July 10th, 2009 by ahoog

iPhone Forensics White Paper - MD Backup Extract

iPhone Forensics - MDBackup Extract

Andrew Hoog and Kyle Gaffaney

viaFORENSICS

June 2009


Chapter 1. MDBackup Extract (2.2/5.0)

Summary (from company information)

MDBackup Extract is a Mac-only forensic tool from BlackBag Technologies (makers of Macintosh Forensic Suite and MacQuisition Boot Disk) that analyzes data from the iTunes MobileSync backup directory. The tool is currently in beta and product information is limited. Since the utility runs only on a Mac, a backup created on a Windows computer must first be copied to a Mac for analysis.

Installation

The program was delivered to me via email. After I downloaded it, Mac OS X recognized it as an application, asked me to confirm that I wished to run a program downloaded from the Internet, and it was then up and running. Presumably the first release of this product will have some activation component.

Forensic Acquisition

When the application starts, you must select the iPhone backup folder from your computer.

Figure 1.1. MDBackup No Results

The first time I selected the backup folder, I mis-clicked and did not select the correct folder. The application accepted this folder but did not produce any results. After realizing my mistake, I selected the full backup folder and was then prompted to select an Extraction folder for the results. Less than a minute later, the files were extracted and ready for analysis.

Results and Reporting

The main application window shows the results of the extraction and allows you to analyze the information.

Figure 1.2. MDBackup Extraction Folder

If you look at the resulting folder on the Mac, you will find that the application stores each extracted file in the Extraction directory and creates a subfolder called Original_Files, which allows you to open and analyze the extracted files while still retaining an original copy. If you click on Device Info, the main Info.plist file with the core phone information is presented.
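The extraction layout just described (decoded files in an Extraction folder, untouched copies in Original_Files, device details read from Info.plist) is easy to reproduce and to verify. The script below is an added example written for this page; it is not BlackBag's code. It assumes the iPhone OS 2.x-era backup format in which each backed-up file is a <name>.mdbackup binary plist carrying the file bytes under a "Data" key and a "Metadata" dictionary with "Domain" and "Path" (later iTunes releases use .mdinfo/.mddata files and Manifest.mbdb instead, which it does not handle), and it assumes Info.plist keys such as "Device Name" and "Product Version". The sample backup, its file names and the device values are constructed inline so the script runs offline. Two things the review found wanting are built in: a SHA-1 manifest covering every source and extracted file, and a check that a "Path" value cannot write outside the Extraction folder.

```python
# Added example, not BlackBag's code. ASSUMPTIONS (verify on a real backup):
#  * each backed-up file is <name>.mdbackup, a binary plist with top-level keys
#    "Data" (raw file bytes) and "Metadata" (dict with "Domain" and "Path");
#  * Info.plist carries keys such as "Device Name" and "Product Version".
# The backup written by build_sample_backup() is constructed sample data.
import hashlib
import plistlib
import shutil
import tempfile
from pathlib import Path

DEVICE_KEYS = ("Device Name", "Product Type", "Product Version", "Unique Identifier")


def sha1_bytes(data: bytes) -> str:
    return hashlib.sha1(data).hexdigest()


def sha1_file(path: Path) -> str:
    h = hashlib.sha1()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_sample_backup(root: Path) -> Path:
    """Write a constructed two-file backup (sample data, not from a real phone)."""
    backup = root / "MobileSync" / "Backup" / "0123456789abcdef0123456789abcdef01234567"
    backup.mkdir(parents=True)
    info = {"Device Name": "Example iPhone", "Product Type": "iPhone1,2",
            "Product Version": "2.2.1",
            "Unique Identifier": "0123456789abcdef0123456789abcdef01234567"}
    (backup / "Info.plist").write_bytes(plistlib.dumps(info))
    files = {  # (domain, path) -> content; the sms.db bytes are a stand-in, not a database
        ("HomeDomain", "Library/SMS/sms.db"): b"SQLite format 3\x00constructed stand-in",
        ("HomeDomain", "Library/Preferences/com.apple.example.plist"):
            plistlib.dumps({"Example": True}),
    }
    for (domain, path), data in files.items():
        record = {"Data": data, "Metadata": {"Domain": domain, "Path": path}, "Version": "3.0"}
        name = sha1_bytes(f"{domain}-{path}".encode())  # assumed naming; iTunes' input differs
        (backup / f"{name}.mdbackup").write_bytes(plistlib.dumps(record, fmt=plistlib.FMT_BINARY))
    return backup


def device_info(backup: Path) -> dict:
    with (backup / "Info.plist").open("rb") as f:
        info = plistlib.load(f)
    return {k: info.get(k) for k in DEVICE_KEYS}


def safe_destination(extraction: Path, domain: str, rel_path: str) -> Path:
    """Refuse a Metadata Path that would escape the Extraction folder ('../', absolute)."""
    dest = extraction / domain / rel_path
    try:
        dest.resolve().relative_to(extraction.resolve())
    except ValueError:
        raise ValueError(f"refusing to write outside extraction folder: {domain}/{rel_path}")
    return dest


def extract_backup(backup: Path, extraction: Path) -> list:
    """Decode each .mdbackup to Extraction/<Domain>/<Path>, copy the source into
    Original_Files untouched, and return one manifest row per file."""
    originals = extraction / "Original_Files"
    originals.mkdir(parents=True, exist_ok=True)
    manifest = []
    for src in sorted(backup.glob("*.mdbackup")):
        shutil.copy2(src, originals / src.name)  # evidence copy, timestamps preserved
        with src.open("rb") as f:
            record = plistlib.load(f)
        meta = record["Metadata"]
        dest = safe_destination(extraction, meta["Domain"], meta["Path"])
        dest.parent.mkdir(parents=True, exist_ok=True)
        dest.write_bytes(record["Data"])
        manifest.append({"source": src.name, "domain": meta["Domain"], "path": meta["Path"],
                         "size": len(record["Data"]), "source_sha1": sha1_file(src),
                         "extracted_sha1": sha1_file(dest)})
    cols = ("source", "domain", "path", "size", "source_sha1", "extracted_sha1")
    with (extraction / "manifest.tsv").open("w") as out:
        out.write("\t".join(cols) + "\n")
        for row in manifest:
            out.write("\t".join(str(row[c]) for c in cols) + "\n")
    return manifest


def demo() -> tuple:
    """Build the sample backup in a temp dir, extract it, return (info, rows, extraction)."""
    root = Path(tempfile.mkdtemp(prefix="mdbackup_demo_"))
    backup = build_sample_backup(root)
    extraction = root / "Extraction"
    return device_info(backup), extract_backup(backup, extraction), extraction


if __name__ == "__main__":
    info, rows, extraction = demo()
    print(info)
    for r in rows:
        print(f'{r["domain"]}/{r["path"]}  {r["size"]} bytes  sha1={r["extracted_sha1"]}')
    print("manifest:", extraction / "manifest.tsv")
```

The manifest records a hash of both the .mdbackup container and the decoded file, so an examiner can later show that what was analyzed came from that container and was not altered; the source and extracted hashes differ by design because the container wraps the bytes in a plist.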

Figure 1.3. MDBackup Device Info

You can click on the Thumbnails button and the application will make a copy of all image files, create thumbnails and then write an HTML file (and open it in Preview) that lets you quickly scan the recovered images. More information is shown when you hover over a picture, and if you click on it you can see the full picture.

Figure 1.4. MDBackup Pictures

You can search for any keyword by entering it and clicking the Search button (unfortunately you cannot simply hit Return); the results pop up in a new window.

Figure 1.5. MDBackup Search Results

The application is file-type aware and will run the appropriate viewer when you double-click on a row. I found the built-in SQLite viewer a very nice touch.

Figure 1.6. MDBackup SQLite Viewer

For certain data types (SMS, Call Log, Address Book, Address Book Images, Notes and Calendar), you can click on the Smart Report button and the application will save the important fields to a file and convert the times to GMT. While the formatting of the text report makes it a little difficult to follow in most text editors, this is still a nice feature.

Since the utility extracted the files to the file system, it allowed for a thorough analysis of the SQLite, Plist and other files, resulting in a fair amount of information being extracted. However, all media files were missed (songs, video, podcasts, etc.). Nearly 200 files were extracted, including over 150 Plist and XML configuration files.

There are some usability issues I came across. For instance, I did not find any way to open an existing acquisition, which meant each time I wanted to verify something I had to re-run the acquisition process. While this process was very fast, it still was a bit cumbersome to run multiple times.
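Because the extracted SQLite files sit on the file system, a Smart Report of the kind described above can also be produced outside the tool. The script below is an added example written for this page, not BlackBag's Smart Report. It assumes the schema of the 2009-era sms.db "message" table as far as it matters here: the time in a "date" column of Unix epoch seconds, an "address", a "text" and a "flags" column whose values 2 and 3 are taken to mean received and sent (an assumption to confirm against a real database). The messages are constructed sample rows loaded into an in-memory database. The time converter goes one step beyond the page: it also accepts the 2001-01-01 ("Mac absolute") epoch that later iOS databases use, in seconds or nanoseconds. Output is tab-separated so the columns stay readable in any editor, which addresses the formatting complaint above.

```python
# Added example, not BlackBag's Smart Report. ASSUMPTIONS: the 2009 sms.db
# "message" table keeps the time in "date" as Unix epoch seconds, and its
# "flags" column used 2 for a received and 3 for a sent message. SAMPLE_ROWS are
# constructed, not real messages. The "mac" epoch branch is beyond the page.
import sqlite3
from datetime import datetime, timezone

MAC_EPOCH_OFFSET = 978307200                   # 2001-01-01T00:00:00Z as a Unix timestamp
FLAG_DIRECTION = {2: "received", 3: "sent"}    # assumed meaning of the old flags column
REPORT_COLUMNS = ("rowid", "address", "date_gmt", "direction", "text")

SAMPLE_ROWS = [  # (address, date, text, flags): constructed sample data
    ("+15555550100", 1246000000, "Meet at the lab at 9?", 2),
    ("+15555550100", 1246000300, "On my way.", 3),
    ("+15555550123", 1246003600, "Backup finished\tsee notes", 2),
]


def to_gmt(raw, epoch="unix") -> str:
    """Render a stored timestamp as 'YYYY-MM-DD HH:MM:SS GMT'.
    epoch="unix": seconds since 1970-01-01 (the 2009 sms.db).
    epoch="mac":  seconds since 2001-01-01; nanosecond values are scaled down."""
    seconds = float(raw)
    if epoch == "mac":
        if seconds > 1e11:        # far beyond any plausible seconds value: nanoseconds
            seconds /= 1e9
        seconds += MAC_EPOCH_OFFSET
    elif epoch != "unix":
        raise ValueError(f"unknown epoch {epoch!r}")
    return datetime.fromtimestamp(seconds, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S GMT")


def build_sample_db() -> sqlite3.Connection:
    """In-memory stand-in for sms.db with the handful of columns this report reads."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE message (ROWID INTEGER PRIMARY KEY, address TEXT, "
                "date INTEGER, text TEXT, flags INTEGER)")
    con.executemany("INSERT INTO message (address, date, text, flags) VALUES (?, ?, ?, ?)",
                    SAMPLE_ROWS)
    con.commit()
    return con


def smart_report(con: sqlite3.Connection, epoch="unix") -> list:
    """Return the important fields of every message, oldest first, times in GMT."""
    cur = con.execute("SELECT ROWID, address, date, text, flags FROM message ORDER BY date, ROWID")
    rows = []
    for rowid, address, date, text, flags in cur:
        rows.append({"rowid": rowid, "address": address, "date_gmt": to_gmt(date, epoch),
                     "direction": FLAG_DIRECTION.get(flags, f"flags={flags}"),
                     "text": text or ""})
    return rows


def render_report(rows: list) -> str:
    """One header line plus one tab-separated line per message; tabs and newlines
    inside the text are flattened to spaces so the columns stay aligned."""
    lines = ["\t".join(REPORT_COLUMNS)]
    for r in rows:
        cells = [str(r[c]).replace("\t", " ").replace("\n", " ") for c in REPORT_COLUMNS]
        lines.append("\t".join(cells))
    return "\n".join(lines) + "\n"


def write_report(rows: list, path: str) -> int:
    with open(path, "w", encoding="utf-8") as out:
        out.write(render_report(rows))
    return len(rows)


if __name__ == "__main__":
    print(render_report(smart_report(build_sample_db())), end="")
```

Run it against a real extraction by replacing build_sample_db() with sqlite3.connect("path/to/sms.db") and, for an iOS 4 or later database, passing epoch="mac".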

Matrix of Results

The following are the results from the MDBackup Extract tests.

Table 1.1. MDBackup Matrix of Results

Scenario        MDBackup Results      Ranking (0-5)   vs. Expected
Call Logs       100                   3               Meet
SMS             262                   3               Meet
Contacts        1282 (14 w/images)    3               Meet
Email           0                     0               Miss
Calendar        3070                  3               Meet
Notes           1                     3               Meet
Pictures        84                    4               Above
Songs           0                     0               Miss
Web History     2                     3               Meet
Bookmarks       5                     3               Meet
Cookies         29                    5               Above
App Info        Yes                   3               Meet
Google Maps     5 histories           3               Meet
Voicemail       0                     0               Miss
Password        7                     3               Meet
Plists/XML      108                   3               Meet
Phone Info      Yes                   3               Meet
Video           0                     0               Miss
Podcasts        0                     0               Miss
Speed Dials     4                     3               Meet
VPN             Yes                   3               Meet
Bluetooth       1                     3               Meet
GPS             Yes                   3               Meet
File Hashes     Some                  2               Below
YouTube         50 URLs               4               Above
HTML            0                     0               Miss
Office Docs     0                     0               Miss


Conclusions

MDBackup Extract shows promise as an iPhone forensic tool for analyzing the backup directory. The native file and data viewers are fast and the search is effective. With some additional usability tweaks, the application could be a strong tool for consideration. The following ranking establishes MDBackup Extract’s overall rating of 2.2 on the four criteria established at the beginning of this white paper.

Table 1.2. MDBackup Extract Rankings

Area            Weight   Rank
Installation    0.1      3.0
Acquisition     0.2      3.0
Reporting       0.3      1.0
Accuracy        0.4      2.3
TOTAL           1.0      2.2


Chapter 2. About this white paper

About the Authors

Andrew Hoog, Chief Investigative Officer of viaForensics, is a recognized computer scientist and forensic analyst and former chief information officer of a $750 million multinational corporation. He has led investigations, contributed to policy development and lectured at corporations, attorneys' associations and law enforcement agencies about the computer forensic discipline. He maintains a computer forensics and e-discovery glossary, authors computer/mobile forensic how-to guides and is now writing a book about Android forensics. He is the original author of this groundbreaking white paper on iPhone Forensics, which has gained recognition throughout the industry.

Kyle Gaffaney is a third-year law student at Loyola University of Chicago School of Law. Kyle also holds degrees in Accounting and Management Information Systems from the University of Minnesota Carlson School of Management. Prior to law school, Kyle served as a staff accountant at a financial management firm.

About viaForensics

viaForensics is an innovative computer/mobile forensic and e-discovery company providing expert consulting services to corporations, law firms, law enforcement and government agencies.

Beyond serving our clients' immediate needs, the company focuses on groundbreaking research in areas such as mobile forensics, SQLite forensics, data visualization and general education on forensics, regularly posting HOWTOs, glossary terms and the results of our research at viaforensics.com.

Why Outsource?

One key strategy for minimizing this risk is to implement computer forensic techniques. But why outsource? Often the initial response is that internal IT resources can perform these services in addition to their normal day-to-day tasks. In reality, there are significant burdens, including:

  • Impartiality: Your case must be credible, unbiased and withstand legal scrutiny; internal investigations present major obstacles in each of these areas.
  • Expertise: viaForensics is a qualified expert in the Federal Courts. Expert status is a product of extensive training and a wide range of experience, often a challenge in a single corporate environment.
  • Cost: Forensic hardware, software and training are singular in purpose and require major capital investments and recurring expenses.