OS X Location Information: Where Has That MacBook Been?


Readers may remember small tempest created when the consolidated.db (later renamed) file was discovered in Apple’s iOS tracking the phones location information. As it turns out, much the way the consolidated.db file tracked the location of WiFi access points and mobile towers around the iPhone, there is a similar file included as part of OS X Mavericks and other recent versions of OS X.  

Hidden deep in /private/var/folders lies the file cache_encryptedA.db. Tucked away with, an often empty, consolidated.db and other files, cache_encryptedA.db tracks information about WiFi access points located around the Mac as it moves around. Data includes:


WiFi Access Point (WAP) MAC Address
 Latitude and Longitude
 Time Stamp Data
 WiFi Channel Information

Assuming Location Services is turned on and used (by the Maps app for example) the database should look something like this:





The WiFi access points found in the database don’t necessarily reflect the WAPs that the machine connected to (an examination of the timestamps makes this clear), instead the database list WAPs located around the machine. Why do we care? We care because this places a machine in a given area at a given time.

The cache_encryptedA.db file can be found by doing the following: 
  1. In the terminal type: cd /private/var/folders 
  2. Type: sudo find . –name cache_encryptedA.db 
  3. Once identified copy the file and open with a SQLite database tool such as SQLite Database Browser

Popular posts from this blog

SDR and Unitrunker

I've been interested in software defined radio for a while now and I've been using a wonderful application called Unitrunker to listen to my counties trunked radio system. To help others do the same I've created a how-to which walks you through installation and calibration. Check it out: https://sdrhowto.blogspot.com/2020/08/unitrunker-sdr-setup-low-cost-trunked.html#more
Read more

McVey’s 37 Questions for a SOC

The Basics: Do you have… 1. Authority to operate, a defined scope of operation, authority to act 2. Enough staff to meet the desired scope of operation 3. Accurate inventory of endpoints (hosts and serves) 4. Accurate inventory of networks, their design and use 5. Accurate inventory of egress points, VPNs, DMZs, externally accessible servers, and externally hosted resources (“the cloud”) 6. Contact lists for groups of users (departments, offices, etc.), system owners, other IT teams, service providers, and external response organizations 7.  A list of high value assets and the data they hold (PII, financial data, HIPPA, etc.)     Visibility: What is your access to…  8. Logs (Active Directory, DHCP, DNS, firewall, proxy, servers, VPN, etc.) 9. Flow data (source, destination, ports, session time, volume, etc.) 10. Endpoints (disk, memory, and proces
Read more