Introduction to AirDrop Forensics

Kinga Kięczkowska on 2022-11-12

AirDrop Forensics

Welcome to AirDrop forensics!

Let’s start with the basics: what is AirDrop? It’s a file-sharing service in macOS and iOS which uses both Bluetooth and WiFi to transfer files from one Apple-made device to another. Discovery of nearby devices is done over Bluetooth, then the file transfer itself is completed over WiFi. AirDrop is part of Apple’s Continuity service — a group of functionalities designed to provide a seamless user experience across multiple Mac devices. Continuity allows you to answer phone calls and SMS on devices other than your phone, easily share websites between browsers on different devices, use your iPad as a monitor for your Apple computer, use your iPhone as a camera for your laptop, send and receive files through AirDrop… This list is not exhaustive — if you’re interested in the full range of Apple’s Continuity capabilities, make sure to check their website.

A great rundown of the forensic artefacts produced by AirDrop on iPhones was presented by Heather Mahalik and Sarah Edwards in their ‘The Cider Press: Extracting Forensic Artifacts from Apple Continuity’ presentation. I’ve only seen the slides, but they are very informative on their own, so make sure to check that out. Seeing that analysis inspired me to take a look at what these artefacts will look like in macOS.

Setup

To create a semi-controlled environment, I have purposefully sent some images from both my own device and someone else’s device to my MacBook (iOS -> macOS). When running the log show commands, I therefore…