In the first part of this article, we covered techniques for reading iTunes backups. In the second part of this article, we disclosed the procedure to extract protection class keys from the Backup Keybag and covered the techniques and tools for decrypting the protected backup files and the encrypted backups.
The videos listed in this article will demonstrate the iOS 5 backup analysis techniques in a more detailed fashion.
Note: Demos are captured on Mac OS X Lion 10.6 running with iTunes 10.6. iPhone 4 GSM with iOS 5.0.1 is used in the video.
Decrypting the Normal iOS backups—Video:
Decrypting the Encrypted iOS backups—Video:
A transcript of the video is available at: http://securitylearn.files.wordpress.com/2012/06/analysis-of-ios-backups-video-transcript.docx
Forensic investigation of the backup files allows an examiner to gain access to the entire contents of the phone up until the point when the backup first took place. It is also quite possible that the seized system contains older copies of the backup files or backups of other iPhones, which may hold an additional wealth of information.
To view the list of available backups on a system, open iTunes and navigate to the Edit->Preferences (on Windows) or iTunes->Preferences (on Mac) menu and choose the Devices tab. The screenshot below displays an example list of backups.
iTunes also provides an option for deleting backup files. To delete an existing iPhone backup, in the Devices Preferences window (shown in the screenshot above) select a backup and click on the Delete Backup button. If a backup is deleted from a system, a forensic examiner can use data recovery or carving tools to recover the deleted files from the system hard disk. Deleted files are much easier to recover from the computer than from the iPhone itself.
The iPhone stores a lot of user data in the backup files. The following table lists the common sources of potential evidence that can be analyzed in an investigation.
| File | Contents |
|---|---|
| AddressBook.sqlitedb | Contact information and personal data such as name, email address, birthday, organization, etc. |
| AddressBookImages.sqlitedb | Images associated with saved contacts |
| Calendar.sqlitedb | Calendar details and events information |
| call_history.db | Incoming and outgoing call logs including phone numbers and |
| sms.db | Text and multimedia messages along with their timestamps |
| Safari/Bookmarks.db | Saved URL addresses |
| Safari/History.plist | User's internet browsing history |
| notes.sqlite | Apple Notes application data |
| Maps/History.plist | Location search history |
| Maps/Bookmarks.plist | Saved location searches |
| consolidated.db | Stores GPS tracking data |
| com.apple.accountsettings.plist | Maintains data about all email accounts configured in the Apple Mail application |
| com.apple.network.identification.plist | Wireless network data including IP address, router IP address, SSID and timestamps |
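As an added example (not code from the original article), the following Python locates the files from the table above inside an iOS 5 style backup folder and pulls message timestamps out of sms.db. It assumes the standard iOS 5 backup layout, in which iTunes names each backed-up file by the SHA-1 of its domain and device path; the domain/path pairs, the flag meanings and the sample messages are assumptions or constructed data, not taken from the page.

```python
import hashlib
import os
import sqlite3
import tempfile
from datetime import datetime, timezone
# Evidence files from the table above -> (backup domain, device path); assumed iOS 5 layout
EVIDENCE_FILES = {
    "AddressBook.sqlitedb": ("HomeDomain", "Library/AddressBook/AddressBook.sqlitedb"),
    "AddressBookImages.sqlitedb": ("HomeDomain", "Library/AddressBook/AddressBookImages.sqlitedb"),
    "Calendar.sqlitedb": ("HomeDomain", "Library/Calendar/Calendar.sqlitedb"),
    "call_history.db": ("WirelessDomain", "Library/CallHistory/call_history.db"),
    "sms.db": ("HomeDomain", "Library/SMS/sms.db"),
    "Safari/Bookmarks.db": ("HomeDomain", "Library/Safari/Bookmarks.db"),
    "Safari/History.plist": ("HomeDomain", "Library/Safari/History.plist"),
    "notes.sqlite": ("HomeDomain", "Library/Notes/notes.sqlite"),
    "Maps/History.plist": ("HomeDomain", "Library/Maps/History.plist"),
    "Maps/Bookmarks.plist": ("HomeDomain", "Library/Maps/Bookmarks.plist"),
    "consolidated.db": ("RootDomain", "Library/Caches/locationd/consolidated.db"),
    "com.apple.accountsettings.plist": ("HomeDomain", "Library/Preferences/com.apple.accountsettings.plist"),
    "com.apple.network.identification.plist": ("SystemPreferencesDomain", "SystemConfiguration/com.apple.network.identification.plist"),
}

def backup_filename(domain, path):
    # iTunes stores each backed-up file under the hex SHA-1 of "<domain>-<path>", with no extension
    return hashlib.sha1(f"{domain}-{path}".encode()).hexdigest()

def locate_evidence(backup_dir):
    # Map every table entry to its hashed file name in backup_dir and keep only those present
    paths = {label: os.path.join(backup_dir, backup_filename(*dp)) for label, dp in EVIDENCE_FILES.items()}
    return {label: p for label, p in paths.items() if os.path.isfile(p)}

def list_sms(db_path):
    # iOS 5 sms.db keeps a Unix-epoch 'date'; flags 2/3 = received/sent (assumed, commonly documented convention)
    con = sqlite3.connect(db_path)
    rows = con.execute("SELECT date, flags, address, text FROM message ORDER BY date").fetchall()
    con.close()
    return [(datetime.fromtimestamp(d, timezone.utc).strftime("%Y-%m-%d %H:%M:%S"),
             {2: "received", 3: "sent"}.get(f, f"flags={f}"), a, t) for d, f, a, t in rows]

def build_sample_backup():
    # Constructed stand-in for a backup folder that holds only a tiny sms.db (sample data, not a real device)
    backup_dir = tempfile.mkdtemp()
    con = sqlite3.connect(os.path.join(backup_dir, backup_filename(*EVIDENCE_FILES["sms.db"])))
    con.execute("CREATE TABLE message (ROWID INTEGER PRIMARY KEY, address TEXT, date INTEGER, text TEXT, flags INTEGER)")
    con.executemany("INSERT INTO message (address, date, text, flags) VALUES (?, ?, ?, ?)",
                    [("+15550100", 1338508800, "Meeting moved to 3pm", 2), ("+15550100", 1338509400, "OK, see you there", 3)])
    con.commit(); con.close()
    return backup_dir

if __name__ == "__main__":
    print(list_sms(locate_evidence(build_sample_backup())["sms.db"]))
```

Point `locate_evidence` at a real backup folder (for example one listed under iTunes Preferences -> Devices) to see which of the table's files that backup actually contains.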
In addition to the files listed above, the iPhone backup system also contains third party application files. Sensitive information stored in the third party application files may also provide possible evidence for an investigation.
Example: Facebook and LinkedIn iPhone applications store the authentication tokens and cookie values in plist files on the device. During backup, iTunes copies the plist files on the device to the backup folder. In such cases, analyzing the backup files gives access to the authentication tokens which in turn allows a user to log into the application without supplying the username and password.
More details about Facebook plist hijacking are documented at: http://blog.scoopz.com/2012/04/11/how-to-hack-facebook-dropbox-linkedin-and-other-ios-apps-using-a-plist-extracted-from-ios-backups/
Forensic analysis of backup files does not compromise the content on a live device. As a result, forensic examiners tend to prefer analyzing backup files to collect evidence, even though deleted iPhone data cannot be recovered this way.