Wednesday, 28 May 2014

iPhone Backup Forensics - Manifest.mbdb



When I think of iPhones, I remember my own iPhone 3G, 3GS and 4, and whilst I didn't own a 5C or 5S, my girlfriend and my sister owned them respectively, so I have used them. I've used iPads and MacBooks and I understand why people love iPhones - so do I. I think they're much better phones than Androids; however, when you need to do forensics on an iPhone backup, it's slightly time consuming.

As ever, I like to speed up processes. I like scripting, I like automation, and iPhone backups are crying out for some sort of automation forensics-wise. But fear not! It exists! But first, let me tell you why it's needed. An iPhone backup is stored in the following locations:


  • Windows XP: %HOMEPATH%\Application Data\Apple Computer\MobileSync\Backup\{UDID}
  • Windows Vista/7/8: %HOMEPATH%\AppData\Roaming\Apple Computer\MobileSync\Backup\{UDID} or %APPDATA%\Apple Computer\MobileSync\Backup\{UDID} 
  • OS X: ~/Library/Application Support/MobileSync/Backup/{UDID}


The UDID is a 'Unique Identifier': having worked as an app tester, I know a developer can provide you with a build of an app they're developing that will only run on your UDID, but the important thing to take away is that it's unique. Looking inside an iPhone backup, you'll see that it is full of files with funny looking names. These names are SHA-1 hashes and don't make much sense on their own; however, the backup also includes four important files:


  • Info.plist 
  • Manifest.mbdb
  • Manifest.plist
  • Status.plist


The Manifest.mbdb file is of great importance. Essentially, this file lists every file included in the backup, in plain text. The downside is that you have to manually convert each entry to a SHA-1 hash. For example: HomeDomain-Library/Safari/Bookmarks.db would become F0EC7DF5C552FCA6871EDA5621AB225CB5EFEDA4 as a SHA-1 hash. Then we'd have to look through the files for that name. Do you see how that would get annoying, having to take a string and SHA-1 hash it for every file you want? I created a Python script with a batch file to quickly turn the string into a SHA-1, which works, but I still wanted the process to be faster. You can download my script from https://github.com/smc13/otherTools (look for shaConverter).

As I mentioned, I wanted a quicker, more efficient way of getting all the strings converted to SHA-1 hashes, and as mentioned above, the Manifest.mbdb contains all the files in the backup. After a quick search, I found the following tool: 'iPhone Backup Browser'. This tool can be found here and was created by a developer called Rene. The part we're interested in is the mbdbdump.exe file.

Once you export the Manifest.mbdb file into the same directory as mbdbdump.exe, all you need to do is run this simple command: mbdbdump.exe > mbdbDump.doc (or .txt, .csv, etc.). Once this is done, you'll see data in the following format:

record 7 (mbdb offset 6)
  key    25f31bdb3de9bdead048a0090097d5c1091296d2
  domain CameraRollDomain
  path   Media/DCIM
  mode   dir (488)
  time   28/02/2013 10:04:26
  data   41E8 00000000 0000003F 000001F5 000001F5 512F2BAA 512F2BAA 50CE9157 0000000000000000 04 00

We can verify the hash if we want by taking the domain (CameraRollDomain), adding a '-' and then appending the path Media/DCIM, so it looks like this: CameraRollDomain-Media/DCIM. Hash that string and, you guessed it, we get the same SHA-1 as the key in the record (see picture below).


(The software being used in picture is called 'Text Checksum' by Benoit Ferace and can be downloaded from the Windows Store)
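To save repeating that check by hand, here is an added Python example (not part of the original post or of Rene's tool) that parses the mbdbdump.exe output shown above, recomputes the SHA-1 of Domain-path for every record and reports any key that doesn't match; the second record in the sample is constructed for illustration and deliberately carries a wrong key.

```python
import hashlib
import re

def backup_filename(domain: str, path: str) -> str:
    """SHA-1 of 'Domain-relative/path': the name the file gets in the backup directory."""
    return hashlib.sha1(f"{domain}-{path}".encode("utf-8")).hexdigest()

def parse_mbdbdump(text: str) -> list:
    """Parse the 'record N (mbdb offset M)' blocks printed by mbdbdump.exe into dicts."""
    records, current = [], None
    for line in text.splitlines():
        header = re.match(r"record (\d+) \(mbdb offset (\d+)\)", line)
        if header:
            current = {"record": int(header.group(1)), "offset": int(header.group(2))}
            records.append(current)
        elif current is not None and line.startswith("  "):
            field, _, value = line.strip().partition(" ")  # e.g. "path   Media/DCIM"
            current[field] = value.strip()
    return records

def check_keys(records: list) -> list:
    """Recompute each record's expected file name; return (record, key, expected) where they differ."""
    mismatches = []
    for rec in records:
        expected = backup_filename(rec.get("domain", ""), rec.get("path", ""))
        if rec.get("key", "").lower() != expected:
            mismatches.append((rec["record"], rec.get("key", ""), expected))
    return mismatches

# Constructed sample: record 7 is the one quoted in the post; record 8 is made up
# and given a deliberately wrong (all-zero) key so the check has something to report.
SAMPLE_DUMP = """\
record 7 (mbdb offset 6)
  key    25f31bdb3de9bdead048a0090097d5c1091296d2
  domain CameraRollDomain
  path   Media/DCIM
  mode   dir (488)
  time   28/02/2013 10:04:26
  data   41E8 00000000 0000003F 000001F5 000001F5 512F2BAA 512F2BAA 50CE9157 0000000000000000 04 00
record 8 (mbdb offset 99)
  key    0000000000000000000000000000000000000000
  domain HomeDomain
  path   Library/Safari/Bookmarks.db
"""
if __name__ == "__main__":
    recs = parse_mbdbdump(SAMPLE_DUMP)
    for rec in recs:
        print(rec["record"], rec["domain"] + "-" + rec["path"], "->", backup_filename(rec["domain"], rec["path"]))
    for num, key, expected in check_keys(recs):
        print(f"record {num}: dump key {key} != recomputed {expected}")
```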


So there we have it. There's no need to look in the Manifest.mbdb file and manually convert every string, just export the file and dump its contents. Happy investigating!


