File 0000000000000001.db? If that’s a file, where would you look?

When processing an Apple device, check the files located in /private/var/mobile/Library/WebKit/Databases.

The Databases.db file is a SQLite database file that contains a listing of databases. Its entries can include (https) Google Mail and Yahoo Mail. The corresponding file name is listed for each database entry.
The individual files are located in /private/var/mobile/Library/WebKit/Databases, with filenames similar to 0000000000000001.db. This SQLite database contains a full listing of the mail, including messages and full information about each message (to / from / subject / attachments / status (draft/deleted/trash/unread etc.)).
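
The lookup described above, as an added example that is not part of the original post: it reads Databases.db read-only, resolves each entry to its backing file, and lists that file's tables. The column names (origin, name, path), the per-origin subfolder layout, and the helpers open_ro and build_sample are assumptions made for illustration; the sample data is constructed.

```python
import os, sqlite3, tempfile
from contextlib import closing
from pathlib import Path

def open_ro(path):
    # Read-only URI open, so the working copy of the evidence is not modified.
    return sqlite3.connect(Path(path).resolve().as_uri() + "?mode=ro", uri=True)

def list_webkit_databases(root):
    """Return one dict per Databases.db row: origin, name, file, tables."""
    with closing(open_ro(os.path.join(root, "Databases.db"))) as index:
        # Assumed column names (origin, name, path); verify against the real schema.
        rows = index.execute(
            "SELECT origin, name, path FROM Databases ORDER BY guid").fetchall()
    results = []
    for origin, name, filename in rows:
        # Assumed layout: file sits in a per-origin subfolder or directly in root.
        candidates = [os.path.join(root, origin, filename), os.path.join(root, filename)]
        found = next((c for c in candidates if os.path.isfile(c)), None)
        tables = []
        if found:
            with closing(open_ro(found)) as db:
                tables = [r[0] for r in db.execute(
                    "SELECT name FROM sqlite_master WHERE type='table' ORDER BY name")]
        results.append({"origin": origin, "name": name, "file": found, "tables": tables})
    return results

def build_sample(root):
    """Constructed sample data (not from a real device) so the example runs offline."""
    origin = "https_mail.example.com_0"
    with closing(sqlite3.connect(os.path.join(root, "Databases.db"))) as idx:
        idx.execute("CREATE TABLE Databases (guid INTEGER PRIMARY KEY AUTOINCREMENT, "
                    "origin TEXT, name TEXT, displayName TEXT, estimatedSize INTEGER, path TEXT)")
        idx.executemany("INSERT INTO Databases (origin, name, path) VALUES (?, ?, ?)",
                        [(origin, "mailcache", "0000000000000001.db"),
                         ("http_video.example.com_0", "history", "0000000000000002.db")])
        idx.commit()
    os.mkdir(os.path.join(root, origin))
    with closing(sqlite3.connect(os.path.join(root, origin, "0000000000000001.db"))) as db:
        db.execute("CREATE TABLE cached_messages (id INTEGER, sender TEXT, subject TEXT)")
        db.commit()

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        for entry in list_webkit_databases(tmp):
            print(entry)
```

An entry whose file comes back as None is listed in Databases.db but has no backing file in the extraction, which is worth noting in the examination record.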

Information relating to Facebook and YouTube activities also can be found in these databases.

This can be a gold mine that is overlooked by many investigators.

Lee Reiber

About Lee Reiber

Pioneering mobile device forensic examiner, consultant and trainer, software development innovator and former LE officer with the Boise Police Department