by Selena Ley
There are numerous reasons why it is important to analyze iPhone / iPod Touch backup files. The list below is not exhaustive, but as forensic examiners we sometimes need to fall back on the backup files because:
- the iPhone / Touch is a mini-computer. The original evidence may have been deleted from the device, and you may have no method to recover deleted data from the device with a traditional forensic exam.
- the iPhone / Touch is locked and you cannot get into the actual device.
- you are conducting an exam on a computer, come across iPhone backup files, and the device itself was not delivered for examination.
By utilizing the backup files, we may be able to gather information that we did not have before. So how are these backup files generated on the computer? When the device is first connected to a computer, iTunes automatically creates a backup. If the device is locked with a user passcode, iTunes requires the passcode to be entered before the contents are backed up. From then on, each time the device is connected to the same computer under the same user account, iTunes does not ask for the passcode again. (This trust relationship is what makes the passcode-bypass option discussed at the end of this article possible.)
After the initial backup is completed, each time the device is connected the iTunes settings dictate what information is synchronized. By default, iTunes automatically syncs the device to the computer unless the user has chosen otherwise. Below is a screenshot of the iTunes sync settings in version 9.0.2; note that other versions may have different tabs.
iTunes v9 Devices Tab
Now, when the user has selected "Disable automatic syncing for all iPhones and iPods", the next time the device is connected iTunes will not automatically sync information to the computer. So what types of information can be synced? Contacts, email account settings, Internet bookmarks, pictures, and so on; Apple's iTunes documentation gives the detailed list of items that can be synchronized.
The user may still elect to run a backup manually to push the contents of the iPhone/Touch to the computer. To do so, right-click the device name within iTunes and select "Back Up".
iTunes v9 “Back Up” Option for iPhone and iPod Touch
Locating Backup Files
If you suspect that a computer may contain iPhone or iPod backup files but you are unsure where to look, you can use these methods to quickly determine if they exist on the suspect computer.
- Search for Backup Files - A quick method is to search the drive for the file extensions "mddata", "mdinfo" and/or "mdbackup". Any hits are backup files generated by iTunes.
- Manually Navigate to the Folder - By default, iTunes places the backup files in the following path: Windows XP: Documents & Settings\
Understanding the Backup Files
When a device is connected to iTunes for the first time, iTunes generates a 40-character hexadecimal identifier for it. This identifier, the UDID (Unique Device Identifier), is also the name of the subfolder created for the device within the Backup folder. Once that folder exists, each time the device is connected to the computer iTunes recognizes it and updates only that folder. (For those who are interested: the device also leaves traces in the registry; the author locates the serial number and UDID as subkeys under the HARDWARE key. Note that HKLM\HARDWARE is a volatile hive rebuilt at each boot, so on a dead-box image look instead in the SYSTEM hive under CurrentControlSet\Enum\USB, where the device instance ID that Windows records for an iPhone is its UDID.) Depending on the iTunes settings, if the user has chosen to sync the device with the computer, then the first time the iPhone/Touch is connected iTunes creates a backup of the contents of the device.
When a backup is first created, the UDID subfolder is created; its name is the device's UDID, not a randomly generated GUID. Each time the device is connected to iTunes and a sync or backup process is kicked off, the contents of this folder may be updated: if there are any deltas, existing files are updated and/or new ones created (for example, when a new app is installed on the device). Note that if automatic sync is turned OFF in iTunes, connecting the iPhone/Touch may not update any files at all. However, if the user forces a backup of the device, the folder contents are updated for any deltas. This is why files within the UDID folder may carry differing modification timestamps. If the user upgrades the firmware version, a full backup may be issued as part of the upgrade process, in which case all the files are rewritten.
Within this UDID folder are files with four types of file extensions: .plist, .mdbackup, .mddata and .mdinfo (each is described below).
So what's so important about these files?
- If you don't have the iPhone but you do have the backup files, you can still determine the make/model/serial number as well as the phone number of the device from them.
- Some of the default parsing tools may NOT handle all the different kinds of apps that can be installed on an iPhone/Touch. (I have a simple example below about Skype backup files.)
- As always, validate your software.
The plist files are informational files whose content is written as XML. On a Windows machine they can be viewed using Internet Explorer or any text editor. On a Mac, you can use Quick Look by highlighting the file and pressing the spacebar. Be aware that some plists are stored in Apple's binary format (the file begins with the bytes "bplist00") and show little in a text editor; on a Mac, plutil -convert xml1 will turn one back into readable XML. There are many free and commercial tools. I've included a link to a tool called iPod Robot in the Reference section.
There are 3 main plist files generated as part of the backup process – Info.plist, Status.plist, and Manifest.plist.
If you are triaging a case, the most important plist file is Info.plist, since it contains basic information about the device, including the serial number, the user-assigned device name and, for an iPhone, the phone number; these may be key items in a case. If you have an iPhone/Touch that you suspect was connected to this computer, you can verify that by matching the serial number. Info.plist also records the last date/time the device was backed up to the computer.
The Status.plist file indicates the status of the previous sync or backup. If the process completed successfully, the content will indicate the following:
If the previous process failed, Status.plist will note this, and you can then review the other folders within the "Apple Computer" folder.
The Manifest.plist file is created by iTunes. Its Data element is itself a binary plist describing the backup files, stored alongside a digital signature. Generally this file is not of forensic significance.
The mdbackup files contain the meat of your data. The filename is a 40-character hex string: the SHA-1 hash of the file's domain and path on the device (for example, HomeDomain-Library/SMS/sms.db), so a given device file always lands under the same backup name. There are plenty of free and commercial tools that will parse these files for you. However, it is important to understand how to view and parse the contents yourself when no tool handles them.
If you view the first few bytes of each file, you will notice a header that describes the contents of the file as well as the file format, followed by the file data itself. For example, the following is a sample mdbackup file holding the picture the user chose as the device wallpaper. If you know the JPEG header format (a JPEG begins with the bytes FF D8 FF and ends with FF D9) and carve from that header, you will get the picture.
JPEG Picture from mdbackup file example
Some files, such as the Contacts/Address Book entries, are stored as a SQLite database. The database itself is embedded within the mdbackup file; while you can inspect the raw bytes in a hex editor, it is far easier to read once carved out (the database header begins with the string "SQLite format 3" followed by a null byte) and opened in a SQLite browser. The following screenshots show the mdbackup file holding the Contacts stored on the device as well as the carved SQLite database as viewed in SQLite Browser.
Hex view and Database views of SQLite data for Contacts
Other mdbackup files that store preferences and other information, such as wireless access points and Cookies, hold XML. These can be viewed in any text editor, or you can strip the leading metadata bytes so that the XML (starting at "<?xml") parses properly in your web browser. The following is a sample mdbackup file relating to web browser Cookies:
mdbackup file for Cookies
.mddata and .mdinfo Files
In newer firmware versions for the iPhone/Touch, the .mdbackup files are replaced by .mddata and .mdinfo files. More specifically, once the user upgrades from version 1.x (which coincides with the .mdbackup files) to any higher version, the file extensions differ. Unlike an mdbackup file, which contains both the metadata and the file content, the newer firmware produces two files: one with the mddata extension and one with the mdinfo extension. The .mdinfo and .mddata files act as a pair and therefore share the same file name (the same hash) with different extensions.
The .mdinfo file contains the metadata about the file, such as what category or type of information it holds (Address Book, SMS, Call History, etc.). The .mddata file contains the actual content. Note that in firmware 3.x the user can encrypt the backup by choosing that option in iTunes; the user must then pick a backup password in iTunes. This password is different from the passcode on the device. If encryption is selected, the .mddata files are encrypted whereas the .mdinfo files remain in plain text, so which files are present is still visible even when their content is not. Each time the user switches between encrypted and unencrypted, iTunes forces a backup of the device, which rewrites all the files.
Below is a screenshot of the .mddata file for the AddressBook in firmware 3.1.2 unencrypted and then with encryption turned on.
mddata AddressBook Unencrypted
mddata AddressBook Encrypted
Although there are a lot of free and commercial parsers for the backup files, some will not handle apps the user has installed. This may require you to look at the .mddata and .mdinfo files yourself to determine how to parse them. For example, I installed Skype on my device and ran a full backup. I ran a search for "Skype" across the .mdinfo files and then viewed the matching .mddata file for the actual data. Viewing the .mddata file, I was able to locate my Skype account (blurred out in the picture).
mddata showing Skype Information
PLIST file showing Skype Information
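The Skype walk-through above is a manual version of a step you can script: read every .mdinfo in the UDID folder, recover the domain and path it describes, confirm that the paired .mddata is present and that the file name really is SHA-1(domain-path) as described earlier, then search the index for an app name. The code below is an added example, not the author's tooling. It assumes (the article does not say) that a .mdinfo is a binary plist whose "Metadata" entry is a nested plist carrying "Domain" and "Path" keys, and the Skype bundle identifier and on-device path used in the sample data are assumed as well; the sample folder is constructed in code rather than taken from a real backup.

```python
"""Index an iTunes backup folder: map filenames back to device paths and
pair .mdinfo metadata with .mddata content."""
import hashlib
import plistlib


def backup_filename(domain, path):
    """Name of the backup file for a device file: the SHA-1 hex digest of
    "<Domain>-<path>". HomeDomain-Library/SMS/sms.db hashes to the well-known
    3d0d7e5fb2ce288813306e4d4636395e047a3d28, so known files can be located
    by name without reading any metadata at all."""
    return hashlib.sha1(f"{domain}-{path}".encode("utf-8")).hexdigest()


def parse_mdinfo(blob):
    """Return (domain, path) from a .mdinfo blob.

    ASSUMED layout (not stated in the article): an outer binary plist whose
    'Metadata' value is itself a binary plist carrying 'Domain' and 'Path'.
    plistlib.loads autodetects XML vs. bplist00, so either form parses."""
    outer = plistlib.loads(blob)
    meta = plistlib.loads(outer["Metadata"])
    return meta["Domain"], meta["Path"]


def index_backup(files):
    """files: {filename: bytes} for one UDID folder.

    Returns one record per .mdinfo with its domain and path, whether the
    paired .mddata is present, and whether the stem really equals
    SHA-1(domain-path); a mismatch means metadata and content were not
    written together (e.g. a file dropped in from another backup)."""
    records = []
    for name, blob in files.items():
        if not name.endswith(".mdinfo"):
            continue
        stem = name[:-len(".mdinfo")]
        domain, path = parse_mdinfo(blob)
        records.append({
            "domain": domain,
            "path": path,
            "mdinfo": name,
            "has_mddata": stem + ".mddata" in files,
            "name_matches_hash": stem == backup_filename(domain, path),
        })
    return records


def search_index(records, keyword):
    """Case-insensitive search over domain and path: the scripted form of
    grepping the .mdinfo files for an app name such as 'skype'."""
    kw = keyword.lower()
    return [r for r in records
            if kw in r["domain"].lower() or kw in r["path"].lower()]


# --- constructed sample data (not a real backup) ---------------------------

def make_mdinfo(domain, path):
    """Build a .mdinfo blob in the layout parse_mdinfo assumes."""
    meta = plistlib.dumps({"Domain": domain, "Path": path},
                          fmt=plistlib.FMT_BINARY)
    return plistlib.dumps({"Metadata": meta}, fmt=plistlib.FMT_BINARY)


SAMPLE_ENTRIES = [
    ("HomeDomain", "Library/SMS/sms.db"),
    ("HomeDomain", "Library/AddressBook/AddressBook.sqlitedb"),
    # Skype's bundle id and on-device path are assumed for the demo.
    ("AppDomain-com.skype.skype", "Library/Application Support/Skype/main.db"),
]


def sample_backup():
    """A constructed UDID folder; the AddressBook .mddata is left out to show
    how an unpaired .mdinfo surfaces in the index."""
    files = {}
    for domain, path in SAMPLE_ENTRIES:
        stem = backup_filename(domain, path)
        files[stem + ".mdinfo"] = make_mdinfo(domain, path)
        files[stem + ".mddata"] = b"<file content would be here>"
    del files[backup_filename(*SAMPLE_ENTRIES[1]) + ".mddata"]
    return files


if __name__ == "__main__":
    for rec in index_backup(sample_backup()):
        print(rec["mdinfo"][:12], rec["domain"], rec["path"],
              "paired" if rec["has_mddata"] else "MISSING .mddata")
```

Because the name is a hash of the device path, you can also go the other way: compute backup_filename for the files you care about (SMS database, address book, call history) and look for those names directly, which works whether or not the backup is encrypted, since only the content of the .mddata files is encrypted.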
Bypassing the Passcode and Other Considerations
If an iPhone/Touch is locked with a user passcode, there are some avenues we can explore to get to the data. One option is to send the device to Apple with a search warrant to have it unlocked. Another option, if the computer was seized, is to determine whether the device was once connected to that computer (remember the Info.plist file!) and then issue a backup from it: iTunes will not prompt for the passcode on a computer that already backed the device up, so the contents of the device will be backed up to the computer and you can parse them. Please note that if the passcode has changed since the last sync, this option will not work; nor will it work if the backup was generated before the passcode was enabled on the device. Other options to bypass the passcode exist, such as Zdziarski's method.
Some other considerations:
- If a Mac was also seized with the iPhone/Touch, determine whether Time Machine was enabled. If so, there may be older copies of the backup files that are of value, for example older versions of the SMS database, Call History, etc.
- If a Vista box was also seized with the iPhone/Touch, consider going after the Volume Shadow Copies. Like Time Machine, if the feature is enabled there may be older versions of the files that you can target for deleted content.
- If you only have the iPhone, remember you can determine the phone number by popping out the SIM card and analyzing the card (provided the carrier populated the subscriber number field on the SIM, which is optional).
- The user has the option to delete backup files via iTunes. If this is chosen, iTunes deletes the device's subfolder within the MobileSync\Backup folder. In that case, you can try to recover the files and/or carve based on header signatures. Useful ones include "bplist00" (binary plist), "SQLite format 3" (SQLite database) and FF D8 FF (JPEG).
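The carving described for the mdbackup files (JPEG wallpaper, embedded SQLite Contacts database, XML cookie plists) and for deleted backups in the last bullet above is the same operation: locate a header signature in a blob and work out how far the object extends. The script below is an added example, not the author's code, and the blob it runs on is constructed in code rather than taken from a real backup. It walks JPEG marker segments so that an EXIF thumbnail's own end-of-image marker is not mistaken for the end of the outer picture, derives a SQLite database's size from its header page only when the header says that size is trustworthy, and reports a bplist00 by offset only, because a binary plist stores its sizes in a trailer at the end of the object, not in the header.

```python
"""Signature-based carving of content embedded in an iTunes backup blob
(an .mdbackup/.mddata file, or an image of unallocated space)."""
import re
import struct

BPLIST_MAGIC = b"bplist00"
SQLITE_MAGIC = b"SQLite format 3\x00"
JPEG_SOI = b"\xff\xd8\xff"
XML_START = b"<?xml"
XML_END = b"</plist>"


def jpeg_length(buf, start):
    """Length of the JPEG whose SOI marker is at buf[start], or None.

    Marker segments are skipped by their length fields, so an EXIF thumbnail's
    FF D9 inside APP1 is not taken for the outer EOI. After an SOS marker the
    entropy-coded data is scanned: there a 0xFF byte is always followed by
    0x00 (stuffing) or D0-D7 (restart), so anything else is a real marker."""
    n = len(buf)
    pos = start + 2
    while pos + 2 <= n:
        if buf[pos] != 0xFF:
            return None
        marker = buf[pos + 1]
        if marker == 0xFF:                        # fill byte
            pos += 1
            continue
        if marker in (0x01, 0xD8) or 0xD0 <= marker <= 0xD7:  # no length field
            pos += 2
            continue
        if pos + 4 > n:
            return None
        seg_len = struct.unpack(">H", buf[pos + 2:pos + 4])[0]
        if seg_len < 2:
            return None
        pos += 2 + seg_len
        if marker == 0xDA:                        # SOS: scan data follows
            while pos + 1 < n:
                nxt = buf[pos + 1]
                if buf[pos] == 0xFF and nxt != 0x00 and not 0xD0 <= nxt <= 0xD7:
                    break
                pos += 1
            else:
                return None
            if buf[pos + 1] == 0xD9:
                return pos + 2 - start
            # any other marker (e.g. DHT/SOS of a progressive scan): keep walking
    return None


def sqlite_length(buf, start):
    """Size of an embedded SQLite database from its 100-byte header: page
    size (bytes 16-17; 1 means 65536) times page count (bytes 28-31). The
    page count is only valid when bytes 92-95 equal the change counter at
    bytes 24-27; otherwise None (the size must then come from elsewhere)."""
    hdr = buf[start:start + 100]
    if len(hdr) < 100:
        return None
    page_size = struct.unpack(">H", hdr[16:18])[0]
    if page_size == 1:
        page_size = 65536
    change_counter, page_count = struct.unpack(">II", hdr[24:32])
    version_valid_for = struct.unpack(">I", hdr[92:96])[0]
    if page_count == 0 or version_valid_for != change_counter:
        return None
    return page_size * page_count


def carve(buf):
    """Return sorted (offset, kind, length) hits; length is None where the
    header alone cannot give it (bplist00, unverified SQLite page count)."""
    hits = []
    for m in re.finditer(re.escape(BPLIST_MAGIC), buf):
        hits.append((m.start(), "bplist", None))
    for m in re.finditer(re.escape(SQLITE_MAGIC), buf):
        hits.append((m.start(), "sqlite", sqlite_length(buf, m.start())))
    for m in re.finditer(re.escape(JPEG_SOI), buf):
        length = jpeg_length(buf, m.start())
        if length is not None:
            hits.append((m.start(), "jpeg", length))
    for m in re.finditer(re.escape(XML_START), buf):
        end = buf.find(XML_END, m.start())
        if end != -1:
            hits.append((m.start(), "xml-plist", end + len(XML_END) - m.start()))
    return sorted(hits)


def extract(buf, hit):
    """Slice out one carved object, ready to write to disk and open in a viewer."""
    offset, _kind, length = hit
    return buf[offset:offset + length] if length else buf[offset:]


# --- constructed sample blob (not real backup data) -------------------------
_INNER_JPEG = b"\xff\xd8" + b"\xff\xda\x00\x02" + b"\x12\x34" + b"\xff\xd9"   # 10-byte "thumbnail"
SAMPLE_JPEG = (b"\xff\xd8"                                                       # SOI
               + b"\xff\xe1" + struct.pack(">H", 2 + len(_INNER_JPEG)) + _INNER_JPEG  # APP1 holding it
               + b"\xff\xda\x00\x02" + b"\xaa\xff\x00\xbb"                       # SOS + stuffed scan data
               + b"\xff\xd9")                                                    # EOI, 26 bytes total
_hdr = bytearray(100)
_hdr[0:16] = SQLITE_MAGIC
_hdr[16:18] = struct.pack(">H", 1024)   # page size
_hdr[24:28] = struct.pack(">I", 7)      # change counter
_hdr[28:32] = struct.pack(">I", 2)      # page count
_hdr[92:96] = struct.pack(">I", 7)      # version-valid-for matches the counter
SAMPLE_SQLITE = bytes(_hdr) + bytes(2048 - 100)
SAMPLE_XML = (b'<?xml version="1.0" encoding="UTF-8"?>\n<plist version="1.0">'
              b'<dict><key>Cookies</key><array/></dict></plist>')
SAMPLE_BLOB = (BPLIST_MAGIC + bytes(24) + SAMPLE_XML + b"\xee" * 5
               + SAMPLE_JPEG + bytes(3) + SAMPLE_SQLITE)

if __name__ == "__main__":
    for hit in carve(SAMPLE_BLOB):
        print("offset %6d  %-9s  length %s" % hit)
```

Run against a real .mdbackup or a raw image, the hits for "jpeg" and "sqlite" can be written straight to disk and opened in an image viewer or SQLite Browser; a "bplist" hit tells you where a binary plist starts, and the trailer (last 32 bytes of the object) then has to be located to know where it ends.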