Ipa User Guide

IPHONE ANALYZER USER GUIDE

FORENSICALLY EXAMINING AN IPHONE OR IOS DEVICE CONTENTS

Collecting Data ........................................................................................................................................................ 2

Learning About the Device ..................................................................................................................................... 2

Opening the backup............................................................................................................................................ 3

Info.plist .............................................................................................................................................................. 4

Manifest.Plist ...................................................................................................................................................... 5

Navigating the Device ............................................................................................................................................. 5

Finding Your Way Around The Application ......................................................................................................... 6

Bookmarks .......................................................................................................................................................... 7

File System .......................................................................................................................................................... 7

Files ..................................................................................................................................................................... 8

Exploring COncepts ................................................................................................................................................. 9

File Formats ............................................................................................................................................................ 9

PLists ................................................................................................................................................................... 9

SQLIte................................................................................................................................................................ 10

Special Views ........................................................................................................................................................ 11

COLLECTING DATA

The first challenge is to get a copy of the devices data which can be held in a way that assures it hasn’t been tampered with. The method we recommend is to use iTunes or a 3rd party application to make a device backup.

If you use iTunes the default locations for the backup will be:

Windows (prior to Vista): <user home>\Application Data\Apple Computer\MobileSync\Backup

Windows (Vista and Windows 7): <user home>\AppData\Roaming\Apple Computer\MobileSync\Backup

MacOS: /Library/Application Support/MobileSync/Backup/

Inside that directory you will find one or more backup directories. Each backup will have its own directory, which consists of 40 hex digits:

At this point it is important to backup the selected folder and store it somewhere it cannot be tampered with. It may also be beneficial to take a hash of the directory so you can demonstrate it has not been changed. LEARNING ABOUT THE DEVICE

If you look inside the backup directory you will see a long list of files (once again with filenames 40 hex digits long). Each of these represents a file from the IOS device, but packaged up in a non-readable format by iTunes.

The exceptions are a few files at the bottom of the list called Info.plist, Manifest (with various extensions) and Status.plist. These tell us something about the device, about the backup and about the files contained within it. These files are only partially human readable and also change between different IOS versions so we will use IPhone Analzyer to examine these.

OPENING THE BACKUP

Run iPhone Analzyer and select the File menu. If the file is where iTunes put it, you will find the file listed under “Open: Default iTunes location”, however if you have moved it or are accessing it from a different device or user account then you will need to locate it manually using “Open: new backup directory”.

Once you select this a file browser will appear. Simply navigate until you find the backup directory you want to open, and select “Open”. Remember the backup directory will have be 40 hex digits long.

Once you have down this the backup will open, and more options will become available.

INFO.PLIST

On the right of the screen you will see the “Phone Information” appear. This is all extracted from Info.plist.

At the top you will see most important information extracted for you. This includes the date the backup was made, the phone number, the serial number and the device name.

Under this is the raw contents of the Info.Plist file. It is shown in a tree view which is described more fully in the PLists section on page 9.

Using this view it should be possible to see all the data from the Info.plist file and not just the content that the application decides is most relevant.

Other information that you may find useful includes:

 A list of library and synced applications

 IMEI number

 ITunes files such as IC-Info.sidb, IC-info.sidv and

iTunesPrefs. NOTE: You can open files such as IC_Info.sidb even though they are embedded within another file simply by right clicking on them and choosing to Open them as a new file

MANIFEST.PLIST

On the far right hand side of the screen is the Manifest from the backup.

This is only one of the Manifest files, with others existing on some versions of the IOS operating system. However the others don’t provide much human readable content as they simply let us associate the encoded files with their original filename, which is something iPhone

...