- Nationwide Digital Forensic & Cyber Services
- BOOK A FREE CONSULTATION TODAY!
Independent forensic analysis of iOS Wi-Fi and Bluetooth artifacts — known networks, join history, AirDrop peers, Handoff, Bluetooth pairings and BLE discovery — to prove location, association with people, and device co-presence.
Quick Answer. iOS records every Wi-Fi network the device has joined (com.apple.wifi.plist, com.apple.wifi.known-networks.plist) with SSID, BSSID, security type, first- and last-join times. Bluetooth pairings are stored in com.apple.MobileBluetooth.ledevices and com.apple.MobileBluetooth.services with peer address, name, and last-connected timestamp. AirDrop, Handoff, and Continuity generate additional Unified Log evidence of co-presence with specific Apple devices.
| File | Contents |
|---|---|
| /private/var/preferences/SystemConfiguration/com.apple.wifi.plist (pre-iOS 14) | Known networks and join history |
| /private/var/Keychains/… com.apple.wifi.known-networks.plist (iOS 14+) | Known networks (BSSID, security, timestamps) |
| /private/var/root/Library/Caches/locationd/Cache.sqlite | Observed Wi-Fi BSSIDs with RSSI and coordinates |
| /private/var/log/wifi/ | Wi-Fi daemon logs (via sysdiagnose) |
| File | Contents |
|---|---|
| com.apple.MobileBluetooth.ledevices.other.db | Discovered BLE peers |
| com.apple.MobileBluetooth.ledevices.paired.db | Paired BLE devices with names and addresses |
| com.apple.MobileBluetooth.services.plist | Bluetooth services registered by peers |
| Unified Log com.apple.CoreBluetooth | Per-connection events and RSSI |
AirDrop generates log entries in com.apple.sharingd naming the peer’s Apple ID hash, device name, and file names. Handoff activity broadcasts app state between paired Apple devices and is logged in com.apple.corecontinuity. These artifacts are decisive in showing that two specific Apple devices were within Bluetooth Low Energy range at a specific time — often proving physical co-presence of two named people.
Elite Digital Forensics is an independent, defense-aligned iPhone forensics practice. We are retained by attorneys, in-house counsel, and, where appropriate, individuals and businesses directly. Every engagement begins with a scoped acquisition plan, hash-verified evidence, and a written report suitable for attorney review, negotiation, or court. When retained through counsel, our work product is protected. See the iPhone Forensics hub for the full analytical framework we bring to every matter.
Yes since iOS 14 (Private Wi-Fi Address). This affects scanning, not the joined-network log — the device still records the SSID and the AP’s BSSID.
Often, yes. When both devices are Apple, CoreBluetooth logs and Continuity events on both sides converge on the same times. This is decisive in many civil matters.
Yes — BSSID lookups against WiGLE/Apple’s crowd-sourced Wi-Fi Positioning System, plus locationd Cache.sqlite, associate BSSIDs with physical coordinates.
iOS still scans intermittently unless “Airplane Mode” is set from Settings (Control Center toggles do NOT fully disable scans on modern iOS).
Tell us about the Mac, the accounts, and the timeframe. We will tell you what is recoverable, what is not, and what it will cost.
Request Confidential Consultation Call (833) 292-3733This content is for educational and informational purposes only and does not constitute legal advice. Elite Digital Forensics provides independent digital forensic services and expert witness testimony; we do not provide legal representation. Every case is fact-specific; outcomes depend on the evidence, jurisdiction, and counsel. Retain qualified legal counsel for advice about your matter.
Elite Digital Forensics Assistant