SANS Digital Forensics and Incident Response Blog

Indirect iPhone Forensics

In a case I recently worked, I came across relevant SMS messages which had been sent and received using an iPhone. Interestingly, I wasn't actually examining the iPhone, but only the subject's MacBook Pro. What I discovered and subsequently researched is that virtually all of the iPhone's current data contents, as well as quite a bit of archival data, appear to be extractable from the .mdbackup files that are stored on the PC or Mac to which the iPhone is synched.

On Windows, .mdbackup files are stored in their user's profile folder, under 'Application Data\Apple Computer\MobileSync\Backup'. On the Mac, they're stored in the user's home directory, under 'Library/Application Support/MobileSync/Backup'. While I've only worked with the one instance on a Mac, I believe that the file format is identical between both platforms. The .mdbackup file contains, presumably among other things, one or more sqlite database files. These can be extracted using a perl script, bkupextract.pl, which I found using Google.

perl -w bkupextract.pl *mdbackup

The script will list out the names of all of the sqlite databases to STDERR as it extracts them to db files in the current directory. Once they're extracted, their contents can be dumped using sqlite3. The phone's SMS message store will likely be one of the more interesting pieces of evidence, so:

echo ".dump" | sqlite3.exe sms_01.db > sms_01_dump.txt

The output of this command will look something like the following:

BEGIN TRANSACTION;
CREATE TABLE _SqliteDatabaseProperties (key TEXT, value TEXT,
UNIQUE(key));
INSERT INTO "_SqliteDatabaseProperties" VALUES('_ClientVersion',
'2');

INSERT INTO "_SqliteDatabaseProperties" VALUES('_UniqueIdentifier',
'EE0A5BF3-9C22-455E-9FBC-7E733BDC6FDA');
CREATE TABLE message (ROWID INTEGER PRIMARY KEY AUTOINCREMENT,
address TEXT, date INTEGER, text TEXT, flags INTEGER, replace INTEGER,
svc_center TEXT);
INSERT INTO "message" VALUES(3,'phone-number',integer-unix-date,
'message-text',3,0,NULL);
.
.
.
DELETE FROM sqlite_sequence;
INSERT INTO "sqlite_sequence" VALUES('message'
,122);
COMMIT;

The dates in the file are UNIX timestamps, which can be easily translated into text using various web based utilities.
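As an added example (not part of the original post), the following Python reproduces the last two steps offline: it loads the message table schema shown in the dump above into an in-memory sqlite database with a few constructed sample rows, then pulls the backup's unique identifier and renders each message's UNIX date as UTC text, so the timestamp conversion is done by script rather than by hand. The phone numbers, identifier and message texts are constructed sample values; the meaning of the flags column is not decoded here because the post does not describe it.

```python
import sqlite3
from datetime import datetime, timezone

# Schema copied from the sms_01.db dump in the post; the rows are constructed sample data.
SAMPLE_DUMP = """
CREATE TABLE _SqliteDatabaseProperties (key TEXT, value TEXT, UNIQUE(key));
INSERT INTO "_SqliteDatabaseProperties" VALUES('_ClientVersion','2');
INSERT INTO "_SqliteDatabaseProperties" VALUES('_UniqueIdentifier','00000000-SAMPLE-BACKUP-ID');
CREATE TABLE message (ROWID INTEGER PRIMARY KEY AUTOINCREMENT,
  address TEXT, date INTEGER, text TEXT, flags INTEGER, replace INTEGER, svc_center TEXT);
INSERT INTO "message" VALUES(3,'+15555550100',1236265440,'meet at 3?',3,0,NULL);
INSERT INTO "message" VALUES(4,'+15555550100',1236268080,'running late',2,0,NULL);
INSERT INTO "message" VALUES(5,'+15555550199',NULL,'(no timestamp recorded)',3,0,NULL);
"""

def build_sample_db():
    """Create the constructed sample sms database in memory (stands in for sms_01.db)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SAMPLE_DUMP)
    return conn

def unix_to_utc(ts):
    """Render a UNIX timestamp as a UTC string; a missing date stays None."""
    if ts is None:
        return None
    return datetime.fromtimestamp(int(ts), tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC")

def extract_sms(conn):
    """Return the backup's unique identifier and its messages, oldest first, dates made readable."""
    ident = conn.execute(
        "SELECT value FROM _SqliteDatabaseProperties WHERE key='_UniqueIdentifier'"
    ).fetchone()
    # Rows without a date sort last instead of being dropped, so nothing is silently lost.
    rows = conn.execute(
        "SELECT ROWID, address, date, text, flags FROM message ORDER BY date IS NULL, date"
    ).fetchall()
    messages = [
        {"rowid": r[0], "address": r[1], "date": r[2], "date_utc": unix_to_utc(r[2]),
         "text": r[3], "flags": r[4]}
        for r in rows
    ]
    return {"identifier": ident[0] if ident else None, "messages": messages}

if __name__ == "__main__":
    result = extract_sms(build_sample_db())
    print("backup id:", result["identifier"])
    for m in result["messages"]:
        print(m["rowid"], m["date_utc"], m["address"], repr(m["text"]))
```

To run it against a real extracted database, replace build_sample_db() with sqlite3.connect("sms_01.db"); the queries only rely on the columns shown in the dump.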

If you liked this article, want to add something to it, or simply want to call me on the carpet for some inaccuracy, please feel free to leave a comment.

John McCash, GCFA Silver #2816, is currently a Forensic Investigator employed by a fortune 500 telecommunications equipment provider.

2 Comments

Posted March 5, 2009 at 9:04 AM

adriennex

This was very interesting. I found the files, but how do you run that script on a mac? Is there a script program?

Posted March 5, 2009 at 10:08 AM

johnmccash

I didn't run it on a Mac. That said, sqlite and perl should be available for the Mac if they're not installed by default. Unfortunately, I don't have one to test with right now. - John