Acquiring iPhone Data - iTunes Backup Method

This is the first article in the iPhone series. It focuses on acquiring data from an iPhone; subsequent articles will cover analysis of the geo-location data native to the iPhone and of third-party navigation applications such as TomTom, Magellan, and MotionX.

The iTunes Backup method described below is the simplest and most effective way to extract all of the logical data available from an iPhone. It will give you roughly 90% of the available data; the exceptions are deleted data, iPod data (videos, songs, protected media), emails, and photos synced from a computer to the phone.

The process below has been outlined using a Mac. All but the "Parsing the Backup Files" section can be performed on a PC: an iTunes Backup can be acquired on a PC and later parsed on a Mac.

System Prerequisites

System/Device Preparation

Disable Auto Sync

  1. Launch iTunes
  2. Select Preferences from the iTunes menu
  3. Go to the Devices tab
  4. Check ‘Disable automatic syncing for iPhones and iPods’

Navigate to the following directory and ensure it is empty.

  • /Users/YOUR USER NAME/Library/Application Support/MobileSync/Backup/

Ensure the device is in Airplane mode

  1. Power on the Device
  2. Touch the Settings button
  3. Turn Airplane Mode On

Creating a Backup

Plug in the Device

  1. The device will appear under the “Devices” list in the left pane.
  2. Place the cursor over the words “Serial Number” and click once to display the UDID.

The UDID is important to note. Once you perform the backup, a folder named after the device's UDID will be created in the MobileSync/Backup/ directory.

  • Right click on the device and choose ‘Back up’

  • Backing up “Device Name” will appear in the information window.

  • The device itself should display a message “Sync in Progress”

Once completed it is safe to disconnect the device.

Navigate to the following directory and ensure the backup folder was created with the UDID of the device.

    • /Users/YOUR USER NAME/Library/Application Support/MobileSync/Backup/

Inside the UDID-named folder there will be pairs of files with the same name but different extensions: .mddata and .mdinfo.

The file names look like SHA1 hash values, but they are not. Apple uses a proprietary algorithm to generate the hash value for each file, which incorporates specific hardware items from the device. The value is unique, but it cannot be verified by running sha1deep or another checksum application against the file. Following the backup steps described above on a different machine with the same device will yield the same hash-value file names.

The .mddata and .mdinfo pair essentially splits a file into a resource fork and a data fork. The .mddata file contains the actual data, and the .mdinfo file contains metadata about the file's name, type, and original path.
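The two points above, that the file-name stems cannot be verified as hashes of the content and that each pair carries the data in .mddata and the original location in .mdinfo, can be checked in a few lines. The script below is an added example, not code from the article or from mdhelper. It assumes the .mdinfo file is a plist readable with plistlib and that it carries "Domain" and "Path" keys for the original location; those key names are an assumption for illustration. The miniature backup it builds is constructed, so it runs offline and touches no real MobileSync directory. For each complete pair it records the SHA-1 of the data (useful for an evidence manifest), reports whether that hash happens to equal the file name (it should not), flags orphaned halves, and rebuilds a pseudo-native tree the way the parsing step does.

```python
"""Pair and catalogue .mddata/.mdinfo files from an iTunes backup folder.

Added example; not from the original article or from Apple's tooling.
Assumption: .mdinfo is a plist with "Domain" and "Path" keys (illustrative
key names). The sample backup built by build_sample_backup() is constructed.
"""
import hashlib
import plistlib
import tempfile
from pathlib import Path


def sha1_hex(data: bytes) -> str:
    """Hex SHA-1 of the data, for an acquisition manifest."""
    return hashlib.sha1(data).hexdigest()


def catalogue_backup(backup_dir):
    """Return (records, orphans) for one UDID-named backup folder.

    records: one dict per complete .mddata/.mdinfo pair with the metadata read
    from .mdinfo, the SHA-1 of the .mddata content, and whether that digest
    equals the file-name stem (the article says it never will).
    orphans: stems that have only one half of the pair, worth noting in a report.
    """
    stems = {}
    for entry in Path(backup_dir).iterdir():
        if entry.suffix in (".mddata", ".mdinfo"):
            stems.setdefault(entry.stem, {})[entry.suffix] = entry
    records, orphans = [], []
    for stem in sorted(stems):
        halves = stems[stem]
        if len(halves) != 2:
            orphans.append(stem)
            continue
        data = halves[".mddata"].read_bytes()
        with open(halves[".mdinfo"], "rb") as fh:
            info = plistlib.load(fh)
        digest = sha1_hex(data)
        records.append({
            "stem": stem,
            "domain": info.get("Domain"),       # assumed key name
            "path": info.get("Path"),           # assumed key name
            "size": len(data),
            "sha1": digest,
            "name_is_sha1_of_content": digest == stem,
        })
    return records, orphans


def rebuild_tree(records, backup_dir, out_dir):
    """Recreate out_dir/<Domain>/<Path> from the pairs; returns written paths."""
    written = []
    for rec in records:
        if not rec["path"]:
            continue
        dest = Path(out_dir) / (rec["domain"] or "UnknownDomain") / rec["path"]
        dest.parent.mkdir(parents=True, exist_ok=True)
        dest.write_bytes((Path(backup_dir) / (rec["stem"] + ".mddata")).read_bytes())
        written.append(dest)
    return written


def build_sample_backup(root):
    """Constructed miniature backup: two complete pairs plus one orphan .mddata."""
    root = Path(root)
    root.mkdir(parents=True, exist_ok=True)
    samples = {  # stem -> (Domain, Path, content); all values are made up
        "a1" * 20: ("HomeDomain", "Library/SMS/sms.db", b"SQLite format 3\x00 sample"),
        "b2" * 20: ("HomeDomain", "Library/Preferences/com.apple.Maps.plist", b"<plist/>"),
    }
    for stem, (domain, path, content) in samples.items():
        (root / f"{stem}.mddata").write_bytes(content)
        with open(root / f"{stem}.mdinfo", "wb") as fh:
            plistlib.dump({"Domain": domain, "Path": path}, fh)
    (root / ("c3" * 20 + ".mddata")).write_bytes(b"orphan data half only")
    return root


def demo():
    """Run the whole flow in a scratch directory; returns (records, orphans, written)."""
    work = Path(tempfile.mkdtemp(prefix="itunes-backup-demo-"))
    backup = build_sample_backup(work / "0000UDID")
    records, orphans = catalogue_backup(backup)
    written = rebuild_tree(records, backup, work / "Recovered iPhone Files")
    return records, orphans, written


if __name__ == "__main__":
    records, orphans, written = demo()
    for rec in records:
        print(f"{rec['stem'][:12]}...  {rec['sha1'][:12]}...  {rec['domain']}/{rec['path']}")
    print("orphans:", orphans)
    print("rebuilt:", [str(p) for p in written])
```

To run it against a real acquisition, point catalogue_backup() at the UDID-named folder under MobileSync/Backup and write the records out as your manifest; the "name_is_sha1_of_content" column documents, per file, that the stem is not a content hash.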

Parsing the Backup Files

In Terminal type the following at the command prompt.

    • mdhelper -extract

Note: There is no need to change into the MobileSync/Backup directory. By default, mdhelper automatically runs against that directory.

The Device name will appear as well as the number of files recovered.

The directory “Recovered iPhone Files” will be created on the Desktop. The name will always be “Recovered iPhone Files” even if the device is an iPod Touch.

A pseudo native file structure of the device has been recreated. If there was more than one UDID named backup file in the MobileSync/Backup directory there will be multiple directories in the “Recovered iPhone Files” directory.

Navigate to the MobileSync/Backup directory. Right-click and copy the following files:

    1. info.plist
    2. manifest.plist
    3. Status.plist

Paste these files into the directory named after the device inside the “Recovered iPhone Files” directory.
