Overview
macOS Location Services provides applications with the device's geographic location using Wi-Fi positioning, Bluetooth, and (on some hardware) GPS. The location subsystem maintains records of which applications have accessed location data, cached location information, and significant locations the user has visited frequently. These artifacts provide physical location evidence and privacy-relevant access patterns.
Forensic Significance
| Evidence Type | Forensic Value |
|---|---|
| Location clients | Which apps have accessed location data |
| Client authorization | Permission level granted to each app |
| Cached positions | Recent location coordinates |
| Significant locations | Frequently visited places (home, work) |
| Wi-Fi location data | Location estimates from Wi-Fi networks |
| Access timestamps | When location was accessed |
File Locations
| Artifact | Path | Format | Access |
|---|---|---|---|
| Location clients | /var/db/locationd/clients.plist | Plist | Root |
| Location cache | /var/db/locationd/consolidated.db | SQLite | Root |
| Significant locations | ~/Library/Preferences/com.apple.routined/ | Encrypted | Root + user password |
| Cache directory | /var/db/locationd/ | Various | Root |
Key Data
clients.plist
Records every application that has requested location access:
| Key | Description |
|---|---|
| Bundle ID (dict key) | Application identifier |
| Authorized | Authorization level (0=not determined, 1=restricted, 2=denied, 3=authorizedAlways, 4=authorizedWhenInUse) |
| BundlePath | Path to the application |
| Executable | Executable name |
| Registered | Registration timestamp |
| LocationTimeStopped | When location access last stopped |
| Whitelisted | Whether the app is whitelisted by Apple |
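The following Python is an added example, not code from the original page or from any tool it lists. It summarizes a clients.plist using the keys and authorization levels in the table above. It assumes each entry is a flat dictionary shaped as that table describes and that Registered and LocationTimeStopped are seconds since 2001-01-01 UTC; the bundle IDs and values in SAMPLE are constructed.

```python
import plistlib
from datetime import datetime, timedelta, timezone

# Authorization levels exactly as listed in the clients.plist key table.
AUTH_LEVELS = {0: "not determined", 1: "restricted", 2: "denied",
               3: "authorizedAlways", 4: "authorizedWhenInUse"}

# Assumption: plist timestamps count seconds from 2001-01-01 UTC.
MAC_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)

def mac_time(value):
    """Return an ISO 8601 UTC string, or None if the value is absent or not numeric."""
    if isinstance(value, bool) or not isinstance(value, (int, float)):
        return None
    return (MAC_EPOCH + timedelta(seconds=value)).isoformat()

def parse_clients(raw: bytes):
    """Return one summary row per location client, most recently stopped first."""
    rows = []
    for bundle_id, entry in plistlib.loads(raw).items():
        if not isinstance(entry, dict):
            continue  # ignore top-level values that are not client records
        level = entry.get("Authorized")
        rows.append({
            "bundle_id": bundle_id,
            # Unknown codes are reported as-is rather than guessed at.
            "authorization": AUTH_LEVELS.get(level, f"unknown ({level!r})"),
            "bundle_path": entry.get("BundlePath"),
            "executable": entry.get("Executable"),
            "registered": mac_time(entry.get("Registered")),
            "stopped": mac_time(entry.get("LocationTimeStopped")),
        })
    return sorted(rows, key=lambda r: r["stopped"] or "", reverse=True)

# Constructed sample standing in for /var/db/locationd/clients.plist.
SAMPLE = plistlib.dumps({
    "com.example.weather": {"Authorized": 2, "Registered": 690000000.0,
                            "BundlePath": "/Applications/ExampleWeather.app"},
    "com.example.maps": {"Authorized": 4, "Executable": "ExampleMaps",
                         "BundlePath": "/Applications/ExampleMaps.app",
                         "Registered": 700000000.0,
                         "LocationTimeStopped": 700003600.0},
}, fmt=plistlib.FMT_BINARY)

if __name__ == "__main__":
    for row in parse_clients(SAMPLE):
        print(row)
```

Run it against a copy of the file taken from the evidence image rather than the live path, so the original is not touched.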
consolidated.db
Historical location cache with coordinates, timestamps, and confidence levels:
| Column | Description |
|---|---|
| Latitude | GPS latitude |
| Longitude | GPS longitude |
| HorizontalAccuracy | Position accuracy in meters |
| Timestamp | Core Data timestamp |
| Speed | Movement speed |
| Course | Direction of travel |
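```sql
-- Core Data timestamps count seconds from 2001-01-01 UTC;
-- adding 978307200 converts them to Unix epoch seconds.
SELECT
    datetime(Timestamp + 978307200, 'unixepoch') AS time,
    Latitude,
    Longitude,
    HorizontalAccuracy AS accuracy_m
FROM CdmaCellLocation
UNION ALL
SELECT
    datetime(Timestamp + 978307200, 'unixepoch') AS time,
    Latitude,
    Longitude,
    HorizontalAccuracy
FROM WifiLocation
-- Most recent 50 fixes across both tables, times in UTC.
ORDER BY time DESC
LIMIT 50;
```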
Analysis Notes
- Root access required: Location databases are in /var/db/locationd/, which requires root access. On a live system, use sudo.
- Client list value: Even without cached coordinates, the clients.plist reveals which applications accessed location data and their authorization level.
- Significant locations encryption: The routined data containing significant locations is encrypted with the user's password. It cannot be read without the password or a device unlock.
- Wi-Fi positioning: macOS primarily uses Wi-Fi positioning rather than GPS (most Macs lack GPS hardware). Location accuracy is typically 50-100 meters.
- Timestamp correlation: Location timestamps correlate with Wi-Fi connection events, KnowledgeC entries, and Calendar event locations.
- Privacy implications: Location data is among the most sensitive forensic artifacts. Handle according to investigation scope and legal authority.
| Tool | Support |
|---|---|
| macfor | Not yet implemented (planned) |
| sqlite3 | Manual database inspection (requires root) |
| plutil (macOS built-in) | Read clients.plist |
| mac_apt | Open-source location parser |
References