Surviving Digital Forensics: iOS App Forensics - chat

Learn how to deconstruct iOS apps for forensic evidence.
4.6 (10 ratings)
405 students enrolled
Last updated 6/2014
30-Day Money-Back Guarantee
  • 2 hours on-demand video
  • 7 Supplemental Resources
  • Full lifetime access
  • Access on mobile and TV
  • Certificate of Completion
What Will I Learn?
Learn how third party apps store their data
Learn where evidence files will most likely be within the app's directories
Learn what tools to use to examine app data
Learn how to identify and interpret chat databases
Learn how to bulk convert epoch times into UTC or your local time
Learn how to bulk decode chat and call flags, such as sent, received, opened, unopened, etc
  • Mac or PC (Mac with PC virtual machine preferred)
  • MS Excel (optional for machine time conversion)

Welcome to the Surviving Digital Forensics training series. If you deal with iPhone evidence, then this class is for you. We are going to focus on learning how to deconstruct iOS third party applications. The concept is important to learn because, oftentimes, automated tools will miss this type of evidence or not parse it properly. We first spend some time learning how the evidence is organized and the tools (free or low cost of course!) to use to examine it. Once we have become familiar with this, we will learn how to break out chat from third party apps and manually connect the dots, convert machine times, and translate the database so it all makes sense and can be used as evidence. This is not that difficult to do; heck, this class is about two hours, so you will be up and deconstructing in no time. Speaking of time, we will also have a special focus on learning how to bulk convert those pesky machine time values using nothing but Excel. So, the next time you pull 100+ chat messages from a third party app database you can quickly bulk translate them into UTC or your local time zone.

As with past SDF classes, the curriculum starts with a brief presentation to go over important points and familiarize you with the process. After that it is all hands-on as we learn by doing. Videos will walk you through the process, step-by-step. All the source files for testing are provided.

Who is the target audience?
  • Computer Forensic Analysts
  • IT Professionals
  • Students
Curriculum For This Course
24 Lectures 02:00:21
Welcome & Introduction
2 Lectures 20:08

Before we get hands on, let's take a few moments to learn about the objects we will be working with. Once you understand how third party apps store the information we are looking for you may apply the technique to most any app.

Preview 20:08

1 page

Quiz #1
4 questions
Getting setup to deconstruct!
1 Lecture 03:40

We are going to use only low-cost/no-cost tools in the practical exercises. The following will show you how I set up my Windows and Mac systems for iOS app forensics.

Survival Gear Check
Textfree App Deconstruction
10 Lectures 48:26

Let's look at the chat app we are going to be working with, Textfree. This module will show you what it looks like from a user's point of view and point out some interesting facts about it. No two chat apps are the same; however, if you can forensically deconstruct this one, you have the skills to do the same to most other chat/messaging apps.

Overview of Textfree

Textfree Quiz
1 question

In this module we are going to take a closer look at the Plists associated with the app.

Plist Evidence

Plist Practical
1 page

Plist Quiz
2 questions

Textfree, like some other third party apps, allows users to make calls within the app. All information is stored within the app. Let's take a closer look.

Textfree call history

Sqlite Database Practical
1 page

What type of database is call history stored in?
1 question

iOS apps usually store dates and times in machine time. This is something your automated forensic tools decipher for you. Let's take a closer look at how to do this manually. Oftentimes I see this as the difference between making the case and not making the case, and if your tool fails, this becomes a skill to have.

Deciphering machine time

Now let's look at how these apps store messages and how to interpret the databases to turn the data into information.

Texting Evidence and databases

Texting Evidence Practical
1 page

Texting Quiz
3 questions

Let's go through the deciphering process again but this time we will look at a different type of machine time common in iOS apps.

Decoding machine time... again

It is important to remember to explore other databases to make associations with the table evidence. In this module we will see how this is true with the Textfree app.

Other databases
Bulk decoding machine time using MS Excel
10 Lectures 39:44

Exporting tables out of a database is fairly straightforward, but there are a few things to keep in mind in order to make life easier later. This module walks you through the process. Don't forget to download the attached document; it goes over all the steps we do in this section.

Exporting Database Tables

This section shows you the formula for bulk converting epoch time.

Bulk Converting Epoch Time to UTC

This section shows you the formula for bulk converting epoch time.

Bulk Converting Epoch Time to Local Time Zones

Time Conversion Practical
1 page

This section shows you the formula to bulk convert database flags.

Converting Database Flags

Flag Conversion Practical
1 page

Let's take a closer look at that call log database and figure out a way to convert the machine time using MS Excel.

Bulk Converting Mac Epoch Time Part 1

Let's take a closer look at that call log database and figure out a way to convert the machine time using MS Excel.

Bulk Converting Mac Epoch Time Part 2

Epoch Quiz
2 questions

The flag conversion in this database is more complicated to write out, but typical of what you are tasked to do in manual app forensics. Let me walk you through the formula and then you can try it on your own.

Converting Database Flags... again!

Last Practical
1 page
1 Lecture 01:23

Thanks for joining me in another edition of the Surviving Digital Forensics series!

Check out other classes of the SDF series at

Follow me on Twitter @LeclairDF to get the latest happenings of the SDF series.

Check out our Blog at

Check out our Youtube channel

Final Thoughts
About the Instructor
4.1 Average rating
290 Reviews
2,245 Students
15 Courses
Computer Forensic Analyst

Over twelve years of experience as a Computer Forensic Analyst, author and developer of computer forensic training and analysis tools. Specialties include: Windows forensics, Mac forensics, iOS forensics, Mac Server forensics & mobile device forensics. Creator of the "Surviving Digital Forensics" series and part of SUMURI's RECON for Mac OS X development team.

Certifications include: CFCE, CISSP, CCE, EnCE, A+, Network+

Regularly instruct law enforcement, government and corporate investigators both nationally and internationally in computer forensics.
