Post 001 (The one about water, iPhones, and no screen shots).

by Chris Atha




The purpose of this draft is to determine what, if any, technical causation may create a digital forensics artifact within the iOS logical file system commonly referred to as the “headphone connected artifact”, as it relates to an Apple iPhone 6S running iOS 12.2.

This artifact resides logically within the iOS filesystem at “\private\var\mobile\Library\CoreDuet\Knowledge\knowledgeC.db”, namely as a write event to the “ZOBJECT” table with a “ZSTRUCTUREDMETADATA” column value of 61, which relates to the “ZSTRUCTUREDMETADATA” table with a “Z_PK” column value of 61, in which the “Z_DKAUDIOMETADATAKEY” column has the value “Headphones” [1] [2]. This artifact often shows when wired headphones are connected.
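The join described above can be run as a query that resolves each “ZOBJECT” row's metadata key instead of reading the number 61 by eye. This is an added example, not code from the original post: the reduced schema and sample rows are constructed, and the `ZSTARTDATE` column with its seconds-since-2001 encoding is an assumption not stated on the page.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

# Assumption: ZOBJECT timestamps are seconds since 2001-01-01 UTC (Core Data epoch).
COCOA_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)

# Join ZOBJECT to ZSTRUCTUREDMETADATA exactly as the text describes:
# ZOBJECT.ZSTRUCTUREDMETADATA -> ZSTRUCTUREDMETADATA.Z_PK.
QUERY = """
SELECT o.Z_PK, o.ZSTARTDATE, o.ZSTRUCTUREDMETADATA, m.Z_DKAUDIOMETADATAKEY
FROM ZOBJECT AS o
JOIN ZSTRUCTUREDMETADATA AS m ON m.Z_PK = o.ZSTRUCTUREDMETADATA
WHERE m.Z_DKAUDIOMETADATAKEY IN ('Headphones', 'Speakers')
ORDER BY o.ZSTARTDATE
"""

def audio_route_timeline(conn):
    """Return (utc_time, metadata_pk, route) for each audio-route write."""
    rows = conn.execute(QUERY).fetchall()
    return [(COCOA_EPOCH + timedelta(seconds=start), meta_pk, route)
            for _pk, start, meta_pk, route in rows]

def build_sample_db():
    """Constructed stand-in for knowledgeC.db with only the columns used here."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE ZSTRUCTUREDMETADATA (
            Z_PK INTEGER PRIMARY KEY, Z_DKAUDIOMETADATAKEY TEXT);
        CREATE TABLE ZOBJECT (
            Z_PK INTEGER PRIMARY KEY, ZSTARTDATE REAL,
            ZSTRUCTUREDMETADATA INTEGER);
        INSERT INTO ZSTRUCTUREDMETADATA VALUES (59, 'Speakers'), (61, 'Headphones');
        -- Constructed timestamps; row 4 has no metadata link and must be skipped.
        INSERT INTO ZOBJECT VALUES (1, 600000000.0, 59), (2, 600000120.0, 61),
                                   (3, 600000180.0, 59), (4, 600000200.0, NULL);
    """)
    return conn

if __name__ == "__main__":
    for when, meta_pk, route in audio_route_timeline(build_sample_db()):
        print(when.isoformat(), meta_pk, route)
```

Against a real extraction, open a working copy read-only with `sqlite3.connect("file:knowledgeC.db?mode=ro", uri=True)` and pass that connection to `audio_route_timeline`.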

Testing was conducted utilizing an Apple iPhone 6s with iOS 12.2 [3] installed. The Apple iOS knowledgeC.db has existed for numerous iOS versions prior to iOS 10 and after iOS 12. The knowledgeC.db is observed historically to have changed little, if at all, between iOS 10 and iOS 12 [4]. The device was factory reset. Upon initialization, the device was jailbroken using Checkra1n version 0.12.4 [5]. ArtEx version 2.8.0.9 [6] was utilized to establish an SSH connection to allow for the real-time inspection of the iOS logical file system.

The device's 3.5 mm audio port was inspected and was free of debris and contamination. Further, the device was inspected to determine if audio routing was to the speaker or to headphones. This is performed by a user depressing the volume up or volume down buttons. After a period of time, no erroneous entries were created concerning the connection of wired headphones. A pair of functioning headphones was then inserted into the 3.5 mm audio jack.

The knowledgeC.db was viewed, and it indicated a pair of wired headphones had been connected at the expected time and date. The headphones were then removed. The knowledgeC.db indicated the headphones had been removed at the expected time and date. This task was performed to determine the proper working condition of the 3.5 mm audio jack of the test device and to check one technical causation of the artifact. However, as will be discussed later, more technical causations exist.

Tap water with cotton pad test

 

I then introduced a 100% cotton swab which had been saturated with tap water (pH 7.5, 100 mg/L as CaCO3) into the 3.5 mm audio port. The iPhone was resting upon a flat, non-conductive, dry, non-porous surface with the screen facing up. Upon insertion, I viewed the knowledgeC.db, which falsely indicated wired headphones had been connected. Namely, an artifact was immediately created at that time at “\private\var\mobile\Library\CoreDuet\Knowledge\knowledgeC.db”. This resulted in a write to the “ZOBJECT” table with a “ZSTRUCTUREDMETADATA” column value of 61, which relates to the “ZSTRUCTUREDMETADATA” table with a “Z_PK” column value of 61, in which the “Z_DKAUDIOMETADATAKEY” column has the value “Headphones”.

I then removed the cotton swab and once more viewed the knowledgeC.db. The knowledgeC.db indicated wired headphones had been disconnected. During this test I noted no odd behavior of the iOS device, nor was I alerted to the presence of water by iOS.

Tap water test

 

The 3.5 mm audio port was then vacuumed, swabbed with 97% isopropyl alcohol and allowed to dry. The device was then observed to indicate audio output through the speakers. Additionally, an artifact was created at that time at “\private\var\mobile\Library\CoreDuet\Knowledge\knowledgeC.db”, namely a write event to the “ZOBJECT” table with a “ZSTRUCTUREDMETADATA” column value of 59, which relates to the “ZSTRUCTUREDMETADATA” table with a “Z_PK” column value of 59, in which the “Z_DKAUDIOMETADATAKEY” column has the value “Speakers”.

I then introduced 0.5 ml of tap water (pH 7.5, 100 mg/L as CaCO3), via a syringe, to the opening of the 3.5 mm audio jack. The iPhone was resting upon a flat, non-conductive, dry, non-porous surface with the screen facing up. The iOS device displayed “headphones” when the volume up button or volume down button was pressed. Additionally, there was an immediate creation of an artifact at that time at “\private\var\mobile\Library\CoreDuet\Knowledge\knowledgeC.db”, namely a write event to the “ZOBJECT” table with a “ZSTRUCTUREDMETADATA” column value of 61, which relates to the “ZSTRUCTUREDMETADATA” table with a “Z_PK” column value of 61, in which the “Z_DKAUDIOMETADATAKEY” column has the value “Headphones”. During this test I noted no odd behavior of the iOS device, nor was I alerted to the presence of water by iOS.

The 3.5 mm audio port was then vacuumed, swabbed with 97% isopropyl alcohol and allowed to dry. The device was observed to indicate audio output through the speakers. Additionally, an artifact was created at that time at “\private\var\mobile\Library\CoreDuet\Knowledge\knowledgeC.db”, namely a write event to the “ZOBJECT” table with a “ZSTRUCTUREDMETADATA” column value of 59, which relates to the “ZSTRUCTUREDMETADATA” table with a “Z_PK” column value of 59, in which the “Z_DKAUDIOMETADATAKEY” column has the value “Speakers”. I then introduced a mixture of 0.5 ml solution of 10 ml collected rainwater (pH 5.5, 10 mg/L as CaCO3) which had been mixed with 1 gram of collected topsoil (sandy clay loam).

Soil contaminated rainwater test

I then introduced 0.5 ml of the solution, via a syringe, to the opening of the 3.5 mm audio jack. The iPhone was resting upon a flat, non-conductive, dry, non-porous surface with the screen facing up. The iOS device displayed “headphones” when the volume up button or volume down button was pressed. Additionally, an artifact was created at that time at “\private\var\mobile\Library\CoreDuet\Knowledge\knowledgeC.db”, namely a write event to the “ZOBJECT” table with a “ZSTRUCTUREDMETADATA” column value of 61, which relates to the “ZSTRUCTUREDMETADATA” table with a “Z_PK” column value of 61, in which the “Z_DKAUDIOMETADATAKEY” column has the value “Headphones”. During this test I noted no odd behavior of the iOS device, nor was I alerted to the presence of water by iOS.

Based upon my testing, I found: Foreign conductive materials other than a pair of functioning wired headphones with a male 3.5 mm audio jack may cause the false belief that headphones were connected.

This artifact is located at “\private\var\mobile\Library\CoreDuet\Knowledge\knowledgeC.db”, namely a write event to the “ZOBJECT” table with a “ZSTRUCTUREDMETADATA” column value of 61, which relates to the “ZSTRUCTUREDMETADATA” table with a “Z_PK” column value of 61, in which the “Z_DKAUDIOMETADATAKEY” column has the value “Headphones”.

 


[1] https://dfir.pubpub.org/pub/g2v1z97i/release/1

[2] https://belkasoft.com/knowledgec-database-forensics-with-belkasoft

[3] https://developer.apple.com/documentation/ios-ipados-release-notes/ios-12_2-release-notes

[4] https://doubleblak.com/blogPost.php?k=knowledgec

[5] https://github.com/checkra1n

[6] https://www.doubleblak.com/app.php?id=ArtEx2