
iPhone Forensics – Analysis of iOS 5 backups : Video

June 29

The first part of the article covered the techniques for reading iTunes backups. The second part disclosed the procedure for extracting protection class keys from the Backup Keybag and covered the techniques and tools for decrypting the protected backup files and the encrypted backups.

The videos listed in this article demonstrate the iOS 5 backup analysis techniques in more detail.

Note: The demos were captured on Mac OS X Lion 10.6 running iTunes 10.6. An iPhone 4 GSM with iOS 5.0.1 is used in the video.

Video transcript is available here.

Forensic investigation of the backup files allows examiners to gain access to the entire contents of the host phone up to the point at which the backup took place. It is also quite possible that the seized system contains older copies of the backup files, or backups of other iPhones, holding a wealth of information.

To view the list of available backups on a system, open iTunes, navigate to the Edit->Preferences (on Windows) or iTunes->Preferences (on Mac) menu and choose the Devices tab. It displays the list of backups as shown in the screenshot below.
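The same inventory can be taken without iTunes by reading each backup folder's own metadata. The script below is an added example, not code from the original article or its videos; it assumes the standard backup layout (one folder per device UDID holding Info.plist and Manifest.plist) and the Info.plist keys Device Name, Product Version and Last Backup Date, and it builds constructed sample folders so it runs offline.

```python
import os
import plistlib
import tempfile
from datetime import datetime

def inventory_backups(backup_root):
    """One summary dict per iTunes backup folder directly under backup_root.

    A backup is a folder named after the device UDID; Info.plist carries the
    device metadata iTunes shows in the Devices tab and Manifest.plist carries
    the IsEncrypted flag. Folders without Info.plist are skipped."""
    found = []
    for name in sorted(os.listdir(backup_root)):
        folder = os.path.join(backup_root, name)
        info_path = os.path.join(folder, "Info.plist")
        if not os.path.isfile(info_path):
            continue
        with open(info_path, "rb") as fh:
            info = plistlib.load(fh)
        encrypted = None  # unknown when Manifest.plist is absent
        manifest_path = os.path.join(folder, "Manifest.plist")
        if os.path.isfile(manifest_path):
            with open(manifest_path, "rb") as fh:
                encrypted = bool(plistlib.load(fh).get("IsEncrypted", False))
        found.append({"udid": name,
                      "device": info.get("Device Name"),
                      "ios": info.get("Product Version"),
                      "last_backup": info.get("Last Backup Date"),
                      "encrypted": encrypted})
    return found

def make_sample_backup_root():
    """Constructed sample data: two fake backup folders; the UDIDs are made up."""
    root = tempfile.mkdtemp()
    samples = [
        ("0a1b2c3d4e5f60718293a4b5c6d7e8f9a0b1c2d3", True, datetime(2012, 6, 20, 9, 30)),
        ("ffeeddccbbaa99887766554433221100ffeeddcc", False, datetime(2012, 6, 28, 18, 5)),
    ]
    for udid, enc, when in samples:
        folder = os.path.join(root, udid)
        os.mkdir(folder)
        with open(os.path.join(folder, "Info.plist"), "wb") as fh:
            plistlib.dump({"Device Name": "iPhone 4", "Product Version": "5.0.1",
                           "Last Backup Date": when}, fh)
        with open(os.path.join(folder, "Manifest.plist"), "wb") as fh:
            plistlib.dump({"IsEncrypted": enc}, fh)
    os.mkdir(os.path.join(root, "not-a-backup"))  # a stray folder the inventory must skip
    return root
```

The encrypted flag tells the examiner up front whether the Backup Keybag procedure from the second part is needed before any file in that backup can be read.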


Delete iPhone backup

iTunes also provides an option to delete the backup files. To delete an existing iPhone backup, select a backup in the Devices Preferences window (shown in the above screenshot) and click the Delete Backup… button. If a backup has been deleted from a system, examiners can use data recovery or carving tools to recover the deleted files from the system hard disk. Deleted files are easier to recover from a computer than from an iPhone.

The iPhone stores a lot of user data in the backup files. The following table lists the common sources of potential evidence that can be analyzed in an investigation.

iPhone forensics data acquisition

Along with the files listed in the above table, the iPhone backup also contains third-party application files. Sensitive information stored in those files may also provide evidence for the investigation.

Example: the Facebook and LinkedIn iPhone applications store their authentication tokens and cookie values in plist files on the device. During a backup, iTunes copies those plist files from the device to the backup folder. In such cases, analyzing the backup files gives access to the authentication tokens, which in turn allow logging into the application without supplying the username and password.
More details about Facebook plist hijacking are documented on the soopz blog.

Forensic analysis of backups does not alter the contents of a live device, so forensic examiners prefer analyzing the backups to collect evidence, even though deleted iPhone data cannot be recovered from them.

I wrote this article for infosecinstitute. Take a look at the web application security course offered by infosecinstitute.


Posted by on June 29, 2012 in iPhone


6 responses to “iPhone Forensics – Analysis of iOS 5 backups : Video”

  1. Soumik

    May 17, 2013 at 7:38 pm

    sudo ARCHFLAGS='-arch i386 -arch x86_64' easy_install pycrypto

    This fails with the runtime error "autoconf failed" on Mac OS X 10.8.2 with Python version 2.7.

  2. Soumik

    May 17, 2013 at 7:40 pm

    Other ways to install pycrypto also fail. When downloading, pycrypto 2.6 tar.gz automatically gets selected as the best match. How do I solve this to go ahead with the process?

    • satishb3

      May 17, 2013 at 8:16 pm

      Just try sudo easy_install pycrypto. It shows some warnings but works well.

  3. Andrian

    December 31, 2015 at 2:03 am

    Can you help me with an iPhone 4s lock-screen passcode? My son changed it and I don't want to restore the iPhone because it will erase my email account password. Tell me how to find the passcode and what program to use on Windows 7.
    Many thanks, Andrian

    • satishb3

      January 2, 2016 at 1:17 pm

      There is no way to bypass passcode for iPhone 4s.
