To play with FTI's findings, I'm doing forensics on a second phone, namely my current iPhone XS. It makes me even more suspicious of FTI's conclusions.
One of FTI's conclusions is that they looked at several phones with normal baseline traffic, with only Bezos's showing an anomaly after you downloaded that video from MBS. As far as I can tell, this must be a lie. That's not how these things work. All phones show weird anomalies.
I'm using only 4 programs here:
1. iTunes, to grab a backup of my iPhone
2. "iPhone Backup Extractor" to extract 'DataUsage.sqlite'
3. "sqlitebrowser" to get the ZLIVEUSAGE table and execute an SQL query to get data from that table
4. "Microsoft Excel" to graph the data
I plug my phone into my laptop, tell it to trust the computer, then go into iTunes to create a backup.
I go into iPhone Backup Extractor and this backup appears in the list, so I just click on it.
I then go to the "Expert Mode" tab and navigate the tree to the DataUsage file and hit the "extract" button, saving the thing as a file under my Documents folder.
Now I run the sqlitebrowser and open that file:
I then run the following SQL query to extract just the data I want, and to convert the timestamp. The query is from github.com/mac4n6/APOLLO/…
I then save the results view as a CSV file and open in Excel.
There's multiple entries per day, or usually zero entries (as I'll describe below). I therefore create column G with a list of days (first row is 1/1/2019, subsequent ones are +1 the previous). Then in column H, the formula you see to sum.
I then create a line graph for columns G and H to get the following result.
So here's the thing about those spikes: they are highly inaccurate. If you open an app, do some traffic, and completely close the app (such as by turning off the phone), then it'll accurately reflect that traffic for that day.
But if you are like me and open an app and leave it running in the background for months, then things get wonky. There will be only one entry in the database for all that activity.
So why did Uber send 56-megabytes of data? It didn't -- it's that I closed all the apps around Xmas, which causes apps to finalize, which is the date all the traffic for months was going to be accounted for. Likewise, 9gigs for Twitter and 2.5gigs for Brave reflect months of traffic.
You see that @iamevltwin already handled this in her original scripts, grabbing multiple timestamps for the process, not just the one from this table.
@iamevltwin Why the heck is there 100-megabytes of UPLOAD in the Podcast app when I only DOWNLOAD them? Looks suspicious, like the Saudis hacked me. There is so much inexplicable behavior by apps in this data.
@iamevltwin Anyway, I've tried to document this so that everyone can replicate this sort of forensics on your own phone. If you've already decided that MBS/HackingTeam hacked your phone, you'll find much to support this conclusion.
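The per-day sum and the accumulation artifact described in the thread, as an added Python example that is not code from the thread or from APOLLO. The rows and bundle names are constructed, the table and column names (ZLIVEUSAGE, ZPROCESS, ZFIRSTTIMESTAMP and so on) are assumed to mirror DataUsage.sqlite, and treating the gap between a process's first-seen timestamp and its usage entry as the window the bytes cover is an assumption of this example.

```python
import sqlite3
from collections import defaultdict
from datetime import datetime, timezone

MAC_EPOCH = 978307200  # offset from Unix epoch to 2001-01-01, the Core Data epoch

def mac(y, m, d):
    """Midnight UTC on the given date as a Core Data (2001-based) timestamp."""
    return datetime(y, m, d, tzinfo=timezone.utc).timestamp() - MAC_EPOCH

def build_sample_db():
    """Constructed data; table and column names are assumed to mirror DataUsage.sqlite."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE ZPROCESS (Z_PK INTEGER PRIMARY KEY, ZBUNDLENAME TEXT, ZFIRSTTIMESTAMP REAL);
        CREATE TABLE ZLIVEUSAGE (ZHASPROCESS INTEGER, ZTIMESTAMP REAL, ZWIFIIN INTEGER,
                                 ZWIFIOUT INTEGER, ZWWANIN INTEGER, ZWWANOUT INTEGER);""")
    db.executemany("INSERT INTO ZPROCESS VALUES (?,?,?)", [
        (1, "com.example.longrunning", mac(2019, 9, 1)),    # left in background for months
        (2, "com.example.shortlived", mac(2019, 12, 26))])  # opened and closed the same day
    db.executemany("INSERT INTO ZLIVEUSAGE VALUES (?,?,?,?,?,?)", [
        (1, mac(2019, 12, 26), 9_000_000_000, 280_000_000, 0, 0),
        (2, mac(2019, 12, 26), 5_000_000, 1_000_000, 0, 0)])
    return db

def usage_rows(db):
    """One tuple per usage entry: (bundle, day, days covered by the entry, total bytes)."""
    return db.execute("""
        SELECT p.ZBUNDLENAME, date(u.ZTIMESTAMP + ?, 'unixepoch'),
               (u.ZTIMESTAMP - p.ZFIRSTTIMESTAMP) / 86400.0,
               u.ZWIFIIN + u.ZWIFIOUT + u.ZWWANIN + u.ZWWANOUT
        FROM ZLIVEUSAGE u JOIN ZPROCESS p ON p.Z_PK = u.ZHASPROCESS
        ORDER BY p.Z_PK""", (MAC_EPOCH,)).fetchall()

def daily_totals(rows):
    """The naive per-day sum (the spreadsheet's column H): every byte lands on the entry's date."""
    totals = defaultdict(int)
    for _bundle, day, _span, total in rows:
        totals[day] += total
    return dict(totals)

def accumulated(rows, min_days=2):
    """Entries whose single timestamp covers a long window, with the per-day average instead."""
    return [(b, round(span), total // round(span)) for b, _d, span, total in rows if span >= min_days]

if __name__ == "__main__":
    rows = usage_rows(build_sample_db())
    print(daily_totals(rows))
    print(accumulated(rows))
```

The naive sum puts more than 9 GB on a single day, while the second function shows the same entry covering 116 days at roughly 80 MB per day.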