Battery & Power Usage Log (CurrentPowerlog.PLSQL)

Location

Description

SQLite database maintained by the batterystats daemon logging detailed power consumption data per application and system component. Records app usage durations, screen-on time, CPU usage per process, network data transfer volumes, GPS usage, audio playback, and camera usage, all timestamped at regular intervals. The database contains multiple tables organized by power consumer type.

Forensic Value

The PowerLog database provides an independent record of application usage with timestamps that corroborates or supplements knowledgeC.db and Biome data. Network data transfer volumes per application can identify apps that transmitted or received unusually large amounts of data, relevant to data exfiltration investigations. GPS usage records per app reveal which applications were actively tracking location. Camera and microphone usage timestamps identify when recording may have occurred. The PowerLog often retains several weeks of historical data and captures app activity metrics that no other single artifact provides in one place.

Tools Required

Collection Commands

idevicebackup2 backup --full /forensics/ios_backup/

python3 ileapp.py -t tar -i /path/to/backup -o /forensics/output/

python3 apollo.py -o /forensics/output/ -k ios -v powerlog /path/to/extraction/

Collection Constraints

• •Availability depends on iOS version, device lock state, backup class, and extraction method. Many protected domains require a full filesystem extraction or sysdiagnose rather than a standard backup.
• •Mobile application data may be partially cached, excluded from backup, or pruned by the OS. Validate against the extraction type before treating gaps as meaningful.

MITRE ATT&CK Techniques

References