traffichas.blogg.se

Oxygen forensics itunes encryption











iOS devices have always been tough to extract data from due to Apple’s hardened encryption methods to keep us out. Receiving an iPhone on your desk with a passcode on it could mean a total halt on your investigation (unless you have access to a GrayKey device). However, there is an alternative! What if your suspect has backed up their device to their desktop which you have an image of? Then you’re in business, because even on encrypted iOS backups, there’s still a ton of artifacts that we can parse out, and even more on unencrypted backups! The research I performed here is what I base my iTunes_Backup_Analyzer script off of.

Making the Backup

Windows Host & MacBook Pro for backups

iTunes backups are created when a user plugs in their iDevice and iTunes is launched, creating the backup automatically. A user can skip this, or engage the backup manually by pressing the “Back Up Now” button. Another important aspect of the iTunes backup is the ability to encrypt the contents. We’ll talk later about the data you can still get from encrypted backups, but for now we’re going to focus on unencrypted backups. Another artifact to note is that we can see the Latest Backup date right in the iTunes menu.

iTunes Backup Menu

Location of the Backup

We made the backup to This Computer, so where does the backup actually get stored?

Mac OS: /Users/Library/Application Support/MobileSync/Backup
Windows 10: \Users\AppData\Roaming\Apple Computer\MobileSync\Backup

Structure of the Raw Backup

Naming conventions and folder/file layout

The structure of the iTunes backup stays the same between Mac OS and Windows 10 machines, which is good for us. Once inside the backup folder, there’s a single folder per device backed up, named as a SHA-1 hash. Unfortunately, I did not figure out what identifiers are used to make the hash, but it’s persistent: the same device, renamed and backed up to another computer with a different Apple ID, will have the same SHA-1 hash folder name as the original backup. This is called its Unique Identifier.

In the root of the per-device backup folder, we have a ton of folders all named with two characters, ranging from 00 to ff, each containing files with no extension, named from a fileID which we’ll talk about later. Accompanying these files are the ist, ist, ist, and the Manifest.db. If you don’t know what plists are, they’re very similar to XML files; read more about them in Apple’s Official Documentation.
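The layout described above (two-character folders 00 to ff holding extensionless files named by fileID, next to Manifest.db) can be cross-checked against the manifest to spot blobs that are listed but absent, or present but unlisted. This is an added example, not the author's iTunes_Backup_Analyzer script; the Files table columns, the flags = 1 convention and the SHA-1 of "domain-relativePath" derivation are assumptions not stated on this page, and the sample backup is constructed.

```python
import hashlib
import sqlite3
import tempfile
from pathlib import Path

def file_id(domain: str, relative_path: str) -> str:
    # Assumption (not stated on the page): fileID = SHA-1("<domain>-<relativePath>").
    return hashlib.sha1(f"{domain}-{relative_path}".encode()).hexdigest()

def audit_backup(backup_dir: Path) -> dict:
    """Cross-check Manifest.db rows against <first two hex chars>/<fileID> blobs on disk."""
    report = {"present": [], "missing": [], "id_mismatch": [], "orphans": []}
    con = sqlite3.connect(backup_dir.resolve().as_uri() + "/Manifest.db?mode=ro", uri=True)
    try:  # flags = 1 marks regular files (assumed); only those have a blob on disk
        rows = con.execute(
            "SELECT fileID, domain, relativePath FROM Files WHERE flags = 1").fetchall()
    finally:
        con.close()
    for fid, domain, rel in rows:
        if fid != file_id(domain, rel):
            report["id_mismatch"].append(rel)
        state = "present" if (backup_dir / fid[:2] / fid).is_file() else "missing"
        report[state].append(rel)
    listed = {fid for fid, _, _ in rows}
    for sub in sorted(p for p in backup_dir.iterdir() if p.is_dir() and len(p.name) == 2):
        report["orphans"] += sorted(f.name for f in sub.iterdir() if f.name not in listed)
    return report

def build_sample(root: Path) -> Path:
    """Constructed sample backup (not real evidence): 2 rows, 1 blob absent, 1 stray blob."""
    con = sqlite3.connect(root / "Manifest.db")
    con.execute("CREATE TABLE Files (fileID TEXT PRIMARY KEY, domain TEXT,"
                " relativePath TEXT, flags INTEGER, file BLOB)")
    for rel in ("Library/SMS/sms.db", "Library/AddressBook/AddressBook.sqlitedb"):
        con.execute("INSERT INTO Files VALUES (?, 'HomeDomain', ?, 1, NULL)",
                    (file_id("HomeDomain", rel), rel))
    con.commit()
    con.close()
    kept = file_id("HomeDomain", "Library/SMS/sms.db")
    for name in (kept, "ff" + "0" * 38):  # second name is a stray, unlisted blob
        (root / name[:2]).mkdir(exist_ok=True)
        (root / name[:2] / name).write_bytes(b"constructed")
    return root

def demo() -> dict:
    with tempfile.TemporaryDirectory() as tmp:
        return audit_backup(build_sample(Path(tmp)))

if __name__ == "__main__":
    print(demo())
```

The manifest is opened read-only (`mode=ro`) so the audit does not alter the evidence copy.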












