Investigating iOS Burner
23/05/2025 Friday
Burner is a mobile app designed to enhance privacy by providing
users with temporary, disposable phone numbers. These virtual numbers
can be used for calls, texts, or signing up for services without
revealing the user’s real phone number. Once the number is no longer
needed, the user can easily "burn" it, permanently deactivating it to
prevent further contact. This helps protect against spam, unwanted
calls, and potential privacy breaches, ensuring personal information
stays secure.
Digital Forensics Values of iOS Burner
The forensic value of iOS Burner lies primarily in the services it
provides, which focus on protecting users’ privacy and concealing their
real personal phone numbers. While the app is designed to protect
privacy, users may potentially misuse these services for illegal
activities, such as harassment, fraud, or other crimes. Therefore,
analyzing any left-behind artifacts can help investigators examine usage
patterns and correlations with other digital activities to gather
insights into such activities.
Location of iOS Burner
iOS Burner artifact can be found at the following location:
private/var
/mobile/Containers/Shared/AppGroup/<App-GUID>/Phoenix.sqlite
Analyzing iOS Burner Artifacts with ArtiFast
This section will discuss how to use ArtiFast to extract iOS Burner
artifacts from iOS machines’ files and what kind of digital forensics
insights we can gain from the artifact.
After you have created your case and added evidence for the
investigation, at the Artifact Selection phase, you can select iOS
Burner artifact parser:
×
Once ArtiFast parsers plugins complete processing the artifact for analysis, it can be reviewed via “Artifact View” or “Timeline View,” with indexing, filtering, and searching capabilities. Below is a detailed description of iOS Burner artifacts in ArtiFast.
iOS Burner Numbers
- Date Created: The date when the user account was created.
- Burner ID: The unique identifier for the Burner user.
- Burner Number: The burner number associated with the Burner user.
- Is Notification Enabled: Indicates whether notifications are allowed or not.
- Total Minutes: The total minutes available to the user.
- Inbound Caller ID: Indicates whether it is a burner number or a caller number.
- Display Name: The user's display name.
- Is Auto Reply Enabled: Indicates whether message auto-reply is enabled.
- MMS: Indicates whether MMS is enabled.
- Total Texts: The total texts.
- Remaining Texts: The remaining texts available to the user.
- Unlimited Minutes: Indicates whether unlimited minutes are available.
- Video: Indicates whether video is enabled.
- Voicemail Transcription: Indicates whether voicemail transcription is enabled.
- Remaining Minutes: The remaining minutes available to the user.
- Auto Reply Text: The auto reply text.
- In-App Calling: Indicates whether it is standard voice or VoIP.
iOS Burner Calls
- Call Date/Time: The date and time when the call was made.
- Call ID: The unique identifier of the call.
- Call Type: The type of the call.
- Remote Partner Phone Number: The conversation participant’s phone number.
- Burner ID: The burner account associated with the call.
- Direction: Indicates whether the call is incoming or outgoing.
- Is Read: Indicates whether the call was seen.
iOS Burner Messages
- Message ID: The unique identifier of the message.
- Remote Partner Phone Number: The conversation participant’s phone number.
- Burner ID: The burner account associated with the message.
- Text Content: The content of the message.
- Direction: Indicates whether the message is incoming or outgoing.
- Is Read: Indicates whether the message was read.
- Send Date: Message send date and time.
iOS Burner Contacts
- Contact ID: The unique identifier of the user associated with the contact.
- Phone Number: The phone number of the contact.
- Name: Contact name.
- Is Blocked: Indicates whether the contact is blocked.
- Is Muted: Indicates whether the contact is muted.
- Notes: Additional notes about the contact.
iOS Burner Pictures
- Message ID: The unique identifier of the message.
- Remote Partner Phone Number: The conversation participant’s phone number.
- Burner ID: The burner account associated with the message.
- Picture URL: The attached picture’s URL.
- Direction: Indicates whether the message is incoming or outgoing.
- Is Read: Indicates whether the message was read.
- Send Date: Message send date and time.
For more information or suggestions please contact: ekrma.elnour@forensafe.com
