| Author Name |
|
Pasquale Stirparo, @pstirparo |
| Submission Title |
|
Mac OS X: iOS device backup locations |
| Artifact Description |
|
Num. 1 is the main directory inside a Mac containing iOS device backups
Num. 2 is a plist file in plain text. It stores data about the backed up device (such as device name, GUID, ICCID, IMEI, Product type, iOS version, serial numbers, UDID etc.) and the iTunes software used to create the backup (iTunes version number, iTunes settings).
Num. 3 is a plist file in plain text and it describes the content of the backup. Inside this file we can find the list of applications installed on the backed up device. For every application there are the name and the particular version. Inside the file there is also the date the backup was made, the backup type (encrypted vs. unencrypted) and some information about the iDevice and the iTunes software used.
Num. 4 is a binary file that stores the descriptions of all the other files in the backup directory. It contains a record for each element in the backup.
Num. 5 It’s a plist file in binary format and it stores information about the completion of the backup |
| File Locations |
|
1) iOS device backups directory
– %%users.homedir%%/Library/Application Support/MobileSync/Backup/*
2) iOS device backup information
– %%users.homedir%%/Library/Application Support/MobileSync/Backup/*/info.plist
3) iOS device backup apps information
– %%users.homedir%%/Library/Application Support/MobileSync/Backup/*/Manifest.plist
4) iOS device backup files information
– %%users.homedir%%/Library/Application Support/MobileSync/Backup/*/Manifest.mdbd
5) iOS device backup status information
– %%users.homedir%%/Library/Application Support/MobileSync/Backup/*/Status.plist |
| Research Links |
|
https://github.com/pstirparo/mac4n6
http://forensicswiki.org/wiki/Mac_OS_X_10.9_-_Artifacts_Location
https://docs.google.com/spreadsheets/d/1X2Hu0NE2ptdRj023OVWIGp5dqZOw-CfxHLOW_GNGpX8/edit#gid=4 |
| Any Other Information |
|
These artefacts are collected under the ma4n6 project, aiming at being single point of collection for OSX artifacts from where such locations are later shared via:
– yaml library
– ForensicsWiki.org
– ForensicsArtifacts.com
So that the effort is made only once, and the output reused everywhere. |