Interested in formal iPhone forensics training? Check out our 3 day iPhone and iOS forensics course now available

In the first part of this article, we covered techniques for reading iTunes backups. In the second part, we described the procedure for extracting the protection class keys from the Backup Keybag and covered the techniques and tools for decrypting both the protected files inside a normal backup and fully encrypted backups.

The videos below demonstrate those iOS 5 backup analysis techniques in more detail.

Note: Demos are captured on Mac OS X Lion 10.6 running with iTunes 10.6. iPhone 4 GSM with iOS 5.0.1 is used in the video.

Decrypting the Normal iOS backups—Video:

Download [Normal backup.mp4]

Decrypting the Encrypted iOS backups—Video:

Download [encrypted backup.mp4]

A transcript of the video is available at: http://securitylearn.files.wordpress.com/2012/06/analysis-of-ios-backups-video-transcript.docx


Forensic investigation of the backup files gives an examiner access to the entire contents of the phone as of the moment the backup was taken. The seized computer may also hold older copies of the backup files, or backups of other iPhones, which can contain a further wealth of information.

To view the list of available backups on a system, open iTunes and navigate to the Edit->Preferences (on windows) or iTunes->Preferences (on Mac) menu and choose the Devices tab. The screenshot below displays an example list of backups.


iTunes also provides an option for deleting backup files. To delete an existing iPhone backup, select it in the Devices Preferences window (shown in the screenshot above) and click the Delete Backup button. If a backup has been deleted from a system, a forensic examiner can use data recovery or carving tools to recover the deleted files from the system hard disk. Recovering deleted files from the computer's hard disk is considerably easier than recovering deleted data from the iPhone itself.

The iPhone stores a lot of user data in the backup files. The following table lists the common sources of potential evidence that can be analyzed in an investigation.

File name                                Description
---------------------------------------  ----------------------------------------------------------------
AddressBook.sqlitedb                     Contact information and personal data such as name, email
                                         address, birthday and organization
AddressBookImages.sqlitedb               Images associated with saved contacts
Calendar.sqlitedb                        Calendar details and event information
call_history.db                          Incoming and outgoing call logs, including phone numbers and
                                         timestamps
sms.db                                   Text and multimedia messages along with their timestamps
voicemail.db                             Voicemail messages
Safari/Bookmarks.db                      Saved URL addresses
Safari/History.plist                     User's internet browsing history
notes.sqlite                             Apple Notes application data
Maps/History.plist                       Location searches performed in Maps
Maps/Bookmarks.plist                     Saved location searches
consolidated.db                          GPS tracking data
en_GB-dynamic-text.dat                   Keyboard cache (text typed by the user)
com.apple.accountsettings.plist          Data about all email accounts configured in the Mail application
com.apple.network.identification.plist   Wireless network data, including IP address, router IP address,
                                         SSID and timestamps


In addition to the files listed above, an iPhone backup also contains third-party application files. Sensitive information stored in those files may provide further evidence for an investigation.
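Locating the files from the table inside an actual backup folder is less direct than it looks, because iTunes does not store them under their device names. For backups of iOS 9 and earlier (which includes the iOS 5 backups this article covers), each file is written under the hex SHA-1 of the string "<domain>-<path relative to that domain>". The following script is an added example written for this article, not code from the original post or from Apple; the domain/path pairs in the table are assumptions based on the iOS 5 filesystem layout (the article lists only the bare file names), and the "backup" it runs against is a constructed temporary directory containing placeholder files.

```python
import hashlib
import os
import tempfile

# Logical name -> (backup domain, path relative to the domain root).
# The domain/path pairs are assumptions based on the iOS 5 layout; the
# article itself lists only the bare file names.
EVIDENCE_FILES = {
    "AddressBook.sqlitedb": ("HomeDomain", "Library/AddressBook/AddressBook.sqlitedb"),
    "AddressBookImages.sqlitedb": ("HomeDomain", "Library/AddressBook/AddressBookImages.sqlitedb"),
    "Calendar.sqlitedb": ("HomeDomain", "Library/Calendar/Calendar.sqlitedb"),
    "call_history.db": ("WirelessDomain", "Library/CallHistory/call_history.db"),
    "sms.db": ("HomeDomain", "Library/SMS/sms.db"),
    "voicemail.db": ("HomeDomain", "Library/Voicemail/voicemail.db"),
    "Safari/Bookmarks.db": ("HomeDomain", "Library/Safari/Bookmarks.db"),
    "Safari/History.plist": ("HomeDomain", "Library/Safari/History.plist"),
    "notes.sqlite": ("HomeDomain", "Library/Notes/notes.sqlite"),
    "Maps/History.plist": ("HomeDomain", "Library/Maps/History.plist"),
    "Maps/Bookmarks.plist": ("HomeDomain", "Library/Maps/Bookmarks.plist"),
    "consolidated.db": ("RootDomain", "Library/Caches/locationd/consolidated.db"),
    "en_GB-dynamic-text.dat": ("HomeDomain", "Library/Keyboard/en_GB-dynamic-text.dat"),
    "com.apple.accountsettings.plist": ("HomeDomain", "Library/Preferences/com.apple.accountsettings.plist"),
    "com.apple.network.identification.plist": ("SystemPreferencesDomain", "SystemConfiguration/com.apple.network.identification.plist"),
}


def backup_filename(domain, relpath):
    """Name under which iTunes stores a device file inside a backup folder
    (iOS 9 and earlier): the lowercase hex SHA-1 of "<domain>-<relpath>"."""
    return hashlib.sha1(f"{domain}-{relpath}".encode("utf-8")).hexdigest()


def locate_evidence(backup_dir, table=EVIDENCE_FILES):
    """Map each logical evidence name to its on-disk path inside backup_dir,
    or to None when the backup does not contain that file."""
    located = {}
    for name, (domain, relpath) in table.items():
        candidate = os.path.join(backup_dir, backup_filename(domain, relpath))
        located[name] = candidate if os.path.isfile(candidate) else None
    return located


def demo_lookup():
    """Build a constructed, minimal 'backup' holding only sms.db and
    call_history.db under their hashed names, then run the lookup on it.
    Returns {logical name: True if present, False otherwise}."""
    with tempfile.TemporaryDirectory() as backup_dir:
        for name in ("sms.db", "call_history.db"):
            domain, relpath = EVIDENCE_FILES[name]
            hashed = os.path.join(backup_dir, backup_filename(domain, relpath))
            with open(hashed, "wb") as fh:
                fh.write(b"SQLite format 3\x00")  # constructed placeholder header
        located = locate_evidence(backup_dir)
        # Collapse to present/absent so the result stays meaningful after the
        # temporary directory has been removed.
        return {name: path is not None for name, path in located.items()}


if __name__ == "__main__":
    for name, present in demo_lookup().items():
        print(f"{'FOUND  ' if present else 'missing'} {name}")
```

Two caveats for practitioners. First, the hashed name identifies the file but says nothing about its contents: in an encrypted backup the file at that path is still ciphertext until it is decrypted with the keys recovered from the Backup Keybag, as described in part two. Second, the authoritative name-to-path mapping lives in the backup's Manifest.mbdb, which is the place to look for third-party application files whose paths are not known in advance; from iOS 10 onwards Apple replaced this scheme with a Manifest.db SQLite database and moved the hashed files into two-character subdirectories, so this script does not apply to those newer backups.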


Example: the Facebook and LinkedIn iPhone applications store their authentication tokens and cookie values in plist files on the device. During a backup, iTunes copies those plist files into the backup folder. Analyzing the backup files therefore yields the authentication tokens, and whoever holds them can log into the application as the victim without knowing the username or password.
More details about Facebook plist hijacking are documented at: http://blog.scoopz.com/2012/04/11/how-to-hack-facebook-dropbox-linkedin-and-other-ios-apps-using-a-plist-extracted-from-ios-backups/

Forensic analysis of backup files does not alter the content of a live device. For that reason, forensic examiners tend to prefer analyzing backup files when collecting evidence, even though data deleted from the iPhone cannot be recovered from a backup, which contains only what was present on the device when it was taken.