When I think of iPhones, I remember my own iPhone 3G, 3GS and 4, and whilst I didn't own a 5C or 5S, my girlfriend and my sister owned them respectively, so I have used them. I've used iPads and MacBooks and I understand why people love iPhones - so do I. I think they're much better phones than Androids; however, when you need to do forensics on an iPhone backup, it's slightly time-consuming.

As ever, I like to speed up processes. I like scripting, I like automation, and iPhone backups are crying out for some sort of automation forensic-wise. But fear not! It exists! But, let me tell you why it's needed. An iPhone backup is stored in the following locations:
- Windows XP: %HOMEPATH%\Application Data\Apple Computer\MobileSync\Backup\{UDID}
- Windows Vista/7/8: %HOMEPATH%\AppData\Roaming\Apple Computer\MobileSync\Backup\{UDID} or %APPDATA%\Apple Computer\MobileSync\Backup\{UDID}
- OS X: ~/Library/Application Support/MobileSync/Backup/{UDID}
The UDID is a 'Unique Device Identifier'. Having worked as an app tester, I know a developer can provide you with an app they're developing that will only work on your UDID - but the important thing to take away is that it's unique to the device. Looking inside an iPhone backup, you'll see that it is full of files with funny-looking names. These names are SHA-1 hashes and don't make much sense on their own; however, the backup also includes four important files:
- Info.plist
- Manifest.mbdb
- Manifest.plist
- Status.plist
The Manifest.mbdb file is of great importance. Essentially, this file lists every file included in the backup, in plain text. The downside is that you have to manually convert each entry (the domain and path joined by a '-') to a SHA-1 hash to find the matching file in the backup directory. For example, HomeDomain-Library/Safari/Bookmarks.db would become F0EC7DF5C552FCA6871EDA5621AB225CB5EFEDA4 as a SHA-1 hash. Then we'd have to look through the files, but do you see how that would get annoying? Having to take a string and SHA-1 hash it, every time? I created a Python script with a batch file to quickly turn the string into a SHA-1, which works, but I still wanted the process to be faster. You can download my script from https://github.com/smc13/otherTools (look for shaConverter).
As I mentioned, I wanted a quicker, more efficient way of getting all the strings converted to SHA-1 hashes, and as mentioned above, the Manifest.mbdb contains all the files in the backup. After a quick search, I found the following tool: 'iPhone Backup Browser'. This tool can be found here and was created by a guy called Rene. What we're interested in is the mbdbdump.exe file.
Once you copy the Manifest.mbdb file into the same directory as mbdbdump.exe, all you need to do is run this simple command (redirecting to .txt, .csv, etc. works just as well):

mbdbdump.exe > mbdbDump.doc

Once this is done, you'll see each file listed as a record in the following format:
record 7 (mbdb offset 6)
key 25f31bdb3de9bdead048a0090097d5c1091296d2
domain CameraRollDomain
path Media/DCIM
mode dir (488)
time 28/02/2013 10:04:26
data 41E8 00000000 0000003F 000001F5 000001F5 512F2BAA 512F2BAA 50CE9157 0000000000000000 04 00
We can verify the key if we want by taking the domain (CameraRollDomain), adding a '-' and then appending the path (Media/DCIM) on the end, so it looks like this: CameraRollDomain-Media/DCIM. Hash that string and, you guessed it, we get the same SHA-1 hash as the key, which is also the file name of that entry inside the backup folder (see picture below).

(The software being used in the picture is called 'Text Checksum' by Benoit Ferace and can be downloaded from the Windows Store.)
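The same check, done over a whole dump instead of one string at a time, as an added example that is not part of the original post or of iPhone Backup Browser. It parses records in the mbdbdump layout shown above (the sample text is constructed: the first record is copied from the post, the second is made up with a deliberately bad key), recomputes SHA-1("Domain-path") for each, and flags any entry whose key does not match, which is how you'd spot a backup file that has been renamed or tampered with.

```python
import hashlib

# Constructed sample in mbdbdump's record layout. Record 7 is the one from
# the post; record 8 is made up, with an all-zero key so the check fails.
SAMPLE_DUMP = """\
record 7 (mbdb offset 6)
key 25f31bdb3de9bdead048a0090097d5c1091296d2
domain CameraRollDomain
path Media/DCIM
mode dir (488)
time 28/02/2013 10:04:26
data 41E8 00000000 0000003F 000001F5 000001F5 512F2BAA 512F2BAA 50CE9157 0000000000000000 04 00
record 8 (mbdb offset 70)
key 0000000000000000000000000000000000000000
domain HomeDomain
path Library/Safari/Bookmarks.db
mode file (420)
time 28/02/2013 10:05:00
data 81A4 00000000 00000000 000001F5 000001F5 512F2BAA 512F2BAA 50CE9157 0000000000000000 00 00
"""


def backup_filename(domain, path):
    """SHA-1 hex digest of 'Domain-path': the name iTunes gives the file in the backup."""
    return hashlib.sha1(f"{domain}-{path}".encode("utf-8")).hexdigest()


def parse_dump(text):
    """Split mbdbdump-style text into one dict per record (key, domain, path, mode, ...)."""
    records, current = [], None
    for line in text.splitlines():
        if line.startswith("record "):       # a new record starts
            current = {}
            records.append(current)
        elif current is not None and " " in line:
            field, _, value = line.partition(" ")
            current[field] = value.strip()
    return records


def verify_records(records):
    """Recompute each key from domain and path; return (name, dumped key, computed key, match)."""
    results = []
    for rec in records:
        name = f"{rec['domain']}-{rec['path']}"
        computed = backup_filename(rec["domain"], rec["path"])
        dumped = rec["key"].lower()
        results.append((name, dumped, computed, dumped == computed))
    return results


if __name__ == "__main__":
    for name, dumped, computed, ok in verify_records(parse_dump(SAMPLE_DUMP)):
        print(f"{'OK ' if ok else 'BAD'} {name}: key={dumped} computed={computed}")
```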
So there we have it. There's no need to look in the Manifest.mbdb file and manually convert every string; just export the file and dump its contents. Happy investigating!