Introduction

Perhaps it is becoming a bit of a cliché, but it remains true that as technology evolves it continues to become more integrated with our lives. Never has this been so apparent as with the development of the first smartphone. These precious devices seemingly never leave the possession of their owners and often receive more interaction than human companions. It should be no surprise then that a smartphone can supply investigators with a great deal of insight into its owner. For example, messages may provide insight into the state of mind of the owner or knowledge of particular facts. They may even shed light on previously unknown information. Location history is another useful artifact we can extract from these devices, and it can help validate an individual's alibi. We will learn to extract this information and more.

SQLite databases are a common source of evidentiary value on smartphones. These databases serve as the de facto storage for applications in most smartphone operating systems. For this reason, many scripts in this chapter will focus on teasing out data and drawing inferences from these databases. In addition, we will learn how to process PLIST files, commonly used with Apple operating systems, including iOS, and extract relevant data from them. The scripts in this chapter focus on solving specific problems and are ordered by complexity:

  • Learning to process XML and binary PLIST files
  • Using Python to interact with SQLite databases
  • Identifying missing gaps in SQLite databases
  • Converting an iOS backup into a human-readable format
  • Processing output from Cellebrite and performing Wi-Fi MAC address geolocation lookups with WiGLE
  • Identifying potentially intact deleted content from SQLite databases
Visit www.packtpub.com/books/content/support to download the code bundle for this chapter.