Scenario: A user connects an iPhone to a Windows 7 computer. The computer prompts the user with options for viewing the contents, syncing contents, etc. The user chooses to view the files, browses to the DCIM folder, and begins to copy the photos to the computer. A few minutes into the file copy, iTunes opens on the computer and interrupts the connection to begin creating a backup. The user stops the iTunes backup, […]
Yesterday I mentioned extracting BLOB data from Manifest.db, which would be a painful process to do manually. Thankfully, Adrian Leong (@Cheeky4n6Monkey) wrote a Python script to automate BLOB extraction from SQLite databases. It is a fairly simple script and will work on any SQLite database, not just Manifest.db. An example invocation of the script is below:
python sqlite-blob-dumper.py targetdb.sqlite tablename outputdir
Test it out. Let him know what you think or submit a pull request […]
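To show what such a dumper has to do, here is an added example (my own code, not Adrian Leong's script and not from the original post). It opens the database read-only, walks every column of the requested table, writes each BLOB cell to its own file, and labels the dumped content by its leading bytes, which is the first thing you want to know before deciding which viewer to open it in. The sample Manifest.db it builds is constructed for the demo; its Files table layout (fileID, domain, relativePath, flags, file) follows my understanding of the real schema and is an assumption, not something stated on the page.

```python
"""Dump BLOB columns from any SQLite table to files and identify what they hold."""
import plistlib
import sqlite3
import tempfile
from pathlib import Path

# Leading bytes of artefacts commonly found inside forensic SQLite blobs.
# Constructed list for this example; extend it as needed.
MAGIC = [
    (b"bplist00", "binary plist"),
    (b"SQLite format 3\x00", "sqlite"),
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"\xff\xd8\xff", "jpeg"),
    (b"PK\x03\x04", "zip"),
]


def sniff(data: bytes) -> str:
    """Return a coarse type label for a blob based on its first bytes."""
    for magic, label in MAGIC:
        if data.startswith(magic):
            return label
    return "unknown"


def _quote_ident(name: str) -> str:
    # Double-quote an identifier so a table or column name cannot inject SQL.
    return '"' + name.replace('"', '""') + '"'


def dump_blobs(db_path, table: str, outdir) -> dict:
    """Write each BLOB cell of `table` to outdir/<rowid>_<column>.bin.

    The database is opened with mode=ro so the evidence file is never modified.
    Returns {output filename: sniffed type}.
    """
    outdir = Path(outdir)
    outdir.mkdir(parents=True, exist_ok=True)
    uri = f"file:{Path(db_path).resolve()}?mode=ro"  # assumes no '?' or '#' in the path
    con = sqlite3.connect(uri, uri=True)
    try:
        cols = [row[1] for row in con.execute(f"PRAGMA table_info({_quote_ident(table)})")]
        if not cols:
            raise ValueError(f"table {table!r} not found")
        select = ", ".join(_quote_ident(c) for c in cols)
        written = {}
        for rowid, *values in con.execute(f"SELECT rowid, {select} FROM {_quote_ident(table)}"):
            for col, val in zip(cols, values):
                if isinstance(val, (bytes, memoryview)):  # only BLOB cells are dumped
                    data = bytes(val)
                    name = f"{rowid}_{col}.bin"
                    (outdir / name).write_bytes(data)
                    written[name] = sniff(data)
        return written
    finally:
        con.close()


def build_sample_db(db_path) -> None:
    """Create a constructed stand-in for Manifest.db (layout is an assumption)."""
    con = sqlite3.connect(str(db_path))
    con.execute(
        "CREATE TABLE Files (fileID TEXT PRIMARY KEY, domain TEXT, "
        "relativePath TEXT, flags INTEGER, file BLOB)"
    )
    # A binary plist, which is what the 'file' column holds in a real backup.
    file_plist = plistlib.dumps({"$version": 100000, "$objects": ["$null"]},
                                fmt=plistlib.FMT_BINARY)
    fake_png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16  # constructed, header only
    con.executemany("INSERT INTO Files VALUES (?, ?, ?, ?, ?)", [
        ("a" * 40, "CameraRollDomain", "Media/DCIM/100APPLE/IMG_0001.JPG", 1, file_plist),
        ("b" * 40, "HomeDomain", "Library/Preferences/thumb.png", 1, fake_png),
        ("c" * 40, "HomeDomain", "Library", 2, None),  # row with no blob; must be skipped
    ])
    con.commit()
    con.close()


def run_demo() -> dict:
    """Build the sample database in a temp dir, dump its blobs, return {filename: type}."""
    work = Path(tempfile.mkdtemp(prefix="blobdump_"))
    db = work / "Manifest.db"
    build_sample_db(db)
    return dump_blobs(db, "Files", work / "out")


if __name__ == "__main__":
    for name, kind in run_demo().items():
        print(name, kind)
```

For a real Manifest.db you would call `dump_blobs("Manifest.db", "Files", "out")` against a working copy, then open the files labelled "binary plist" in a plist viewer; the rowid-based file names keep the output traceable back to the row in the table.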
The Manifest.db is a SQLite database storing information about the iTunes backup. When opened with DB Browser for SQLite, switch to the Browse Data tab to preview the contents of the tables. In the screenshot, the table's contents appear on the left side. When you see BLOB as the content, you will likely want to export the data to view it in another application. To see the content in SQLite, on the right […]
The Manifest.plist is another file in the root of the iTunes backup folder. Like the other plists, this one lists the device name, serial number, and Unique Device ID. Additional values indicate whether the backup is encrypted, whether the device syncs to iCloud, whether a passcode is set on the device (distinct from backup encryption), WiFi sync capabilities, and any accessibility features enabled. A note about com.apple.mobile.wireless_lockdown: this is not indicating […]
Yesterday I mentioned there were a few plists and a database in the root of the backup folder. I explained the Info.plist, but today I want to explain the Status.plist. In some scenarios, you will only have a limited amount of time with a device, and you want to ensure you have everything you need. This plist is a quick way to check. The Status.plist will display whether a backup has fully completed, whether it is a […]
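The quick check the two posts above describe (is the backup finished, is it encrypted, was a passcode set, which device is it) can be scripted with the standard library's plistlib. The following is an added example, not code from the original posts. The key names it reads (SnapshotState, IsFullBackup, IsEncrypted, WasPasscodeSet, and the Lockdown dictionary holding DeviceName, SerialNumber, UniqueDeviceID, ProductVersion and com.apple.mobile.wireless_lockdown) are my recollection of the iTunes backup layout and are assumptions; the two plists it parses are constructed inline so it runs offline.

```python
"""Triage the Status.plist and Manifest.plist in the root of an iTunes backup."""
import plistlib
from pathlib import Path

# Constructed stand-ins for the two plists. Key names are assumed from the
# iTunes backup format as I know it, not taken from the page; values are placeholders.
SAMPLE_STATUS = plistlib.dumps({
    "BackupState": "new",
    "IsFullBackup": True,
    "SnapshotState": "finished",
    "Version": "3.3",
}, fmt=plistlib.FMT_BINARY)

SAMPLE_MANIFEST = plistlib.dumps({
    "IsEncrypted": False,
    "WasPasscodeSet": True,
    "Version": "10.0",
    "Lockdown": {
        "DeviceName": "Example iPhone",
        "SerialNumber": "PLACEHOLDER",
        "UniqueDeviceID": "0" * 40,
        "ProductVersion": "12.4",
        # Contents of this sub-dictionary are also assumed.
        "com.apple.mobile.wireless_lockdown": {"EnableWifiConnections": False},
    },
}, fmt=plistlib.FMT_BINARY)


def load_plist(src) -> dict:
    """Parse a plist from bytes or from a file path (binary and XML both handled)."""
    if isinstance(src, (bytes, bytearray)):
        return plistlib.loads(bytes(src))
    with open(src, "rb") as fh:
        return plistlib.load(fh)


def triage(status: dict, manifest: dict) -> dict:
    """Summarise what a collector needs to know before leaving the device."""
    lockdown = manifest.get("Lockdown", {})
    return {
        "device_name": lockdown.get("DeviceName"),
        "serial": lockdown.get("SerialNumber"),
        "udid": lockdown.get("UniqueDeviceID"),
        "ios_version": lockdown.get("ProductVersion"),
        "backup_finished": status.get("SnapshotState") == "finished",
        "full_backup": bool(status.get("IsFullBackup", False)),
        "encrypted": bool(manifest.get("IsEncrypted", False)),
        # Device passcode is separate from backup encryption; report both.
        "passcode_set": bool(manifest.get("WasPasscodeSet", False)),
        "wifi_sync": lockdown.get("com.apple.mobile.wireless_lockdown"),
    }


def collection_complete(report: dict) -> bool:
    """True only when the snapshot finished and it was a full (not partial) backup."""
    return report["backup_finished"] and report["full_backup"]


def triage_backup_dir(backup_dir) -> dict:
    """Run the triage against a real backup folder on disk."""
    backup_dir = Path(backup_dir)
    return triage(load_plist(backup_dir / "Status.plist"),
                  load_plist(backup_dir / "Manifest.plist"))


if __name__ == "__main__":
    report = triage(load_plist(SAMPLE_STATUS), load_plist(SAMPLE_MANIFEST))
    for key, value in report.items():
        print(f"{key}: {value}")
    print("collection complete:", collection_complete(report))
```

Point `triage_backup_dir` at the backup folder (the directory named after the device's UDID) and check `collection_complete` before disconnecting; if the manifest reports the backup as unencrypted, that is also the moment to decide whether to redo it with backup encryption enabled so keychain items are included.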
Ideally, your workstation should be free of previous user and client data when you begin your collections. This is not always possible when you are at a client site and requested to image multiple devices. If you can, image the devices to an encrypted external drive or an encrypted file/partition. The big caveat to this is when you are using iTunes as your collection method, which saves the backups to its default location. On Windows, […]
Recap of the SANS DFIR Summit and FOR585 Training.