Tuesday, January 29, 2013

Backtrack Forensics: iPhone Analyzer

Menu: Forensics -> Digital Forensics
Directory: /pentest/forensics/iphoneanalyzer
Official Website: http://sourceforge.net/projects/iphoneanalyzer/
License: GNU GPL v3

iPhone analyzer is a tool which can gather lots of data from iPhone backup files. Features:
  • iPhone Backup Browsing
  • Native file viewing (plist, sqlite, etc)
  • Searching including regular expressions
  • ssh access for jailbroken phones (beta)
  • Reports
  • Restore files
  • Recover backups
  • View all iPhone photos
  • examine address book, sms and loads of others
  • find and recover passwords
  • Export files to local filesystem
  • Online and offline mapping
  • Geo track where a device has been
  • IOS5 and earlier versions supported
  • IOS6 is only partially supported (several known problems) - at the time of this writing
Usage:

We can find the iPhone backup files in the following directory:

Windows (prior to Vista):
%user home%\Application Data\Apple Computer\MobileSync\Backup
Windows (Vista and later):
%user home%\AppData\Roaming\Apple Computer\MobileSync\Backup
MAC OS X:
%user home%/Library/Application Support/MobileSync/Backup/

Under this older there will be a 40 character long hex string, which contains the files. I simply copied the backups to a thumb drive, and inserted it to Backtrack. We can open the backups, with selecting:
File -> Open: New Backup Directory


Once the backup is opened, we will see the info.pslist details in the middle. At the top it will show the most relevant information, and at the bottom we can see the full raw content.


On the right side we will see the manifest.pslist contents.


On the left side we have two things: access to the file system, where we can navigate and bookmarks, which takes us to some useful files, like address book, messages, etc...


Once we open a file, it will create a new tab for it, where we can view it. We can close the tab by clicking on "x". We have different views for a file as can be seen in the bottom tabs associated with the file. These can change based on the type of the file we opened.



Bookmarks:


There a very useful part, called "Concepts", which are accessible from the bookmarks. It will gather time, location and name information from the iPhone, and display it on a map. We can select, what information we want to see (call, addressbook entry, image metadata) and it will update the other cells accordingly.


A good guide about the tool: http://www.crypticbit.com/files/ipa_user_guide.pdf

No comments: