Yesterday I mentioned extracting BLOB data from Manifest.db, which would be a painful process to do manually. Thankfully, Adrian Leong (@Cheeky4n6Monkey) wrote a python script to automate BLOB extractions from SQLite databases. It is a fairly simple script and will work on any SQLite databases, not just the Manifest.db.
The Manifest.db is a SQLite database storing information about the iTunes backup. When opened with DB Browser for SQLite, switch to the Browse Data tab to preview the contents of the tables.
In the above photo, you can see the table’s contents on the left side. When you see BLOB as the content, you will likely want to export the data to view in another application. To see the content in SQLite, on the right side, change the Mode to Binary. This will show you the BLOB content, which in this case is an embedded binary plist. (Welcome to iOS and macOS! You will quickly get used to seeing embedded binary plists, double embedded plists, and so on. It is plist Inception!)
To export the binary plist, click on Export and save the file to a new location. Change the file extension to plist and open with your plist viewer of choice. (On macOS, you can view these natively or use Xcode. On Windows, try Paul Sanderson’s BPList Viewer.)
The exported plist will include file information and dates, depending on which binary plist you exported. The highlighted item “LastStatusChange” is actually a date value of Unix Epoch. If you see a number starting with 14 or 15, count on it being a Unix Epoch date.
In the above example, the Unix Epoch value “1527733038” has been converted to a human-readable date. EpochConverter.com is a great, free resource for converting date values and allows batch conversions of dates. Other popular conversion tools are Dcode, DateDecode, Unix Timestamp, and my personal favorite epochalypse.py.
Scenario: You receive an iOS device and don’t have access to commercial tools to acquire the device. The custodian is cooperative and willing to give you any credentials necessary for the collection. What do you do?
My advice – create an iTunes backup. Preferably, create an encrypted iTunes backup. This allows you to grab more information from the device, such as account passwords, health, and HomeKit data. If the user has previously encrypted iTunes backups, you will be prompted for the user’s previous password. If the user has never encrypted backups, you will be prompted to create a password. IMPORTANT NOTE: This iTunes password will stay with the device. Do not lose this password!
Now that you have successfully backed up the device, how do you view the data? iBackupBot is an simple solution and has a free full-version trial for both Windows and Mac computers. You can modify backups with iBackupBot, so it is highly recommended that you make a duplicate copy of your iTunes backup first. Below are some of the items that you can see in an iTunes backup.
From here, you can export the SQLite databases and plists and view their contents in your application of choice. In another post, I will show you how to write basic SQLite queries to put meaning behind the databases.