Network Usage Statistics (netusage.sqlite)

iOS, Network Traffic, Device Extraction

Location

private/var/networkd/netusage.sqlite

Description

SQLite database maintained by the networkd daemon tracking network route and interface usage statistics. Records data transfer volumes per network route, connection timestamps, network interface types (Wi-Fi, cellular, VPN), and associated process identifiers. Provides lower-level network usage tracking than DataUsage.sqlite with route-specific detail.

Forensic Value

The netusage database provides network connection detail at the route level, revealing which network destinations each application communicated with and over which interface type. VPN tunnel usage recorded in this database identifies when VPN connections were active and how much data traversed them. Route-specific data volumes can identify communication with specific network endpoints. The combination of process identifiers, interface types, and timestamps enables reconstruction of which apps used the network, when, and over what type of connection. This artifact is particularly valuable for identifying covert communication channels and data exfiltration that may not be visible in higher-level usage databases.
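
The per-process, per-interface reconstruction described above, as an added example that is not part of the original page: it joins process records to their usage counters, converts Core Data timestamps to UTC, and ranks processes by outbound volume. The table and column names (ZPROCESS, ZLIVEUSAGE, ZHASPROCESS, ZWIFIIN and the other counters) are assumptions about the schema, which this page does not list and which can differ between iOS versions; only Wi-Fi and cellular counters are covered, and the sample rows are constructed.

```python
import sqlite3
from datetime import datetime, timedelta, timezone
from pathlib import Path

# Core Data stores timestamps as seconds since 2001-01-01 00:00:00 UTC.
COCOA_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)

# Assumed schema (not from the page): ZPROCESS and ZLIVEUSAGE joined on ZHASPROCESS.
QUERY = """
SELECT p.ZPROCNAME, p.ZBUNDLENAME, p.ZFIRSTTIMESTAMP, u.ZTIMESTAMP,
       COALESCE(u.ZWIFIIN, 0), COALESCE(u.ZWIFIOUT, 0),
       COALESCE(u.ZWWANIN, 0), COALESCE(u.ZWWANOUT, 0)
FROM ZLIVEUSAGE u LEFT JOIN ZPROCESS p ON p.Z_PK = u.ZHASPROCESS
"""

def cocoa_to_utc(ts):
    """Convert a Core Data timestamp to a UTC string; NULL stays None."""
    if ts is None:
        return None
    return (COCOA_EPOCH + timedelta(seconds=ts)).strftime("%Y-%m-%d %H:%M:%S")

def open_evidence(path):
    """Open a working copy read-only so the query cannot alter it."""
    return sqlite3.connect(Path(path).resolve().as_uri() + "?mode=ro", uri=True)

def usage_by_process(conn):
    """Return per-process usage rows, largest outbound volume first."""
    rows = [{"process": name, "bundle": bundle,
             "first_seen": cocoa_to_utc(first), "last_seen": cocoa_to_utc(last),
             "wifi_in": wi, "wifi_out": wo, "wwan_in": ci, "wwan_out": co,
             "bytes_out": wo + co}
            for name, bundle, first, last, wi, wo, ci, co in conn.execute(QUERY)]
    return sorted(rows, key=lambda r: r["bytes_out"], reverse=True)

def build_sample():
    """Constructed sample data, not taken from a real device."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
    CREATE TABLE ZPROCESS (Z_PK INTEGER PRIMARY KEY, ZPROCNAME TEXT,
        ZBUNDLENAME TEXT, ZFIRSTTIMESTAMP REAL);
    CREATE TABLE ZLIVEUSAGE (Z_PK INTEGER PRIMARY KEY, ZHASPROCESS INTEGER,
        ZTIMESTAMP REAL, ZWIFIIN INTEGER, ZWIFIOUT INTEGER,
        ZWWANIN INTEGER, ZWWANOUT INTEGER);
    INSERT INTO ZPROCESS VALUES (1, 'examplechat', 'com.example.chat', 700000000.0),
        (2, 'examplesync', 'com.example.sync', 700000100.0);
    INSERT INTO ZLIVEUSAGE VALUES (1, 1, 700003600.0, 1000, 2000, 0, 0),
        (2, 2, 700007200.0, 500, 40, 300, 9000000);
    """)
    return conn
```

For a real extraction, pass a working copy of the database to open_evidence() and hand the connection to usage_by_process(); check the table list first, since the assumed names may not match the iOS version examined.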

Tools Required

iLEAPP, APOLLO, Cellebrite UFED, Magnet AXIOM, DB Browser for SQLite

Collection Commands

idevicebackup2

idevicebackup2 backup --full /forensics/ios_backup/

iLEAPP

python3 ileapp.py -t tar -i /path/to/backup -o /forensics/output/

APOLLO

python3 apollo.py -o /forensics/output/ -k ios -v netusage /path/to/extraction/

Collection Constraints

  • Availability depends on iOS version, device lock state, backup class, and extraction method. Many protected domains require a full filesystem extraction or sysdiagnose rather than a standard backup.
  • Mobile application data may be partially cached, excluded from backup, or pruned by the OS. Validate against the extraction type before treating gaps as meaningful.

MITRE ATT&CK Techniques

T1421, T1422, T1636, T1426