One common approach to iPhone forensics is to analyze the backup directory. There is a difference between syncing an iPhone and backing it up. Basically, syncing makes sure files on your computer and iPhone are in sync and does back up some key information. However, a backup will make copies of SMS, call logs, application data, etc. For a forensic analyst, the backup information can be very important, especially if you do not have access to the iPhone directly.
Backup data location
iTunes backups of the iPhone (and iPod, iTouch, etc.) are stored in the following directories:
- Windows XP: C:\Documents and Settings\(username)\Application Data\Apple Computer\MobileSync\Backup\
- Windows Vista: C:\Users\(username)\AppData\Roaming\Apple Computer\MobileSync\Backup\
- Mac OS X: /Users/(username)/Library/Application Support/MobileSync/Backup/
Backup folder files
Inside the backup folder, you will find 3 plist files (plaintext, not binary encoded) and many .mdbackup files:
- Status.plist – status of last sync
- Manifest.plist – list of all files backed up, modification time and hash signature
- Info.plist – information about the iPhone
- *.mdbackup – the name of the file is the SHA1 hash when backed up from the iPhone; the data is serialized off the iPhone and stored as the backup file
The Info.plist has detailed information about the iPhone (name, ICCID, IMEI, phone number, firmware version, iTunes file and version info, etc.) and can thus tie a physical device to the backup directory. The Manifest.plist is important as it ensures data integrity between the backup files and the iPhone. Using this information, an examiner can manually construct important information during an investigation.
Commercial forensic products that analyze iPhone backup directory
Of course, time is precious and manually decoding this information is better left to forensic tools. A good examiner will understand the process and the information and, if needed, should be able to perform these steps manually. However, using a tool you trust is a great way to access the information quickly. Here is an alphabetical list (likely incomplete but I will update) of forensic tools which state they analyze the iPhone backup directory:
- Device Seizure – Paraben
- Mac Lock Pick – SubRosaSoft
- MDBackupExtract – BlackBag Tech
- WOLF – Sixth Legion
My complete analysis of iPhone forensic software will be available soon, so please sign up for your copy now. This report will analyze all available iPhone forensic tools, perform an acquisition and compare results. It will include screenshots, pitfalls and other information key to making a good choice for iPhone forensic software.
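For examiners who want to do the first manual step themselves, the following added example (not code from the original post or from any of the tools listed) inventories each backup folder and reads the device identifiers from Info.plist. The Info.plist key names in `ID_KEYS` are assumptions, since the post names the fields but not the keys, and the sample backup it builds is constructed data.

```python
import hashlib
import plistlib
import tempfile
from pathlib import Path

# Assumed Info.plist key names (the post names the fields, not the keys).
ID_KEYS = ("Device Name", "ICCID", "IMEI", "Phone Number", "Product Version", "iTunes Version")

def sha1_file(path):  # SHA-1 of the file contents, for the examiner's evidence log
    return hashlib.sha1(Path(path).read_bytes()).hexdigest()

def summarize_backup(backup_dir):
    """Return device identifiers and a file inventory for one backup folder."""
    backup_dir = Path(backup_dir)
    out = {"backup": backup_dir.name, "device": {}, "plist_sha1": {}, "missing": [], "error": None}
    for name in ("Info.plist", "Manifest.plist", "Status.plist"):
        path = backup_dir / name
        if path.is_file():
            out["plist_sha1"][name] = sha1_file(path)
        else:
            out["missing"].append(name)  # e.g. a backup whose Manifest.plist was lost
    if "Info.plist" in out["plist_sha1"]:
        try:
            with open(backup_dir / "Info.plist", "rb") as fh:
                info = plistlib.load(fh)  # accepts XML and binary plists
            out["device"] = {key: info.get(key) for key in ID_KEYS}
        except Exception as exc:  # damaged or unexpected plist: record it, keep going
            out["error"] = f"Info.plist: {exc}"
    out["mdbackup_count"] = sum(1 for _ in backup_dir.glob("*.mdbackup"))
    return out

def summarize_all(backup_root):  # one summary per folder under MobileSync/Backup
    return [summarize_backup(d) for d in sorted(Path(backup_root).iterdir()) if d.is_dir()]

def build_sample(root):
    """Constructed sample: one backup folder with made-up identifiers, no Manifest.plist."""
    folder = Path(root) / "constructed-backup-0001"
    folder.mkdir(parents=True)
    info = {"Device Name": "Example iPhone", "IMEI": "000000000000000", "Product Version": "2.2"}
    (folder / "Info.plist").write_bytes(plistlib.dumps(info))
    (folder / "Status.plist").write_bytes(plistlib.dumps({"Constructed": True}))
    for stem in ("aaaa", "bbbb"):
        (folder / f"{stem}.mdbackup").write_bytes(b"constructed")
    return folder

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        print(summarize_all(tmp))
```

Run it against a working copy of the backup directory rather than the original evidence, and point `summarize_all` at the MobileSync/Backup path for the platform in question.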

Thank you God there is someone who knows manifest.plist
I have lost my manifest.plist and I need to restore my iPhone by backup. I have only mddata and mdinfo files. What do I have to do to restore without manifest.plist?