Significant Locations / routined Cache (Cache.sqlite)

Location

Description

SQLite database maintained by the routined daemon containing significant locations visited by the device owner, learned location patterns, and place visit records. Stores latitude, longitude, altitude, horizontal accuracy, visit entry and exit timestamps, and place labels derived from reverse geocoding. This database powers the Significant Locations feature in iOS Settings.

Forensic Value

The routined cache provides the most comprehensive location history available on iOS devices, recording places the user visited with entry and exit timestamps that establish duration of stay. Location records persist for extended periods and may cover months of movement history. The data reveals home and work addresses, frequently visited locations, and travel patterns. Visit duration data distinguishes between brief stops and extended stays. This artifact is particularly valuable because it continues to record locations even when individual apps do not have location permission, as it operates at the system level using combined sensor data.

Tools Required

Collection Commands

idevicebackup2 backup --full /forensics/ios_backup/

python3 ileapp.py -t tar -i /path/to/backup -o /forensics/output/

python3 apollo.py -o /forensics/output/ -k ios -v routined /path/to/extraction/

Collection Constraints

• •Availability depends on iOS version, device lock state, backup class, and extraction method. Many protected domains require a full filesystem extraction or sysdiagnose rather than a standard backup.
• •Mobile application data may be partially cached, excluded from backup, or pruned by the OS. Validate against the extraction type before treating gaps as meaningful.

MITRE ATT&CK Techniques

References