• Timezone offset

• App ID + app sub ID

• Start & stop times: Epoch & human readable

• Duration in miliseconds

Context log

Samsung Smart Manager

Samsung Smart Manager

• Installed by default

• Path:

– /data/com.samsung.android.sm/databases

• Databases:

– sm.db -> crash_info, excluded_app

– lowpowercontext-system-db -> usage_log

Samsung Smart Manager

• lowpowercontext-system-db

– Package_name

– Start_time_string

– End_time_string

Samsung Smart Manager

• lowpowercontext-system-db

User installed 3rd party apps

• CCleaner

CCleaner

• Optimize app usage

• Large user base

• Path:– /data/com.piriform.ccleaner/databases

• Databases:– cleaner_apps_db -> app

– scanner_cache.db -> appInfoCache

CCleaner

• Cleaner_apps_db

CCleaner

• Scanner_cache.db

Resources

• https://github.com/abrignoni

– DFIR SQL Query Repo

• https://www.magnetforensics.com/artifact-exchange/