SlideShare a Scribd company logo

iPhone Forensics Archive Data Decoded

H
hrgeeks

How to pull data from an iPhone backup archive on a PC, including full text of SMS and MMS images, passwords and usernames for apps, etc.

TechnologyNews & Politics
1 of 30
Download to read offline
iPhone Forensics, sans iPhone Adam Crosby (adam@uptill3.com) March 14, 2010 Saturday, March 20, 2010
Background Info Saturday, March 20, 2010
iTunes Sync What happens when you plug in... Saturday, March 20, 2010
OS Image ✤ The OS image for an iPhone is NOT backed up on each sync ✤ The image is only backed up when the phone software is upgrade ✤ The image only changes between major versions - no ‘patches’ for iPhone OS. ✤ Does not contain ANY user apps or data Saturday, March 20, 2010
Apps / User Data ✤ Initial sync with iTunes creates an archive on the computer of all of the user apps/data from the phone ✤ The files contained in the archive are all obfuscated ✤ Virtually none of the files or data are encrypted (!) ✤ Files are updated in place with every sync of the phone ✤ This archive is used to recover the phone if needed Saturday, March 20, 2010
Obfuscated Information Saturday, March 20, 2010
That’s a lot of files... And none of those names are meaningful. The Archive Is Located At: ~/Library/Application Support/MobileSync/Backup/<phone Id>/ Saturday, March 20, 2010
What kind of Data? A whole bunch of different kinds Saturday, March 20, 2010
‘plist’ --> Apple Property List • iPhone uses 3 main ‘standard’ plist files • Info.plist, Manifest.plist, and Status.plist • Info.plist is by far the most interesting (more later) • These are plaintext XML documents • Easily read, not always easy to decipher • May contain substantial Base64 encoded <data> chunks • Open with text editor, or plistlib in Python 2.5+ (yay!) Info.plist example Saturday, March 20, 2010
‘mdinfo’ --> Apple bplist files • Special kind of plist - ‘binary packed’ • Luckily, Apple provides an easy to use OS X utility called plutil • plutil -convert xml1 <filename> • Converts the bplist file into a standard plist in place (so copy it out of the live archive folder before digging in. • Many of the bplist files have Base64 encoded <data> property values that are themselves bplists • The SMS db bplist file is like this. • Just unencode it and run it through plutil again to get the embedded plist data out Saturday, March 20, 2010
‘mddata’ --> The goods ✤ The mddata files are simply renamed copies of whatever the original source file described by the mdinfo file was. There are images, databases, text chunks, and application specific stuff (such as MOBI ebooks). ✤ No formatting changes - you can open the PNGs/JPGs as-is and look at the pictures ✤ Any other tools (such as sqlite3) can open files of the correct type in place as well ✤ ‘file *.mddata’ in the archive will give a great listing of each file and it’s actual data type Saturday, March 20, 2010
File Names Saturday, March 20, 2010
Crazy file names (learn to love SHA1) ✤ iPhone OS storage is broken into something called ‘Domains’ ✤ Each file has a file name, path, and a particular storage domain ✤ Two primary domains are ‘HomeDomain’ and ‘MediaDomain’ ✤ The filenames of the mddata and mdinfo files are a SHA1 hash of the full path of the files on-handset location and the domain it is located in. ✤ Filenames do not appear to change, but worst case scenario is iterating over mdinfo files to find the actual file name you need Saturday, March 20, 2010
Embedded b64 bplist Decoded <data> Domain Path printf(‘MediaDomain-Library/SMS/Parts/98/02/15874-4.jpg’) | shasum 39cf2a2aaa3dd7d72243e3d638217ccc15ad2575 Saturday, March 20, 2010
So what’s in there? Saturday, March 20, 2010
Info.plist - All about the phone ✤ This is an unencoded, standard Apple Property List file (XML text) ✤ It contains a wealth of useful information about the phone: ✤ ICC-ID - “Integrated Circuit Card ID”, the hardware serial number of the installed SIM card ✤ IMEI - “International Mobile Equiment Identity”, the hardware serial number of the handset’s baseband proc [*] ✤ Phone Number - Duh. ✤ Serial Number - The iPhone’s serial number (this shows in iTunes) ✤ Product Type - What kind of iPhone (‘iPhone2,1’ = 8GB 3GS, ‘iPhone1,2’ = 8GB 3G, etc.) ✤ Product Version - What iPhone OS revision (3.1.3, 3.1.2, etc.) ✤ Data of Last backup - Duh. ✤ iPhone preferences plist (base64 encoded embedded plist) ✤ Misc. other stuff (encoded / binary application specific data) Saturday, March 20, 2010
A note about IMEI and ICC-ID ✤ ICC-ID is burned into the SIM ✤ IMEI is burned into the phone ✤ It is illegal (and technically difficult) to change either the ICC-ID or the IMEI ✤ The ICC-ID identifies which network/carrier sold the SIM ✤ The IMEI can be used to uniquely identify a given handset, and is used by carriers to disable stolen handsets, even if a new SIM is swapped in. ✤ Neither the IMEI nor the ICC-ID is tied to the subscriber account at the GSM protocol level (that would be the IMSI, which is NOT recorded anywhere but in the SIM) ✤ ATT or other carriers and Apple may be able to collaborate with LE to determine a subscribers identity via ICC-ID, IMEI and Apple ID, as the information does exist Saturday, March 20, 2010
Delicious Databases Saturday, March 20, 2010
SQLite - Apple loves it, so should you ✤ Open Source, file-based database engine ✤ Apple uses it extensively across their platforms and application ranges - most iPhone devs know it as ‘CoreData’ ✤ Simple relational database, supports most of SQL-92 ✤ sqlite3 is the OS X built in CLI to access SQLite database files ✤ In the CLI, the ‘.schema’ command shows database and table schemas Saturday, March 20, 2010
3d0d7e5fb2ce288813306e4d4636395e047a3d28.mddata (also known as HomeDomain-Library/SMS/sms.db) ✤ SQLite database ✤ Contains full SMS records (including full text) for phone, since owner originally created an iPhone account (my DB goes back to 2007) ✤ Updated in place during sync - deleted messages are removed, new messages are inserted ✤ Does NOT contain MMS info (although receipt of an MMS is indicated) ✤ Simple data structure for messages table Saturday, March 20, 2010
Important fields SMS message table schema Saturday, March 20, 2010
SMS Message DB Notes ✤ Address is either source or destination phone number, in 11-digit intl. format (18885551212) ✤ Time is in UNIX epoch format (# of seconds since 1/1/70 0:00 UTC) ✤ Easy to convert - ‘date -r 1268603160’ yields “Sun Mar 14 17:46:00 EDT 2010” ✤ Flags field is used to indicate a number of things (these are all trial/error, not documented): ✤ ‘2’ = Message recieved from ‘address’ ✤ ‘3’ = Message sent from handset to ‘address’ ✤ ’33’ = Message send failure (SMS never sent) ✤ ’35’ = Message send failure (SMS never sent) (I think this also indicates a retry) ✤ ‘129’ = Message deleted (but still appears as a row - no contents though) ✤ ‘131’ = Unknown - no address / etc. ✤ ‘Text’ field is sometimes a plist - this typically indicates an MMS was recieved. MMS text/image information is stored separately (in mddata files outside of the SQLite db). ✤ The other fields appear unused or static (or not of great interest...) Saturday, March 20, 2010
6639cb6a02f32e0203851f25465ffb89ca8ae3fa.mddata (also known as AppDomain-com.facebook.Facebook-Documents/friends.db) ✤ 3rd Party Application example ✤ SQLite database (hey, everybody uses it - thanks CoreData!) ✤ Contains Facebook Friends List and a tiny bit of extra info ✤ Facebook UID ✤ www.facebook.com/profile.php?id=<fbid> ✤ Direct URL to facebook profile picture (no login needed!) ✤ Friends phone numbers, as listed in their profile Saturday, March 20, 2010
Facebook App table schema Saturday, March 20, 2010
What else is there? Saturday, March 20, 2010
Other identified databases Filename Purpose 992df473bbb9e132f4b3b6e4d33f72171e97bc7a.mddata Voicemail List ff1324e6b949111b2fb449ecddb50c89c3699a78.mddata Call log 3d0d7e5fb2ce288813306e4d4636395e047a3d28.mddata SMS Data 740b7eaf93d6ea5d305e88bb349c8e9643f48c3b.mddata Notes’ App data 31bb7ba8914766d4ba40d6dfb6113c8b614be442.mddata Sync’d Address book 6639cb6a02f32e0203851f25465ffb89ca8ae3fa.mddata Facebook App data 970922f2258c5a5a6d449f85b186315a1b9614e9.mddata Flightstats Info 5ad81c93601ac423bc635c7936963ae13177147b.mddata Daily Burn food logger Saturday, March 20, 2010
Other items to look for ✤ App developers assume these files are on the phone, away from prying eyes (or interested users...) ✤ Passwords and other account details stored in plaintext ✤ At least Tweetie and Dailyburn store passwords in plaintext ✤ (See 87f665a66ead44fd5592fa427c4def228098fdda.mddata for Tweetie’s twitter account information in bplist format) ✤ Cookies for some apps embedded browsers (see: Facebook) are stored in bplist files (for easier session hijacking, yay!) Saturday, March 20, 2010
What’s next? ✤ Time to start trolling through the app store for ‘service’ apps - GMail, GReader, MySpace, etc. to look for more apps that store their user creds in plaintext ✤ Scripting out data extraction for interesting stuff (like finding out hot numbers - who is called / calls the most, and do they have a Facebook picture?) ✤ Integrating a scrape of the address book with the other data tables to give ‘friendly names’ to each phone number ✤ Release existing tools open source via 757Labs Saturday, March 20, 2010
Thanks / Credits ✤ 757 Labs for hosting! ✤ ‘dsp’ on LiveJournal for finally figuring out how the sha1’s are generated for file names ✤ Apple, for making CoreData so attractive for developers. SQLite makes trolling through data easy :) ✤ Damon Durand, for some initial work on the meaning of SMS flags Saturday, March 20, 2010
¿Preguntas? Saturday, March 20, 2010

Recommended

Odoo 14 Calendar
Odoo 14 CalendarOdoo 14 Calendar
Odoo 14 CalendarCeline George
 
Virtual Security Lab Setup - OWASP Broken Web Apps, Webgoat, & ZAP
Virtual Security Lab Setup - OWASP Broken Web Apps, Webgoat, & ZAPVirtual Security Lab Setup - OWASP Broken Web Apps, Webgoat, & ZAP
Virtual Security Lab Setup - OWASP Broken Web Apps, Webgoat, & ZAPMichael Coates
 
Time-Based Blind SQL Injection
Time-Based Blind SQL InjectionTime-Based Blind SQL Injection
Time-Based Blind SQL Injectionmatt_presson
 
The Rising Threat of Fileless Malware
The Rising Threat of Fileless MalwareThe Rising Threat of Fileless Malware
The Rising Threat of Fileless MalwareChelsea Sisson
 
High performance queues with Cassandra
High performance queues with CassandraHigh performance queues with Cassandra
High performance queues with CassandraMikalai Alimenkou
 
OWASP A4 XML External Entities (XXE)
OWASP A4 XML External Entities (XXE)OWASP A4 XML External Entities (XXE)
OWASP A4 XML External Entities (XXE)Michael Furman
 
Black Hat: XML Out-Of-Band Data Retrieval
Black Hat: XML Out-Of-Band Data RetrievalBlack Hat: XML Out-Of-Band Data Retrieval
Black Hat: XML Out-Of-Band Data Retrievalqqlan
 
Fluent Bit: Log Forwarding at Scale
Fluent Bit: Log Forwarding at ScaleFluent Bit: Log Forwarding at Scale
Fluent Bit: Log Forwarding at ScaleEduardo Silva Pereira
 

Recommended

Odoo 14 Calendar
Odoo 14 CalendarOdoo 14 Calendar
Odoo 14 CalendarCeline George
 
Virtual Security Lab Setup - OWASP Broken Web Apps, Webgoat, & ZAP
Virtual Security Lab Setup - OWASP Broken Web Apps, Webgoat, & ZAPVirtual Security Lab Setup - OWASP Broken Web Apps, Webgoat, & ZAP
Virtual Security Lab Setup - OWASP Broken Web Apps, Webgoat, & ZAPMichael Coates
 
Time-Based Blind SQL Injection
Time-Based Blind SQL InjectionTime-Based Blind SQL Injection
Time-Based Blind SQL Injectionmatt_presson
 
The Rising Threat of Fileless Malware
The Rising Threat of Fileless MalwareThe Rising Threat of Fileless Malware
The Rising Threat of Fileless MalwareChelsea Sisson
 
High performance queues with Cassandra
High performance queues with CassandraHigh performance queues with Cassandra
High performance queues with CassandraMikalai Alimenkou
 
OWASP A4 XML External Entities (XXE)
OWASP A4 XML External Entities (XXE)OWASP A4 XML External Entities (XXE)
OWASP A4 XML External Entities (XXE)Michael Furman
 
Black Hat: XML Out-Of-Band Data Retrieval
Black Hat: XML Out-Of-Band Data RetrievalBlack Hat: XML Out-Of-Band Data Retrieval
Black Hat: XML Out-Of-Band Data Retrievalqqlan
 
Fluent Bit: Log Forwarding at Scale
Fluent Bit: Log Forwarding at ScaleFluent Bit: Log Forwarding at Scale
Fluent Bit: Log Forwarding at ScaleEduardo Silva Pereira
 
Distributed Transaction in Microservice
Distributed Transaction in MicroserviceDistributed Transaction in Microservice
Distributed Transaction in MicroserviceNghia Minh
 
CNIT 129S: Ch 12: Attacking Users: Cross-Site Scripting
CNIT 129S: Ch 12: Attacking Users: Cross-Site ScriptingCNIT 129S: Ch 12: Attacking Users: Cross-Site Scripting
CNIT 129S: Ch 12: Attacking Users: Cross-Site ScriptingSam Bowne
 
Oracle SQL Developer for the DBA
Oracle SQL Developer for the DBAOracle SQL Developer for the DBA
Oracle SQL Developer for the DBAJeff Smith
 
Cross-Site Scripting (XSS)
Cross-Site Scripting (XSS)Cross-Site Scripting (XSS)
Cross-Site Scripting (XSS)Daniel Tumser
 
6 Scope & 7 Live Data Collection
6 Scope & 7 Live Data Collection6 Scope & 7 Live Data Collection
6 Scope & 7 Live Data CollectionSam Bowne
 
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ Behaviour
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ BehaviourWAF Bypass Techniques - Using HTTP Standard and Web Servers’ Behaviour
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ BehaviourSoroush Dalili
 
SQL injection: Not Only AND 1=1 (updated)
SQL injection: Not Only AND 1=1 (updated)SQL injection: Not Only AND 1=1 (updated)
SQL injection: Not Only AND 1=1 (updated)Bernardo Damele A. G.
 
CNIT 129S - Ch 3: Web Application Technologies
CNIT 129S - Ch 3: Web Application TechnologiesCNIT 129S - Ch 3: Web Application Technologies
CNIT 129S - Ch 3: Web Application TechnologiesSam Bowne
 
XSS Magic tricks
XSS Magic tricksXSS Magic tricks
XSS Magic tricksGarethHeyes
 
ZeroNights 2018 | I <"3 XSS
ZeroNights 2018 | I <"3 XSSZeroNights 2018 | I <"3 XSS
ZeroNights 2018 | I <"3 XSSДмитрий Бумов
 
Sql server performance tuning
Sql server performance tuningSql server performance tuning
Sql server performance tuningJugal Shah
 
CNIT 152: 4 Starting the Investigation & 5 Leads
CNIT 152: 4 Starting the Investigation & 5 LeadsCNIT 152: 4 Starting the Investigation & 5 Leads
CNIT 152: 4 Starting the Investigation & 5 LeadsSam Bowne
 
Build 2017 SQL Server in Dev Ops
Build 2017 SQL Server in Dev OpsBuild 2017 SQL Server in Dev Ops
Build 2017 SQL Server in Dev OpsTravis Wright
 
Kafka 101
Kafka 101Kafka 101
Kafka 101Clement Demonchy
 
Overview of Vulnerability Scanning.pptx
Overview of Vulnerability Scanning.pptxOverview of Vulnerability Scanning.pptx
Overview of Vulnerability Scanning.pptxAjayKumar73315
 
Jose Miguel Holguin & Marc Salinas - Taller de análisis de memoria RAM en sis...
Jose Miguel Holguin & Marc Salinas - Taller de análisis de memoria RAM en sis...Jose Miguel Holguin & Marc Salinas - Taller de análisis de memoria RAM en sis...
Jose Miguel Holguin & Marc Salinas - Taller de análisis de memoria RAM en sis...RootedCON
 
Understanding the Event Log
Understanding the Event LogUnderstanding the Event Log
Understanding the Event Logchuckbt
 
Web-servers & Application Hacking
Web-servers & Application HackingWeb-servers & Application Hacking
Web-servers & Application HackingRaghav Bisht
 
Neat tricks to bypass CSRF-protection
Neat tricks to bypass CSRF-protectionNeat tricks to bypass CSRF-protection
Neat tricks to bypass CSRF-protectionMikhail Egorov
 
Monitor và tối ưu sql server
Monitor và tối ưu sql serverMonitor và tối ưu sql server
Monitor và tối ưu sql serverHuân Bùi Đình
 
iPhone Forensics Without iPhone using iTunes Backup
iPhone Forensics Without iPhone using iTunes BackupiPhone Forensics Without iPhone using iTunes Backup
iPhone Forensics Without iPhone using iTunes BackupVincent Ohprecio
 
Writing Docs Like a Boss
Writing Docs Like a BossWriting Docs Like a Boss
Writing Docs Like a Bossspmckeown
 

More Related Content

What's hot

Distributed Transaction in Microservice
Distributed Transaction in MicroserviceDistributed Transaction in Microservice
Distributed Transaction in MicroserviceNghia Minh
 
CNIT 129S: Ch 12: Attacking Users: Cross-Site Scripting
CNIT 129S: Ch 12: Attacking Users: Cross-Site ScriptingCNIT 129S: Ch 12: Attacking Users: Cross-Site Scripting
CNIT 129S: Ch 12: Attacking Users: Cross-Site ScriptingSam Bowne
 
Oracle SQL Developer for the DBA
Oracle SQL Developer for the DBAOracle SQL Developer for the DBA
Oracle SQL Developer for the DBAJeff Smith
 
Cross-Site Scripting (XSS)
Cross-Site Scripting (XSS)Cross-Site Scripting (XSS)
Cross-Site Scripting (XSS)Daniel Tumser
 
6 Scope & 7 Live Data Collection
6 Scope & 7 Live Data Collection6 Scope & 7 Live Data Collection
6 Scope & 7 Live Data CollectionSam Bowne
 
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ Behaviour
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ BehaviourWAF Bypass Techniques - Using HTTP Standard and Web Servers’ Behaviour
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ BehaviourSoroush Dalili
 
SQL injection: Not Only AND 1=1 (updated)
SQL injection: Not Only AND 1=1 (updated)SQL injection: Not Only AND 1=1 (updated)
SQL injection: Not Only AND 1=1 (updated)Bernardo Damele A. G.
 
CNIT 129S - Ch 3: Web Application Technologies
CNIT 129S - Ch 3: Web Application TechnologiesCNIT 129S - Ch 3: Web Application Technologies
CNIT 129S - Ch 3: Web Application TechnologiesSam Bowne
 
XSS Magic tricks
XSS Magic tricksXSS Magic tricks
XSS Magic tricksGarethHeyes
 
Sql server performance tuning
Sql server performance tuningSql server performance tuning
Sql server performance tuningJugal Shah
 
CNIT 152: 4 Starting the Investigation & 5 Leads
CNIT 152: 4 Starting the Investigation & 5 LeadsCNIT 152: 4 Starting the Investigation & 5 Leads
CNIT 152: 4 Starting the Investigation & 5 LeadsSam Bowne
 
Build 2017 SQL Server in Dev Ops
Build 2017 SQL Server in Dev OpsBuild 2017 SQL Server in Dev Ops
Build 2017 SQL Server in Dev OpsTravis Wright
 
Overview of Vulnerability Scanning.pptx
Overview of Vulnerability Scanning.pptxOverview of Vulnerability Scanning.pptx
Overview of Vulnerability Scanning.pptxAjayKumar73315
 
Jose Miguel Holguin & Marc Salinas - Taller de análisis de memoria RAM en sis...
Jose Miguel Holguin & Marc Salinas - Taller de análisis de memoria RAM en sis...Jose Miguel Holguin & Marc Salinas - Taller de análisis de memoria RAM en sis...
Jose Miguel Holguin & Marc Salinas - Taller de análisis de memoria RAM en sis...RootedCON
 
Understanding the Event Log
Understanding the Event LogUnderstanding the Event Log
Understanding the Event Logchuckbt
 
Web-servers & Application Hacking
Web-servers & Application HackingWeb-servers & Application Hacking
Web-servers & Application HackingRaghav Bisht
 
Neat tricks to bypass CSRF-protection
Neat tricks to bypass CSRF-protectionNeat tricks to bypass CSRF-protection
Neat tricks to bypass CSRF-protectionMikhail Egorov
 
Monitor và tối ưu sql server
Monitor và tối ưu sql serverMonitor và tối ưu sql server
Monitor và tối ưu sql serverHuân Bùi Đình
 

What's hot (20)

Distributed Transaction in Microservice
Distributed Transaction in MicroserviceDistributed Transaction in Microservice
Distributed Transaction in Microservice
 
CNIT 129S: Ch 12: Attacking Users: Cross-Site Scripting
CNIT 129S: Ch 12: Attacking Users: Cross-Site ScriptingCNIT 129S: Ch 12: Attacking Users: Cross-Site Scripting
CNIT 129S: Ch 12: Attacking Users: Cross-Site Scripting
 
Oracle SQL Developer for the DBA
Oracle SQL Developer for the DBAOracle SQL Developer for the DBA
Oracle SQL Developer for the DBA
 
Cross-Site Scripting (XSS)
Cross-Site Scripting (XSS)Cross-Site Scripting (XSS)
Cross-Site Scripting (XSS)
 
6 Scope & 7 Live Data Collection
6 Scope & 7 Live Data Collection6 Scope & 7 Live Data Collection
6 Scope & 7 Live Data Collection
 
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ Behaviour
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ BehaviourWAF Bypass Techniques - Using HTTP Standard and Web Servers’ Behaviour
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ Behaviour
 
SQL injection: Not Only AND 1=1 (updated)
SQL injection: Not Only AND 1=1 (updated)SQL injection: Not Only AND 1=1 (updated)
SQL injection: Not Only AND 1=1 (updated)
 
CNIT 129S - Ch 3: Web Application Technologies
CNIT 129S - Ch 3: Web Application TechnologiesCNIT 129S - Ch 3: Web Application Technologies
CNIT 129S - Ch 3: Web Application Technologies
 
XSS Magic tricks
XSS Magic tricksXSS Magic tricks
XSS Magic tricks
 
ZeroNights 2018 | I <"3 XSS
ZeroNights 2018 | I <"3 XSSZeroNights 2018 | I <"3 XSS
ZeroNights 2018 | I <"3 XSS
 
Sql server performance tuning
Sql server performance tuningSql server performance tuning
Sql server performance tuning
 
CNIT 152: 4 Starting the Investigation & 5 Leads
CNIT 152: 4 Starting the Investigation & 5 LeadsCNIT 152: 4 Starting the Investigation & 5 Leads
CNIT 152: 4 Starting the Investigation & 5 Leads
 
Build 2017 SQL Server in Dev Ops
Build 2017 SQL Server in Dev OpsBuild 2017 SQL Server in Dev Ops
Build 2017 SQL Server in Dev Ops
 
Kafka 101
Kafka 101Kafka 101
Kafka 101
 
Overview of Vulnerability Scanning.pptx
Overview of Vulnerability Scanning.pptxOverview of Vulnerability Scanning.pptx
Overview of Vulnerability Scanning.pptx
 
Jose Miguel Holguin & Marc Salinas - Taller de análisis de memoria RAM en sis...
Jose Miguel Holguin & Marc Salinas - Taller de análisis de memoria RAM en sis...Jose Miguel Holguin & Marc Salinas - Taller de análisis de memoria RAM en sis...
Jose Miguel Holguin & Marc Salinas - Taller de análisis de memoria RAM en sis...
 
Understanding the Event Log
Understanding the Event LogUnderstanding the Event Log
Understanding the Event Log
 
Web-servers & Application Hacking
Web-servers & Application HackingWeb-servers & Application Hacking
Web-servers & Application Hacking
 
Neat tricks to bypass CSRF-protection
Neat tricks to bypass CSRF-protectionNeat tricks to bypass CSRF-protection
Neat tricks to bypass CSRF-protection
 
Monitor và tối ưu sql server
Monitor và tối ưu sql serverMonitor và tối ưu sql server
Monitor và tối ưu sql server
 

Viewers also liked

iPhone Forensics Without iPhone using iTunes Backup
iPhone Forensics Without iPhone using iTunes BackupiPhone Forensics Without iPhone using iTunes Backup
iPhone Forensics Without iPhone using iTunes BackupVincent Ohprecio
 
Writing Docs Like a Boss
Writing Docs Like a BossWriting Docs Like a Boss
Writing Docs Like a Bossspmckeown
 
Intro2 malwareanalysisshort
Intro2 malwareanalysisshortIntro2 malwareanalysisshort
Intro2 malwareanalysisshortVincent Ohprecio
 
Forensic Challenge 10 - FC5 Attack Dataset Visualization
Forensic Challenge 10 - FC5 Attack Dataset VisualizationForensic Challenge 10 - FC5 Attack Dataset Visualization
Forensic Challenge 10 - FC5 Attack Dataset VisualizationVincent Ohprecio
 
Keynote Joe Reid IT Innovation Day 2014
Keynote Joe Reid IT Innovation Day 2014Keynote Joe Reid IT Innovation Day 2014
Keynote Joe Reid IT Innovation Day 2014ITInnovationDayNL
 
Documentation Training for Supervisors by SHRM
Documentation Training for Supervisors by SHRMDocumentation Training for Supervisors by SHRM
Documentation Training for Supervisors by SHRMAtlantic Training, LLC.
 
iPhone Backup Analyzer 2 - presentation [ITA]
iPhone Backup Analyzer 2 - presentation [ITA]iPhone Backup Analyzer 2 - presentation [ITA]
iPhone Backup Analyzer 2 - presentation [ITA]piccimario
 
Forensic analysis of iPhone backups (iOS 5)
Forensic analysis of iPhone backups (iOS 5)Forensic analysis of iPhone backups (iOS 5)
Forensic analysis of iPhone backups (iOS 5)Satish b
 
Vishwadeep Presentation On NSA PRISM Spying
Vishwadeep Presentation On NSA PRISM SpyingVishwadeep Presentation On NSA PRISM Spying
Vishwadeep Presentation On NSA PRISM SpyingVishwadeep Badgujar
 
Autopsy 3: Free Open Source End-to-End Windows-based Digital Forensics Platform
Autopsy 3: Free Open Source End-to-End Windows-based Digital Forensics PlatformAutopsy 3: Free Open Source End-to-End Windows-based Digital Forensics Platform
Autopsy 3: Free Open Source End-to-End Windows-based Digital Forensics PlatformBasis Technology
 
Social Media Forensics for Investigators
Social Media Forensics for InvestigatorsSocial Media Forensics for Investigators
Social Media Forensics for InvestigatorsCase IQ
 
From Gov Docs to Fun Docs: Using Government Information to Enhance your Libra...
From Gov Docs to Fun Docs: Using Government Information to Enhance your Libra...From Gov Docs to Fun Docs: Using Government Information to Enhance your Libra...
From Gov Docs to Fun Docs: Using Government Information to Enhance your Libra...Sonnet Ireland
 
The Kamma of Listening
The Kamma of ListeningThe Kamma of Listening
The Kamma of ListeningOH TEIK BIN
 
UCEM~LEÇON 362 – Cet instant saint, je voudrais Te le donner.(…).
UCEM~LEÇON 362 – Cet instant saint, je voudrais Te le donner.(…).UCEM~LEÇON 362 – Cet instant saint, je voudrais Te le donner.(…).
UCEM~LEÇON 362 – Cet instant saint, je voudrais Te le donner.(…).Pierrot Caron
 
LEÇON 365 – Cet instant saint, je voudrais Te le donner.(…).
LEÇON 365 – Cet instant saint, je voudrais Te le donner.(…).LEÇON 365 – Cet instant saint, je voudrais Te le donner.(…).
LEÇON 365 – Cet instant saint, je voudrais Te le donner.(…).Pierrot Caron
 
Digital Marketing Case Discussion - Alpenlibbe
Digital Marketing Case Discussion - AlpenlibbeDigital Marketing Case Discussion - Alpenlibbe
Digital Marketing Case Discussion - AlpenlibbeDigital Vidya
 
Start-up weekend business life. Рабочая тетрадь. 18.11.14
Start-up weekend business life. Рабочая тетрадь. 18.11.14Start-up weekend business life. Рабочая тетрадь. 18.11.14
Start-up weekend business life. Рабочая тетрадь. 18.11.14Oleg Afanasyev
 
Gravitation and orbit
Gravitation and orbitGravitation and orbit
Gravitation and orbitcaitlinforan
 

Viewers also liked (20)

iPhone Forensics Without iPhone using iTunes Backup
iPhone Forensics Without iPhone using iTunes BackupiPhone Forensics Without iPhone using iTunes Backup
iPhone Forensics Without iPhone using iTunes Backup
 
Writing Docs Like a Boss
Writing Docs Like a BossWriting Docs Like a Boss
Writing Docs Like a Boss
 
Intro2 malwareanalysisshort
Intro2 malwareanalysisshortIntro2 malwareanalysisshort
Intro2 malwareanalysisshort
 
Forensic Challenge 10 - FC5 Attack Dataset Visualization
Forensic Challenge 10 - FC5 Attack Dataset VisualizationForensic Challenge 10 - FC5 Attack Dataset Visualization
Forensic Challenge 10 - FC5 Attack Dataset Visualization
 
Mobile JavaScript
Mobile JavaScriptMobile JavaScript
Mobile JavaScript
 
Keynote Joe Reid IT Innovation Day 2014
Keynote Joe Reid IT Innovation Day 2014Keynote Joe Reid IT Innovation Day 2014
Keynote Joe Reid IT Innovation Day 2014
 
Documentation Training for Supervisors by SHRM
Documentation Training for Supervisors by SHRMDocumentation Training for Supervisors by SHRM
Documentation Training for Supervisors by SHRM
 
iPhone Backup Analyzer 2 - presentation [ITA]
iPhone Backup Analyzer 2 - presentation [ITA]iPhone Backup Analyzer 2 - presentation [ITA]
iPhone Backup Analyzer 2 - presentation [ITA]
 
Forensic analysis of iPhone backups (iOS 5)
Forensic analysis of iPhone backups (iOS 5)Forensic analysis of iPhone backups (iOS 5)
Forensic analysis of iPhone backups (iOS 5)
 
Vishwadeep Presentation On NSA PRISM Spying
Vishwadeep Presentation On NSA PRISM SpyingVishwadeep Presentation On NSA PRISM Spying
Vishwadeep Presentation On NSA PRISM Spying
 
Autopsy 3: Free Open Source End-to-End Windows-based Digital Forensics Platform
Autopsy 3: Free Open Source End-to-End Windows-based Digital Forensics PlatformAutopsy 3: Free Open Source End-to-End Windows-based Digital Forensics Platform
Autopsy 3: Free Open Source End-to-End Windows-based Digital Forensics Platform
 
Social Media Forensics for Investigators
Social Media Forensics for InvestigatorsSocial Media Forensics for Investigators
Social Media Forensics for Investigators
 
From Gov Docs to Fun Docs: Using Government Information to Enhance your Libra...
From Gov Docs to Fun Docs: Using Government Information to Enhance your Libra...From Gov Docs to Fun Docs: Using Government Information to Enhance your Libra...
From Gov Docs to Fun Docs: Using Government Information to Enhance your Libra...
 
The Kamma of Listening
The Kamma of ListeningThe Kamma of Listening
The Kamma of Listening
 
UCEM~LEÇON 362 – Cet instant saint, je voudrais Te le donner.(…).
UCEM~LEÇON 362 – Cet instant saint, je voudrais Te le donner.(…).UCEM~LEÇON 362 – Cet instant saint, je voudrais Te le donner.(…).
UCEM~LEÇON 362 – Cet instant saint, je voudrais Te le donner.(…).
 
LEÇON 365 – Cet instant saint, je voudrais Te le donner.(…).
LEÇON 365 – Cet instant saint, je voudrais Te le donner.(…).LEÇON 365 – Cet instant saint, je voudrais Te le donner.(…).
LEÇON 365 – Cet instant saint, je voudrais Te le donner.(…).
 
Digital Marketing Case Discussion - Alpenlibbe
Digital Marketing Case Discussion - AlpenlibbeDigital Marketing Case Discussion - Alpenlibbe
Digital Marketing Case Discussion - Alpenlibbe
 
Start-up weekend business life. Рабочая тетрадь. 18.11.14
Start-up weekend business life. Рабочая тетрадь. 18.11.14Start-up weekend business life. Рабочая тетрадь. 18.11.14
Start-up weekend business life. Рабочая тетрадь. 18.11.14
 
Gravitation and orbit
Gravitation and orbitGravitation and orbit
Gravitation and orbit
 
Library spaces
Library spacesLibrary spaces
Library spaces
 

Similar to iPhone Forensics Archive Data Decoded

Discovering Windows Phone 8 Artifacts and Secrets
Discovering Windows Phone 8 Artifacts and Secrets Discovering Windows Phone 8 Artifacts and Secrets
Discovering Windows Phone 8 Artifacts and Secrets Reality Net System Solutions
 
Splunk Stream - Einblicke in Netzwerk Traffic
Splunk Stream - Einblicke in Netzwerk TrafficSplunk Stream - Einblicke in Netzwerk Traffic
Splunk Stream - Einblicke in Netzwerk TrafficSplunk
 
What One Digital Forensics Expert Found on Hundreds of Hard Drives, iPhones a...
What One Digital Forensics Expert Found on Hundreds of Hard Drives, iPhones a...What One Digital Forensics Expert Found on Hundreds of Hard Drives, iPhones a...
What One Digital Forensics Expert Found on Hundreds of Hard Drives, iPhones a...Blancco
 
Osttopst
OsttopstOsttopst
Osttopstwacliff
 
Files in Operating system
Files in Operating system Files in Operating system
Files in Operating system Preethi T G
 
Hacker Halted 2014 - EMM Limits & Solutions
Hacker Halted 2014 - EMM Limits & SolutionsHacker Halted 2014 - EMM Limits & Solutions
Hacker Halted 2014 - EMM Limits & SolutionsEC-Council
 
Digital Forensics Research & Examination
Digital Forensics Research & ExaminationDigital Forensics Research & Examination
Digital Forensics Research & ExaminationforensicEmailAnalysis
 
Behind The Code // by Exness
Behind The Code // by ExnessBehind The Code // by Exness
Behind The Code // by ExnessMaxim Gaponov
 
Pentesting iOS Applications
Pentesting iOS ApplicationsPentesting iOS Applications
Pentesting iOS Applicationsjasonhaddix
 
Information track presentation_final
Information track presentation_finalInformation track presentation_final
Information track presentation_finalKazuki Omo
 
ADLUG 2012: Linking Linked Data
ADLUG 2012: Linking Linked DataADLUG 2012: Linking Linked Data
ADLUG 2012: Linking Linked DataAndrea Gazzarini
 
Why cant all_data_be_the_same
Why cant all_data_be_the_sameWhy cant all_data_be_the_same
Why cant all_data_be_the_sameSkyler Lewis
 
Defcon 17 Tactical Fingerprinting using Foca
Defcon 17 Tactical Fingerprinting using FocaDefcon 17 Tactical Fingerprinting using Foca
Defcon 17 Tactical Fingerprinting using FocaChema Alonso
 
Metadata Security: MetaShield Protector
Metadata Security: MetaShield ProtectorMetadata Security: MetaShield Protector
Metadata Security: MetaShield ProtectorChema Alonso
 
Methods and Instruments for the new Digital Forensics Environments
Methods and Instruments for the new Digital Forensics EnvironmentsMethods and Instruments for the new Digital Forensics Environments
Methods and Instruments for the new Digital Forensics Environmentspiccimario
 
Computer Fundamentals and Basics of Computer
Computer Fundamentals and Basics of ComputerComputer Fundamentals and Basics of Computer
Computer Fundamentals and Basics of ComputerSuman Mia
 
Mobile Phone Examiner Plus Information
Mobile Phone Examiner Plus InformationMobile Phone Examiner Plus Information
Mobile Phone Examiner Plus InformationJames Dabbagian
 
Windows 8 Forensics & Anti Forensics
Windows 8 Forensics & Anti ForensicsWindows 8 Forensics & Anti Forensics
Windows 8 Forensics & Anti ForensicsMike Spaulding
 

Similar to iPhone Forensics Archive Data Decoded (20)

Discovering Windows Phone 8 Artifacts and Secrets
Discovering Windows Phone 8 Artifacts and Secrets Discovering Windows Phone 8 Artifacts and Secrets
Discovering Windows Phone 8 Artifacts and Secrets
 
Splunk Stream - Einblicke in Netzwerk Traffic
Splunk Stream - Einblicke in Netzwerk TrafficSplunk Stream - Einblicke in Netzwerk Traffic
Splunk Stream - Einblicke in Netzwerk Traffic
 
What One Digital Forensics Expert Found on Hundreds of Hard Drives, iPhones a...
What One Digital Forensics Expert Found on Hundreds of Hard Drives, iPhones a...What One Digital Forensics Expert Found on Hundreds of Hard Drives, iPhones a...
What One Digital Forensics Expert Found on Hundreds of Hard Drives, iPhones a...
 
Osttopst
OsttopstOsttopst
Osttopst
 
Files in Operating system
Files in Operating system Files in Operating system
Files in Operating system
 
Hacker Halted 2014 - EMM Limits & Solutions
Hacker Halted 2014 - EMM Limits & SolutionsHacker Halted 2014 - EMM Limits & Solutions
Hacker Halted 2014 - EMM Limits & Solutions
 
Digital Forensics Research & Examination
Digital Forensics Research & ExaminationDigital Forensics Research & Examination
Digital Forensics Research & Examination
 
Unit 1
Unit 1Unit 1
Unit 1
 
Behind The Code // by Exness
Behind The Code // by ExnessBehind The Code // by Exness
Behind The Code // by Exness
 
Pentesting iOS Applications
Pentesting iOS ApplicationsPentesting iOS Applications
Pentesting iOS Applications
 
Information track presentation_final
Information track presentation_finalInformation track presentation_final
Information track presentation_final
 
ADLUG 2012: Linking Linked Data
ADLUG 2012: Linking Linked DataADLUG 2012: Linking Linked Data
ADLUG 2012: Linking Linked Data
 
Why cant all_data_be_the_same
Why cant all_data_be_the_sameWhy cant all_data_be_the_same
Why cant all_data_be_the_same
 
Protocol buffers
Protocol buffersProtocol buffers
Protocol buffers
 
Defcon 17 Tactical Fingerprinting using Foca
Defcon 17 Tactical Fingerprinting using FocaDefcon 17 Tactical Fingerprinting using Foca
Defcon 17 Tactical Fingerprinting using Foca
 
Metadata Security: MetaShield Protector
Metadata Security: MetaShield ProtectorMetadata Security: MetaShield Protector
Metadata Security: MetaShield Protector
 
Methods and Instruments for the new Digital Forensics Environments
Methods and Instruments for the new Digital Forensics EnvironmentsMethods and Instruments for the new Digital Forensics Environments
Methods and Instruments for the new Digital Forensics Environments
 
Computer Fundamentals and Basics of Computer
Computer Fundamentals and Basics of ComputerComputer Fundamentals and Basics of Computer
Computer Fundamentals and Basics of Computer
 
Mobile Phone Examiner Plus Information
Mobile Phone Examiner Plus InformationMobile Phone Examiner Plus Information
Mobile Phone Examiner Plus Information
 
Windows 8 Forensics & Anti Forensics
Windows 8 Forensics & Anti ForensicsWindows 8 Forensics & Anti Forensics
Windows 8 Forensics & Anti Forensics
 

Recently uploaded

Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 3652toLead Limited
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machinePadma Pradeep
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsMiki Katsuragi
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfAlex Barbosa Coqueiro
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii SoldatenkoFwdays
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLScyllaDB
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Mark Simos
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024Scott Keck-Warren
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Enterprise Knowledge
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationSafe Software
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):comworks
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...Fwdays
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxNavinnSomaal
 
costume and set research powerpoint presentation
costume and set research powerpoint presentationcostume and set research powerpoint presentation
costume and set research powerpoint presentationphoebematthew05
 
Powerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time ClashPowerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time Clashcharlottematthew16
 
Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piececharlottematthew16
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsRizwan Syed
 
APIForce Zurich 5 April Automation LPDG
APIForce Zurich 5 April Automation LPDGAPIForce Zurich 5 April Automation LPDG
APIForce Zurich 5 April Automation LPDGMarianaLemus7
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...shyamraj55
 

Recently uploaded (20)

Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machine
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering Tips
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdf
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQL
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptx
 
costume and set research powerpoint presentation
costume and set research powerpoint presentationcostume and set research powerpoint presentation
costume and set research powerpoint presentation
 
Powerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time ClashPowerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time Clash
 
Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piece
 
DMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special EditionDMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special Edition
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL Certs
 
APIForce Zurich 5 April Automation LPDG
APIForce Zurich 5 April Automation LPDGAPIForce Zurich 5 April Automation LPDG
APIForce Zurich 5 April Automation LPDG
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
 

iPhone Forensics Archive Data Decoded

  • 1. iPhone Forensics, sans iPhone Adam Crosby (adam@uptill3.com) March 14, 2010 Saturday, March 20, 2010
  • 3. iTunes Sync What happens when you plug in... Saturday, March 20, 2010
  • 4. OS Image ✤ The OS image for an iPhone is NOT backed up on each sync ✤ The image is only backed up when the phone software is upgrade ✤ The image only changes between major versions - no ‘patches’ for iPhone OS. ✤ Does not contain ANY user apps or data Saturday, March 20, 2010
  • 5. Apps / User Data ✤ Initial sync with iTunes creates an archive on the computer of all of the user apps/data from the phone ✤ The files contained in the archive are all obfuscated ✤ Virtually none of the files or data are encrypted (!) ✤ Files are updated in place with every sync of the phone ✤ This archive is used to recover the phone if needed Saturday, March 20, 2010
  • 7. That’s a lot of files... And none of those names are meaningful. The Archive Is Located At: ~/Library/Application Support/MobileSync/Backup/<phone Id>/ Saturday, March 20, 2010
  • 8. What kind of Data? A whole bunch of different kinds Saturday, March 20, 2010
  • 9. ‘plist’ --> Apple Property List • iPhone uses 3 main ‘standard’ plist files • Info.plist, Manifest.plist, and Status.plist • Info.plist is by far the most interesting (more later) • These are plaintext XML documents • Easily read, not always easy to decipher • May contain substantial Base64 encoded <data> chunks • Open with text editor, or plistlib in Python 2.5+ (yay!) Info.plist example Saturday, March 20, 2010
  • 10. ‘mdinfo’ --> Apple bplist files • Special kind of plist - ‘binary packed’ • Luckily, Apple provides an easy to use OS X utility called plutil • plutil -convert xml1 <filename> • Converts the bplist file into a standard plist in place (so copy it out of the live archive folder before digging in. • Many of the bplist files have Base64 encoded <data> property values that are themselves bplists • The SMS db bplist file is like this. • Just unencode it and run it through plutil again to get the embedded plist data out Saturday, March 20, 2010
  • 11. ‘mddata’ --> The goods ✤ The mddata files are simply renamed copies of whatever the original source file described by the mdinfo file was. There are images, databases, text chunks, and application specific stuff (such as MOBI ebooks). ✤ No formatting changes - you can open the PNGs/JPGs as-is and look at the pictures ✤ Any other tools (such as sqlite3) can open files of the correct type in place as well ✤ ‘file *.mddata’ in the archive will give a great listing of each file and it’s actual data type Saturday, March 20, 2010
  • 13. Crazy file names (learn to love SHA1) ✤ iPhone OS storage is broken into something called ‘Domains’ ✤ Each file has a file name, path, and a particular storage domain ✤ Two primary domains are ‘HomeDomain’ and ‘MediaDomain’ ✤ The filenames of the mddata and mdinfo files are a SHA1 hash of the full path of the files on-handset location and the domain it is located in. ✤ Filenames do not appear to change, but worst case scenario is iterating over mdinfo files to find the actual file name you need Saturday, March 20, 2010
  • 14. Embedded b64 bplist Decoded <data> Domain Path printf(‘MediaDomain-Library/SMS/Parts/98/02/15874-4.jpg’) | shasum 39cf2a2aaa3dd7d72243e3d638217ccc15ad2575 Saturday, March 20, 2010
  • 15. So what’s in there? Saturday, March 20, 2010
  • 16. Info.plist - All about the phone ✤ This is an unencoded, standard Apple Property List file (XML text) ✤ It contains a wealth of useful information about the phone: ✤ ICC-ID - “Integrated Circuit Card ID”, the hardware serial number of the installed SIM card ✤ IMEI - “International Mobile Equiment Identity”, the hardware serial number of the handset’s baseband proc [*] ✤ Phone Number - Duh. ✤ Serial Number - The iPhone’s serial number (this shows in iTunes) ✤ Product Type - What kind of iPhone (‘iPhone2,1’ = 8GB 3GS, ‘iPhone1,2’ = 8GB 3G, etc.) ✤ Product Version - What iPhone OS revision (3.1.3, 3.1.2, etc.) ✤ Data of Last backup - Duh. ✤ iPhone preferences plist (base64 encoded embedded plist) ✤ Misc. other stuff (encoded / binary application specific data) Saturday, March 20, 2010
  • 17. A note about IMEI and ICC-ID ✤ ICC-ID is burned into the SIM ✤ IMEI is burned into the phone ✤ It is illegal (and technically difficult) to change either the ICC-ID or the IMEI ✤ The ICC-ID identifies which network/carrier sold the SIM ✤ The IMEI can be used to uniquely identify a given handset, and is used by carriers to disable stolen handsets, even if a new SIM is swapped in. ✤ Neither the IMEI nor the ICC-ID is tied to the subscriber account at the GSM protocol level (that would be the IMSI, which is NOT recorded anywhere but in the SIM) ✤ ATT or other carriers and Apple may be able to collaborate with LE to determine a subscribers identity via ICC-ID, IMEI and Apple ID, as the information does exist Saturday, March 20, 2010
  • 19. SQLite - Apple loves it, so should you ✤ Open Source, file-based database engine ✤ Apple uses it extensively across their platforms and application ranges - most iPhone devs know it as ‘CoreData’ ✤ Simple relational database, supports most of SQL-92 ✤ sqlite3 is the OS X built in CLI to access SQLite database files ✤ In the CLI, the ‘.schema’ command shows database and table schemas Saturday, March 20, 2010
  • 20. 3d0d7e5fb2ce288813306e4d4636395e047a3d28.mddata (also known as HomeDomain-Library/SMS/sms.db) ✤ SQLite database ✤ Contains full SMS records (including full text) for phone, since owner originally created an iPhone account (my DB goes back to 2007) ✤ Updated in place during sync - deleted messages are removed, new messages are inserted ✤ Does NOT contain MMS info (although receipt of an MMS is indicated) ✤ Simple data structure for messages table Saturday, March 20, 2010
  • 21. Important fields SMS message table schema Saturday, March 20, 2010
  • 22. SMS Message DB Notes ✤ Address is either source or destination phone number, in 11-digit intl. format (18885551212) ✤ Time is in UNIX epoch format (# of seconds since 1/1/70 0:00 UTC) ✤ Easy to convert - ‘date -r 1268603160’ yields “Sun Mar 14 17:46:00 EDT 2010” ✤ Flags field is used to indicate a number of things (these are all trial/error, not documented): ✤ ‘2’ = Message recieved from ‘address’ ✤ ‘3’ = Message sent from handset to ‘address’ ✤ ’33’ = Message send failure (SMS never sent) ✤ ’35’ = Message send failure (SMS never sent) (I think this also indicates a retry) ✤ ‘129’ = Message deleted (but still appears as a row - no contents though) ✤ ‘131’ = Unknown - no address / etc. ✤ ‘Text’ field is sometimes a plist - this typically indicates an MMS was recieved. MMS text/image information is stored separately (in mddata files outside of the SQLite db). ✤ The other fields appear unused or static (or not of great interest...) Saturday, March 20, 2010
  • 23. 6639cb6a02f32e0203851f25465ffb89ca8ae3fa.mddata (also known as AppDomain-com.facebook.Facebook-Documents/friends.db) ✤ 3rd Party Application example ✤ SQLite database (hey, everybody uses it - thanks CoreData!) ✤ Contains Facebook Friends List and a tiny bit of extra info ✤ Facebook UID ✤ www.facebook.com/profile.php?id=<fbid> ✤ Direct URL to facebook profile picture (no login needed!) ✤ Friends phone numbers, as listed in their profile Saturday, March 20, 2010
  • 24. Facebook App table schema Saturday, March 20, 2010
  • 25. What else is there? Saturday, March 20, 2010
  • 26. Other identified databases Filename Purpose 992df473bbb9e132f4b3b6e4d33f72171e97bc7a.mddata Voicemail List ff1324e6b949111b2fb449ecddb50c89c3699a78.mddata Call log 3d0d7e5fb2ce288813306e4d4636395e047a3d28.mddata SMS Data 740b7eaf93d6ea5d305e88bb349c8e9643f48c3b.mddata Notes’ App data 31bb7ba8914766d4ba40d6dfb6113c8b614be442.mddata Sync’d Address book 6639cb6a02f32e0203851f25465ffb89ca8ae3fa.mddata Facebook App data 970922f2258c5a5a6d449f85b186315a1b9614e9.mddata Flightstats Info 5ad81c93601ac423bc635c7936963ae13177147b.mddata Daily Burn food logger Saturday, March 20, 2010
  • 27. Other items to look for ✤ App developers assume these files are on the phone, away from prying eyes (or interested users...) ✤ Passwords and other account details stored in plaintext ✤ At least Tweetie and Dailyburn store passwords in plaintext ✤ (See 87f665a66ead44fd5592fa427c4def228098fdda.mddata for Tweetie’s twitter account information in bplist format) ✤ Cookies for some apps embedded browsers (see: Facebook) are stored in bplist files (for easier session hijacking, yay!) Saturday, March 20, 2010
  • 28. What’s next? ✤ Time to start trolling through the app store for ‘service’ apps - GMail, GReader, MySpace, etc. to look for more apps that store their user creds in plaintext ✤ Scripting out data extraction for interesting stuff (like finding out hot numbers - who is called / calls the most, and do they have a Facebook picture?) ✤ Integrating a scrape of the address book with the other data tables to give ‘friendly names’ to each phone number ✤ Release existing tools open source via 757Labs Saturday, March 20, 2010
  • 29. Thanks / Credits ✤ 757 Labs for hosting! ✤ ‘dsp’ on LiveJournal for finally figuring out how the sha1’s are generated for file names ✤ Apple, for making CoreData so attractive for developers. SQLite makes trolling through data easy :) ✤ Damon Durand, for some initial work on the meaning of SMS flags Saturday, March 20, 2010