App Location Access History (clients.plist)

iosLocation DataDevice Extraction

Location

RootDomain/Library/Caches/locationd/clients.plist

Description

Property list file maintained by the locationd daemon recording which applications have requested and received location data. For each app bundle identifier, it stores the authorization status (always, when in use, denied), the timestamp of the last location request, the number of location requests made, and the distance filter and accuracy settings used.

Forensic Value

The clients.plist reveals which applications were actively tracking the user location and how aggressively, with request counts and accuracy levels distinguishing between normal app usage and potential stalkerware behavior. Applications requesting high-accuracy location data at frequent intervals may indicate surveillance software. The authorization status history shows if the user knowingly granted location access. Correlating app bundle IDs with installed application lists identifies location-tracking apps including those that may have been subsequently uninstalled. Timestamps of last location requests help establish when tracking applications were last active.

Tools Required

iLEAPPAPOLLOCellebrite UFEDplist EditorMagnet AXIOM

Acquisition Methods

checkm8 Physical Extraction (A5–A11)

ios — physical

iTunes/Finder Backup Acquisition

ios — logical

AFC (Apple File Conduit) Extraction

ios — logical

checkm8 Filesystem Extraction

ios — logical

iCloud Backup Acquisition

ios — cloud