Updated Logs of shared images (markdown)

Rhet Turnbull
2022-09-08 09:21:15 -07:00
parent 3b5fd2ab98
commit fb22e765f5

@@ -35,4 +35,51 @@ and
default 05:45:12.878412-0700 sharingd Start transaction to "John Doe's iPhone"
default 05:45:12.878443-0700 sharingd AirDrop client transaction begin (1)
So if you really need to reconstruct this, you could write some tools to parse the logs and give you an idea of what happened. From Mac to iPhone, you could likely reconstruct exactly which photo was sent to which person (or device). From iPhone to iPhone or iPhone to Mac, you could determine which photos were shared and who photos were shared with (and when) but not necessarily who each photo was shared with (as best as I can tell...but I'm not a cyber forensic expert). But you could narrow it down based on date stamps (e.g. a photo taken after X date could not have been shared before X date).
So if you really need to reconstruct this, you could write some tools to parse the logs and give you an idea of what happened. From Mac to iPhone, you could likely reconstruct exactly which photo was sent to which person (or device). From iPhone to iPhone or iPhone to Mac, you could determine which photos were shared and who photos were shared with (and when) but not necessarily who each photo was shared with (as best as I can tell...but I'm not a cyber forensic expert). But you could narrow it down based on date stamps (e.g. a photo taken after X date could not have been shared before X date).
## Response to OP's follow up question about how long the data is saved
I don't know about the iPhone but on the Mac, logs are rotated (deleted) regularly. It depends on how much log activity there is--could be a few days to up to a month. The iPhone is likely similar. I looked in my Logs folder on the iPhone (using iMazing) and it looks like there are about 24 hours of logs.
The `ZSHARECOUNT` value in the Photos database will persist indefinitely so you can always go back and see which photos were shared and how many times but you'll lose the context from the log files.
Apple may keep other data that is not accessible to the user but of course, I have no way of determining that.
If you want to look at `ZSHARECOUNT` yourself, you could copy the the files:
- `Photos.sqlite`
- `Photos.sqlite-shm`
- `Photos.sqlite-wal`
from Media/Photo Data on the phone to your Mac. You can then run the following command in the terminal. First, save the following sql in a text file (`share_date.sql`)
```sql
SELECT
ZADDITIONALASSETATTRIBUTES.ZORIGINALFILENAME,
ZADDITIONALASSETATTRIBUTES.ZSHARECOUNT,
-- need to add 978307200 to the date to convert from MacOS time epoch (1 Jan 2000) to unix epoch (1 Jan 1970)
datetime((ZASSET.ZADDEDDATE+978307200),'unixepoch') as ZADDEDDATE,
datetime((ZASSET.ZLASTSHAREDDATE+978307200),'unixepoch') as ZLASTSHAREDDATE
FROM
ZASSET
JOIN
ZADDITIONALASSETATTRIBUTES ON ZADDITIONALASSETATTRIBUTES.ZASSET = ZASSET.Z_PK
WHERE
ZADDITIONALASSETATTRIBUTES.ZSHARECOUNT > 0
ORDER BY
ZASSET.ZLASTSHAREDDATE DESC
```
Then run this command on the Photos.sqlite file you copied from the iPhone:
sqlite3 Photos.sqlite ".headers on" ".read share_date.sql"
You'll get a list of all photo names, the share count, date the photo was added to the library, the date of the last share in a format like this:
```
ZORIGINALFILENAME|ZSHARECOUNT|ZADDEDDATE|ZLASTSHAREDDATE
IMG_0582.HEIC|1|2022-09-06 21:55:47|2022-09-06 21:56:28
IMG_0045.HEIC|1|2022-09-06 03:57:53|2022-09-06 18:58:00
IMG_0042.HEIC|1|2022-09-06 03:05:43|2022-09-06 18:58:00
```
The results will be sorted most recent share at the top to last share on the bottom.
Note that this includes shares besides just those shared by AirDrop. For example, shared folders, iMessage, etc. I don't know of a way to distinguish amongst these share types without looking at the individual log details.
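
Review bot: The SQL comment above the two `datetime(...)` columns gives the epoch as 1 Jan 2000, but the 978307200 offset the query adds corresponds to 1 Jan 2001 00:00:00 UTC, so the comment should read 1 Jan 2001. The `datetime(..., 'unixepoch')` columns are also rendered in UTC, while the sharingd log lines quoted at the top of this hunk carry a -0700 offset; either add the `'localtime'` modifier or state that ZADDEDDATE and ZLASTSHAREDDATE are UTC, so readers can line the share dates up with the log timestamps. Smaller points: "copy the the files" has a doubled word, and the `sqlite3 Photos.sqlite ".headers on" ".read share_date.sql"` line should be fenced like the SQL and the sample output so it can be copied cleanly.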