Logs of shared images

Rhet Turnbull edited this page Sep 8, 2022 · 4 revisions

In response to this reddit post, I did a little digging and found the following as related to reconstructing when/who an image was shared with.

From iPhone -> MacBook (and it's likely the same iPhone to iPhone):

There's an entry in the Apple Unified Log (there are some good tools here for working with Unified Log) showing that an AirDrop event occurred, but it does not appear that the actual photo name is in the log. You can view log events on your iPhone from a Mac using the Console app when the phone is in proximity to the Mac. I don't know if there are tools to view log events directly on the iPhone. You can access the raw log files in the Logs folder on the iPhone. When you AirDrop a photo on the iPhone the following happens:

  1. The ZSHARECOUNT value in the ZADDITIONALASSETATTRIBUTES table of the Photos.sqlite database (located in Media/Photo Data on the iPhone) is incremented. You can verify this by using an app that allows you to access the filesystem of the iPhone like iMazing.
  2. There is a log entry that shows an AirDrop connection occurred:

default 06:06:53.826292-0700 sharingd MetricEvent 'com.apple.sharing.AirDrop.SessionInfo' : { "transfersInitiated" : 1, "startTimestamp" : 684335205429, "bid" : "com.apple.mobileslideshow", "totalPeersDiscovered" : 1, "browserID" : "7D46D930DB7A", "firstDiscoveryMs" : 0.841451, "transfersCompleted" : 0, "sid" : "EF9DA930166F", "durationMs" : 8.293702, "maxPeersDiscovered" : 1, "discoveryLevel" : 2, "legacy" : false, }

  3. There are log entries showing which device and which person the sharing daemon is sharing with:

default 06:06:55.534943-0700 sharingd Query: -[SDXPCHelperConnection CGImgForNameLabelWithString:textColor:maxNumberOfLines:isAirDrop:ignoreNameWrapping:processOppositeColor:],John Doe's MacBook Pro,(UIColor 1.0,1.0,1.0,1.0),1,1,0,,2,UICTContentSizeCategoryXXL,0,,

and

default 06:06:57.759937-0700 sharingd Set status for John Doe’s MacBook Pro to Sent

and

default 06:06:57.769475-0700 sharingd Stop AirDrop session with <SFNode {John Doe,id=XXXX-D0B8-0FDD-7AE4-XXXX,dev=MacBook Pro,t=Rapport,sib=[ <SFNode {John Doe,id=XXX,dev=MacBook Pro,t=Bonjour,sib=NULL}>, <SFNode {John Does,id=XXX,dev=MacBook Pro,t=Rapport,sib=NULL}> ]}>

  4. There's also a log entry showing the Bluetooth connection to the AirDrop device. (Not shown here)

From MacBook to iPhone:

  1. The ZSHARECOUNT value in the ZADDITIONALASSETATTRIBUTES table of Pictures/Photos Library.photoslibrary/database/Photos.sqlite is incremented.
  2. Unlike the iPhone, there is a log of which photo was sent in the Unified Log:

default	05:45:10.945714-0700	sharingd	Item in the cache.
default	05:45:12.877151-0700	sharingd	No conversion needed for IMG_0041.heic
default	05:45:12.878412-0700	sharingd	Start transaction to "John Doe's iPhone"
default	05:45:12.878443-0700	sharingd	AirDrop client transaction begin (1)

So if you really need to reconstruct this, you could write some tools to parse the logs and give you an idea of what happened. From Mac to iPhone, you could likely reconstruct exactly which photo was sent to which person (or device). From iPhone to iPhone or iPhone to Mac, you could determine which photos were shared and who photos were shared with (and when) but not necessarily who each photo was shared with (as best as I can tell...but I'm not a cyber forensic expert). But you could narrow it down based on date stamps (e.g. a photo taken after X date could not have been shared before X date).
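One way to write the log-parsing tool suggested above, as an added example rather than the author's code. It recognizes only the sharingd message shapes quoted on this page; the function names, the 5-second pairing window and the sample text are assumptions made for illustration.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in the layout of the sharingd lines quoted on this page.
SAMPLE = """\
default\t05:45:10.945714-0700\tsharingd\tItem in the cache.
default\t05:45:12.877151-0700\tsharingd\tNo conversion needed for IMG_0041.heic
default\t05:45:12.878412-0700\tsharingd\tStart transaction to "John Doe's iPhone"
default\t05:45:12.878443-0700\tsharingd\tAirDrop client transaction begin (1)
default 06:06:57.759937-0700 sharingd Set status for John Doe\u2019s MacBook Pro to Sent
"""

LINE = re.compile(r"^\S+\s+(?P<ts>\d\d:\d\d:\d\d\.\d+[-+]\d{4})\s+sharingd\s+(?P<msg>.*)$")
FILE = re.compile(r"^No conversion needed for (?P<name>.+)$")
START = re.compile(r'^Start transaction to "(?P<peer>.+)"$')
SENT = re.compile(r"^Set status for (?P<peer>.+) to Sent$")
WINDOW = timedelta(seconds=5)  # assumption: a file line belongs to a transfer starting within 5 s


def parse_time(ts):
    # The excerpts carry time of day and UTC offset only, no date.
    return datetime.strptime(ts, "%H:%M:%S.%f%z")


def reconstruct(log_text):
    """Return AirDrop events: peer, time, and file names when the log has them."""
    events, pending = [], []  # pending holds (time, filename) not yet tied to a peer
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        ts, msg = m["ts"], m["msg"].strip()
        if f := FILE.match(msg):
            pending.append((parse_time(ts), f["name"]))
        elif s := START.match(msg):
            now = parse_time(ts)
            files = [n for t, n in pending if timedelta(0) <= now - t <= WINDOW]
            events.append({"time": ts, "peer": s["peer"], "files": files})
            pending = []
        elif s := SENT.match(msg):
            # iPhone-side lines shown on the page name the peer but not the photo.
            events.append({"time": ts, "peer": s["peer"], "files": None})
    return events


if __name__ == "__main__":
    for event in reconstruct(SAMPLE):
        print(event)
```

Events with `files` set to `None` are the ones to narrow down using ZSHARECOUNT and ZLASTSHAREDDATE from the Photos database.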

Response to OP's follow up question about how long the data is saved

I don't know about the iPhone but on the Mac, logs are rotated (deleted) regularly. It depends on how much log activity there is--could be a few days to up to a month. The iPhone is likely similar. I looked in my Logs folder on the iPhone (using iMazing) and it looks like there are about 24 hours of logs.

The ZSHARECOUNT value in the Photos database will persist indefinitely so you can always go back and see which photos were shared and how many times but you'll lose the context from the log files.

Apple may keep other data that is not accessible to the user but of course, I have no way of determining that.

If you want to look at ZSHARECOUNT yourself, you could copy the files:

  • Photos.sqlite
  • Photos.sqlite-shm
  • Photos.sqlite-wal

from Media/Photo Data on the phone to your Mac. You can then query the database from the terminal. First, save the following SQL in a text file (share_date.sql):

SELECT
	ZADDITIONALASSETATTRIBUTES.ZORIGINALFILENAME,
	ZADDITIONALASSETATTRIBUTES.ZSHARECOUNT, 
	-- need to add 978307200 to the date to convert from the Core Data (Cocoa) time epoch (1 Jan 2001) to the unix epoch (1 Jan 1970)
	datetime((ZASSET.ZADDEDDATE+978307200),'unixepoch') as ZADDEDDATE, 
	datetime((ZASSET.ZLASTSHAREDDATE+978307200),'unixepoch') as ZLASTSHAREDDATE
FROM
	ZASSET
JOIN 
	ZADDITIONALASSETATTRIBUTES ON ZADDITIONALASSETATTRIBUTES.ZASSET = ZASSET.Z_PK 
WHERE
	ZADDITIONALASSETATTRIBUTES.ZSHARECOUNT > 0
ORDER BY
	ZASSET.ZLASTSHAREDDATE DESC;

Then run this command on the Photos.sqlite file you copied from the iPhone:

sqlite3 Photos.sqlite ".headers on" ".read share_date.sql"

You'll get a list of all photo names, the share count, the date the photo was added to the library, and the date of the last share, in a format like this:

ZORIGINALFILENAME|ZSHARECOUNT|ZADDEDDATE|ZLASTSHAREDDATE
IMG_0582.HEIC|1|2022-09-06 21:55:47|2022-09-06 21:56:28
IMG_0045.HEIC|1|2022-09-06 03:57:53|2022-09-06 18:58:00
IMG_0042.HEIC|1|2022-09-06 03:05:43|2022-09-06 18:58:00

The results are sorted with the most recent share at the top and the oldest share at the bottom. Note that this includes shares other than AirDrop, for example shared albums, iMessage, etc. I don't know of a way to distinguish amongst these share types without looking at the individual log details.