OS X Location Information: Where Has That MacBook Been?

Readers may remember the small tempest created when the consolidated.db (later renamed) file was discovered in Apple’s iOS tracking the phone's location information. As it turns out, much the way the consolidated.db file tracked the location of WiFi access points and mobile towers around the iPhone, there is a similar file included as part of OS X Mavericks and other recent versions of OS X.

Hidden deep in /private/var/folders lies the file cache_encryptedA.db. Tucked away with an often empty consolidated.db and other files, cache_encryptedA.db tracks information about WiFi access points located around the Mac as it moves around. Data includes:

  - WiFi Access Point (WAP) MAC Address
  - Latitude and Longitude
  - Time Stamp Data
  - WiFi Channel Information

Assuming Location Services is turned on and used (by the Maps app, for example), the database should look something like this:

The WiFi access points found in the database don’t necessarily reflect the WAPs that the machine connected to (an examination of the timestamps makes this clear). Instead, the database lists WAPs located around the machine. Why do we care? We care because this places a machine in a given area at a given time.

The cache_encryptedA.db file can be found by doing the following:
  1. In the terminal type: cd /private/var/folders
  2. Type: sudo find . -name cache_encryptedA.db
  3. Once identified, copy the file and open it with a SQLite database tool such as SQLite Database Browser
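
As an alternative to a GUI browser for step 3, the following added example (not code from the original post) opens the working copy read-only, lists its tables and columns, and builds a time-ordered list of access point sightings, hashing the copy before and after to confirm it was not modified. The table name `WifiLocation`, the column names, and the interpretation of timestamps as Mac absolute time (seconds since 2001-01-01 UTC) are assumptions to confirm against the `survey()` output; the sample rows are constructed.

```python
import hashlib, sqlite3
from contextlib import closing
from datetime import datetime, timedelta, timezone
from pathlib import Path

# Assumption: timestamps are Mac absolute time (seconds since 2001-01-01 UTC).
COCOA_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)

def sha256_of(path):
    """Hash the working copy so it can be compared before and after examination."""
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()

def _open_ro(path):
    # mode=ro makes SQLite refuse any write to the evidence copy.
    return sqlite3.connect(Path(path).resolve().as_uri() + "?mode=ro", uri=True)

def _q(name):
    return '"' + name.replace('"', '""') + '"'   # quote an SQL identifier

def survey(path):
    """Return {table: [column, ...]} so the real schema is seen before querying."""
    with closing(_open_ro(path)) as con:
        tables = [r[0] for r in con.execute(
            "SELECT name FROM sqlite_master WHERE type='table' ORDER BY name")]
        return {t: [c[1] for c in con.execute(f"PRAGMA table_info({_q(t)})")]
                for t in tables}

def sightings(path, table="WifiLocation", mac="MAC", lat="Latitude",
              lon="Longitude", ts="Timestamp"):
    """Return [(utc_time, mac, lat, lon)] oldest first. Names are assumptions."""
    sql = (f"SELECT {_q(ts)}, {_q(mac)}, {_q(lat)}, {_q(lon)} "
           f"FROM {_q(table)} ORDER BY {_q(ts)}")
    with closing(_open_ro(path)) as con:
        return [(COCOA_EPOCH + timedelta(seconds=t), m, la, lo)
                for t, m, la, lo in con.execute(sql)]

def make_sample(path):
    """Build a small constructed database standing in for a copied file."""
    with closing(sqlite3.connect(path)) as con:
        con.execute("CREATE TABLE WifiLocation (MAC TEXT, Channel INTEGER, "
                    "Timestamp REAL, Latitude REAL, Longitude REAL)")
        con.executemany("INSERT INTO WifiLocation VALUES (?,?,?,?,?)", [
            ("00:11:22:33:44:55", 6, 410000000.0, 40.0, -75.0),
            ("66:77:88:99:aa:bb", 11, 409000000.0, 41.0, -74.0)])
        con.commit()

if __name__ == "__main__":
    make_sample("sample_copy.db")
    before = sha256_of("sample_copy.db")
    print(survey("sample_copy.db"))
    for row in sightings("sample_copy.db"):
        print(*row)
    print("unchanged:", sha256_of("sample_copy.db") == before)
```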
