I've been taking a further look at the Apple Health databases lately to refamiliarize myself with them after checking out Heather Mahalik and Jared Barnhart's talk from the SANS DFIR Summit. During their presentation "Building a Pattern of Life. Leveraging Location and Health Data" they provided all sorts of queries to pull valuable information out. To say that the "healthdb_secure" database is complicated and large is an understatement. With 56 SQLite tables to parse through (from test data on iOS 14.3) it can get complicated quickly.
The database can be found at the path:
/private/var/mobile/Library/Health/healthdb_secure.sqlite*
Correlating these queries with some other data that Ian Whiffin put together months back on Data and Activity types, there is potentially a lot more data that can be pulled, depending on how much the user puts into their details (such as medical history, dietary details, etc.).
I chose to focus in on something that is always of interest to me, and that's audio. What you may not know is that Apple Health can track headphone audio levels in decibels to help protect your hearing from prolonged usage at high volumes. You can get to it by going through:
Health App > Browse > Hearing > Headphone Audio Levels
Figure 1: Sample screenshot from the Health app
It seems the Health app will collect data for a full 12 months (perhaps longer if you migrated data to your next phone). Unfortunately I don't have a test iPhone to work on generating data (if you have test data, reach out to me!!!), but what I did have was Josh Hickman's public image.
The table of interest was the "samples" table, but with a series of table joins we pull in various details from:
- quantity_samples
- metadata_values
- metadata_keys
- objects
- data_provenances
One extra thing that I found during my research was that certain samples had devices attached to them. For the audio levels in particular, I saw details about the associated headphones.
Figure 2: Sample device details in Health app
We can see some details such as device name, manufacturer and model at the bottom of an entry. We can also see that some instances showed the "Media Sources" which include app names.
Back to our query, we are also going to attach the "healthdb.sqlite" file found here for adding device details:
/private/var/mobile/Library/Health/healthdb.sqlite*
From this DB we'll be pulling in the "source_devices" table. Using Ian's table I found that data type 173 referred to "Headphone Audio Levels" in the "samples" table, so we can filter specifically on this. With a few tweaks to the query Heather and Jared used in their presentation I can hone in on just the audio events of interest (Query found here).
What we get in the end is the start/end timestamps of the reading, the decibels that were detected over that time period, the application bundle (if applicable) that produced the audio, as well as the connected headphone details. This may include MAC addresses if the headphones are Bluetooth.
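As an added illustration (not the post's query, nor iLEAPP's or Heather and Jared's), here is the shape of that join run against a constructed in-memory stand-in for the two databases, with the second database attached the way healthdb.sqlite would be. The column names (data_id, quantity, provenance, device_id, key_id, string_value) and the media-source metadata key name are assumptions to verify against a real image; the Apple-epoch conversion is included because the raw timestamps are seconds since 2001-01-01, not Unix time.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

COCOA_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)  # Apple absolute time
HEADPHONE_AUDIO_LEVELS = 173  # data_type from the post / Ian Whiffin's table


def cocoa_to_iso(seconds):
    """Health stores seconds since 2001-01-01 UTC, not Unix time."""
    return (COCOA_EPOCH + timedelta(seconds=seconds)).strftime("%Y-%m-%d %H:%M:%S")


def build_mock_db():
    """Constructed stand-in for healthdb_secure.sqlite with healthdb.sqlite attached.
    Column names are ASSUMED; the metadata key and all rows are made up for the demo."""
    con = sqlite3.connect(":memory:")
    con.execute("ATTACH DATABASE ':memory:' AS healthdb")  # plays the role of healthdb.sqlite
    con.executescript("""
    CREATE TABLE samples(data_id INTEGER PRIMARY KEY, start_date REAL, end_date REAL, data_type INTEGER);
    CREATE TABLE quantity_samples(data_id INTEGER, quantity REAL);
    CREATE TABLE objects(data_id INTEGER, provenance INTEGER);
    CREATE TABLE data_provenances(device_id INTEGER);
    CREATE TABLE metadata_keys(key TEXT);
    CREATE TABLE metadata_values(object_id INTEGER, key_id INTEGER, string_value TEXT);
    CREATE TABLE healthdb.source_devices(name TEXT, manufacturer TEXT, model TEXT);
    INSERT INTO samples VALUES (1, 630000000.0, 630000300.0, 173), (2, 630000000.0, 630000060.0, 7);
    INSERT INTO quantity_samples VALUES (1, 84.5), (2, 120.0);
    INSERT INTO objects VALUES (1, 10), (2, 10);
    INSERT INTO data_provenances(ROWID, device_id) VALUES (10, 5);
    INSERT INTO metadata_keys(ROWID, key) VALUES (3, 'placeholder_media_source_key');
    INSERT INTO metadata_values VALUES (1, 3, 'com.example.musicapp');
    INSERT INTO healthdb.source_devices(ROWID, name, manufacturer, model)
        VALUES (5, 'Test Headphones', 'ExampleCo', 'Model-X');
    """)
    return con


# samples -> quantity (dB) -> objects -> provenance -> attached source_devices, plus metadata
QUERY = """
SELECT s.start_date, s.end_date, q.quantity, mv.string_value, d.name, d.manufacturer, d.model
FROM samples s
JOIN quantity_samples q ON q.data_id = s.data_id
LEFT JOIN objects o ON o.data_id = s.data_id
LEFT JOIN data_provenances dp ON dp.ROWID = o.provenance
LEFT JOIN healthdb.source_devices d ON d.ROWID = dp.device_id
LEFT JOIN metadata_values mv ON mv.object_id = s.data_id
LEFT JOIN metadata_keys mk ON mk.ROWID = mv.key_id
WHERE s.data_type = ?
ORDER BY s.start_date
"""


def headphone_audio_levels(con):
    """One dict per headphone-level sample, timestamps converted; other data types are filtered out."""
    rows = con.execute(QUERY, (HEADPHONE_AUDIO_LEVELS,)).fetchall()
    return [dict(start=cocoa_to_iso(r[0]), end=cocoa_to_iso(r[1]), decibels=r[2],
                 media_source=r[3], device=r[4], manufacturer=r[5], model=r[6]) for r in rows]
```

Against a real image, replace the mock connection with sqlite3.connect() on healthdb_secure.sqlite and ATTACH the real healthdb.sqlite path; the WAL sidecar files should be carved along with the main file.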
I'm envisioning cases that may involve, say, a distracted driver wearing headphones who causes a crash. I'm sure there are other forensic use cases for this data.
Of course, an iLEAPP parser for this has been made available in the latest release.
Figure 3: iLEAPP Report for Health audio levels
I'm still digging through the Health DB to see what other nuggets of information can be found, but potentially having more reference points for device connections and application usage is always a plus.