#3 – iTunes Backups

comment 1
Digital Forensics / iOS Artifacts

Scenario: You receive an iOS device and don’t have access to commercial tools to acquire the device. The custodian is cooperative and willing to give you any credentials necessary for the collection. What do you do?

My advice – create an iTunes backup. Preferably, create an encrypted iTunes backup. This allows you to grab more information from the device, such as account passwords, health, and HomeKit data. If the user has previously encrypted iTunes backups, you will be prompted for the user’s previous password. If the user has never encrypted backups, you will be prompted to create a password. IMPORTANT NOTE: This iTunes password will stay with the device. Do not lose this password!

iTunes Backups

Now that you have successfully backed up the device, how do you view the data? iBackupBot is an simple solution and has a free full-version trial for both Windows and Mac computers. You can modify backups with iBackupBot, so it is highly recommended that you make a duplicate copy of your iTunes backup first. Below are some of the items that you can see in an iTunes backup.

System Information about the iOS Device
Screen Shot 2018-06-17 at 21.42.30
Multimedia and System Databases
Screen Shot 2018-06-17 at 22.46.57
System Log and Crash Report

From here, you can export the SQLite databases and plists and view their contents in your application of choice. In another post, I will show you how to write basic SQLite queries to put meaning behind the databases.

1 Comment

  1. Pingback: Week 25 – 2018 – This Week In 4n6

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s