Last computers and computer usernames backed up to from iTunesPrefs iTunesPrefs.plistiPodPrefs iTunes Settings Keys in the iTunes Settings The data in iTunes Settings is very interesting and something I have not researched too much into.Receiving an iPhone on your desk with a passcode on it could mean a total halt on your investigation (unless you have access to a GrayKey device ).
However, there is an alternative What if your suspect has backed up their device to their desktop which you have an image of Then youre in business, because even on encrypted iOS backups, theres still a ton of artifacts that we can parse out, and even more on unencrypted backups The research I performed here is what I base my iTunesBackupAnalyzer script off of. Devices Used iPhone X iOS 12.1.2 iPhone 6s iOS 12.1.2 Windows Host MacBook Pro for backups Making the Backup iTunes backups are created when a user plugs in their iDevice and iTunes is launched, creating the backup automatically. A user can skip this, or engage the backup manually by pressing the Back Up Now button. Another important aspect of the iTunes backup is the ability to encrypt the contents. Well talk later about the data you can still get from encrypted backups, but for now were going to focus on unencrypted backups. Another artifact to note is that we can see the Latest Backup date right in the iTunes menu. Unfortunately, I did not figure out what identifiers are used to make the hash, but its persistent, as in the same device, renamed, and backed up to another computer with a different Apple ID will have the same SHA-1 hash folder name as the original backup, this is called its Unique Identifier. Per Device Backup Folder In the root of the per device backup folder, we have a ton of folders all named with two characters, ranging from 00 to ff, each containing files with no extension, named from a fileID which well talk about later. Accompanying these files are the Info.plist, Manifest.plist, Status.plist, and the Manifest.db. If you dont know what plists are, theyre very similar to XML files, read more about them on Apples Official Documentation. Easypower with crackThe three plist files are not encrypted when encryption is set on a backup, which is great for an examiner because there is a ton of useful data Info.plist The Info.plist houses a lot of artifacts about a backup. Heres a picture of the overview of the Info.plist: High Level of Info.plist As you can see, the time of the Last Backup Date matches with the time shown on the iTunes Backup Menu. Theres many more artifacts to be seen in the Info.plist. Under Applications we can see all of the apps that were installed via the App Store (note that some sideloaded apps may not appear here). Plist Editor Pro Full Name OfApplications in the Info.plist Each application contains three data values: ApplicationSINF, PlaceholderIcon, iTunesMetadata ApplicationSINF Binary view of the ApplicationSINF for Proton Mail App Looking at the binary, we can see the full name of the Apple ID associated with the specific app install. The name persists even when the previous Apple ID has been signed out, and a new Apple ID is signed. Whatever Apple ID is used to download an app, the full name associated with the Apple ID will stay in the ApplicationSinf, unless its deleted and redownloaded with a different AppleID. This was tested and confirmed by signing out of my own Apple ID and signing in with a new one, installing an app, backing the phone up, and checking the ApplicationSINF: Full Name of another Apple ID after new sign in and install Theres a bunch of other data present in the ApplicationSINF, however I am unable to make sense out of the rest of it. PlaceholderIcon Like the name suggests, this holds the application icon for the specific app: PlaceholderIcon for Proton Mail iTunesMetadata The iTunesMetadata is actually a nested plist inside of the Info.plist: iTunesMetadata nested plist for Proton Mail We can see a variety of interesting artifacts about each specific app such as: itemName App Name artistName Publisher Name AppleID Apple ID of purchaser purchaseDate Date of purchase bundleVersion App Version More Its important to note that some sideloaded apps may not have the ApplicationSINF, PlaceholderIcon, iTunesMetadata keys Installed Applications Back in the root of the Info.plist, theres another array named Installed Applications: Installed Applications array in the Info.plist You may ask yourself, why bother looking at this data when everything we needed and more was in the Applications dictionary This array can actually store apps that were not found in the Applications dictionary An example would be sideloaded apps through Cydia Impactor, or the popular sideloading site Ignition. In my script to parse this out, I make sure to check the data between these two pieces of data just to ensure that they are really the same (so far they have been in my test cases). The iTunesPrefs is a binary frpd file that contains the last computers and computer user that the specific iOS device has been backed up to. While the iTunesPrefs.plist is a nested plist that contains (for my testing) empty arrays, and the same copy of the binary frpd iTunesPrefs renamed as iPodPrefs. In my devices, I have noticed that it starts to overwrite after 3 computers, however, Ive seen another backup where 4 recently used computers have been kept on disk.
0 Comments
Leave a Reply. |
AuthorShannon ArchivesCategories |