Known Wi-Fi Networks (com.apple.wifi.known-networks.plist)

Location

Description

Property list file containing records of all Wi-Fi networks the device has previously connected to. Each network entry includes the SSID, BSSID (access point MAC address), security type (WPA2, WPA3, Open), first joined timestamp, last joined timestamp, and network usage data. Enterprise network entries may include additional EAP configuration details.

Forensic Value

Known Wi-Fi networks establish the physical locations where the device has been used by correlating SSIDs and BSSIDs with known access point locations via wardriving databases or organizational records. The first and last joined timestamps create a location timeline spanning the entire period the device has been in use. Connections to suspicious open networks, rogue access points, or networks associated with adversary infrastructure indicate potential compromise vectors. Enterprise Wi-Fi configurations may contain certificate and credential information relevant to network access investigations.

Tools Required

Collection Commands

idevicebackup2 backup --full /forensics/ios_backup/

python3 ileapp.py -t tar -i /path/to/backup -o /forensics/output/

ideviceinfo -u <UDID> -q com.apple.mobile.wireless_lockdown > wifi_info.txt

Collection Constraints

• •Availability depends on iOS version, device lock state, backup class, and extraction method. Many protected domains require a full filesystem extraction or sysdiagnose rather than a standard backup.
• •Mobile application data may be partially cached, excluded from backup, or pruned by the OS. Validate against the extraction type before treating gaps as meaningful.

MITRE ATT&CK Techniques

References