Sorell, Matthew; Espinosa, Hugo G.; Phillips, Braden; Jennings, Luke
2025-05-27
2025-05-27
2025
https://hdl.handle.net/2440/144736

Smart watches are the culmination of mechanical watches, health monitoring, mobile communication services and customisable applications over decades of technological advancements. From the arrival of smart watches to today, smart watches have been paired with mobile phones. Mobile phones have always been a rich source of digital traces for evidence in criminal investigations. Smart watches provide a different set of forensic challenges compared to mobile phones. These challenges come from the watch and the interactions with the paired host phone, and the focus on the interpretation of sensor-derived logs. The first known murder where a commercial fitness device played a significant role in the investigation occurred in 2016 in Adelaide, South Australia. The victim of the crime, Myrna Nilsson, was bludgeoned to death in her home. During the events of the crime, Myrna’s Apple Watch recorded details of the assault including the intensity of the attack, and time of death. Later in 2016, the second known murder world-wide involving a commercial fitness device occurred, this time in Germany. The suspect’s Apple Watch recorded details of the location of the assault, a riverbank, as step counts, distances and flights of stairs climbed. These incidents highlighted the emerging class of consumer device where a knowledge gap became apparent. Health data in isolation does not provide many interesting insights, particularly in the context of a criminal investigation. However, the data recorded by a fitness device such as an Apple Watch combines not only health data but also timestamps and context. This context, which is the movements of a person, turns health data into personal data, and this is where the potential of Apple Watches as digital evidence in a physical world investigation becomes apparent.
The new and emerging technology of Apple Watches and Apple Health has highlighted a gap in knowledge. If we wish to use this technology in an investigative context, the validity, trustworthiness and understanding of the data are paramount and must be addressed. This study aims to address these challenges by answering four specific questions:
1. How accurate are the summary measurements reported in Apple Health logs?
2. How accurate and precise are the timestamps of the data acquired from the sensors?
3. What unexpected data can be found in the Apple Health ecosystem?
4. How can Apple Health be exploited in digital forensics?
This thesis makes use of controlled experiments, analysis of a real longitudinal data set acquired since 2017, and further ad hoc experiments. The thesis is also informed by, but cannot report, insight obtained from assisting in real-world criminal investigation. The controlled experiments reveal that on a pure acceleration basis, the step counts are accurate but there are timing lags between sensor measurement and logged times, with dependency on step rate and distribution. The ad hoc longitudinal dataset reveals unexpected data found within the Apple Health database, including the source of the health records, hardware and firmware (which Apple refers to as provenance), and location information (timezone and geolocation). This unexpected data can be analysed in the context of a criminal investigation to provide insights and intelligence for a case to inform the investigator. The provenance can be exploited to infer the existence of other artefacts from other devices not yet discovered or examined, and the location information can provide context into a user’s true actions, as opposed to what the health data reports is happening. This work indicates that Apple Health data can be a powerful tool in criminal investigation if its limitations and potential are understood clearly.
It has shown that step counts are the most reliable health metric in the database for interpreting the movement and activity of a person, and that there are specific challenges with the other health data types that require their own specific detailed understanding if they are to be included in a forensic capacity. This work is informed by active subject matter expert consultancy since 2016, and has informed criminal investigations, prosecutions and defence in several high-profile matters in Australia and other courts since 2019. Some of these matters, especially those in which the thesis author is the court-recognised subject matter expert, are currently sub judice.

en
Digital Forensics; Apple Health; Smart Watch; Fitness Watch; Phone; Device Forensics; Artefact Forensics; Wearables
On the Forensic Application of Apple Health Data
Thesis