When Cellebrite/Oxygen fail: Manual extraction of Tor browser history from iOS using Realm database analysis
Commercial forensic tools failed to extract Tor browser history from an iPhone 11. The author found that the Tor browser stores data in a Core Data SQLite database and a Realm database, and used WebKit's ITP database to corroborate the history. A Python script extracted the data from Realm and recovered 279 unique URLs. 2025-12-7 13:11:6 Author: www.reddit.com (view original)

Hey everyone,

Just published my first write-up on a recent case where commercial forensic tools (Cellebrite, Oxygen, XRY) successfully created a full file system extraction from an iPhone 11 but completely missed the browsing history from a third-party Tor browser app.
The app's Core Data SQLite database was empty, but I discovered it actually stores history in a Realm database (default.realm). Additionally, WebKit's Intelligent Tracking Prevention database (observations.db) provided independent corroboration of visited domains - and users cannot clear this.

The article covers:
- Database architecture analysis of iOS Tor browser apps
- Python scripts for Realm binary extraction with timestamps
- How to cross-reference WebKit ITP data for validation
- Why Z_PRIMARYKEY analysis matters for understanding data storage

Recovered 279 unique URLs with precise Unix timestamps that automated tools missed entirely.

Full write-up: https://medium.com/@gerisson/when-commercial-forensic-tools-fail-manual-extraction-of-tor-browser-evidence-from-ios-devices-40b02e2523e3

Happy to answer any questions or discuss methodology.
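The cross-referencing step the post describes, as an added example that is not the author's script: URLs carved from the app's Realm file are reduced to their registrable domain and matched against the domains WebKit's ITP store records. Both inputs are constructed here, and the `ObservedDomains` column set is an assumption about observations.db, not a dump from a real device.

```python
import sqlite3
from datetime import datetime, timezone
from urllib.parse import urlsplit

# Constructed stand-in for (url, unix_timestamp) pairs carved from default.realm.
REALM_HISTORY = [
    ("https://check.torproject.org/", 1733400000),
    ("https://www.example.org/login", 1733400120),
    ("https://news.example.net/article/42", 1733400300),
    ("http://cleared.example.com/", 1733400400),   # no ITP record: unconfirmed
]

# Constructed rows for an ITP-style ObservedDomains table (schema is assumed).
ITP_ROWS = [
    ("torproject.org", 1733400001.0, 1),
    ("example.org", 1733400121.0, 1),
    ("example.net", 1733400301.0, 0),
]

def registrable_domain(url: str) -> str:
    """Crude eTLD+1 (last two host labels). ITP keys on the registrable domain,
    not the full URL; use the public suffix list for co.uk-style suffixes."""
    host = (urlsplit(url).hostname or "").lower()
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host

def build_itp_db(rows) -> sqlite3.Connection:
    """In-memory SQLite standing in for observations.db."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE ObservedDomains (registrableDomain TEXT, "
                "lastSeen REAL, hadUserInteraction INTEGER)")
    con.executemany("INSERT INTO ObservedDomains VALUES (?, ?, ?)", rows)
    return con

def iso(ts) -> str:
    return datetime.fromtimestamp(ts, timezone.utc).isoformat()

def cross_reference(history, con) -> dict:
    """Map each carved URL to its visit time and whether ITP saw the domain."""
    observed = {dom: (seen, ui) for dom, seen, ui in con.execute(
        "SELECT registrableDomain, lastSeen, hadUserInteraction FROM ObservedDomains")}
    result = {}
    for url, ts in history:
        dom = registrable_domain(url)
        hit = observed.get(dom)
        result[url] = {"domain": dom, "visited": iso(ts),
                       "itp_corroborated": hit is not None,
                       "itp_last_seen": iso(hit[0]) if hit else None}
    return result
```

A URL with no ITP match is not disproved; ITP only records domains WebKit classified as observed, so treat the match as corroboration, not the sole source.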


Article source: https://www.reddit.com/r/computerforensics/comments/1pgi0p4/when_cellebriteoxygen_fail_manual_extraction_of/