When Apple originally released the Find My app (the source of Find My artifacts) in 2019, it was limited to locating user devices, but the app has since expanded to find more than just users’ devices. AirTag data, for example, has also been included in the Find My app since AirTags were released in 2021.
If you haven’t upgraded yet, make sure to head over to the Customer Portal or upgrade within AXIOM/AXIOM Cyber today!
The Potential to Collect and Analyze New Sources of Data
As IoT devices continue to grow in availability, the potential to collect and analyze new sources of forensically relevant data is quite exciting! With AXIOM and AXIOM Cyber, examiners can find artifacts within the Connected Devices group in the Artifact Explorer, such as Find My Devices, Find My Items, and Find My Locations.
Examiners can always review raw data derived from artifacts using AXIOM’s source linking capabilities, but information for these artifacts specifically can be found on an iOS device here:
Information found within .item (JSON) files includes: FamilyMembers, SafeLocations, Items, Owner, Item Groups, and lastly Devices.
Find My Artifacts: Devices
The Find My Devices artifact will include relevant information such as the Device Name, Device ID, Model, Type, and whether it’s a part of a Family Sharing account.
This information can be useful when determining if there are other pieces of evidence or other devices that could be located and relevant within the scope of an investigation.
Find My Artifacts: Items
Find My Items artifacts will include devices such as Apple AirTags as well as other Find My accessories. The information parsed from this .data file contains:
Device Name, Serial Number, Device ID, Role, Emoji, Manufacturer, Product ID, Vendor ID, Operating System Version, Location Address, Time Stamp, Accuracy (meters), Latitude, and Longitude.
It’s important to note that the “Role” field is used to designate a custom name that a user creates for the accessory being added to the Find My app. Within AXIOM’s artifact view you’ll also get a thumbnail from the world map view to help visualize the geolocation data found within the artifact, as seen below.
Find My Artifacts: Locations
Like the other Find My artifacts, the Locations artifact is a great resource when investigating cases that might depend on geolocation data as a critical part of the investigation. While there are several key fields found within this artifact, one field is particularly important to note and that’s “Location Type.”
“Location Type” matters because, as Chris Vance, Senior Technical Forensics Specialist here at Magnet Forensics, writes in his blog post “[Air]Tag You’re It!”, not every location stored in the Find My app has been visited by a user: “The SafeLocations.data file stores information about what are considered “Safe Locations” for not alerting when Find My supported devices are left behind. These Safe Locations do NOT have to be locations that the user has ever visited. The locations can be listed in this file as “suggested” locations to the user as well as locations actually set by the user”.
This is especially important to note when you are working to identify if a suspect was at the scene of an incident. Essentially, locations defined as “Safe Location” haven’t necessarily been visited by the user. Nevertheless, these can still be locations of interest or importance to a suspect.
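The caveat above can be applied when triaging exported location records. The following is an added example, not AXIOM's or the cited article's code: it never counts “Safe Location” records as evidence of presence and accepts other fixes only when they fall within a radius of the scene plus the reported accuracy. The CSV layout, the "Device Location" value and the sample rows are constructed assumptions; the column names follow the fields named in this article.

```python
import csv
import io
import math

# Constructed sample rows (not real case data). The export layout and the
# "Device Location" type value are assumptions made for this illustration.
SAMPLE_EXPORT = """Location Type,Latitude,Longitude,Accuracy (meters),Time Stamp
Safe Location,43.4643,-80.5204,0,
Device Location,43.4645,-80.5200,35,2022-03-01T14:05:00Z
Device Location,43.6532,-79.3832,10,2022-03-01T18:40:00Z
"""


def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in meters between two WGS84 points."""
    r = 6371000.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dp, dl = p2 - p1, math.radians(lon2 - lon1)
    a = math.sin(dp / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dl / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


def triage(export_text, scene_lat, scene_lon, radius_m=100.0):
    """Label each record 'safe_location', 'near_scene' or 'elsewhere'."""
    results = []
    for row in csv.DictReader(io.StringIO(export_text)):
        lat, lon = float(row["Latitude"]), float(row["Longitude"])
        dist = haversine_m(lat, lon, scene_lat, scene_lon)
        if row["Location Type"].strip().lower() == "safe location":
            # Stored or suggested place: of interest, but not proof of a visit.
            label = "safe_location"
        elif dist <= radius_m + float(row["Accuracy (meters)"] or 0):
            # Observed fix whose accuracy circle overlaps the scene radius.
            label = "near_scene"
        else:
            label = "elsewhere"
        results.append({
            "label": label,
            "distance_m": round(dist),
            "time": row["Time Stamp"] or None,
        })
    return results


if __name__ == "__main__":
    for record in triage(SAMPLE_EXPORT, 43.4643, -80.5204):
        print(record)
```

Records labelled `safe_location` stay in the report as locations of interest, separate from the fixes that can support a timeline.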
A big shoutout to Chris Vance for his research on both the Find My app and AirTags. Make sure you check out his original article here. Don’t forget to update your copy of AXIOM or AXIOM Cyber today to have access to these new artifacts! As always, if there are artifacts or new features you’d like to see us work on, don’t hesitate to reach out at firstname.lastname@example.org.