Health App GPS/Location Data (healthdb_secure.sqlite)

iOS, Location Data, Device Extraction, Cloud Control Plane

Location

HealthDomain/Health/healthdb_secure.sqlite

Description

Encrypted SQLite database storing Apple Health data including workout route GPS coordinates, step count timestamps, heart rate readings with location context, and activity data from the Health app and connected fitness devices. Workout routes contain detailed GPS tracks with latitude, longitude, altitude, speed, and timestamps recorded at frequent intervals during exercise activities.

Forensic Value

Health data provides granular location tracking through workout GPS routes that record the precise path traveled during exercise activities, with timestamps at sub-minute intervals. Step count and activity data with timestamps can corroborate or contradict claims about the user's physical location and activity level at specific times. Heart rate data may indicate stress responses correlating with specific events. The health database often contains months or years of historical data due to its large storage allocation. This artifact is frequently overlooked in investigations but can provide location and activity evidence that no other artifact captures.

Tools Required

iLEAPP, APOLLO, Cellebrite UFED, Magnet AXIOM, DB Browser for SQLite

Collection Commands

idevicebackup2

idevicebackup2 backup --full /forensics/ios_backup/

iLEAPP

python3 ileapp.py -t tar -i /path/to/backup -o /forensics/output/

APOLLO

python3 apollo.py -o /forensics/output/ -k ios -v health /path/to/extraction/

Collection Constraints

  • Availability depends on iOS version, device lock state, backup class, and extraction method. Many protected domains require a full filesystem extraction or sysdiagnose rather than a standard backup.
  • Mobile application data may be partially cached, excluded from backup, or pruned by the OS. Validate against the extraction type before treating gaps as meaningful.
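
Added example (not part of the original page or of any tool listed above): a Python check that separates "the Health database was never captured" from "the backup is unreadable or incomplete" before a gap is interpreted. It assumes an iTunes-style backup folder as written by idevicebackup2 with a readable Manifest.db (unencrypted or already decrypted); the status labels are this example's own.

```python
import hashlib
import sqlite3
from pathlib import Path

# Domain and relative path as given in the Location field above.
DOMAIN = "HealthDomain"
REL_PATH = "Health/healthdb_secure.sqlite"


def backup_file_id(domain=DOMAIN, rel_path=REL_PATH):
    """Payload name in an iTunes-style backup: SHA-1 of '<domain>-<relativePath>'."""
    return hashlib.sha1(f"{domain}-{rel_path}".encode("utf-8")).hexdigest()


def health_db_status(backup_dir, domain=DOMAIN, rel_path=REL_PATH):
    """Report whether the Health database is listed in, and present in, a backup."""
    backup = Path(backup_dir)
    result = {"file_id": backup_file_id(domain, rel_path), "status": "no_manifest", "size": 0}
    manifest = backup / "Manifest.db"
    if not manifest.is_file():
        return result
    try:
        # Read-only URI so the evidence copy is never written to.
        con = sqlite3.connect(manifest.resolve().as_uri() + "?mode=ro", uri=True)
        try:
            row = con.execute(
                "SELECT fileID FROM Files WHERE domain = ? AND relativePath = ?",
                (domain, rel_path),
            ).fetchone()
        finally:
            con.close()
    except sqlite3.DatabaseError:
        # Manifest is not a readable SQLite file, e.g. it is still encrypted.
        result["status"] = "manifest_unreadable"
        return result
    if row is None:
        # The manifest does not list the file, so this backup did not capture it.
        result["status"] = "not_in_backup"
        return result
    payload = backup / row[0][:2] / row[0]
    if not payload.is_file():
        result["status"] = "listed_but_missing"
    else:
        result["size"] = payload.stat().st_size
        result["status"] = "present" if result["size"] else "listed_but_empty"
    return result
```

Only a "present" result supports conclusions about the data itself; every other status describes the collection, not the user's activity.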

MITRE ATT&CK Techniques

T1636, T1430, T1426, T1005