Internet history is a part of most forensic investigations today. Knowing how a user accessed a specific website is, in a lot of cases, just as important as identifying what site was visited.
One feature of iCloud is the ability for the user to view a web page that he or she was previously viewing on another iCloud-connected device. This feature, called Continuity, displays the available web page(s) the user was viewing on the first device, allowing the user to select which page he or she wishes to continue viewing on the second device.
In this blog entry we will look at the effects of Continuity on an iOS device's Safari History.db file.
The first step in our test is to delete the current browser history from the iOS device.
On an iCloud-connected Mac, several web pages were visited. The following screenshot shows the Safari history, as it is displayed on the Mac.
With Continuity, the page currently being viewed on the Mac is available for continued reading on the iOS device.
Using BlackLight, the iOS device is acquired and examined.
In the above BlackLight screenshot we see the Internet history from the iOS device, showing us a series of web pages that have been viewed. The problem is, none of these pages were actually physically viewed on this iOS device. (Remember, we deleted the current browser history from the iOS device before acquiring the device in BlackLight.)
Below, notice that the page that Continuity has made available for reading is recorded in the Safari history.
The takeaway for examiners is that you may not be able to tell what device actually viewed the web page when a user has iCloud-connected devices.
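To cross-check what a forensic tool reports, the visits can be read directly from a working copy of History.db. The following is an added example, not code from the original post or from BlackBag. The table and column names (`history_items`, `history_visits`, `visit_time`, `history_item`) are assumptions about the Safari schema that do not appear on the page, and the sample database is constructed.

```python
import sqlite3
from datetime import datetime, timedelta, timezone
from pathlib import Path

# visit_time is stored as seconds since 2001-01-01 00:00:00 UTC (Mac absolute time).
MAC_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)

def open_readonly(path):
    """Open a working copy of History.db read-only so the query cannot alter it."""
    return sqlite3.connect(Path(path).resolve().as_uri() + "?mode=ro", uri=True)

def list_visits(conn):
    """Return (utc_time, url, title) for every recorded visit, oldest first."""
    rows = conn.execute(
        "SELECT v.visit_time, i.url, v.title "
        "FROM history_visits AS v "
        "JOIN history_items AS i ON i.id = v.history_item "
        "ORDER BY v.visit_time"
    )
    return [(MAC_EPOCH + timedelta(seconds=t), url, title) for t, url, title in rows]

def build_sample():
    """Constructed in-memory stand-in holding only the columns queried above."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE history_items (id INTEGER PRIMARY KEY, url TEXT NOT NULL);
        CREATE TABLE history_visits (
            id INTEGER PRIMARY KEY,
            history_item INTEGER NOT NULL REFERENCES history_items(id),
            visit_time REAL NOT NULL,
            title TEXT
        );
        INSERT INTO history_items VALUES (1, 'https://example.com/news');
        INSERT INTO history_items VALUES (2, 'https://example.org/article');
        INSERT INTO history_visits VALUES (1, 1, 450000000.0, 'News');
        INSERT INTO history_visits VALUES (2, 2, 450000300.0, 'Article');
        INSERT INTO history_visits VALUES (3, 1, 450000600.0, 'News');
    """)
    return conn

if __name__ == "__main__":
    for when, url, title in list_visits(build_sample()):
        print(when.isoformat(), url, title)
```

For a real acquisition, pass `open_readonly("History.db")` on an exported copy to `list_visits`. The rows returned are whatever the database holds, so pages made available through Continuity appear alongside pages loaded on the device itself.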
And now you know!
If you would like more information on forensics, or using BlackBag software, contact BlackBag's training team today.