Photos.Sqlite_Queries
SQLite query templates that may help with decoding data stored in Photos.sqlite. These queries are based on testing, research and some community published research. These queries were written to work for the Photos.sqlite database stored at:
iOS: /private/var/mobile/media/PhotoData/Photos.Sqlite
Mac OS: /Users//Pictures/PhotosLibrary.photoslibrary/database/Photos.sqlite
My research started in 2020 and since that time, I have continued to research and update the queries. The initial write up was posted via Heather Mahalik’s blog at https://smarterforensics.com/. The write up was later reviewed and validated by DFRWS: https://dfir.pubpub.org/pub/v19rksyf/release/1
A follow-up blog was posted on 11/23/2021 and can be found at https://theforensicscooter.com/2021/11/23/photos-sqlite-queries/
References:
https://abrignoni.blogspot.com
https://www.mac4n6.com https://github.com/mac4n6
http://www.mac4n6.com/blog/tag/sqlite
https://www.forensicmike1.com/2019/05/02/ios-photos-sqlite-forensics/
https://www.cellebrite.com/en/identifying-file-to-album-correlation-using-ios-photos-sqlite/
https://github.com/kacos2000/queries/blob/master/Photos_sqlite.sql
https://github.com/kacos2000/Queries/blob/master/Photos_sqlite11.sql
https://github.com/kacos2000/Queries/blob/master/Photos_sqlite3.sql
https://digital-forensics.sans.org/media/DFPS_FOR585_v3.1_0420_R8.pdf
https://github.com/geiszla/iOSLib/wiki/ZGENERICASSET-contents
https://github.com/geiszla/iOSLib/wiki/ZADDITIONALASSETATTRIBUTES-contents
https://artifacts.magnetforensics.com/CommunitiesArtifactExchangeDownload?Id=a6K0b000000CrdoEAC
https://linuxsleuthing.blogspot.com/2013/05/ios6-photo-streams-recover-deleted.html
https://appletoolbox.com/live-photos-on-iphone-complete-guide/