The Shifting iOS Acquisition Landscape
Cellebrite published an article this week noting that iOS 26 effectively ends physical jailbreaking as a viable forensic acquisition path.
What this means for mobile forensics:
- Full filesystem extractions from modern iOS devices increasingly require either the device's passcode + GrayKey/Cellebrite UFED, or other licensed platforms
- Logical and advanced logical acquisitions remain viable for many cases, but they don't reach the same locations as a full filesystem extraction
iOS Battery Artifact Path:
Battery data is one of those iOS artifact categories that can be useful for pattern-of-life analysis.
Located at:
/private/var/db/Battery/BDC/
Inside this directory you'll find a collection of CSV files. The ones of forensic interest have the prefix BDC_SBC — these are the only files in the folder that include battery percentages and human-readable fields.
Key Fields in BDC_SBC CSV Files
| Field | Description | Forensic Significance |
|---|---|---|
| TimeStamp | Event timestamp | Primary timeline anchor for all battery events |
| Current Capacity | Raw battery capacity (%) | Tracks charge level across time — useful for device usage timelines |
| IsCharging | Boolean charging status | Proves device was plugged in at specific times |
| Temperature | Phone temperature in C × 1000 | Abnormal heat can indicate sustained CPU load (e.g., encryption, crypto mining, heavy app use) |
| Amperage | Current draw in mA (negative = draining, positive = charging) | Differentiates passive standby from active use; identifies fast vs. slow charging |
| Voltage | Voltage in mV | Combined with amperage, can indicate charging watt profile |
| StateOfCharge | Battery percentage as shown in iOS UI | Corroborates screenshots or user claims about charge level |
| Watts | Wattage input during charging | Identifies slow charging (5W) vs. fast charging (20W+) |
What You Can Establish From This Data
Charging timeline: IsCharging combined with TimeStamp creates a precise record of when the device was connected to power.
Active use vs. standby: A device in standby draws minimal current (low negative amperage, stable temperature). Sustained, higher-magnitude negative amperage combined with elevated temperature indicates active use: CPU-intensive processes running, app activity, or communication. This can challenge an alibi claim of "the phone was just sitting there."
Charging speed as a charger identifier: Fast chargers (20W+) produce a distinct wattage signature vs. standard 5W USB charging. In cases where charger type matters (e.g., travel location, specific hardware correlation), the Watts field may help.
Temperature anomalies: Sustained high temperature periods can indicate background processes running when the user claims the device was idle. Combined with other app activity artifacts, this can paint a fuller picture.
Multiple Files = Extended Timeline Coverage
The BDC directory typically contains multiple CSV files compiled across different date ranges. Correlate the timestamps across files to build a continuous battery timeline for the investigation period.
For manual review: the CSV files can be opened directly in any spreadsheet application. Filter by IsCharging to isolate charging windows, sort by TimeStamp to build a chronological view, and flag rows where Temperature exceeds expected idle thresholds (roughly 25,000–35,000 in the raw C×1000 scale, depending on ambient conditions).
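The same triage can be scripted. The following is an added example, not code from the original post or from any vendor tool: it parses BDC_SBC-style CSV text using the column names from the table above, merges overlapping files into one timeline, derives charging windows from IsCharging transitions, flags rows above the 35,000 (C×1000) idle ceiling quoted in the text, and classifies each sample as standby, active, or charging. The sample rows are constructed, the ISO timestamp format and the 200 mA standby cut-off are assumptions, and the real files should be checked for their exact header names before use.

```python
import csv
import io
from datetime import datetime

# Constructed sample data (not from a real device). Column names follow the
# field table above; the timestamp format and value scales are assumptions.
SAMPLE_FILE_A = """TimeStamp,Current Capacity,IsCharging,Temperature,Amperage,Voltage,StateOfCharge,Watts
2025-03-01T08:00:00Z,42,0,27500,-85,3810,42,0
2025-03-01T08:05:00Z,41,0,27600,-90,3805,41,0
2025-03-01T08:10:00Z,40,0,31200,-1150,3790,40,0
2025-03-01T08:15:00Z,38,0,36100,-1320,3770,38,0
2025-03-01T08:20:00Z,38,1,29800,1900,4050,38,20
2025-03-01T08:25:00Z,45,1,30100,1850,4100,45,20
"""
# Second file overlaps the first by one row, as consecutive BDC exports may.
SAMPLE_FILE_B = """TimeStamp,Current Capacity,IsCharging,Temperature,Amperage,Voltage,StateOfCharge,Watts
2025-03-01T08:25:00Z,45,1,30100,1850,4100,45,20
2025-03-01T08:30:00Z,52,1,30300,1800,4120,52,20
2025-03-01T08:35:00Z,58,0,28900,-95,4080,58,0
"""

IDLE_TEMP_MAX = 35000        # upper end of the idle range given in the text (C x 1000)
STANDBY_AMPERAGE_MA = 200    # assumed: discharge below this magnitude counts as standby
FAST_CHARGE_WATTS = 18       # assumed cut-off between 5W-class and 20W+ charging


def parse_bdc_csv(text):
    """Parse one BDC_SBC CSV into typed rows, oldest first."""
    rows = []
    for rec in csv.DictReader(io.StringIO(text)):
        rows.append({
            "ts": datetime.strptime(rec["TimeStamp"].strip(), "%Y-%m-%dT%H:%M:%SZ"),
            "capacity": int(rec["Current Capacity"]),
            "charging": rec["IsCharging"].strip().lower() in ("1", "true", "yes"),
            "temp": int(rec["Temperature"]),
            "amperage": int(rec["Amperage"]),
            "voltage": int(rec["Voltage"]),
            "soc": int(rec["StateOfCharge"]),
            "watts": float(rec["Watts"]),
        })
    rows.sort(key=lambda r: r["ts"])
    return rows


def merge_files(*texts):
    """Combine several CSV exports into one timeline, collapsing duplicate timestamps."""
    by_ts = {}
    for text in texts:
        for row in parse_bdc_csv(text):
            by_ts.setdefault(row["ts"], row)   # first copy of an overlapping row wins
    return [by_ts[ts] for ts in sorted(by_ts)]


def classify(row):
    """Label a sample as charging, fast-charging, standby or active."""
    if row["charging"]:
        return "fast-charging" if row["watts"] >= FAST_CHARGE_WATTS else "charging"
    if abs(row["amperage"]) <= STANDBY_AMPERAGE_MA and row["temp"] <= IDLE_TEMP_MAX:
        return "standby"
    return "active"   # heavy draw and/or heat while unplugged


def charging_windows(rows):
    """Return (start, end) pairs of samples during which IsCharging was set.

    The true plug/unplug moments fall between samples, so start is the first
    charging sample and end the last one; the neighbouring samples bound them.
    """
    windows, start, last = [], None, None
    for row in rows:
        if row["charging"]:
            start = start or row["ts"]
            last = row["ts"]
        elif start is not None:
            windows.append((start, last))
            start = last = None
    if start is not None:
        windows.append((start, last))   # still plugged in at end of data
    return windows


def hot_rows(rows, threshold=IDLE_TEMP_MAX):
    """Rows whose Temperature exceeds the idle ceiling, for manual follow-up."""
    return [r for r in rows if r["temp"] > threshold]


if __name__ == "__main__":
    timeline = merge_files(SAMPLE_FILE_A, SAMPLE_FILE_B)
    for r in timeline:
        print(r["ts"].isoformat(), r["soc"], r["temp"], r["amperage"], classify(r))
    print("charging windows:", charging_windows(timeline))
    print("hot samples:", [r["ts"].isoformat() for r in hot_rows(timeline)])
```

Run against real exports, replace the sample strings with the contents of each BDC_SBC file and confirm the header names and timestamp format first; the classification thresholds are starting points to be tuned against known-idle periods for the specific device rather than fixed rules.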
Battery data can be useful evidence: the user doesn't delete it, and it is recorded continuously. It does, however, require a full filesystem extraction.