
Earlier this year I wrote a post about Observations.db, which is a component of Apple’s FindMy functionality. It was the second part of a post I had written in 2024 about rogue Bluetooth trackers and FindMy compatible devices on iOS devices. In short, FindMy data can offer examiners additional sources of location information along with information about other Apple devices that may be on a given account.
During the post about Observations, I mentioned I had employed some artificial intelligence to help with the encryption that was in use with that database, and others. That spawned an additional question: Could AI be employed to create a series of scripts that could parse the data discussed in both blog posts? I was working with additional FindMy data and found myself having to do a lot of manual work, something AI could possibly assist with.
Just now you may have wondered to yourself if my blog had fallen victim to a hostile takeover; after all, those who know me know I have a very healthy dose of skepticism when it comes to AI, especially when it is used in digital forensics. There can be so many nuances with data that is used as evidence (both criminal and civil) and how that data aligns with real-world actions. Nuances that LLMs can (and often do) struggle with, and a sophistication that requires a human’s ability to put the pieces together to tell the story of the data that is being examined. I am not saying that AI cannot be used in digital forensics, but the genie is out of the bottle so to speak, and our community is going to have to find a way to live with this thing. If we continue to go down this road, there needs to be real thought about how it is employed, and that it is done responsibly and transparently. After all, someone’s reputation, livelihood, or even their life could depend on that data, so it is extremely important that we, as a community, get this right the first time.
With all of this in mind, I set out to see what I could do, if anything, with AI. Mainly for my own edification. For the past few weeks I have been working with Claude Code, and have come up with Lost Apples: a GUI front-end for a series of Python scripts that can handle the FindMy data that is discussed in my two blog posts. The idea was to leverage Claude to create a tool that would automate tasks I was previously doing manually, not to interpret data or answer subjective/ambiguous questions. That latter bit would cut out the human element, something I believe we should not do.
Lost Apples requires Python 3.8 or higher and only two dependencies (Pillow and cryptography), and it uses tkinter, so it may look very familiar (ahem….LEAPPs).
Lost Apples can:
- Ingest both Premium/Inseyets and Graykey extractions (no additional processing required). Just point it at the zip file. While you do need to provide the keychain for Graykey extractions, it will pick up the keychain from within Premium/Inseyets extractions automatically, so there is no need to extract it.
- Ingest a single com.apple.icloud.searchpartyd folder with accompanying keychain
- Decrypt the encrypted binary plist (bplist) data found in .record files
- Decrypt Observations.db and its -WAL file
- Query (on-demand) Observations.db both with and without its -WAL file
- Export parsed data to CSV, KML, and text
- Create decrypted versions of encrypted data for later analysis if needed
- Export its logs (for auditing)
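The "with and without its -WAL file" item above is worth a concrete look, because it is where examiners most often lose data: in WAL mode, committed writes live in the -wal file until SQLite checkpoints them into the main database, so a copy that omits the -wal (or a tool that ignores it) silently shows stale or missing rows. The script below is an added illustration and is not Lost Apples' own code; it builds a constructed Observations.db with an invented `observations` table (not the real schema) whose last two rows exist only in the -wal, copies the files into scratch directories with and without the -wal, and shows how a fresh connection answers the same query in each case.

```python
import shutil
import sqlite3
import tempfile
from pathlib import Path

# Constructed stand-in rows (epoch seconds, latitude, longitude). The table
# name and columns are invented for this illustration, not the real schema.
CHECKPOINTED_ROWS = [
    (1700000000, 35.2271, -80.8431),
    (1700000060, 35.2280, -80.8440),
    (1700000120, 35.2290, -80.8450),
]
WAL_ONLY_ROWS = [
    (1700000180, 35.2300, -80.8460),
    (1700000240, 35.2310, -80.8470),
]


def build_sample(workdir: Path) -> sqlite3.Connection:
    """Create Observations.db with three rows in the main file and two more
    that exist only in Observations.db-wal. The returned writer connection is
    left open on purpose: closing the last connection would checkpoint the
    WAL into the main file and delete it, erasing the difference we want to see."""
    db = workdir / "Observations.db"

    # Batch 1 in the default rollback-journal mode, so it lands in the main file.
    con = sqlite3.connect(db)
    con.execute("CREATE TABLE observations (ts INTEGER, lat REAL, lon REAL)")
    con.executemany("INSERT INTO observations VALUES (?, ?, ?)", CHECKPOINTED_ROWS)
    con.commit()
    con.close()

    # Batch 2 in WAL mode. Committed frames stay in the -wal until a checkpoint,
    # which SQLite only runs automatically once the WAL reaches 1000 pages.
    con = sqlite3.connect(db)
    con.execute("PRAGMA journal_mode=WAL")
    con.executemany("INSERT INTO observations VALUES (?, ?, ?)", WAL_ONLY_ROWS)
    con.commit()
    return con


def copy_for_analysis(src_db: Path, dest_dir: Path, include_wal: bool) -> Path:
    """Copy the database, and optionally its -wal, into a scratch directory.
    Always query a copy: opening the evidence file directly would let SQLite
    create -shm/-wal files next to it or checkpoint it on close."""
    dest_dir.mkdir(parents=True, exist_ok=True)
    dest = dest_dir / src_db.name
    shutil.copy2(src_db, dest)
    wal = src_db.with_name(src_db.name + "-wal")
    if include_wal and wal.exists():
        # SQLite only applies the WAL if it sits beside the db under this exact name.
        shutil.copy2(wal, dest.with_name(dest.name + "-wal"))
    return dest


def summarize(db_copy: Path) -> dict:
    """Row count and latest timestamp as seen by a fresh connection. When a
    -wal is present SQLite replays it on open (rebuilding the -shm index), so
    the same query returns different answers with and without that file."""
    con = sqlite3.connect(db_copy)
    try:
        count, latest = con.execute(
            "SELECT COUNT(*), MAX(ts) FROM observations"
        ).fetchone()
        return {"rows": count, "latest_ts": latest}
    finally:
        con.close()  # checkpoints the working copy; the source files are untouched


def compare_with_and_without_wal(workdir: Path) -> dict:
    """Build the sample, then query a main-file-only copy and a copy with its -wal."""
    writer = build_sample(workdir)
    try:
        src = workdir / "Observations.db"
        main_only = copy_for_analysis(src, workdir / "main_only", include_wal=False)
        with_wal = copy_for_analysis(src, workdir / "with_wal", include_wal=True)
        return {"main_only": summarize(main_only), "with_wal": summarize(with_wal)}
    finally:
        writer.close()


def run_demo() -> dict:
    """Run the comparison in a fresh temporary directory and return both summaries."""
    return compare_with_and_without_wal(Path(tempfile.mkdtemp(prefix="lostapples_")))


if __name__ == "__main__":
    result = run_demo()
    print("main file only :", result["main_only"])
    print("with -wal      :", result["with_wal"])
```

The main-file-only copy reports three rows and an older latest timestamp; the copy with its -wal reports all five. The same applies to any SQLite database pulled from an extraction: keep the -wal (and -shm, if present) alongside the main file, work from copies, and when a result matters, run the query both ways and note which one you are reporting.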
I have tested this tool against as many extractions as I can find, both from Cellebrite and Graykey. I have also verified the output against known data sets that I possess. All of that being said, verify the output (as you should do with any tooling). I have also tested this in both macOS and Windows, and things seem to be working, but it's always possible I have missed something.
You can find Lost Apples here.
