Significant Locations / routined Cache (Cache.sqlite)

iosLocation DataDevice Extraction

Location

private/var/mobile/Library/Caches/com.apple.routined/Cache.sqlite

Description

SQLite database maintained by the routined daemon containing significant locations visited by the device owner, learned location patterns, and place visit records. Stores latitude, longitude, altitude, horizontal accuracy, visit entry and exit timestamps, and place labels derived from reverse geocoding. This database powers the Significant Locations feature in iOS Settings.

Forensic Value

The routined cache provides the most comprehensive location history available on iOS devices, recording places the user visited with entry and exit timestamps that establish duration of stay. Location records persist for extended periods and may cover months of movement history. The data reveals home and work addresses, frequently visited locations, and travel patterns. Visit duration data distinguishes between brief stops and extended stays. This artifact is particularly valuable because it continues to record locations even when individual apps do not have location permission, as it operates at the system level using combined sensor data.

Tools Required

iLEAPPAPOLLOCellebrite UFEDMagnet AXIOMDB Browser for SQLite

Acquisition Methods

checkm8 Physical Extraction (A5–A11)

ios — physical

iTunes/Finder Backup Acquisition

ios — logical

AFC (Apple File Conduit) Extraction

ios — logical

checkm8 Filesystem Extraction

ios — logical

iCloud Backup Acquisition

ios — cloud