SANS Digital Forensics and Incident Response Blog: Daily Archives: Sep 29, 2008

Indirect iPhone Forensics

In a case I recently worked, I came across relevant SMS messages which had been sent and received using an iPhone. Interestingly, I wasn't actually examining the iPhone, but only the subject's MacBook Pro. What I discovered and subsequently researched, is that virtually all of the iPhone's current data contents, as well as quite a bit of archival data, appear to be extractable from the .mdbackup files that are stored on the PC or Mac to which the iPhone is synched.

On Windows, .mdbackup files are stored in their user's profile folder, under ''Application Data\\Apple Computer\\MobileSync\\Backup'. On the Mac, they're stored in the user's home directory, under ''Library/Application Support/MobileSync/Backup'. While I've only worked with the one instance on a Mac, I believe that the file format is identical between both platforms. The .mdbackup file contains, presumably among other things, one or more sqlite database files. These can be

... Continue reading Indirect iPhone Forensics