Abstract
How to Use iOS Bluetooth Connections to Solve Crimes Faster
Highlights
Forensics Question: We aim to educate those working iOS investigations on the primary files that are used to track Bluetooth connectivity and to provide a deeper understanding of the timestamp formats
Proving whether a driver was distracted before a fatal accident occurred is a common request
Were they really connected to Bluetooth? How can you be sure? What about a “seen” Bluetooth device? Can you leverage that to put a suspect in an approximate location at a point in time? Yes, you can
Summary
Matt and I could have worked on this together in 2018, but we weren’t aware we were both researching the same thing, which is a common theme in DFIR In this scenario, the detective needed to know how to determine the correct time from an iOS plist. What is stored in each f ile com.apple.MobileBluetooth.ledevices.other.db: This database tracks low energy devices the iOS device detected or came into range with. Low energy includes devices that stay in a “sleep mode” and wake up when connected They operate on a different band from normal Bluetooth. Com.apple.MobileBluetooth.devices.plist: This plist tracks paired devices and last-detected times This is one of the most important files that requires attention for pairing!
Sign-in/Register to view highlights & summary Sign-in/Register to access full text options 
Talk to us
Join us for a 30 min session where you can share your feedback and ask us any queries you have
Schedule a call
