This week I focused on a subtle but forensically valuable artefact: detecting when a device was physically connected to power. Or physically connected to a USB cable without charging.
USB connections are often overlooked during triage, but can be critical in timelines where investigators want to know:
- When was the device connected to a USB cable?
- When was the device connected and charging?
- Was the screen active during charging?
- Etc
So let’s dive in!
Artifact: USB cable connected
2025-03-09 14:54:07.272183+0100 localhost powerexperienced[119]: [com.apple.powerexperienced:chargedurationpredictor] plugin state changed to 1 |
Timestamp: 2025-03-09 14:54:07.272183 (UTC+1)
Process: powerexperienced
This is a low-level system daemon responsible for managing power states, battery behavior, and performance scaling during charging and unplugging events.
Subsystem: chargedurationpredictor
Part of the power management stack that estimates how long the device will take to fully charge based on past behavior, current draw, and battery health.
EventMessage:
plugin state changed to 1
The device was physically connected to an external power source. A state = 1 confirms that charging has started or that power input is actively detected (typically via USB).
Forensic relevance
This artefact provides a precise timestamp for a physical event, the connection of a USB cable or power source. It can be cross-referenced with other events (e.g., unlocks, screen activity) to establish user interaction or possible forensic acquisition windows.
Artefact: powerexperienced
2025-03-09 14:54:07.272234+0100 localhost powerexperienced[119]: [com.apple.powerexperienced:RestrictedPerfMode] evaluatePowerMode: <private>: 0 display 1, carPlaySession 0, nFCSession 0, audioSession 0, sleepInProgress 0, wakeInProgress 0, onenessSession 0, siriAudio 0, pluggedIn 1 (allowOnCharger: 0)
Timestamp: 2025-03-09 14:54:07.272234 (UTC+1)
Process: powerexperienced
This daemon manages real-time power conditions, performance modes, and system behaviors in response to charging, screen state, and user interactions.
Subsystem: RestrictedPerfMode
Evaluates and applies dynamic performance restrictions or enhancements depending on whether the device is running on battery or external power.
EventMessage:
| Field | Value | Meaning |
|---|---|---|
| display | 1 | The screen was active — the device was being used. |
| pluggedIn | 1 | Device was connected to external power (e.g., USB). |
| carPlaySession | 0 | No active CarPlay connection. |
| nFCSession | 0 | No ongoing NFC session (e.g., Apple Pay or transit). |
| audioSession | 0 | No active audio playback or call. |
| sleepInProgress | 0 | Device was not entering sleep mode. |
| wakeInProgress | 0 | Device was not in the process of waking. |
| onenessSession | 0 | No Continuity or cross-device session (e.g., Handoff). |
| siriAudio | 0 | Siri was not active or listening. |
The combination of pluggedIn = 1 and display = 1 strongly indicates that the device was active while connected to power. Since all contextual flags are set to 0, it is likely that the activity was manual and user-driven, rather than system- or accessory-triggered (such as CarPlay, Siri, or Apple Pay).
Forensic relevance
This artefact offers more than just power state confirmation — it provides a snapshot of user context. When pluggedIn = 1 and display = 1, while all session flags remain 0, it strongly suggests that the device was:
- Actively in use by a person
- Not engaged in background processes like Siri, NFC, audio, or CarPlay
- Fully awake, ruling out passive charging or standby state
In forensic timelines, this artefact can help to:
- Correlate USB connection with intentional user interaction
- Exclude background or automated system triggers
- Anchor precise start points for acquisition windows
- Differentiate between charging-only versus active use scenarios
Combined with prewarmCamera, unlockedEnvironmentMode, or keybag transitioning artifacts, this line becomes a strong indicator of human presence at a specific moment.
Conclusion
The powerexperienced artefacts found in the Apple Unified Log offer precise and interpretable indicators of physical device interaction. When a USB cable is connected, the system logs not only the charging state (plugin state changed to 1) but also evaluates contextual conditions via RestrictedPerfMode.
The presence of pluggedIn = 1 alongside display = 1 — and with all other session flags disabled — creates a strong forensic signal: the device was not just charging, it was actively used by a person.
These artefacts are often overlooked during triage but can be critical in reconstructing access patterns, acquisition moments, or validating testimony about device handling. Their timestamped nature and low-level reliability make them a solid addition to any iOS forensic workflow.
Happy hunting!
Bravo, excellent idea
In it something is. Thanks for the help in this question. I did not know it.
——
car hire abu dhabi international airport
Hey there, I was wondering if you took guest posts on thesisfriday.com? If so, how would I go about getting one on your site? If there is a fee, let me know.
Also, if you have any other sites you can get me a post on please list them.
Thanks
Justin
Hello Justin,
I can take guest posts, of course depends on the subject.
You can reach out to info@thesisfriday.com
With Kind regards,
Tim Korver
Was just browsing thesisfriday.com and was impressed the layout. Nicely design and great user experience. Just had to drop a message, have a great day! we7f8sd82
Hello,
Add your website thesisfriday.com in Google Search Index to have it displayed in Web Search Results.
Submit thesisfriday.com at https://searchregister.net
Hi,
Add your thesisfriday.com website to Google Search Index to be displayed in Google Search Results!
Register thesisfriday.com at https://searchregister.info
Hello,
Add thesisfriday.com website to SEODIRECTORY fort a better position in Web Search results order and to get an improvement in traffic:
https://seodir.pro
Boost thesisfriday.com seo ranking with best seo backlinks!
BonusBacklinks.com – we provide daily backlinks and drive organic clicks to your page EVERY DAY:
+ Take 85% SALE
+ Trusted daily seo backlinks
+ Organic website traffic
+ Price cheap as $1
+ Bonus coupon codes
https://tiny.cc/BonusBacklinks-85Deal
BonusBacklinks.com – daily seo backlinks and organic traffic to grow your webpage every day