#8 – iTunes Backup Manifest.db

The Manifest.db is a SQLite database storing information about the iTunes backup. When opened with DB Browser for SQLite, switch to the Browse Data tab to preview the contents of the tables.

[Screenshot: Manifest.db]

In the above screenshot, the table's contents appear on the left side. When a cell shows BLOB, you will likely want to export the data and view it in another application. To see the content within DB Browser, change the Mode on the right side to Binary. This shows the BLOB content, which in this case is an embedded binary plist. (Welcome to iOS and macOS! You will quickly get used to seeing embedded binary plists, double-embedded plists, and so on. It is plist Inception!)

To export the binary plist, click Export and save the file to a new location. Change the file extension to .plist and open it with your plist viewer of choice. (On macOS, you can view these natively or use Xcode. On Windows, try Paul Sanderson's BPList Viewer.)

[Screenshot: Exported Binary Plist]

The exported plist will include file information and dates, depending on which binary plist you exported. The highlighted item "LastStatusChange" is actually a Unix epoch timestamp. If you see a number starting with 14 or 15, count on it being a Unix epoch date.

[Screenshot: Unix Epoch Converter]

In the above example, the Unix epoch value "1527733038" has been converted to a human-readable date. EpochConverter.com is a great, free resource for converting date values and supports batch conversion of dates. Other popular conversion tools are Dcode, DateDecode, Unix Timestamp, and my personal favorite, epochalypse.py.
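To show the Manifest.db workflow above end to end (read the BLOB, recognise the embedded binary plist, convert the epoch value to a date), here is an added example that is not code from the original post. It builds a constructed in-memory Manifest.db with the Files table layout of an iTunes backup; the fileID is a placeholder and the "file" BLOB is a flat binary plist rather than the NSKeyedArchiver plist a real backup carries.

```python
import plistlib
import sqlite3
from datetime import datetime, timezone

# Constructed sample Manifest.db with the Files table layout of an iTunes backup
# (fileID, domain, relativePath, flags, file). A real "file" BLOB is an
# NSKeyedArchiver plist; a flat binary plist is used here so the example is
# self-contained. The fileID is a placeholder, not a real hash.
def build_sample_manifest():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Files (fileID TEXT PRIMARY KEY, domain TEXT, "
                 "relativePath TEXT, flags INTEGER, file BLOB)")
    meta = {"LastStatusChange": 1527733038, "Size": 2048, "Mode": 33188}
    conn.execute("INSERT INTO Files VALUES (?, ?, ?, ?, ?)",
                 ("0123456789abcdef0123456789abcdef01234567", "HomeDomain",
                  "Library/SMS/sms.db", 1, plistlib.dumps(meta, fmt=plistlib.FMT_BINARY)))
    conn.commit()
    return conn

def looks_like_epoch(value):
    """Ten-digit integer starting with 14 or 15: a Unix timestamp in 2014..2020."""
    return isinstance(value, int) and 1_400_000_000 <= value < 1_600_000_000

def epoch_to_utc(value):
    return datetime.fromtimestamp(value, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC")

def decode_blob(blob):
    """Parse an embedded binary plist and convert epoch-looking ints to dates."""
    if not blob or not blob.startswith(b"bplist"):  # binary plist magic bytes
        return None
    meta = plistlib.loads(blob)
    return {k: (epoch_to_utc(v) if looks_like_epoch(v) else v) for k, v in meta.items()}

def dump_file_metadata(conn):
    """Return (fileID, domain, relativePath, decoded metadata) for each row."""
    rows = []
    for file_id, domain, rel_path, blob in conn.execute(
            "SELECT fileID, domain, relativePath, file FROM Files"):
        decoded = decode_blob(blob)
        if decoded is not None:
            rows.append((file_id, domain, rel_path, decoded))
    return rows
```

Against a real backup, point sqlite3.connect at the Manifest.db file instead of building the sample; the 1527733038 value from the screenshot decodes to 2018-05-31 02:17:18 UTC.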

#7 – iTunes Backup Manifest.plist

The Manifest.plist is another file in the root of the iTunes backup folder.

[Screenshot: Manifest.plist]

Like the other plists, this one lists the device name, serial number, and Unique Device ID. Additional values indicate whether the backup is encrypted, whether the device syncs to iCloud, whether a passcode is set on the device (separate from backup encryption), WiFi sync capability, and any accessibility features that are enabled.

A note about com.apple.mobile.wireless_lockdown: this key does not indicate whether WiFi is enabled on the device. It shows whether iTunes can sync with the device over WiFi.

[Screenshot: iTunes Sync Options]

Also note (unrelated to the Manifest.plist): if you want to prevent the phone from automatically syncing when it is plugged into your computer, uncheck the box "Automatically sync when this iPhone is connected."

#6 – iTunes Backup Status.plist

Yesterday I mentioned there were a few plists and a database in the root of the backup folder. I explained the Info.plist, but today I want to explain the Status.plist.

[Screenshot: Status.plist]

In some scenarios, you will only have a limited amount of time with a device, and you want to ensure you have everything you need. This plist is a quick way to check. The Status.plist shows whether a backup has fully completed, whether it is a full backup, and the date the backup was created.

What does it mean when IsFullBackup is NO? In the Day #3 post, I mentioned there were options to encrypt an iTunes backup. When encryption is not selected (i.e. you do not encrypt the backup), IsFullBackup will be set to NO. When you do choose to encrypt the backup, IsFullBackup will be set to YES.


#5 – iTunes Backups Continued

Ideally, your workstation should be free of previous user and client data when you begin your collections. This is not always possible when you are at a client site and requested to image multiple devices. If you can, image the devices to an encrypted external drive or an encrypted file/partition. The big caveat is when you use iTunes as your collection method, since it saves the backups to its default location. On Windows, that location is: \Users\[username]\AppData\Roaming\Apple Computer\MobileSync\Backup\. On Mac, that location is: /Users/[username]/Library/Application Support/MobileSync/Backup/. Essentially, searching for "MobileSync" or Info.plist on either OS will locate the iTunes backups.

Each device's iTunes backup is stored in a folder named by the device's unique identifier. The backup contains a series of subfolders with numeric names, plus an Info.plist, Manifest.db, Manifest.plist, and Status.plist.

[Screenshot: iTunes Backup Folder]

Backups from multiple devices are not merged; each backup is stored under its own unique identifier. The easiest way to find whose data belongs to which unique identifier is to open the Info.plist file.

[Screenshot: iTunes Backup Info.plist]

Items included are:

  • Device Name
  • IMEI Number
  • Last Backup Date
  • Phone Number
  • Type of Phone
  • iOS Version
  • Unique Identifier
  • iTunes Version

This is where you can associate a backup folder name (the Unique Identifier) with a specific user's device. It is especially helpful when you have multiple phone backups on one computer.

In another post, I will explain the Status.plist, Manifest.plist, and Manifest.db.
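Pulling together the backup-folder layout from this post with the Status.plist and Manifest.plist notes from Days #6 and #7, here is an added triage script that is not code from the original post. It builds a constructed MobileSync-style tree in a temp directory (two UDID-named folders, each with Info.plist, Manifest.plist and Status.plist) and maps each folder to its device and backup state; the plist key names are assumed to match those seen in real iTunes backups, and the sample follows the post's observation that IsFullBackup tracks whether the backup was encrypted.

```python
import os
import plistlib
import tempfile
from datetime import datetime

def _write_plist(folder, name, data):
    with open(os.path.join(folder, name), "wb") as f:
        plistlib.dump(data, f)

def _read_plist(folder, name):
    path = os.path.join(folder, name)
    if not os.path.isfile(path):
        return {}
    with open(path, "rb") as f:
        return plistlib.load(f)

# Constructed sample <root>/<UDID>/{Info,Manifest,Status}.plist; key names follow
# real iTunes backups (assumed here), values and UDIDs are made up.
def build_sample_backup_root():
    root = tempfile.mkdtemp(prefix="MobileSync_")
    when = datetime(2018, 6, 20, 20, 48, 12)
    for udid, name, product, encrypted in (
            ("0" * 39 + "1", "Custodian iPhone", "iPhone9,3", True),
            ("0" * 39 + "2", "Spare iPad", "iPad6,11", False)):
        folder = os.path.join(root, udid)
        os.makedirs(folder)
        _write_plist(folder, "Info.plist", {
            "Device Name": name, "Product Type": product, "Product Version": "11.4",
            "Unique Identifier": udid.upper(), "Last Backup Date": when})
        _write_plist(folder, "Manifest.plist", {"IsEncrypted": encrypted})
        _write_plist(folder, "Status.plist",
                     {"IsFullBackup": encrypted, "SnapshotState": "finished", "Date": when})
    return root

def triage_backups(root):
    results = {}
    for udid in sorted(os.listdir(root)):
        folder = os.path.join(root, udid)
        info = _read_plist(folder, "Info.plist")
        if not info:
            continue  # no Info.plist: not an iTunes backup folder
        manifest = _read_plist(folder, "Manifest.plist")
        status = _read_plist(folder, "Status.plist")
        results[udid] = {
            "device": info.get("Device Name"), "product": info.get("Product Type"),
            "ios": info.get("Product Version"), "last_backup": info.get("Last Backup Date"),
            "encrypted": manifest.get("IsEncrypted"), "full_backup": status.get("IsFullBackup"),
            "finished": status.get("SnapshotState") == "finished"}
    return results
```

On a real workstation, pass the MobileSync/Backup path from above to triage_backups instead of building the sample tree.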

#4 – Taking a Step Back

A few people have reached out asking how I got into forensics, so before I dive too deeply into tech posts (and following up on yesterday’s iTunes Backup post), I figured I should stop to answer this.

As a child of the 80s, I grew up with the best TV shows – my favorites being Thundercats, Laverne & Shirley, MacGyver, and Inspector Gadget. The last two really drew me to puzzles, investigations, and keeping me curious. On top of that, my Dad had an old computer that I primarily used to play Avoid the Noid and figure out basic DOS commands when no one was looking. My parents really had their work cut out for them.

It wasn't until high school that I really tried to figure out my path. My interests had shifted a bit to serial killers and their mentality. This was thanks to my fascination with the True Crime section at the library (365.1523 books) and Silence of the Lambs. The likely choice was to pursue a Psychology degree with the eventual goal of Forensic Psychology. Well, life happened, and I failed out of college with a whopping 0.3 GPA in my final semester.

Now in the predicament of figuring out my life, I started researching local tech schools. (My Dad insisted that I move in with him to get my life straightened out.) One local college was offering Forensic Science as a major – sweet! Organic Chem and Biology were my favorite subjects, so this seemed right up my alley. We learned all about crime scenes, photography, law, arson, ballistics, fingerprinting, serology, etc. It was incredible. After graduating, however, I quickly realized I needed more than an A.A.S. degree to get a decent job.

So, I went to a third college for my B.S. degree in Computer Forensics. I loved the classes! We had basic programming (in Visual Basic — shoot me), more law courses, file system analysis, network analysis, and hands-on data recovery. Our capstone was taking SANS FOR508 (back when it was mainly forensics 10 years ago) and earning the GCFA certification.

My first official digital forensics role came a couple months after graduation. It was a bit unorthodox, but I sent out paper résumés to companies (regardless if they were actively hiring) and promised to follow up with them the following week. It worked! One company, who was not hiring, decided to take a chance on me. I’ve since moved on from that company, worked a few other places, and am now a Director at my current location.

My advice to anyone starting out: TRY. FAIL. TRY AGAIN. Failure doesn’t mean you stop. Failure means you reevaluate the situation, make adjustments, and continue moving forward.

#3 – iTunes Backups

Scenario: You receive an iOS device and don’t have access to commercial tools to acquire the device. The custodian is cooperative and willing to give you any credentials necessary for the collection. What do you do?

My advice – create an iTunes backup. Preferably, create an encrypted iTunes backup. This allows you to grab more information from the device, such as account passwords, health, and HomeKit data. If the user has previously encrypted iTunes backups, you will be prompted for the user’s previous password. If the user has never encrypted backups, you will be prompted to create a password. IMPORTANT NOTE: This iTunes password will stay with the device. Do not lose this password!

[Screenshot: iTunes Backups]

Now that you have successfully backed up the device, how do you view the data? iBackupBot is a simple solution and has a free full-version trial for both Windows and Mac computers. You can modify backups with iBackupBot, so it is highly recommended that you make a duplicate copy of your iTunes backup first. Below are some of the items that you can see in an iTunes backup.

[Screenshots: iBackupBot showing System Information about the iOS Device; Multimedia and System Databases; System Log and Crash Report]

From here, you can export the SQLite databases and plists and view their contents in your application of choice. In another post, I will show you how to write basic SQLite queries to put meaning behind the databases.

#2 – SANS DFIR Summit

Another year, another SANS DFIR Summit come and gone. What a whirlwind! If you have never been to the DFIR Summit in Austin, TX, I would highly recommend it. This year seemed to have more new people attending than ever before. (I don’t have the official counts, so I don’t know for certain.)

The presentation slides have been posted if you’d like to review them. In roughly 2-3 months, the videos should also be posted to YouTube. A few highlights:

  • #DFIRFIT or Bust – I loved this talk the most. Take a look at the slides to see why. 😉
  • Event Trace Logs – Nicole has been researching these for quite some time, and her presentation goes into awesome detail about these logs. If you’ve never examined ETLs, you really should.
  • mac_apt – macOS forensics is my jam. Yogesh’s mac_apt.py pulls [almost] all the things for forensic analysis. Obviously it requires some thought in your analysis to put together a timeline of events, but this script will be a great start in simplifying your efforts.
  • DNSplice – Shelly loves her DNS logs! Her python script helps put extra meaning behind the data.
  • Forensic 4:Cast Awards – Lee puts a lot of thought and love behind these awards, as evidenced by his 10 years of work on them. Congrats to all the winners and runners-up!

After the conference, the DFIR Summit offers classroom training. This year I signed up for the FOR585 Advanced Smartphone Forensics course. Heather did a phenomenal job teaching the class and really made sure people understood the concepts. She even taught SQLite in a way that actually made sense! (I’ve struggled for years with SQLite queries, but now I can easily write basic queries, join tables, add case statements, and order columns.)

The final highlight of the DFIR Summit was the NetWars challenge. This year SANS added a Coin Slayer challenge where you could win a challenge coin from a particular course, assuming you answered all questions from all four levels correctly. There ended up being seven people who won Coin Slayer coins – two in Reverse-Engineering Malware and five in Smartphone Forensics. I happened to be one of the lucky ones to earn a Smartphone Forensics coin within the final three minutes of the competition.


All in all, the DFIR Summit was more than worth it! If you get a chance to go, absolutely do it. The Summit will be held in Austin, TX next year July 25-26 (conference) and July 27-Aug 1 (training). Hope to see you there!

#1 – The Zeltser Challenge

It's no secret that people have pushed for more community sharing in DFIR, assuming one's company or role allows that sharing. A few years ago, David Cowen began a daring experiment to write a daily blog. This was based on Lenny Zeltser's challenge, lovingly termed "The Zeltser Challenge" among the community, in which one writes a blog post every day for a year. Matt Bromiley also embarked on the challenge. The goal of the challenge is to: 1) share with others and 2) push yourself to keep learning. Recently, David tweeted out a request to have others join in on the challenge, and well, here I am…

Are there any specific requests of topics you’d like to read? A few of the topics that I am considering over this next year are:

  • macOS Forensics
  • APFS Artifacts
  • Android Forensics
  • iOS Forensics
  • SQLite Analysis (a.k.a. forcing myself to learn SQLite)
  • Third-Party Application Forensics
  • OSINT (maybe?)

Here’s hoping all goes well!


DFIR Summit Family Reunion

“Reunited and it feels so good…” That lyric sums up my overall thoughts on the annual SANS DFIR (Digital Forensics and Incident Response) Summit experience in Austin, TX. Although, so does this song by Dual Core.

This conference is easily my favorite of the year. The talks are highly technical, but not to the point of overwhelming with your eyes glazing over. You can find the links to the presentations here. There were a surprising number of Mac Forensics talks this year (which I love!), open source and hardware talks (check out Brian Moran’s and Jessica Hyde’s Alexa badassery), workflow organization, and more. There really wasn’t anything that I did not find interesting, and that’s saying a lot.

The evenings provided an opportunity for networking and fun (so much fun). Honestly, the networking is worth its weight in gold. Each year I meet new people in the DFIR field and form lasting friendships (and many that are like close family). Being a naturally introverted person, for me to say that I actually enjoy the networking, that’s huge. We seriously have some truly incredible people in this industry.

Rather than uploading a bunch of photos from the talks and evenings, it’s likely easiest to just check my Twitter account: @4n6woman. Feel free to also follow me on there!

Hopefully next year I will see more new faces in Austin. It really is worth the trip!