The first part of the article covered the techniques to read iTunes backups. The second part disclosed the procedure to extract protection class keys from the Backup Keybag and covered the techniques and the tools to decrypt the protected backup files and the encrypted backups.
The videos listed in this article demonstrate the iOS 5 backup analysis techniques in more detail.
Note: Demos are captured on Mac OS X Lion 10.6 running with iTunes 10.6. iPhone 4 GSM with iOS 5.0.1 is used in the video.
Video transcript is available here.
Forensic investigation of the backup files allows examiners to gain access to the entire contents of the host phone as of the point at which the backup took place. It is also quite possible that the seized system contains older copies of the backup files or backups of other iPhones, with a wealth of information.
To view the list of available backups on a system, open iTunes, navigate to Edit->Preferences (on Windows) or iTunes->Preferences (on Mac), and choose the Devices tab. It displays the list of backups as shown in the screenshot below.
iTunes also provides an option to delete the backup files. To delete an existing iPhone backup, select a backup in the Devices Preferences window (shown in the above screenshot) and click the Delete Backup… button. If a backup has been deleted from a system, examiners can use data recovery or carving tools to recover the deleted files from the system hard disk; deleted files are far easier to recover from the computer than from the iPhone itself.
The iPhone stores a lot of user data in the backup files. The following table lists the common sources of potential evidence that can be analyzed in an investigation.
Along with the files listed in the above table, the iPhone backup also contains third-party application files. Sensitive information stored in these third-party application files may also provide evidence for the investigation.
Example: the Facebook and LinkedIn iPhone applications store their authentication tokens and cookie values in plist files on the device. During backup, iTunes copies those plist files from the device to the backup folder. In such cases, analyzing the backup files gives access to the authentication tokens, which in turn allow an examiner to log into the application without supplying the username and password.
More details about Facebook plist hijacking are documented on the soopz blog.
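As an added example (not code from the article), the following Python script audits plist files in a decrypted backup folder and reports entries whose key names look like tokens or cookies, so a developer or examiner can see what an application persists into backups. Since backup files carry hashed names with no extension, it sniffs the content for the binary or XML plist header; the key-name pattern and the sample plist are assumptions constructed for this example.

```python
import os
import plistlib
import re

# Key names that commonly hold session material; this pattern is an
# assumption for the example, not something the article specifies.
SENSITIVE_KEY_RE = re.compile(r"token|cookie|session|auth|passw|secret", re.I)

def is_plist(data):
    return data.startswith(b"bplist") or data.lstrip().startswith(b"<?xml")

def _walk(node, path, flagged=False):
    # Yield (path, value) for leaves under a credential-looking key, including leaves inside a matched container
    if isinstance(node, dict):
        for key, value in node.items():
            child = "%s/%s" % (path, key)
            hit = flagged or bool(SENSITIVE_KEY_RE.search(str(key)))
            if isinstance(value, (dict, list)):
                for item in _walk(value, child, hit):
                    yield item
            elif hit:
                yield child, value
    elif isinstance(node, list):
        for index, value in enumerate(node):
            for item in _walk(value, "%s[%d]" % (path, index), flagged):
                yield item

def find_sensitive_entries(plist_bytes, label=""):
    # Parse one plist (binary or XML) and list its credential-looking entries.
    return list(_walk(plistlib.loads(plist_bytes), label))

def scan_backup_dir(backup_dir):
    # Map each plist file in a decrypted backup folder to its flagged entries.
    report = {}
    for name in sorted(os.listdir(backup_dir)):
        full = os.path.join(backup_dir, name)
        if os.path.isfile(full):
            with open(full, "rb") as fh:
                data = fh.read()
            if is_plist(data) and (hits := find_sensitive_entries(data, name)):
                report[name] = hits
    return report

# Constructed sample shaped like the app preference plists described above; all names and values are invented.
SAMPLE_PLIST = plistlib.dumps(
    {"AppVersion": "5.1",
     "Account": {"UserName": "alice", "OAuthAccessToken": "EXAMPLE-TOKEN-123"},
     "Cookies": [{"Name": "c_user", "Value": "1001"}, {"SessionCookie": "EX"}]},
    fmt=plistlib.FMT_BINARY)
```

Running `scan_backup_dir` against a decrypted backup folder (see the decryption steps in part two) returns a dictionary keyed by backup file name; `find_sensitive_entries(SAMPLE_PLIST, "sample.plist")` shows the output shape on the constructed sample.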
Forensic analysis of backups does not alter the contents of a live device, so forensic examiners prefer analyzing backups to collect evidence, although deleted iPhone data cannot be recovered this way.
I wrote this article for infosecinstitute. Take a look at the web application security course offered by infosecinstitute.

Soumik
May 17, 2013 at 7:38 pm
sudo ARCHFLAGS='-arch i386 -arch x86_64' easy_install pycrypto
This fails and gives a runtime error (autoconf failed) on Mac OS X 10.8.2 with Python version 2.7.
Soumik
May 17, 2013 at 7:40 pm
Other ways to install pycrypto also fail. When downloading, pycrypto 2.6 tar.gz automatically gets selected as the best match. How do I solve this to go ahead with the process?
satishb3
May 17, 2013 at 8:16 pm
Just try sudo easy_install pycrypto. It shows some warnings but works well.