The first part of this article covered the techniques to read iTunes backups. The second part disclosed the procedure to extract protection class keys from the Backup Keybag and covered the techniques and tools to decrypt protected backup files and encrypted backups.
The videos listed in this article demonstrate the iOS 5 backup analysis techniques in more detail.
Note: Demos are captured on Mac OS X Lion 10.6 running iTunes 10.6. An iPhone 4 GSM with iOS 5.0.1 is used in the video.
Video transcript is available here.
Forensic investigation of the backup files allows examiners to gain access to the entire contents of the host phone up to the point at which the backup took place. It is also quite possible that the seized system contains older copies of the backup files, or backups of other iPhones, with a wealth of information.
To view the list of available backups on a system, open iTunes, navigate to Edit -> Preferences (on Windows) or iTunes -> Preferences (on Mac) and choose the Devices tab. It displays the list of backups as shown in the screenshot below.
iTunes also provides an option to delete backup files. To delete an existing iPhone backup, select a backup in the Devices Preferences window (shown in the screenshot above) and click the Delete Backup… button. If a backup has been deleted from a system, examiners can use data recovery or carving tools to recover the deleted files from the system's hard disk. Deleted files are easier to recover from the computer than from the iPhone.
The iPhone stores a lot of user data in the backup files. The following table lists the common sources of potential evidence that can be analyzed in an investigation.
Along with the files listed in the table above, an iPhone backup also contains third-party application files. Sensitive information stored in those files may also provide evidence for the investigation.
Example: the Facebook and LinkedIn iPhone applications store authentication tokens and cookie values in plist files on the device. During a backup, iTunes copies those plist files to the backup folder, so analyzing the backup files gives access to the authentication tokens, which in turn allows logging into the application without supplying the username and password.
More details about Facebook plist hijacking are documented on the soopz blog.
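As an added example (not code from the original article or from any of the tools it covers), the following Python script triages a backup folder for plist files that hold credential-like keys, the kind of exposure the paragraph above describes, so an examiner, or a user auditing their own backups, can see which files carry session material without the values themselves being printed. The key-name patterns, the sample plist and the folder are constructed assumptions; iTunes backup files are sniffed by content because their names are hashes without extensions.

```python
import os
import plistlib
import re
import tempfile
SENSITIVE_KEY = re.compile(r"token|cookie|session|secret|passw", re.IGNORECASE)  # assumption: illustrative, not exhaustive

def _walk(obj, path, hits):
    """Recurse through a parsed plist, recording leaves stored under credential-like keys."""
    if isinstance(obj, dict):
        for key, val in obj.items():
            sub = f"{path}/{key}"
            if SENSITIVE_KEY.search(str(key)) and not isinstance(val, (dict, list)):
                hits.append((sub, type(val).__name__))  # record the type only, never the value
            _walk(val, sub, hits)
    elif isinstance(obj, list):
        for i, val in enumerate(obj):
            _walk(val, f"{path}[{i}]", hits)

def find_sensitive_keys(plist_bytes):
    """Return [(key path, value type)] for credential-like keys in one XML or binary plist."""
    hits = []
    _walk(plistlib.loads(plist_bytes), "", hits)
    return hits

def scan_backup(backup_dir):
    """Map each plist in the folder to its hits; files have hashed names, so sniff content."""
    report = {}
    for root, _, files in os.walk(backup_dir):
        for name in files:
            with open(os.path.join(root, name), "rb") as fh:
                data = fh.read()
            if not (data.startswith(b"bplist00") or data.lstrip().startswith(b"<?xml")):
                continue  # SQLite databases and media files are not plists
            try:
                hits = find_sensitive_keys(data)
            except Exception:  # malformed or truncated plist: skip it, do not abort the scan
                continue
            if hits:
                report[name] = hits
    return report

def demo():
    """Scan a constructed backup folder (sample data, not taken from a real device)."""
    sample = {"UserName": "alice", "AccessToken": "CONSTRUCTED", "Settings": {"SessionCookie": "CONSTRUCTED", "Theme": "dark"}}
    with tempfile.TemporaryDirectory() as folder:
        with open(os.path.join(folder, "constructed_hashed_name"), "wb") as fh:
            fh.write(plistlib.dumps(sample, fmt=plistlib.FMT_BINARY))
        with open(os.path.join(folder, "constructed_sqlite_db"), "wb") as fh:
            fh.write(b"SQLite format 3\x00")
        return scan_backup(folder)
```

Point `scan_backup` at a real backup folder to get the same report for every plist in it; the report names files and key paths, which is enough to decide what to examine or to purge before sharing a backup.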
Forensic analysis of backups does not alter the contents of the live device, so forensic examiners prefer analyzing backups to collect evidence, even though deleted iPhone data cannot be recovered this way.