Mac OS X: iOS device backup locations


Author Name
Pasquale Stirparo, @pstirparo
Submission Title
Mac OS X: iOS device backup locations
Artifact Description
Num. 1 is the main directory on a Mac containing iOS device backups.


Num. 2 is a plist file in plain text. It stores data about the backed up device (such as device name, GUID, ICCID, IMEI, Product type, iOS version, serial numbers, UDID etc.) and the iTunes software used to create the backup (iTunes version number, iTunes settings).


Num. 3 is a plist file in plain text that describes the content of the backup. It lists the applications installed on the backed-up device, with the name and version of each. It also records the date the backup was made, the backup type (encrypted vs. unencrypted) and some information about the iDevice and the iTunes software used.


Num. 4 is a binary file that stores the descriptions of all the other files in the backup directory. It contains a record for each element in the backup.


Num. 5 is a plist file in binary format that stores information about the completion of the backup.
File Locations
1) iOS device backups directory
– %%users.homedir%%/Library/Application Support/MobileSync/Backup/*


2) iOS device backup information
– %%users.homedir%%/Library/Application Support/MobileSync/Backup/*/info.plist


3) iOS device backup apps information
– %%users.homedir%%/Library/Application Support/MobileSync/Backup/*/Manifest.plist


4) iOS device backup files information
– %%users.homedir%%/Library/Application Support/MobileSync/Backup/*/Manifest.mbdb


5) iOS device backup status information
– %%users.homedir%%/Library/Application Support/MobileSync/Backup/*/Status.plist
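
As an added example (not part of the original submission or the mac4n6 project), the Python sketch below triages the three plist files listed above for each backup directory. The plist key names are assumptions based on typical iTunes backups, the function names are hypothetical, and absent keys or unreadable files are reported as None.

```python
import plistlib
from pathlib import Path

# Assumed Info.plist key names (typical iTunes backups); absent keys yield None.
INFO_KEYS = ("Device Name", "Product Type", "Product Version", "Serial Number",
             "IMEI", "ICCID", "Unique Identifier", "iTunes Version")


def _load(backup_dir, name):
    """Load a plist by case-insensitive file name. macOS volumes usually ignore
    case, a Linux analysis host does not. plistlib.load auto-detects XML and
    binary plists, so Status.plist needs no special handling."""
    for entry in Path(backup_dir).iterdir():
        if entry.is_file() and entry.name.lower() == name.lower():
            try:
                with entry.open("rb") as fh:
                    return plistlib.load(fh)
            except Exception:
                return None  # damaged or truncated file: treat as missing
    return None


def summarize_backup(backup_dir):
    """Return a triage summary for one directory under MobileSync/Backup/."""
    info = _load(backup_dir, "Info.plist") or {}
    manifest = _load(backup_dir, "Manifest.plist") or {}
    status = _load(backup_dir, "Status.plist") or {}
    summary = {key: info.get(key) for key in INFO_KEYS}
    summary.update({
        "backup_id": Path(backup_dir).name,       # directory name of the backup
        "backup_date": manifest.get("Date"),
        "encrypted": manifest.get("IsEncrypted"),
        "applications": sorted(manifest.get("Applications") or {}),
        "full_backup": status.get("IsFullBackup"),
        "snapshot_state": status.get("SnapshotState"),
    })
    return summary


def summarize_all(backup_root):
    """Summarize every backup directory found under the given root."""
    root = Path(backup_root)
    return [summarize_backup(d) for d in sorted(root.iterdir()) if d.is_dir()]
```

Run it against a working copy of the Backup directory rather than the original evidence.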
Research Links
https://github.com/pstirparo/mac4n6


http://forensicswiki.org/wiki/Mac_OS_X_10.9_-_Artifacts_Location


https://docs.google.com/spreadsheets/d/1X2Hu0NE2ptdRj023OVWIGp5dqZOw-CfxHLOW_GNGpX8/edit#gid=4
Any Other Information
These artifacts are collected under the mac4n6 project, which aims to be a single point of collection for OS X artifacts, from which such locations are later shared via:
– yaml library
– ForensicsWiki.org
– ForensicsArtifacts.com
This way the effort is made only once and the output is reused everywhere.