- Nationwide Digital Forensic & Cyber Services
- BOOK A FREE CONSULTATION TODAY!
Independent forensic analysis of iPhone location history β Significant Locations, routined visits and moves, Cache.sqlite (locationd), Wi-Fi and Bluetooth association points, cell-tower attaches, Maps history, and photo EXIF β cross-corroborated into a defensible geospatial timeline.
Quick Answer. iPhone location forensics does not rely on a single source. iOS records visits and moves through routined (Cache.sqlite, Local.sqlite), Significant Locations (StateModel*.archive), per-app cached last-known positions (Cache.sqlite), Wi-Fi association scans, Bluetooth pairings, cell-tower attaches (Unified Log), Maps search history, KnowledgeC location events, Find My history, and photo/video EXIF. Corroborating three or more independent artifacts produces a location narrative that withstands Daubert-level scrutiny.
| Artifact | Path | What it proves |
|---|---|---|
| routined visits | /private/var/mobile/Library/Caches/com.apple.routined/Cache.sqlite (ZRTLEARNEDLOCATIONOFINTERESTMO / ZRTVISITMO) | Frequented places, arrival/departure with confidence scores |
| Significant Locations | /private/var/mobile/Library/Caches/com.apple.routined/StateModel*.archive | On-device machine-learned home/work/frequent locations (encrypted) |
| locationd Cache.sqlite | /private/var/root/Library/Caches/locationd/Cache.sqlite | CDMA/GSM cell attaches, Wi-Fi RSSI observations, iBeacons |
| CoreLocation client Cache.sqlite | /private/var/mobile/Containers/Data/Application/{UUID}/Library/Caches/{bundle}/Cache.sqlite | Last-known coordinates each app received |
| Photos EXIF + Photos.sqlite ZLATITUDE/ZLONGITUDE | /private/var/mobile/Media/PhotoData/Photos.sqlite | GPS coordinates at capture time |
| Maps history | com.apple.Maps.plist / MapsSync_*.sqlitedb | Searches, directions, dropped pins |
| Find My history | iCloud CKFMDevice records | Server-side location trail |
| KnowledgeC location | CoreDuet /private/var/mobile/Library/CoreDuet/Knowledge/knowledgeC.db | Coarse “user is at home/work” events |
The routined daemon builds an on-device model of “places you go” from raw Location Services samples. Cache.sqlite holds every learned Location of Interest (LOI) with cluster centroid, radius, confidence, and visit history. ZRTVISITMO rows contain arrival and departure timestamps per LOI β these are the “you were at 123 Main St from 09:14 to 17:22” rows that anchor many civil and criminal matters. We resolve LOI centroids to street addresses, plot every visit chronologically, and compute time-at-location and travel-between-location.
The Significant Locations UI (“Settings β Privacy β Location Services β System Services β Significant Locations”) reads StateModel archives that are encrypted with a key wrapped by the Secure Enclave. On a device we hold with the passcode, iOS decrypts and displays them; forensically we retrieve the same list via a Cellebrite/GrayKey-style advanced logical acquisition when authorized. When those are not available, routined Cache.sqlite typically contains equivalent data.
locationd Cache.sqlite contains observed cell tower attaches (MCC, MNC, LAC, CID with signal strength) and Wi-Fi scans (BSSID with RSSI). Even with GPS off, these observations place a device within ~50β500 meters of known infrastructure. We match BSSIDs against WiGLE/manufacturer databases to place the device at named venues.
Photos.sqlite stores ZLATITUDE and ZLONGITUDE per asset when the user granted Camera location access. EXIF tags in the on-disk .HEIC / .MOV file corroborate the database. Media with stripped EXIF is still located via the Photos.sqlite row unless the row is likewise cleared. We correlate photo capture location and time with routined visits to confirm the device (not the media) was present.
Testimony holds up when at least three independent artifact types agree. For a claim “the device was at 41.8781Β°N, 87.6298Β°W at 14:22 on March 3”:
Where an adverse party alleges GPS spoofing, cell-tower and Wi-Fi records are extremely difficult to fake simultaneously, and Apple’s Secure Enclave signs many of these observations.
Elite Digital Forensics is an independent, defense-aligned iPhone forensics practice. We are retained by attorneys, in-house counsel, and, where appropriate, individuals and businesses directly. Every engagement begins with a scoped acquisition plan, hash-verified evidence, and a written report suitable for attorney review, negotiation, or court. When retained through counsel, our work product is protected. See the iPhone Forensics hub for the full analytical framework we bring to every matter.
Not without the passcode β the StateModel archives are protected by the Secure Enclave. However, routined Cache.sqlite is often accessible via logical extraction and contains equivalent data.
Significant Locations and many app caches stop, but Wi-Fi and cell observations often continue, and photo EXIF, Maps search, Find My, and app-specific location grants may all still record locations.
Yes when corroborated. Single-source location (e.g. one cell tower) is broad; multi-source corroboration (routined + Wi-Fi + photo EXIF) is accepted under FRE 702.
Frequently β routined Cache.sqlite WAL, prior backups, iCloud location artifacts, photo EXIF, and app caches often survive UI-level clearing.
Tell us about the Mac, the accounts, and the timeframe. We will tell you what is recoverable, what is not, and what it will cost.
Request Confidential Consultation Call (833) 292-3733This content is for educational and informational purposes only and does not constitute legal advice. Elite Digital Forensics provides independent digital forensic services and expert witness testimony; we do not provide legal representation. Every case is fact-specific; outcomes depend on the evidence, jurisdiction, and counsel. Retain qualified legal counsel for advice about your matter.
Elite Digital Forensics Assistant