According to the CHFI v11 Mobile and IoT Forensics objectives, iOS devices maintain geolocation-related artifacts through the location services subsystem (locationd). One of the key forensic artifacts associated with this subsystem is Clients.plist.
The Clients.plist file stores information about applications and system services that have requested or used location services. It contains identifiers for apps, service names, permission states, and timestamps indicating when location data was accessed. This makes it highly valuable for investigators attempting to determine which apps accessed location data and when, which is crucial in cases involving surveillance, stalking, fraud, or physical movement reconstruction.
The other files listed do not store geolocation data. Cookies.plist contains browser cookie information, Sms.db stores SMS and iMessage content, and DraftMessage.plist holds unsent message drafts. None of these files are related to GPS or location services.
CHFI v11 emphasizes correlating Clients.plist with other artifacts such as location caches, application logs, and timestamps to reconstruct user movement and application behavior on iOS devices.
Therefore, the file that contains geolocation data of applications and system services on iOS devices, fully aligned with CHFI v11, is Clients.plist, making Option D the correct answer.
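The per-client identifiers, permission states and timestamps described above can be turned into a timeline for correlation with other artifacts. The following is an added example, not part of the original explanation; the key names (`BundleId`, `Authorization`, `LocationTimeStopped`, `ReceivingLocationInformationTimeStopped`), the sample bundle identifiers and the treatment of timestamps as seconds since 2001-01-01 UTC are assumptions to verify against the file under examination.

```python
import plistlib
from datetime import datetime, timedelta, timezone

# Assumption: timestamps are Apple absolute time (seconds since 2001-01-01 UTC).
COCOA_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)
# Assumption: these keys hold the last-use timestamps for a client entry.
TIME_KEYS = ("LocationTimeStopped", "ReceivingLocationInformationTimeStopped")


def cocoa_to_utc(seconds):
    """Convert Apple absolute time to an aware UTC datetime."""
    return COCOA_EPOCH + timedelta(seconds=seconds)


def location_timeline(plist_bytes):
    """Return (utc_time, client, key, authorization) tuples, oldest first."""
    clients = plistlib.loads(plist_bytes)  # handles XML and binary plists
    events = []
    for client_id, entry in clients.items():
        if not isinstance(entry, dict):
            continue  # skip stray top-level values that are not client records
        for key in TIME_KEYS:
            value = entry.get(key)
            # bool is a subclass of int, so exclude it explicitly
            if isinstance(value, (int, float)) and not isinstance(value, bool):
                events.append((cocoa_to_utc(value),
                               entry.get("BundleId", client_id),
                               key,
                               entry.get("Authorization")))  # raw value, uninterpreted
    return sorted(events, key=lambda event: event[0])


# Constructed sample data: not taken from a real device.
SAMPLE = plistlib.dumps({
    "com.example.maps": {"BundleId": "com.example.maps", "Authorization": 2,
                         "LocationTimeStopped": 700003600.0},
    "com.example.weather": {"BundleId": "com.example.weather", "Authorization": 4,
                            "LocationTimeStopped": 700000000.0},
    "com.example.notes": {"BundleId": "com.example.notes", "Authorization": 1},
    "SchemaNote": "not a client record",
}, fmt=plistlib.FMT_BINARY)

if __name__ == "__main__":
    for when, client, key, auth in location_timeline(SAMPLE):
        print(f"{when.isoformat()}  {client}  {key}  authorization={auth}")
```

Run it against a working copy of the extracted file, never the original evidence, and record the file's hash before parsing.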