OS X Location Information: Where Has That MacBook Been?


Readers may remember small tempest created when the consolidated.db (later renamed) file was discovered in Apple’s iOS tracking the phones location information. As it turns out, much the way the consolidated.db file tracked the location of WiFi access points and mobile towers around the iPhone, there is a similar file included as part of OS X Mavericks and other recent versions of OS X.  

Hidden deep in /private/var/folders lies the file cache_encryptedA.db. Tucked away with, an often empty, consolidated.db and other files, cache_encryptedA.db tracks information about WiFi access points located around the Mac as it moves around. Data includes:


WiFi Access Point (WAP) MAC Address
 Latitude and Longitude
 Time Stamp Data
 WiFi Channel Information

Assuming Location Services is turned on and used (by the Maps app for example) the database should look something like this:





The WiFi access points found in the database don’t necessarily reflect the WAPs that the machine connected to (an examination of the timestamps makes this clear), instead the database list WAPs located around the machine. Why do we care? We care because this places a machine in a given area at a given time.

The cache_encryptedA.db file can be found by doing the following: 
  1. In the terminal type: cd /private/var/folders 
  2. Type: sudo find . –name cache_encryptedA.db 
  3. Once identified copy the file and open with a SQLite database tool such as SQLite Database Browser

Popular posts from this blog

Malware Fingerprinting

My malware fingerprinting arrival was finally published in the very excelent Excelcior College Cyber security Journal: http://ecwp.s3.amazonaws.com/wp-content/uploads/sites/34/2016/11/nci-journal-vol-2-no-3.pdf
Read more

Apple Location Service Seed Database

Following my last post, folks may be interested to learn that OS X also ships with a seed database of WAP and other locations (think WiFi access points in and around public places like airports). As part of the Core Location framework factory.db , a SQLite database, holds WAP MAC addresses and locations. The file is located in: Macintosh HD/System/Library/Frameworks/CoreLocation.framework/Versions/A/Support/ The WifiLocation table holds MAC addresses, Latitude, and Longitude information. Other tables may be worth exploring as well. Since this database does not seem to track the location of the device this database is of little use to most people though if you live around an airport it may be interesting to see if your WAP is included. 
Read more