Network Data Usage Per App (DataUsage.sqlite)

iOS, Network Traffic, Device Extraction

Location

private/var/wireless/Library/Databases/DataUsage.sqlite

Description

SQLite database tracking cellular and Wi-Fi data usage on a per-application basis. The ZPROCESS table maps process names and bundle identifiers to usage records, while the ZLIVEUSAGE table contains timestamped data transfer measurements including bytes sent (ZWIFIBYTESSENT, ZWWANBYTESSENT) and bytes received for both Wi-Fi and cellular connections.

Forensic Value

Data usage records reveal which applications transmitted and received the most data, identifying potential data exfiltration channels where an app sent unusually large volumes of data over cellular or Wi-Fi. Comparing upload volumes against download volumes per application identifies apps with disproportionate outbound traffic characteristic of data theft. The per-process granularity attributes network usage to specific applications, enabling identification of the app responsible for suspicious transfers. Historical usage data spanning weeks or months reveals changes in data transfer patterns that may correlate with the start of malicious activity. First and last seen timestamps for each process establish the active usage period of each application.
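The upload-versus-download comparison described above, as an added example that is not part of the original page or of any tool it lists. The join column ZHASPROCESS, the ZPROCESS columns (ZPROCNAME, ZBUNDLENAME, ZFIRSTTIMESTAMP, ZTIMESTAMP), the ZWIFIIN/ZWIFIOUT/ZWWANIN/ZWWANOUT names, the Core Data time base and the thresholds are assumptions, and the sample rows are constructed; confirm the schema on the evidence copy.

```python
import sqlite3

COCOA_EPOCH = 978307200  # seconds from 1970-01-01 to 2001-01-01 (assumed Core Data time base)
# Candidate column names per counter. ZWIFIBYTESSENT/ZWWANBYTESSENT are the names
# this page gives; the rest are assumptions to confirm with PRAGMA table_info.
CANDIDATES = {"wifi_out": ("ZWIFIOUT", "ZWIFIBYTESSENT"), "wwan_out": ("ZWWANOUT", "ZWWANBYTESSENT"),
              "wifi_in": ("ZWIFIIN",), "wwan_in": ("ZWWANIN",)}

def resolve_columns(con):
    """Map each counter to the column actually present in this ZLIVEUSAGE table."""
    present = {row[1] for row in con.execute("PRAGMA table_info(ZLIVEUSAGE)")}
    cols = {}
    for key, names in CANDIDATES.items():
        found = [n for n in names if n in present]
        if not found:
            raise LookupError(f"no known column for {key}; inspect the schema by hand")
        cols[key] = found[0]
    return cols

def upload_heavy(con, min_sent=1_000_000, min_ratio=3.0):
    """Per-process totals where bytes sent are at least min_ratio times bytes received."""
    c = resolve_columns(con)
    rows = con.execute(f"""
        SELECT p.ZPROCNAME, p.ZBUNDLENAME,
               SUM(COALESCE(u.{c['wifi_out']}, 0) + COALESCE(u.{c['wwan_out']}, 0)),
               SUM(COALESCE(u.{c['wifi_in']}, 0) + COALESCE(u.{c['wwan_in']}, 0)),
               datetime(p.ZFIRSTTIMESTAMP + {COCOA_EPOCH}, 'unixepoch'),
               datetime(p.ZTIMESTAMP + {COCOA_EPOCH}, 'unixepoch')
        FROM ZLIVEUSAGE u JOIN ZPROCESS p ON p.Z_PK = u.ZHASPROCESS
        GROUP BY p.Z_PK ORDER BY 3 DESC""").fetchall()
    # Rows: (process, bundle id, sent, received, first seen UTC, last seen UTC)
    return [r for r in rows if r[2] >= min_sent and r[2] >= min_ratio * max(r[3], 1)]

def build_sample():
    """Constructed in-memory database standing in for a working copy of the evidence."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE ZPROCESS (Z_PK INTEGER PRIMARY KEY, ZPROCNAME TEXT, ZBUNDLENAME TEXT,
                               ZFIRSTTIMESTAMP REAL, ZTIMESTAMP REAL);
        CREATE TABLE ZLIVEUSAGE (Z_PK INTEGER PRIMARY KEY, ZHASPROCESS INTEGER, ZTIMESTAMP REAL,
                                 ZWIFIIN REAL, ZWIFIOUT REAL, ZWWANIN REAL, ZWWANOUT REAL);
        INSERT INTO ZPROCESS VALUES (1, 'browser', 'com.example.browser', 700000000, 700600000),
                                    (2, 'notes', 'com.example.notes', 700300000, 700600000);
        INSERT INTO ZLIVEUSAGE VALUES (1, 1, 700100000, 90000000, 4000000, 10000000, 500000),
                                      (2, 2, 700400000, 200000, 30000000, NULL, 12000000),
                                      (3, 2, 700500000, 100000, 8000000, 50000, NULL);
    """)
    return con

if __name__ == "__main__":
    print(*upload_heavy(build_sample()), sep="\n")
```

On a real case, pass a connection to a hashed working copy of DataUsage.sqlite instead of `build_sample()`, and treat a flagged process as a lead to corroborate rather than a finding.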

Tools Required

iLEAPP, APOLLO, Cellebrite UFED, Magnet AXIOM, DB Browser for SQLite

Collection Commands

idevicebackup2

idevicebackup2 backup --full /forensics/ios_backup/

iLEAPP

python3 ileapp.py -t tar -i /path/to/backup -o /forensics/output/

APOLLO

python3 apollo.py -o /forensics/output/ -k ios -v datausage /path/to/extraction/

Collection Constraints

  • Availability depends on iOS version, device lock state, backup class, and extraction method. Many protected domains require a full filesystem extraction or sysdiagnose rather than a standard backup.
  • Mobile application data may be partially cached, excluded from backup, or pruned by the OS. Validate against the extraction type before treating gaps as meaningful.

MITRE ATT&CK Techniques

T1421, T1422, T1636, T1426