iPhone forensics can be performed on the backups made by iTunes or directly on the live device. This Previous article on iPhone forensics detailed the forensic techniques and the technical challenges involved in performing live device forensics. Forensic analysis on a live device reboots the phone and may alter the information stored on the device. In critical cases, forensic examiners rely on analyzing the iPhone logical backups acquired through iTunes. iTunes uses AFC (Apple file connection) protocol to take the backup and also the backup process does not modify anything on the iPhone except the escrow key records. This article explains the technical procedure and challenges involved in extracting data and artifacts from the iPhone backups. Understanding the forensics techniques on iTunes backups is also useful in cases where we get physical access to the suspect’s computer instead of the iPhone directly. When a computer is used to sync with the iPhone, most of the information on the iPhone is likely to be backed up onto the computer. So, gaining access to the computer’s file system will also give access to the mobile devices’ data.
Note: iPhone 4 GSM model with iOS 5.0.1 is used for the demos. Backups shown in the article are captured using iTunes 10.6.
Goal: Extracting data and artifacts from the backup without altering any information.
Researchers at Sogeti Labs have released open source forensic tools (with the support of iOS 5) to read normal and encrypted iTunes backups. Below are the details outlining their research and an overview on usage of backup recovery tools.
With iOS 5, data stored on the iPhone can be backed up to a computer with iTunes or to a cloud based storage with iCloud. This article briefs about iCloud backups and provides a deep analysis of iTunes backups.
iCloud allows backup & restoring the iPhone contents over Wi-Fi/3 G to a cloud with a registered Apple account. iCloud backups the photos, application data, device settings, messages and mail, etc. iCloud services were introduced to provide a computer free backup solution. It acts as a remote backup service and allows data to move seamlessly between different Apple devices like Mac, iPod and iPad. iCloud also provides services to track the lost phone, lock the device remotely, and wipe the data remotely. iCloud limits the free backup storage to 5 Giga Bytes. However, additional iCloud data storage can be purchased by paying annual fees to Apple. iCloud uses a secure token for authentication and secures the content by encrypting it when sent over the internet. Use of a secure token for authentication eliminates the need to store iCloud passwords on devices. Apple also claims that all the iCloud data, except the emails and notes, is stored encrypted on a disk using 128 bit encryption algorithm. Encrypted data stored on the disk is decrypted on the fly when requested from an authentication device. Data stored on the iCloud can also be backed up to a computer and more details are available at Apple documentation.
On the iPhone, iCloud backup storage can be turned on/off by navigating to Settings -> iCloud -> Storage & Backup.
iCloud Backup toggle is shown in Figure 1.
iCloud data is effectively safe from hackers as Apple provides the best authentication mechanism by enforcing the users to use strong passwords, which would prevent the brute force attacks. As long as the user uses a strong password, information stored on the iCloud is safe.
iTunes is used to backup the iPhone to a computer. When the iPhone is connected to a computer for the first time and synced with iTunes, iTunes automatically creates a folder with device UDID (Unique device ID – 40 hexadecimal characters long) as the name and copies the device contents to the newly created folder. The iPhone can be synced with iTunes over Wi-Fi or over an USB connection. If the automatic sync option is turned off in iTunes, the user has to manually initiate the backup process whenever the device is connected to the computer. Once the backup folder is created on the computer, then each time the device is synced with the iTunes, it will only update the files in the existing folder. During the first sync, iTunes takes a full backup of the device. From there on, iTunes only backups and overwrites the files which are modified on the device. The behaviour can be observed by looking at different timestamps for the files in the backup. iTunes also initiates an automated backup when the iPhone is updated or restored. During an iOS update/restore, iTunes creates a differential backup with a folder name [UDID] + ‘-‘ + [Time stamp] in the same backup location. iTunes backup location varies for different operating systems and the exact directory paths are listed in Table-1. Backup files created by iTunes are platform independent and can be moved from one operating system to other.
|Operating system||Backup Location|
|Windows XP||C:\Documents and Settings\[user name]\Application Data\Apple Computer\MobileSync\Backup\|
|MAC OS X||~/Library/Application Support/MobileSync/Backup/
(~ represents user’s home directory)
|Windows 7||C:\Users\[user name]\AppData\Roaming\Apple Computer\MobileSync\Backup\|
If a passcode protected iPhone is connected to the computer for the first time, iTunes will require the user to enter the passcode (shown in Figure 2) and unlock the device before starting the sync process.
Upon unlocking the iPhone with a valid passcode, iTunes recognizes the device as authorized and allows it to backup and sync with the computer. From there on, iTunes will allow it to backup or sync the iPhone without entering the passcode as long as it connects to the same computer. During backup, iTunes also creates a property list file with device UDID as the name and stores the Escrow key bag, Device certificate, Host ID, Host certificate and Host private key in it. Escrow Keybag allows a paired device (normally a computer) to gain full access to the iPhone file system when the phone is in a locked state. This improves the usability by not asking the user to unlock the device during every backup. Escrow key bag location varies for different operating systems and the exact directory paths are listed in Table-2.
|Operating system||Escrow Keybag Location|
|MAC OS X||/private/var/db/lockdown/|
Escrow Keybag is encrypted with a key computed from the iPhone hardware (key 0x835) and is protected with a 32 byte passcode, which is stored on the iPhone. Escrow Keybag passcode gets stored in a PList file ([Host ID].plist) located at – /private/var/root/Library/Lockdown/escrow_records directory on the iPhone. With iOS 5, Escrow Keybag is also protected with a passcode key derived from the user’s passcode, restricting to perform Escrow Keybag attacks. Escrow Keybag attack bypasses the iPhone data protection mechanism and allows decrypting every file on the device without requiring the user’s passcode. Escrow Keybag is a copy of the System Keybag and contains a collection of protection class keys that are used for data encryption on the iPhone. Protection class keys stored in the Escrow Keybag allow iTunes to access protected files & keychain items when the iPhone is locked.
iTunes also creates a Backup Keybag for each backup. It consists of class keys that are different from the ones in the System Keybag. The files in the backup are encrypted using AES 256 in CBC mode, with a unique key and a null IV. These file keys are stored wrapped by a class key from the Backup Keybag. Keys in the Backup Keybag facilitate to store the backups in a secure manner. By default, Backup Keybag is encrypted with a key (key 0x835) derived from the iPhone hardware key (UID key). So even if someone gains access to the backup, it is not possible to retrieve all the data from the backup unless they know the hardware key, which can be achieved only through physical access to the device. As the backup files are encrypted with a hardware key, backup taken from a device can only be restored to the original device. With iOS 4, Apple introduced a feature to encrypt the iTunes backups, which provides portability and allows restoring the backup files of one device to another device. Encrypted backups are designed for data migration between different iOS devices. Data migration is achieved by encrypting the backup with a password that a user gives in iTunes instead of the devices hardware key. With encrypted backups, all the backup data can be migrated except the content which is protected by ThisDeviceOnly class keys.
To create encrypted backups, connect the device to the computer and select ‘Encrypt iPhone Backup’ option in iTunes. During the encrypted backup, iTunes prompts the user to enter a password as shown in Figure 3. Later, the password is used to encrypt all the files in the backup. In encrypted backups, Backup Keybag is encrypted with the backup password. This would allow decrypting the backups without physical access to the device.
iTunes backup makes a copy of everything on the device like contacts, SMS, photos, calendar, music, call logs, configuration files, database files, keychain, network settings, offline web application cache, safari bookmarks, cookies and application data, etc. It also backups the device details like serial number, UDID, SIM hardware number and the phone number.
The backup folder contains a list of files which are not in a readable format, and it consists of uniquely named files with a 40 digit alphanumeric hex value without any file extension. Example file name is: f968421bd39a938ba456ef7aa096f8627662b74a.
iTunes 10.6 backup of an iOS 5 device is shown in the Figure 4.
This 40 digit hex file name in the backup folder is the SHA1 hash value of the file path appended to the respective domain name with a ‘-‘ symbol. So the hash of DomainName-filepath will match to the correct file in the backup. In iOS 5, applications and inside data are classified into 12 domains (11 system domains and one application domain). The list of system domains can be viewed from /System/Library/Backup/Domains.plist file on the iPhone. Domains.plist file contents are listed out in Figure 5.
The method of managing the backups has changed with every major release of iTunes; however, the method of converting the path names to the file names still remains the same.
A few examples for path name to backup file name conversions are shown below -
Ex 1: Address book images backup file is – cd6702cea29fe89cf280a76794405adb17f9a0ee and this value is computed from SHA-1(HomeDomain-Library/AddressBook/AddressBookImages.sqlitedb).
*Online hash calculator –
Ex 2: AppDomain is used for the applications which are downloaded from AppStore.
Skype property list backup file is – bc0e135b1c68521fa4710e3edadd6e74364fc50a and this value is computed from SHA-1(AppDomain-com.skype.skype-Library/Preferences/com.skype.skype.plist).
*Online Hash calculator – http://www.fileformat.info/tool/hash.htm?text=AppDomain-com.skype.skype-Library%2FPreferences%2Fcom.skype.skype.plist
Ex 3: Keychain sqlite database backup file is – 51a4616e576dd33cd2abadfea874eb8ff246bf0e and
this value is computed from SHA-1(KeychainDomain-keychain-backup.plist).
*Online Hash calculator – http://www.fileformat.info/tool/hash.htm?text=KeychainDomain-keychain-backup.plist
iTunes stores/reads the domain names and path names from Meta files. Every iOS backup contains four Meta files – Info.plist, Manifest.plist, Status.plist and Manifest.mbdb along with the actual file contents.
Info.plist: The property list file contains the device details like device name, build version, IMEI, phone number, last backup date, product version, product type, serial number, sync settings and a list of application names that were installed on the device, etc.
Manifest.plist: The property list file contains the applications bundle details, Backup Keybag, a flag to identify the passcode protected devices (WasPasscodeSet) and a flag to identify the encrypted backup (IsEncrypted), etc.
Status.plist: The property list file contains the details about the backup. It includes backup state, a flag to identify the full backup (IsFullBackup), date and version, etc.
Manifest.mbdb: The binary file contains information about all other files in the backup along with the file sizes and file system structure data. Backup file structure in older version of iTunes is managed by two files – Manifest.mbdx and Manifest.mbdb. In which, Manifest.mbdx file acts as an index file for the backup and indexes the elements that will be found in Manifest.mbdb. Since the introduction of iTunes 10, index file (mbdx) is eliminated and the backup is managed by a single mbdb file.
A sample Manifest.mbdb file is shown in Figure 6. As Manifest.mbdb is a binary file, a Hex editor is used to view the contents.
Manifest.Mbdb file header and record format is shown in Table 3 & Table 4.
Mbdb file header is a fixed value of 6 bytes and the value acts as a magic number to identify the mbdb files.
Record: Mbdb file contain many records and each record is of variable size. Every record contains various details about a file.
|string||Target||Absolute path for Symbolic Links|
|string||Digest||SHA 1 hash
Mostly None (0xff 0xff) for directories & AppDomain files
0x00 0x14 for System domain files
|string||Encryption_key||None (0xff 0xff) for un encrypted files|
|uint16||Mode||Identifies the File Type
‘0xa000’ for a symbolic link
‘0x4000’ for a directory
‘0x8000’ for a regular file
|uint64||inode number||Lookup entry in inode table|
|uint32||User ID||Mostly 501|
|unit32||Group ID||Mostly 501|
|uint32||Last modified time||File last modified time in Epoch format|
|uint32||Last accessed time||File last accessed time in Epoch format|
|uint32||Created time||File created time in Epoch format|
|uint64||Size||Length of the file
‘0’ for a symbolic link
‘0’ for a directory
Non zero for a regular file
|uint8||Protection class||Data protection class (values 0x1 to 0xB)|
|uint8||Number of properties||Number of properties|
In the backup, most of the information is stored as plist files, sqlite database files and images files. Backup files can be viewed directly by adding an appropriate file extension.
Ex: Adding .plist file extension to bc0e135b1c68521fa4710e3edadd6e74364fc50a file allows viewing the contents of Skype property list file using a plist editor.
There are many free tools available to read iTunes backups. Some of the famous tools are listed here.
MAC OS X – iPhone Backup Extractor – http://supercrazyawesome.com/
Windows – iPhone Backup Browser – http://code.google.com/p/iphonebackupbrowser/
Mac OS X & Windows – iBackupBot – http://www.icopybot.com/itunes-backup-manager.htm
These tools parse the information stored in the Mbdb file and create the file structure. The tools convert the gibberish backup files into a readable format as shown in Figure 7.
Some of these tools leverage the Apple mobile devices API that comes with iTunes to create and read backups. The amount of information that can be extracted by the backup extractors is limited as the protected files in the backup are encrypted.
Ex: Keychain-backup.plist file extracted from the backup can be opened using a plist editor. However, the contents inside the file are encrypted as shown in Figure 8.
Protected files in the backup are encrypted using class keys that are stored in the Backup Keybag. In normal backups, Backup Keybag is protected with a key generated from the iPhone hardware (Key 0x835), and in encrypted backups, it is protected with iTunes password.
Part 2 of this article will disclose the procedure to extract protection class keys from the Backup Keybag. It will also cover the techniques & the tools to decrypt the protected backup files and the iTunes encrypted backups.