Forensics Question: | |
OS Versions:
iOS 15 Update: iPhone 6s Plus (iPhone8,2 (A1687)) iOS 15.0.2 FFS Acquisition iPhone 13 Pro (iPhone14,2 (A2483)) iOS 15.3.1 UFED Advance Logical Acquisition Both device acquisitions contained the plists needed to analyze if location services were on or off. | |
Tools:
|
Awhile back, I, started working on some research whether the device speed recorded in an iPhone database could be considered reliable evidence for how fast a device was traveling. I was going to discuss some device settings in the paper, but quickly learned the Location Services and System Services settings should be discussed in a bit more detail and decided to write a separate paper about what I found.
After completing some of the research, I asked Ian Whiffin to review what I have found and asked him to add anything I might have missed. Ian, being the iOS location guru, was happy to assist and was willing to co-author this paper with me. Thanks for everything Ian!!
In this paper we will be discussing how to determine if specific application Location Services is ON or OFF and if System Services were turned ON or OFF when the data was acquired.
Note: There has been previous research published about these settings, but it appears, based on what we have found, the research is a few years old. Here is a link to a SANS presentation by Sarah Edwards discussing her research for some of these settings:
Test Devices:
Apple iPhone 6s Plus MKV22LL/A A1687 – No Sim Card and no Mobile data
Apple iPhone Xs MTAL2LL/A A1920 – Has SIM card and mobile data
Artifact Location:
\private\var\mobile\Library\Preferences\com.apple.locationd.plist
\private\var\root\Library\Caches\locationd\clients.plist
Extraction Methods that contained both com.apple.locationd.plist and clients.plist:
Cellebrite Advance Logical Full File System UFED 4PC – Jailbroken
Cellebrite Advance Logical Extraction – UFED 4PC
Magnet AXIOM Full Acquisition – Jailbroken
Magnet AXIOM Quick Extraction
ArtEx ArtExtraction – Full Extraction – Jailbroken
ArtEx ArtExtraction – Live Connection – Jailbroken
Graykey Full File System
Settings > Privacy:
To check if Location Services is ON or OFF, navigate to Settings > Privacy. In Figure 1 Location Services is ON.
Figure 1
After the device data is acquired, how can we determine if Location Services was ON or OFF? The plist of interest is com.apple.locationd.plist.
The plist is located at: \private\var\mobile\Library\Preferences\
Once you have located the plist, you will want to analyze the LocationServicesEnabledIn8.0 key which will have a True or False value.
True value means Location Services is turned ON
False value means Location Services is turned OFF
You will also want to analyze the LastSystemVersion key. This key will list the last/current iOS version, in this case it was iPhone OS14.4.2/18D70.
In Figure 2, Location Services is ON. We can see the com.apple.locationd.plist, the keys previously mentioned and their values. Figure 2.1 is a look at the plist from iOS 15.0.
Figure 2
Figure 2.1 iOS 15
In Figure 3, Location Services is OFF. We can see the com.apple.locationd.plist, the keys previously mentioned and their values.
Figure 3
Privacy > Location Services:
After determining Location Services was ON, we will review some of the applications using location services. Clicking on the Location Services button within the Privacy menu will bring us to a menu pictured in Figure 4. The applications listed are those using Location Services and a brief glimpse into the application settings. Notice in Figure 5, the applications pictured are all set to While Using the App. Let’s begin analyzing the Maps application.
Figure 4
When we click on the Maps application, we are presented with a new set of Location Services settings, seen in Figure 5. The settings for Maps are set to Allow Location Access While Using the App and Precise Location is ON.
Figure 5
Note: Please read through the resources for additional details about the differences when Precise Location is ON or OFF. When it is OFF it is also known as Reduced Accuracy.
We are going to review the plist that contains the Apple Maps Location Services settings to determine what was set when the device data was acquired. The plist of interest is the clients.plist. This plist is located at: \private\var\root\Library\Caches\locationd\.
The clients.plist contains the settings for applications and system services using location services. During this section, we will be focusing on the application settings for location services. In Figure 6, we have highlighted two applications, Apple Maps – com.apple.Maps and Apple Calendar – com.apple.mobilecal.
Figure 6
After reviewing the Apple Maps (com.apple.Maps) settings, seen in Figure 7, we can see the Maps application is set to Never Allow Location Access. Notice there is not an option to change between Precise Location or Reduced Accuracy.
Figure 7
Within the clients.plist, you will want to find the application you wish to analyze. During testing, ArtEx and Mushy were used to view the plist. To view the keys listed under the application, we have to click on the applications, in this instance that was com.apple.Maps. Depending on your plist viewing tool, you should expand the keys belonging to the application you are analyzing. The keys you will want to analyze are Authorization and CorrectiveCompensationEnabled, seen in Figure 8.
The Authorization key is the setting for Allow Location Access. During testing, two key values were encountered. There were also some instances where the Authorization key was missing or hidden:
1 = Never
2 = While Using the App
When the Authorization key is missing/hidden = Ask Next Time
Note: The Weather application had two settings that appeared to be similar. The two settings were While Using the App and While Using the App or Widgets. Both settings had a value of 2 in the plist during testing.
The other key we want to analyze is the CorrectiveCompensationEnabled key, which is the setting for Precise Location. During testing, two key values were encountered:
1 = Precise Location is turned ON
2 = Precise Location is turned OFF or not set.
Note: A value of 2 indicates Reduced Accuracy
Note: During testing there were occasions when both the Authorization key and the CorrectiveCompensationEnabled key were missing/hidden. In some instances, this was because the setting was never changed from the default setting. After changes were made to the settings, the keys would then be listed in the plist. There might be other factors that would cause the keys to be missing/hidden, but those could not be determine during testing. An example of this displayed in Figure 10.
Test 1 Device Settings as seen in Figure 7 and 8:
Never is selected
Precise Location is missing/hidden
clients.plist keys:
Authorization value 1
CorrectiveCompensationEnabled value 2
Figure 8
Test 2 Device Settings as seen in Figure 9 and 10:
Ask Next Time is selected
Precise Location was OFF
clients.plist keys:
Authorization was not listed
CorrectiveCompensationEnabled value 2
Figure 9
Figure 10
Test 3 Device Settings as seen in Figure 11 and 12:
Ask Next Time is selected
Precise Location was ON
clients.plist keys:
Authorization missing/hidden
CorrectiveCompensationEnabled value 1
Figure 11
Figure 12
Figure 12.1 iOS 15.0 Camera settings
Test 4 Device Settings as seen in Figure 13 and 14:
While Using the App selected
Precise Location was ON
clients.plist keys:
Authorization value 2
CorrectiveCompensationEnabled value 1
Figure 13
Figure 14
Test 5 Device Settings:
At the end of testing, the Apple Maps Location Services settings were set as While Using the App and Precise Location was ON. In a final test, the setting was changed from While Using the App to Never. When the change was made the Precise Location toggle switch disappeared but was still in the ON position.
Based on previous testing, the Authorization value should have been 1 and the CorrectiveCompensationEnabled value should have been 2, but that was not the case. The Authorization value was 1, as expected, but the CorrectiveCompensationEnabled value was 1, indicating it was using Precise Location. Further testing was not completed to determine if the Precise Location was being used or not, just wanted to note this variation could appear in your data.
Now that we have analyzed specific application Location Services, Let’s review what was discovered when testing the System Services settings.
Figure 15
Note: Please review, https://support.apple.com/en-us/HT207056, as it outlines some of the System Services.
Location Services > System Services:
In Location Services > System Services there is a list of items, seen in Figure 15. Notice all the services are turned ON. After the iPhone data was acquired, we were able to determine if items listed under System Services were turned ON or OFF. To do this, we must again view the clients.plist Authorization key. During testing, two key values were encountered:
1 = OFF
4 = ON
In Figure 16, highlighted is the Routing & Traffic system services button. Based on testing, the Routing & Traffic system services button controls the following services in the clients.plist:
com.apple.locationd.bundle-/System/Library/LocationBundles/Traffic.bundle
com.apple.locationd.bundle-/System/Library/LocationBundles/AltimeterHarvest.bundle
com.apple.locationd.bundle-/System/Library/LocationBundles/IonosphereHarvest.bundle
com.apple.locationd.bundle-/System/Library/LocationBundles/TraceHarvest.bundle
Figure 16
In Figure 17, a screenshot of the clients.plist is opened in Mushy. Notice the com.apple.locationd.bundle-/System/Library/LocationBundles/Traffic.bundle service is expanded and has an Authorization key value of 4, meaning the setting is ON and a CorrectiveCompensationEnabled key value of 1, meaning Precise Location is ON.
Figure 17
When the Routing & Traffic setting is turned OFF, seen in Figure 18, the Authorization key in the clients.plist changed from a value of 4 (ON) to a value of 1 (OFF), see Figure 18 and Figure 19:
Figure 18
Figure 19
During testing, we were able to identify and match up most of the items listed under System Services to their counterpart listed in the clients.plist, as seen in Figure 20. Notice there are some ON/OFF switches that control multiple System Services.
Location Services > System Services Menu | clients.plist |
---|---|
Apple Pay Merchant Identification | com.apple.locationd.bundle-/System/Library/LocationBundles/PassbookMerchantLookup.bundle |
Cell Network Search | com.apple.locationd.bundle-/System/Library/Frameworks/CoreTelephony.framework |
Compass Calibration | com.apple.locationd.bundle-/System/Library/LocationBundles/CompassCalibration.bundle |
Device Management | com.apple.locationd.bundle-/System/Library/PrivateFrameworks/DeviceManagement.framework |
Emergency Calls & SOS | com.apple.locationd.bundle-/System/Library/LocationBundles/Emergency SOS.bundle |
Find My iPhone | com.apple.locationd.bundle-/System/Library/PrivateFrameworks/FindMyDevice.framework |
HomeKit | com.apple.locationd.bundle-/System/Library/PrivateFrameworks/HomeKitDaemon.framework |
Location-Based Alerts | com.apple.locationd.bundle-/System/Library/LocationBundles/MapsAnnouncements.bundle |
Location-Based Alerts | com.apple.locationd.bundle-/System/Library/LocationBundles/NavdLocationBundleiOS.bundle |
Location-Based Alerts | com.apple.locationd.bundle-/System/Library/LocationBundles/RemindersAlerts.bundle |
Location-Based Alerts | com.apple.locationd.bundle-/System/Library/LocationBundles/CalendarLocation.bundle |
Location-Based Alerts | com.apple.locationd.bundle-/System/Library/PrivateFrameworks/BulletinBoard.framework |
Location-Based Alerts | com.apple.locationd.bundle-/System/Library/LocationBundles/Wea.bundle |
Location-Based Alerts | com.apple.locationd.bundle-/System/Library/LocationBundles/ShortcutsLocation.bundle |
Location-Based Alerts | com.apple.locationd.bundle-/System/Library/LocationBundles/CarPlayHomeLocation.bundle |
Location-Based Alerts | com.apple.locationd.bundle-/System/Library/LocationBundles/AppSuggestions.bundle |
Location-Based Alerts | com.apple.locationd.bundle-/System/Library/LocationBundles/PassbookRelevancy.bundle |
Location-Based Alerts | com.apple.locationd.bundle-/System/Library/LocationBundles/DestinationdLocationBundleiOS.bundle |
Location-Based Suggestions | com.apple.locationd.bundle-/System/Library/PrivateFrameworks/CoreParsec.framework |
Motion Calibration & Distance | com.apple.locationd.bundle-/System/Library/LocationBundles/MotionCalibration.bundle |
Networking & Wireless | com.apple.locationd.bundle-/System/Library/PrivateFrameworks/MobileWiFi.framework |
Networking & Wireless | com.apple.locationd.bundle-/System/Library/LocationBundles/UWBRegulatory.bundle |
Setting Time Zone | com.apple.locationd.bundle-/System/Library/LocationBundles/TimeZone.bundle |
Share My Location | com.apple.locationd.bundle-/System/Library/PrivateFrameworks/FMF.framework |
System Customization | com.apple.locationd.bundle-/System/Library/LocationBundles/SystemCustomization.bundle |
System Customization | com.apple.locationd.bundle-/System/Library/PrivateFrameworks/ChronoCore.framework |
Significant Locations | com.apple.locationd.bundle-/System/Library/LocationBundles/Routine.bundle |
Product Improvement | clients.plist |
iPhone Analytics | com.apple.locationd.bundle-/System/Library/PrivateFrameworks/WirelessDiagnostics.framework |
Popular Near Me | com.apple.locationd.bundle-/System/Library/LocationBundles/AppGenius.bundle |
Routing & Traffic | com.apple.locationd.bundle-/System/Library/LocationBundles/Traffic.bundle |
Routing & Traffic | com.apple.locationd.bundle-/System/Library/LocationBundles/AltimeterHarvest.bundle |
Routing & Traffic | com.apple.locationd.bundle-/System/Library/LocationBundles/IonosphereHarvest.bundle |
Routing & Traffic | com.apple.locationd.bundle-/System/Library/LocationBundles/TraceHarvest.bundle |
Improve Maps | Could not identify |
Status Bar Icon | Could not identify |
Other Settings | clients.plist |
Exposure Notifications - COVID-19 | com.apple.locationd.bundle-/System/Library/LocationBundles/ExposureNotificationBundle.bundle |
Phone Wi-Fi Calling | com.apple.locationd.bundle-/System/Library/LocationBundles/WifiCalling.bundle |
Wallet App in Location Services Menu | com.apple.locationd.bundle-/System/Library/PrivateFrameworks/PassKitCore.framework |
App Clips in Location Services Menu | com.apple.locationd.bundle-/System/Library/LocationBundles/ClipServicesLocation.bundle |
Siri & Dictation | com.apple.locationd.bundle-/System/Library/PrivateFrameworks/AssistantServices.framework |
Note: Some of the items listed in the clients.plist are not listed in System Services menu, they are however listed elsewhere in the general settings menu. Some examples of these settings might be the Do Not Disturb setting, Wi-Fi Calling setting and Exposure Notification setting, just to name a few. Additional Note, in iOS 14.8 Wi-Fi Calling was listed in the System Services menu. iOS 15.0 update – most of these were also listed in iOS 15.0 clients.plist along with a few new ones.
After the bulk of this was written, Ian Whiffin, discovered several other key artifacts, namely in cases where location related applications are launched the first time, the user may be given the options of:
Allow Once
Allow while using
Don’t allow
The options for Allow while using and Don’t allow were covered above. But the option of Allow Once wasn’t.
The clients.plist shows a TemporaryAuthorization which can be seen in key 5 below.
Crucially, when the application closes, this node is deleted altogether. This means that the user may have allowed locations temporarily, even though the plist file will not reflect this.
Furthermore, some applications also have an option to Always Allow which means it will and work even if the app isn’t in use. These applications are given the authorization 4, just like system services.
We put together a quick look-up table to help you if required
clients.plist value | |||
---|---|---|---|
Temporary | Authorization | Corrective | |
Ask Next Time | 1 | ||
Ask Next Time | 2 | ||
Allow Once used with Precise location enabled | 1 | 1 | |
Allow Once used with Precise location disabled | 1 | 2 | |
Do Not Use / Never | 1 | 1 | |
Do Not Use / Never | 1 | 2 | |
Allow While Using with Precise location enabled | 2 | 1 | |
Allow While Using with Precise location disabled | 2 | 2 | |
Always Allow with Precise location enabled | 4 | 1 | |
Always Allow with Precise location disabled | 4 | 2 |
Conclusion:
We are sure you will find other applications and services that have not been discussed, but we hope this will at least assist you with determining if Location Services is ON or OFF and what System Services might be ON or OFF when the device data was acquired. Knowing these settings might be able to assist you when analyzing iPhone locations and determining why you might have highly accurate device locations and/or less than accurate device locations.
Resources:
June 5, 2018, Vladimir Katalov
December 23, 2018, Sarah Edwards
July 18, 2019, Krista Merry and Pete Bettinger
June 25, 2020, Ryan NHP
July 18, 2020, Ian Whiffin
December 10, 2020, Bryan Ambrose
December 21, 2020 Ian Whiffin
March 26, 2021, Ian Whiffin
December 2, 2021 Cellebrite Staff iOS Locations
Apple Developer Website
This is a very relevant topic for mobile forensics as understanding location settings is important in a variety of different cases. This paper is well written and the testing is thorough. The authors provided ample screenshots to allow readers to follow along and understand the keys being discussed. Reviewers were able to confirm some of the authors’ findings with their own testing.
One of the reviewers suggested that it would have been helpful if the author detailed what changed and what remained the same since Sarah Edwards’ work.
The authors mention “Precise Location” but do not detail the version of iOS where this feature because available.
There was some confusion as to which devices were used for testing. In the “Test Devices” section, there are 2 devices listed: Apple iPhone 6s Plus and Apple iPhone Xs. Then, under iOS 15 Update, there is an iPhone 13 Pro listed. The screenshots seem to reflect the iPhone 6s Plus. This could be better clarified.
The "CorrectiveCompensationEnabled" key in the clients.plist file is not reliable. This information is not always present even if Precise Location is turned ON. On the reviewer’s iPhone 6s, this key is always present even if this setting is never displayed on the device, regardless of "Allow location access".
Reviewers found that one of the tools used (Mushy) was not listed in the Tools section.
Do the contents of client.plist change if location services are turned off after they have been on (i.e. are all application and service subkeys "reset" to values corresponding to no location access)?
A potential area for future research work is to determine if the authorization key is recoverable or how one can possibly determine if "Allow Once" was temporarily authorized for an app if analyzing a phone after the app is closed or days later.
Future work on this topic could include additional mapping of the remaining client.plist keys to applications/services as well as more research into various timestamps present in subkeys.
There is another plist in the same directory as the com.apple.locationd.plist titled com.apple.locationd.StatusBarIconManager.plist that contains a subkey titled ShowSystemServices. This may correspond to the Status Bar Icon that did not have a corresponding key in client.plist, but additional testing would be required for verification.
Amanda Chung (Methodology Review)
Arica Kulm (Methodology Review, Validated Review Using Reviewer Generated Datasets)
Selena Ley (Methodology Review, Validated Review Using Reviewer Generated Datasets)
Johann Polewczyk (Methodology Review, Validated Review Using Reviewer Generated Datasets)
Linda Shou (Methodology Review, Validated Review Using Reviewer Generated Datasets)
Hannes Spichiger (Methodology Review)