
© 2007 Lee Reiber – Mobile Forensics Inc. 10751 W Overland Rd, STE A6, Boise Idaho 83709

Permission is granted to reproduce contents as long as no contents are altered and reference to copyright notice and
author is included

iPhone data extraction

By Lee Reiber



This document will give OPTIONS for processing and extracting the Apple iPhone. By OPTIONS I mean this is not the end-all solution, and I am sure not the ONLY solution, but an option I have researched and tested.

This solution does involve the examiner “parsing” through the data to recover readable text. In the PC environment this is what the examiner will have to do; the Mac environment is a different story. Throughout the document I will list software for both the PC and Mac that supports the extraction of this data.

Media (photos, music, video) is obtainable with several pieces of commercial software for both the PC and Mac. The scope of this document will not cover that software, but will cover obtaining the SMS, contacts, email, preferences, URLs, etc., that current commercial software will not obtain. This will be accomplished using a copy or backup of the iPhone’s data files.

Apple has allowed ALL data to be “backed up” when the iPhone is connected to iTunes. All we will be doing is exploiting this built-in feature to give the examiner the ability to use the backup as evidence. This “backup” is reminiscent of the Blackberry Desktop Manager tool’s backup database, but the structure is completely different, of course.

Enjoy!

Processing steps:

• You must download the newest version of the iTunes software onto the machine you will be extracting data from the iPhone with. Also, an internet connection is needed to complete the processing.

• Once iTunes is installed, clean out all files in iTunes, the My Music and My Videos folders, and any Windows Address Book folder. All the data must be removed or moved, or you will wind up with YOUR data on the iPhone.

• Start iTunes and then attach the iPhone to your computer. iTunes will find the device and you can then view the options of the device via the iTunes interface. In each tab you will find options to sync contacts, music, videos, etc. You have to check at least one of the boxes to allow the information to sync (that is why we cleaned out all the contacts, right?). After checking, for example, the contacts check box, select the Sync button, which is located at the bottom of the interface. The device will sync and a message box will pop up indicating that a number of contacts are going to be added to your computer. Since we cleaned them out, select OK. Once the sync completes and the data is backed up, the work starts!

• Using your forensic software of choice (I used AccessData’s FTK), import the backed-up data, which is now contained in a folder located here:

WINDOWS: C:\Documents and Settings\USER\Application Data\Apple Computer\MobileSync\Backup\

MAC: ~/Library/Application Support/MobileSync/Backup

You are now looking at many sqlite database files that are embedded into bplist files. If using a Mac, I have a great Python module (http://www.uninnovate.com/2007/07/11/dear-iphone-give-me-my-data/) that will extract the sqlite DB files, which can then be viewed in a program that displays ALL the phone’s data very well (sqlitebrowser). But alas, we are talking about PCs today.

Back to FTK. You have just added the MobileSync folder and are viewing all the files contained inside. The files will have a .mdbackup extension. These are the archived files, with bplist as a header. A bplist is a binary plist file; plist files are property list files in the Mac OS, NeXTSTEP and GNUstep programming frameworks. These files are the ones that contain all the user and handset data. If you highlight an individual file you will be able to view its contents in hex view and also in text view. 36 bytes from the start of the file you will locate the file’s location in the phone’s directory tree. Example:

[Figure: hex view of an .mdbackup file. Callouts: “Location of the SMS data file. This file holds all the text that was exchanged via the handset.”; “Below is an outgoing SMS”; “OSX-epoch based datetime. 1121611611 converts to: Sun Jul 17 2005 08:46:51 GMT-0600 (Mountain Daylight Time)”.]

• The examiner will have to parse through the data and copy out the evidence. I was amazed at all of the data that is backed up. Bookmark the data and then export the report. You have processed your first iPhone! Dates and times are stored as OSX-epoch based datetimes, convertible via date -r. That is Mac lingo! The locations of these are readily located in the table structure. Please refer to the blog at http://damon.durandfamily.org/archives/000487.html for some great information and the locations of data in these sqlite DBs. Here is a converter for epoch values: http://www.esqsoft.com/javascript_examples/date-to-epoch.htm


• I have listed below all the files and their locations in relationship to the iPhone’s directory structure. Another program, iphonelist, is a Windows program that will show the directory structure of the iPhone while it is connected to the examination computer. I am still in the testing stages of the program, but there is promise.
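As an added example (not from the original document), the converter below reproduces the page’s value, 1121611611, the way date -r reads it (seconds since the Unix epoch, 1970-01-01 UTC) and renders it in the GMT-0600 zone quoted above. Because some Apple stores count seconds from 2001-01-01 UTC instead (Mac absolute time), it also reads a raw value both ways and keeps the reading that falls inside a constructed date window for the case.

```python
# Added example, not from the original document.
from datetime import datetime, timedelta, timezone

UNIX_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)         # what date -r uses
MAC_ABSOLUTE_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)  # CFAbsoluteTime zero
MDT = timezone(timedelta(hours=-6), "MDT")                      # GMT-0600, as on the page


def from_unix(seconds, tz=timezone.utc):
    """Equivalent of the page's "date -r <seconds>", shown in the given zone."""
    return (UNIX_EPOCH + timedelta(seconds=seconds)).astimezone(tz)


def from_mac_absolute(seconds, tz=timezone.utc):
    """The same raw value read as seconds since 2001-01-01 UTC."""
    return (MAC_ABSOLUTE_EPOCH + timedelta(seconds=seconds)).astimezone(tz)


def page_format(dt):
    """Render like the page's callout: 'Sun Jul 17 2005 08:46:51 GMT-0600 (MDT)'."""
    return dt.strftime("%a %b %d %Y %H:%M:%S GMT%z (%Z)")


def pick_epoch(seconds, first_year, last_year):
    """Decide which epoch a raw value uses from the years the handset could
    plausibly have been in use (a constructed window supplied by the caller).
    Returns (label, datetime) with label 'unix', 'mac', 'ambiguous' or 'none'."""
    candidates = {"unix": from_unix(seconds), "mac": from_mac_absolute(seconds)}
    fits = {k: v for k, v in candidates.items() if first_year <= v.year <= last_year}
    if len(fits) == 1:
        (label, dt), = fits.items()
        return label, dt
    return ("ambiguous" if fits else "none"), None
```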

iPhone storage and its key databases:

SMS: /var/root/Library/SMS/sms.db

Calendar: /var/root/Library/Calendar/Calendar.sqlitedb

Notes: /var/root/Library/Notes/notes.db

Call History: /var/root/Library/CallHistory/call_history.db

Address Book: /var/root/Library/AddressBook/AddressBook.sqlitedb and /var/root/Library/AddressBook/AddressBookImages.sqlitedb

Keychain: /var/root/Library/Keychains/keychain-#.db. This is the area where the passwords (user information) are located, and it is encrypted.

Voicemail: /var/root/Library/Voicemail/voicemail.db. Individual voicemails are stored as 1.amr, 2.amr, etc.; a custom greeting is stored as Greeting.amr.

Photos: photos taken with the handset are in /var/root/Media/DCIM/100Apple. Photos synced from iPhoto are in /private/var/root/Media/Photos.

Safari: you’ll find the Safari bookmarks and history files in /var/root/Library/Bookmarks.plist and History.plist.

[Figure: location of the web history of the Safari module (this file holds all sites visited via the handset), and a screenshot of the data contained in the history plist file.]

Cookies are stored in /var/root/Library/Cookies/Cookies.plist.

Email: the files are stored in /var/root/Library/Mail. Attachments are MIME encoded and stored in /var/root/Library/Mail/(account name)/INBOX.mbox/Messages. The “Envelope Index” folder is actually an sqlite DB storing information about those attachments.


Again, this is not the end-all for iPhone processing. The examiner has to follow specific instructions about REMOVING data from the key areas described when using iTunes, because the computer’s data will be transferred should it reside there. In my testing, when I removed the residual data from those areas on my forensic machine, I did not add data to the iPhone; I only backed up the data from the device.



LEE REIBER is the lead instructor and owner of Mobile Forensics Inc. (MFI), a
training and consulting company in San Diego, Calif. MFI instructs law enforcement and
security personnel regarding processing physical and historical cellular evidence. MFI
has recently joined CellPhoneDetectives.com and now offers a cellular handset
processing service. Reiber is also a computer and cellphone forensic examiner for the
Boise (Idaho) Police Department.

Thanks to Karl Dunnagan for his review, content and comments.

All materials contained in this document are protected by United States copyright law. You may not alter or remove any trademark, copyright or other notice from copies of the content.