
iPhone Forensics—Analysis of iOS 5 backups: Video

June 27, 2012 by Satish B.

Interested in formal iPhone forensics training? Check out our 3-day iPhone and iOS forensics course, now available.

Learn Digital Forensics

Build your skills with hands-on forensics training for computers, mobile devices, networks and more.

In the first part of this article, we covered techniques for reading iTunes backups. In the second part of this article, we disclosed the procedure to extract protection class keys from the Backup Keybag and covered the techniques and tools for decrypting the protected backup files and the encrypted backups.

The videos listed in this article demonstrate the iOS 5 backup analysis techniques in more detail.

Note: Demos are captured on Mac OS X Lion (listed as 10.6, though Lion is version 10.7; 10.6 is Snow Leopard) running iTunes 10.6. An iPhone 4 (GSM) with iOS 5.0.1 is used in the video.

Decrypting the Encrypted iOS backups—Video:

Download [encrypted backup.mp4]

A transcript of the video is available at: http://securitylearn.files.wordpress.com/2012/06/analysis-of-ios-backups-video-transcript.docx

Forensic investigation of the backup files gives an examiner access to the contents of the backed-up phone as they were at the moment the backup was taken. It is also quite possible that the seized system holds older copies of the backup files, or backups of other iPhones, which may contain a further wealth of information.

To view the list of available backups on a system, open iTunes and navigate to Edit->Preferences (on Windows) or iTunes->Preferences (on Mac) and choose the Devices tab. The screenshot below displays an example list of backups. The backup folders themselves live under ~/Library/Application Support/MobileSync/Backup/ on Mac OS X and under %APPDATA%\Apple Computer\MobileSync\Backup\ on Windows Vista and 7, each folder named after the device UDID, so they can also be listed directly from a disk image without running iTunes.

iTunes also provides an option for deleting backup files. To delete an existing iPhone backup, select a backup in the Devices preferences window (shown in the screenshot above) and click the Delete Backup button. If a backup has been deleted from a system, a forensic examiner can use data recovery or file carving tools to recover the deleted files from the system hard disk. Deleted backup files are far easier to recover from the computer than deleted data is from the iPhone itself.
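Enumerating backups without iTunes, as an added example that is not from the original article: the script below lists every backup folder under an iTunes backup root by reading each folder's Info.plist and Manifest.plist, and flags archived (older) copies and encrypted backups. The default root paths, the fake UDID and the two sample folders it creates for the demo are assumptions; on a seized machine you would point it at the real MobileSync/Backup directory or at a mounted image of it.

```python
import os
import plistlib
import tempfile
from datetime import datetime

# Default iTunes backup roots (assumption: standard installation paths).
BACKUP_ROOTS = [
    os.path.expanduser("~/Library/Application Support/MobileSync/Backup"),                 # Mac OS X
    os.path.join(os.environ.get("APPDATA", ""), "Apple Computer", "MobileSync", "Backup"),  # Windows Vista/7
]


def read_plist(path):
    with open(path, "rb") as f:
        return plistlib.load(f)


def describe_backup(backup_dir):
    """Summarise one backup folder from its Info.plist and Manifest.plist."""
    info = read_plist(os.path.join(backup_dir, "Info.plist"))
    manifest = read_plist(os.path.join(backup_dir, "Manifest.plist"))
    folder = os.path.basename(backup_dir)
    # iTunes names the folder after the device UDID; when it archives an older
    # backup the copy gets a "-YYYYMMDD-HHMMSS" suffix, so one device can leave
    # several folders behind on a seized machine.
    udid, _, archive_stamp = folder.partition("-")
    return {
        "folder": folder,
        "udid": udid,
        "archived": bool(archive_stamp),
        "device_name": info.get("Device Name"),
        "product_type": info.get("Product Type"),
        "ios_version": info.get("Product Version"),
        "last_backup": info.get("Last Backup Date"),
        # An iOS 5 era Manifest.plist carries IsEncrypted; an encrypted backup
        # also holds the BackupKeyBag discussed in part two of the article.
        "encrypted": bool(manifest.get("IsEncrypted", False)),
    }


def list_backups(root):
    """Enumerate every backup folder (current or archived) under a backup root."""
    found = []
    for entry in sorted(os.listdir(root)):
        path = os.path.join(root, entry)
        if all(os.path.isfile(os.path.join(path, p)) for p in ("Info.plist", "Manifest.plist")):
            found.append(describe_backup(path))
    return found


def make_sample_root():
    """Constructed backup root for the demo: two folders, fake metadata, no real data."""
    root = tempfile.mkdtemp(prefix="MobileSync-demo-")
    udid = "0123456789abcdef0123456789abcdef01234567"          # fake UDID
    samples = [
        (udid, False, datetime(2012, 6, 20, 10, 30, 0)),                    # current, unencrypted
        (udid + "-20120301-091500", True, datetime(2012, 3, 1, 9, 15, 0)),  # archived, encrypted
    ]
    for folder, encrypted, when in samples:
        d = os.path.join(root, folder)
        os.makedirs(d)
        with open(os.path.join(d, "Info.plist"), "wb") as f:
            plistlib.dump({"Device Name": "Test iPhone", "Product Type": "iPhone3,1",
                           "Product Version": "5.0.1", "Last Backup Date": when}, f)
        with open(os.path.join(d, "Manifest.plist"), "wb") as f:
            plistlib.dump({"IsEncrypted": encrypted, "Version": "9.1"}, f)
    return root


if __name__ == "__main__":
    roots = [r for r in BACKUP_ROOTS if os.path.isdir(r)] or [make_sample_root()]
    for root in roots:
        print(root)
        for b in list_backups(root):
            state = "encrypted" if b["encrypted"] else "plain"
            kind = "archived" if b["archived"] else "current"
            print(f'  {b["folder"]}  {b["device_name"]}  iOS {b["ios_version"]}  '
                  f'{b["last_backup"]}  {state}, {kind}')
```

Run it as-is and it falls back to the constructed sample root; pass a real directory to list_backups() to inventory a seized machine. Folders that no longer exist on disk (deleted through the Delete Backup button) will of course not show up here and need the carving approach described above.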

The iPhone stores a lot of user data in the backup files. The following table lists the common sources of potential evidence that can be analyzed in an investigation. The names shown are the files' names on the device; inside the backup folder iTunes stores each file under a hashed name, with the mapping recorded in the backup manifest.

File name                                Description
AddressBook.sqlitedb                     Contact information and personal data such as name, email address, birthday and organization
AddressBookImages.sqlitedb               Images associated with saved contacts
Calendar.sqlitedb                        Calendar details and event information
call_history.db                          Incoming and outgoing call logs, including phone numbers and timestamps
sms.db                                   Text and multimedia messages along with their timestamps
voicemail.db                             Voicemail messages
Safari/Bookmarks.db                      Saved URLs
Safari/History.plist                     User's internet browsing history
notes.sqlite                             Apple Notes application data
Maps/History.plist                       History of location searches
Maps/Bookmarks.plist                     Saved locations
consolidated.db                          Location cache (cell tower and Wi-Fi access point positions recorded by locationd); note that since iOS 4.3.3 Apple no longer includes this cache in iTunes backups
en_GB-dynamic-text.dat                   Keyboard cache of words typed by the user (the locale prefix varies with the keyboard language)
com.apple.accountsettings.plist          Data about all email accounts configured in the Mail application
com.apple.network.identification.plist   Wireless network data including IP address, router IP address, SSID and timestamps

In addition to the files listed above, an iPhone backup also contains third-party application files. Sensitive information stored in those files may likewise provide evidence for an investigation.

Example: The Facebook and LinkedIn iPhone applications store their authentication tokens and cookie values in plist files on the device. During a backup, iTunes copies those plist files into the backup folder. Analyzing the backup files therefore yields the authentication tokens, which in turn allow anyone holding them to log into the application as the victim without supplying the username and password.

More details about Facebook plist hijacking are documented at: http://blog.scoopz.com/2012/04/11/how-to-hack-facebook-dropbox-linkedin-and-other-ios-apps-using-a-plist-extracted-from-ios-backups/
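The files in the table above and the third-party plists just described do not appear in the backup folder under their own names: iTunes (iOS 4 and 5) records the domain, path and metadata of every backed-up file in Manifest.mbdb and stores the content as SHA1("<domain>-<path>"). The parser below, an added example that is not code from the article, reads that manifest, recovers the hashed filename for each regular file, and picks out third-party preference plists (AppDomain-<bundle id>). The sample manifest it builds (entries, modes, timestamps and the Facebook bundle identifier) is constructed for the demo.

```python
import hashlib
import struct

MBDB_MAGIC = b"mbdb\x05\x00"
# Fixed-size tail of every record: mode, inode, uid, gid, mtime, atime, ctime,
# file length, flag, number of properties (all big-endian).
RECORD_TAIL = ">HQIIIIIQBB"


def _read_string(buf, off):
    """uint16 BE length-prefixed string; a length of 0xFFFF means 'absent'."""
    (n,) = struct.unpack_from(">H", buf, off)
    off += 2
    if n == 0xFFFF:
        return b"", off
    return bytes(buf[off:off + n]), off + n


def parse_mbdb(data):
    """Parse an iOS 4/5 Manifest.mbdb into a list of record dicts."""
    if not data.startswith(MBDB_MAGIC):
        raise ValueError("not a Manifest.mbdb (bad magic)")
    off, records = len(MBDB_MAGIC), []
    while off < len(data):
        rec = {}
        # enckey is non-empty only for files stored encrypted (encrypted backups)
        for name in ("domain", "path", "linktarget", "datahash", "enckey"):
            rec[name], off = _read_string(data, off)
        tail = struct.unpack_from(RECORD_TAIL, data, off)
        off += struct.calcsize(RECORD_TAIL)
        (rec["mode"], rec["inode"], rec["uid"], rec["gid"], rec["mtime"],
         rec["atime"], rec["ctime"], rec["filelen"], rec["flag"], nprops) = tail
        rec["props"] = {}
        for _ in range(nprops):
            key, off = _read_string(data, off)
            val, off = _read_string(data, off)
            rec["props"][key] = val
        rec["domain"] = rec["domain"].decode("utf-8")
        rec["path"] = rec["path"].decode("utf-8")
        records.append(rec)
    return records


def backup_filename(domain, path):
    """iTunes stores a file under SHA1("<domain>-<relative path>") in the backup folder."""
    return hashlib.sha1(f"{domain}-{path}".encode("utf-8")).hexdigest()


def is_regular_file(rec):
    return (rec["mode"] & 0xF000) == 0x8000   # directories and symlinks have no backup blob


def map_evidence(records):
    """(domain, path) -> hashed filename for every regular file in the manifest."""
    return {(r["domain"], r["path"]): backup_filename(r["domain"], r["path"])
            for r in records if is_regular_file(r)}


def third_party_plists(records):
    """Preference plists of third-party apps, the files that hold tokens and
    cookies in the Facebook/LinkedIn case described above."""
    return [(r["domain"], r["path"], backup_filename(r["domain"], r["path"]))
            for r in records
            if r["domain"].startswith("AppDomain-") and r["path"].endswith(".plist")
            and is_regular_file(r)]


# --- constructed sample manifest (same layout as a real one, fake metadata) ---

def _write_string(s):
    return b"\xff\xff" if s is None else struct.pack(">H", len(s)) + s


def build_mbdb(entries):
    out = bytearray(MBDB_MAGIC)
    for domain, path, mode in entries:
        out += _write_string(domain.encode("utf-8")) + _write_string(path.encode("utf-8"))
        out += _write_string(None) * 3   # no link target, data hash or file key (unencrypted backup)
        out += struct.pack(RECORD_TAIL, mode, 0, 501, 501,
                           1340000000, 1340000000, 1340000000, 0, 4, 0)
    return bytes(out)


SAMPLE_ENTRIES = [   # constructed, not taken from a real device
    ("HomeDomain", "Library/SMS", 0o040755),
    ("HomeDomain", "Library/SMS/sms.db", 0o100644),
    ("HomeDomain", "Library/AddressBook/AddressBook.sqlitedb", 0o100644),
    ("WirelessDomain", "Library/CallHistory/call_history.db", 0o100644),
    ("AppDomain-com.facebook.Facebook", "Library/Preferences/com.facebook.Facebook.plist", 0o100644),
]

if __name__ == "__main__":
    records = parse_mbdb(build_mbdb(SAMPLE_ENTRIES))
    for (domain, path), name in map_evidence(records).items():
        print(f"{name}  {domain}  {path}")
```

Against a real backup, replace build_mbdb(SAMPLE_ENTRIES) with the bytes of <backup folder>/Manifest.mbdb; the hashed names that come out are the files to copy from the folder (or to decrypt with the class keys from part two when enckey is set). Because the hash is deterministic, a file of interest can also be located without parsing the manifest at all, by computing backup_filename() for its known domain and path.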


Forensic analysis of backup files does not alter the contents of the live device. For this reason, examiners often prefer to collect evidence from backup files, even though data that had already been deleted from the iPhone when the backup was taken cannot be recovered from it.

Satish B.

Satish B (@satishb3) is an Information Security Professional with 6 years of experience in penetration testing of web applications and mobile applications. He is currently a security researcher at Infosec Institute.

Satish's blog is located at http://www.securitylearn.net

Email: satishb3@securitylearn.net