Behind the Bytes: Exploring the World of Digital Forensics Incident Response

Reviewing the new iOS Apple Health Workout Artifact through Magnet AXIOM 7.3

If you are like me, you likely follow Magnet Forensics for software updates and new or improved artifacts. Last month, Magnet Forensics announced the release of Magnet AXIOM 7.3, and among the list of improvements was a new iOS artifact for Apple Health Workout. As someone who has done a good bit of research, SQL querying, and XML work with Apple Health Workout data, I was immediately interested in updating my software and parsing some data.

Software:

Magnet AXIOM, Version 7.3.0.36507 and 7.2.0.36145

Data Parsing:

Because I have been reviewing this data for a while, I had a few healthdb_secure.sqlite databases to process with Magnet AXIOM Process, but for good measure I also obtained a current version of the database from iOS 16.5. Ultimately, I processed two versions of the database, one from iOS 15.0.2 and the other from iOS 16.5.

Note: To achieve faster processing times for this purpose, you can recreate a portion of the file system instead of processing a Full File System Extraction. For example, my evidence source was a compressed folder containing a folder titled “Health,” which in turn contained the healthdb_secure.sqlite database and related files. Once your .zip is created, you can load it into Magnet AXIOM Process just as you would normally load your evidence.

One of the features that has made me a big fan of Magnet Forensics is that empty values are not shown within the artifact details. Or, put another way, if data for a column is not present, there will be no header and blank area for it within the artifact information details view. This still holds when reviewing Apple Health data and is a terrific help when reviewing hundreds of thousands of artifacts.

First Thoughts:

The added support for the Apple Health Distance, Apple Health Floors, Apple Health Heart Rate, and Apple Health Steps artifacts is subtle but beneficial.

Magnet AXIOM 7.2 supported these artifacts; however, device attribution data ended with the Model ID.

Magnet AXIOM 7.3 parses the Model ID, the Source Type, and the Bundle ID, if these values are present. Within my tested data the Model ID values revealed which data was recorded by the iPhone versus the Watch, while the added Source Type returned the user-assigned name of the iPhone or Watch that generated the data.

So, where 7.2 would return Model ID “Watch3,2”, 7.3 could return Model ID “Watch3,2” and Source Type “James’ Apple Watch”, or some other very creatively named device.

My point here is that the added data gets you one step closer to the likely user of the device at the time of activity. So, beyond external factors such as the device being seized from the residence of, or off the person of, John Smith, you could have internal data such as “John’s Apple Watch,” a small but welcome addition. This was present for Distance, Floors, Heart Rate, and Steps and supported for both the iOS 15 and iOS 16 versions of the database.

Apple Health Workout:

The thing I like best about the Apple Health Workout artifact is that it is finally supported within Magnet AXIOM Process’s default artifact selection, with Apple Health checked automatically. If Apple Health Workout data is present in the extraction, it will be parsed unless the user deselects the Apple Health artifact.

Magnet AXIOM Parsing Review:

Reviewing one workout we can see the duration of the workout in minutes, the starting timestamp, the ending timestamp, and the Model ID of the device that generated the data.

At the heart of it, this parsing provides the vital information you need when comparing this data to other information from the device for pattern-of-life analysis, possible user attribution, or alibi confirmation – the timestamps being the big thing. They portray a period in which an Apple Health Workout took place, and the duration is parsed as well. It is important to note that this artifact supports both the iOS 15 and iOS 16 versions of the database.

What I also like about the Apple Health Workout artifact is that there is a ton of potential in it. Magnet Forensics is a company that continually improves and refines its artifacts and application support, so I am confident we will see updates to this artifact as well.

Suggested Improvements:

Outside of their software, one of Magnet Forensics’ best resources is their Artifact Exchange. This is something I have long been a supporter and fan of, submitting artifacts to the exchange when possible.

Once you have access to the Magnet Forensics Customer Support page, you can access the Artifact Exchange, where you can download custom artifacts created by others in the DFIR community or upload your own. Magnet Forensics even offers a free tool to assist in creating custom artifacts, the MAGNET Custom Artifact Generator.

Reviewing this new artifact inspired me to revisit a custom artifact for Apple Health Workouts that I created just about a year ago. At the time, the artifact parsed Workouts, Heart Rate, Calories Burned, Distance Traveled, Steps Taken, Flights Climbed, Height, and Weight. More information about my work in this area is available here.

Upon revisiting the artifact, I made several changes: support was added for both iOS 15 and iOS 16; Heart Rate and other values were removed so as not to duplicate Magnet AXIOM’s default parsing; Workout Location Data and Location Data Analysis were added; and Height and Weight were kept, as they are not currently supported.

Note: This custom artifact is pending approval and addition to the Artifact Exchange. Contributions to Magnet Forensics’ Artifact Exchange discussed within this work follow the contribution terms of use located on the community’s Artifact Exchange upload page. Metadata Forensics, LLC, within this work, outlines the following custom artifact solely for awareness of its capabilities and does not profit from or collect any form of compensation through the use or submission of the custom artifact.

Custom Artifact Parsing:

Looking at the same Apple Health Workout data, parsed through the custom artifact:

Again, the most important information is the starting and ending timestamps of the workout, but the additional data provides a fuller picture of what occurred during these 18 minutes and 34 seconds. We also have the location data for the start of the workout, which we can see was an Outdoor/Indoor Walk.

Not shown above, this artifact also supports parsing of the temperature in degrees Fahrenheit and the humidity percentage. These values were not present in this data set and therefore were not parsed.

The metadata_keys table of the healthdb_secure.sqlite database holds key values for other data points as well, such as Average METs, Max Heart Rate, Average Heart Rate, Max Ground Elevation, Min Ground Elevation, Elevation Ascended, etc. Custom artifacts seemingly do not allow more than 15 columns of data, so these values were not included; however, the artifact could be changed should the column limit increase or if these values were prioritized above other data points within the artifact.

A Quick Look at Location Data through the Custom Artifact:

Loading a custom artifact into your processing can add a single artifact or numerous artifacts, depending on how the XML or Python script was written. In this case, the custom artifact contains a total of six artifacts: the iOS 15 and iOS 16 versions of the above Workout artifact, an Apple Fitness Workout Location Data artifact, an Apple Fitness Workout Location Data Analysis artifact, Height, and Weight. The majority of these artifacts are covered through the earlier article linked above, and the new location data and analysis artifacts are covered below.

Apple Fitness Workout Location Data:

As a quick reference, the iOS 16 version of the healthdb_secure.sqlite database can store location data at an average of one location point per second during an ongoing workout. Visually, the location data for the workout reviewed above displays as follows:

Through Magnet AXIOM Examine’s World Map View (individual points rather than clusters), we can review 219 location points for the Outdoor/Indoor Walk, which we can interpret as an Outdoor Walk given the visual display.

You may ask: if a location data point is captured each second during an ongoing workout, and this workout was 18 minutes and 34 seconds in duration, why were only 219 location points generated?

The answer lies within our Apple Fitness Workout Location Data Analysis artifact for the Workout, as displayed through Magnet AXIOM Examine:

Reviewing the minimum and maximum location timestamps, that is, the first and last timestamps for individual location points within the workout, we can see the answer as to why only 219 location points were captured. This workout was not initiated by the user; instead, it was suggested by the Watch as a possible ongoing workout activity, and the user approved it at about 4:31:28 PM on 3/31/2023. From that point to the end of the workout about 218 seconds passed, and 219 location points were recorded within the database.

Processing our data with the Apple Fitness Workout Location Data and Apple Fitness Workout Location Data Analysis artifacts from our custom artifact provides a wealth of location data as well as information on how the workout was initiated.
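The check described above, setting the workout's start and end beside the first and last location timestamps, as an added example that is not part of the original article or the custom artifact. The values are constructed from the figures quoted above (18 m 34 s duration, 219 points, acceptance at 4:31:28 PM); the real healthdb_secure.sqlite schema is not reproduced, and the 60-second gap threshold is an assumption.

```python
from datetime import datetime, timedelta

# Constructed sample values modelled on the figures quoted in the article; these
# are not rows copied from healthdb_secure.sqlite, and the real schema is not
# reproduced here, only the timestamps the analysis needs.
WORKOUT_END = datetime(2023, 3, 31, 16, 35, 6)            # 218 s after 4:31:28 PM
WORKOUT_START = WORKOUT_END - timedelta(minutes=18, seconds=34)
FIRST_LOCATION = datetime(2023, 3, 31, 16, 31, 28)         # suggestion accepted here
LOCATION_TIMESTAMPS = [FIRST_LOCATION + timedelta(seconds=i) for i in range(219)]


def analyze_workout_locations(start, end, points, gap_threshold_s=60):
    """Set a workout's time span beside the span of its location samples.

    Returns the figures an examiner wants side by side: how many points exist,
    how many a one-sample-per-second recording over the whole workout would
    have produced, and how long after the workout start the first point falls.
    """
    duration_s = int((end - start).total_seconds())
    result = {
        "duration_s": duration_s,
        "expected_at_1hz": duration_s + 1,   # inclusive of both end points
        "point_count": len(points),
        "first_point": None, "last_point": None,
        "span_s": None, "lead_gap_s": None,
        "review_flag": None,
    }
    if not points:
        result["review_flag"] = "no location samples recorded for this workout"
        return result
    first, last = min(points), max(points)
    result.update(first_point=first, last_point=last,
                  span_s=int((last - first).total_seconds()),
                  lead_gap_s=int((first - start).total_seconds()))
    if result["lead_gap_s"] > gap_threshold_s:
        # Sampling only began well into the workout: consistent with a workout the
        # Watch suggested and the user accepted later, as in the article's example.
        result["review_flag"] = (
            "location sampling starts %d s after the workout start; compare the "
            "minimum location timestamp with the workout start before treating "
            "the whole span as user-initiated activity" % result["lead_gap_s"])
    elif len(points) < result["span_s"] + 1:
        result["review_flag"] = "fewer samples than seconds in the recorded span"
    return result


if __name__ == "__main__":
    r = analyze_workout_locations(WORKOUT_START, WORKOUT_END, LOCATION_TIMESTAMPS)
    for key, value in r.items():
        print("%-16s %s" % (key, value))
```

For the constructed workout the lead gap comes out at 896 seconds against a 1114-second duration, which is the discrepancy the Location Data Analysis artifact surfaces through its minimum and maximum location timestamps.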

Conclusion:

Magnet Forensics’ new Apple Health Workout artifact is very exciting and has the potential to add important new data to investigations. Because the artifact is included in processing by default, the data will be parsed whenever it is present, and these time periods of activity could have a big impact on investigations. After all, no artifact is pertinent until it is pertinent. I look forward to seeing how this artifact advances and what future updates Magnet Forensics adds!
