TechnicalSupport.ca
26 Apr 11

Quick iPad Forensics and consolidated.db


Quick iPad Forensics on consolidated.db and Associated Files
This quick test is enough to raise red flags regarding privacy issues. A full test would take days using tcpdump and/or Wireshark.

Test device: iPad 1st gen, iOS 4.2.1, 3G, jailbroken

consolidated.db
/private/var/root/Library/Caches/locationd/consolidated.db

Opened with the Firefox SQLite Manager plug-in.



Geo data viewed on the TechnicalSupport.ca Mac with iPhoneTracker

cache.plist
/private/var/root/Library/Caches/locationd/clients.plist
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>CachedAutomaticTimeStatus</key>
<integer>2</integer>
<key>CachedSystemTime</key>
<dict>
<key>referenceTimeStamp</key>
<real>325058687.04903185</real>
<key>rtctime</key>
<real>24897457.5</real>
<key>source</key>
<integer>4</integer>
<key>time</key>
<real>325058679</real>
</dict>
<key>CachedSystemTimeSet</key>
<true/>
<key>CleanShutdown</key>
<false/>
<key>FileUpdate.http://configuration.apple.com/configurations/pep/cl/WMM.dat</key> <!-- This file can be downloaded from Apple at the URL in the key -->
<real>324931099</real>
<key>FileUpdate.http://iphone-wu.apple.com/7day/v2/latest/lto2.dat</key> <!-- This file can be downloaded from Apple at the URL in the key -->
<real>325207170</real>
<key>IgnoredCells</key>
<dict/>
<key>LastCellUpload</key>
<real>0.0</real>
<key>LastLocationUpload</key>
<real>321688901.78805602</real> <!-- Time geo data was uploaded to Apple. The timestamp is the time in seconds since January 1st 2001. -->
<key>LastWifiUpload</key> <!-- The logged time is excessively accurate; note 321688901.78805602. Date and time confirmed. -->
<real>324931593.47473902</real>
<key>NetworkTimeZone</key>
<dict>
<key>dstActive</key>
<true/>
<key>tzOffset</key>
<integer>-240</integer>
</dict>
<key>PreviousLocation</key>
<dict>
<key>Altitude</key>
<real>0.0</real>
<key>HorizontalAccuracy</key>
<real>100</real>
<key>Latitude</key>
<real>45.367931540000001</real> <!-- These are extremely accurate coordinates. Location confirmed. -->
<key>Lifespan</key>
<real>104.75341904163361</real>
<key>Longitude</key>
<real>-75.681164800000005</real>
<key>Timestamp</key>
<real>324932288.12809497</real>
<key>Type</key>
<integer>4</integer>
<key>VerticalAccuracy</key>
<real>-1</real>
</dict>
<key>PreviousTimeZone</key>
<string>America/Toronto</string>
<key>RtcTimeOffset</key>
<real>300161217.5</real>
<key>RtcTimeOffsetError</key>
<real>0.10000000000000001</real>
<key>RtcTimeOffsetTimestamp</key>
<real>24965183.5</real>
<key>TimeSource</key>
<integer>1</integer>
<key>TimeZoneBorderDistance</key>
<real>7018.4998950754261</real>
<key>TimeZoneBorderDistanceTimestamp</key>
<real>324931094.14994001</real>
<key>WifiLocationNearby</key>
<dict>
<key>Altitude</key>
<real>0.0</real>
<key>HorizontalAccuracy</key>
<real>100</real>
<key>Latitude</key>
<real>45.367980119999999</real>
<key>Lifespan</key>
<real>90</real>
<key>Longitude</key>
<real>-75.680729920000005</real>
<key>Timestamp</key>
<real>321663758.94263899</real>
<key>Type</key>
<integer>4</integer>
<key>VerticalAccuracy</key>
<real>-1</real>
</dict>
</dict>
</plist>
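
The timestamps in the plist above are seconds since January 1st 2001, so the upload times and cached fixes can be decoded directly. The script below is an added example, not part of the original post: it parses a constructed, trimmed copy of that plist (same keys and values) and assumes the epoch is 00:00:00 UTC. `SAMPLE`, `mac_time` and `summarize` are names chosen for this example.

```python
import plistlib
from datetime import datetime, timedelta, timezone

# Timestamps are seconds since 2001-01-01 (assumed here to be 00:00:00 UTC).
MAC_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)

# Constructed sample: a trimmed copy of the plist above, same keys and values.
SAMPLE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>LastCellUpload</key><real>0.0</real>
<key>LastLocationUpload</key><real>321688901.78805602</real>
<key>LastWifiUpload</key><real>324931593.47473902</real>
<key>NetworkTimeZone</key><dict><key>tzOffset</key><integer>-240</integer></dict>
<key>PreviousLocation</key>
<dict><key>HorizontalAccuracy</key><real>100</real>
<key>Latitude</key><real>45.367931540000001</real>
<key>Longitude</key><real>-75.681164800000005</real>
<key>Timestamp</key><real>324932288.12809497</real></dict>
<key>WifiLocationNearby</key>
<dict><key>HorizontalAccuracy</key><real>100</real>
<key>Latitude</key><real>45.367980119999999</real>
<key>Longitude</key><real>-75.680729920000005</real>
<key>Timestamp</key><real>321663758.94263899</real></dict>
</dict></plist>"""

def mac_time(seconds):
    """Convert a 2001-epoch timestamp to UTC; 0.0 (never set) gives None."""
    if not seconds:
        return None
    return MAC_EPOCH + timedelta(seconds=seconds)

def summarize(raw):
    """Return (upload times, location fixes) decoded from cache.plist bytes."""
    data = plistlib.loads(raw)
    uploads = {k: mac_time(v) for k, v in data.items()
               if k.startswith("Last") and k.endswith("Upload")}
    # Any nested dict carrying coordinates and a timestamp is a cached fix;
    # dicts without them (NetworkTimeZone) are skipped.
    fixes = [{"source": name, "lat": d["Latitude"], "lon": d["Longitude"],
              "accuracy": d.get("HorizontalAccuracy"), "when": mac_time(d["Timestamp"])}
             for name, d in data.items()
             if isinstance(d, dict) and {"Latitude", "Longitude", "Timestamp"} <= d.keys()]
    return uploads, fixes

if __name__ == "__main__":
    uploads, fixes = summarize(SAMPLE)
    for key, when in uploads.items():
        print(f"{key:20} {when.isoformat() if when else 'never'}")
    for fix in fixes:
        print(f"{fix['source']:20} {fix['lat']:.6f},{fix['lon']:.6f} "
              f"accuracy {fix['accuracy']} at {fix['when'].isoformat()}")
```
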

stats.plist
/private/var/root/Library/Caches/locationd/stats.plist

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>Eph-update</key>
<string>4/21/11 6:17 PM</string>
<key>GPS-fix</key>
<string>4/21/11 9:36 PM</string>
</dict>
</plist>

Appendix

Side Note: Messages from Little Snitch firewall on the test Mac a few hours after testing
locationd wants to connect to mac-services.apple.com on tcp port 443 (https)
locationd  wants to connect to iphone-wu.apple.com on tcp port 80 (http)

/System/Library/Frameworks/CoreLocation.framework/Support/consolidated.db
Seems to be installed when installing iOS. Could be the date of the iOS release?
This file is not the one with your location data

WMM.dat
WMM (World Magnetic Model) data originates from
NOAA's National Geophysical Data Center (NGDC)
The World Magnetic Model is a joint product of the United States and the United Kingdom

lto2.dat
LTO (Long-Term Orbit) technology originates from Global Locate, now owned by Broadcom,
as part of their Location-Based Services products

consolidated.db is also stored, under an obfuscated name, on a Mac or Windows PC
Each time you sync an iOS device (iPad, iPhone, etc.), files are copied into a new folder inside the Backup folder

Mac /Users/<your user name>/Library/Application Support/MobileSync/Backup/
Windows XP C:\Documents and Settings\<your user name>\Application Data\Apple Computer\MobileSync\Backup\
Windows 7 / Vista C:\Users\<your user name>\AppData\Roaming\Apple Computer\MobileSync\Backup\
The folder(s) inside Backup look like this: 720edff06aaa14218f0ab563149236dad464ba8a
The actual file gets renamed to something like this: 2041457d5fe04d39d0ab481178355df6781e6858

Apple Docs on Backup and Restore is here
