SuperFetch and iOS

From ForensicsWiki

{{Expand}}

SuperFetch is a performance enhancement introduced in [[Microsoft]] [[Windows|Windows Vista]] to reduce the time needed to launch applications. An expansion of the [[Prefetch]] mechanism found in Windows XP, it records usage scenarios and loads the resources an application will need into memory before they are requested.

Data for SuperFetch is gathered by <tt>sysmain.dll</tt>, a service DLL hosted in an <tt>svchost.exe</tt> process, and stored in a series of files in the <tt>%SystemRoot%\Prefetch</tt> directory. These files appear to start with the prefix <tt>Ag</tt> and have a <tt>.db</tt> extension. The format of these files is not known; despite the extension they are not actually databases[http://channel9.msdn.com/showpost.aspx?postid=242429].

The SuperFetch feature is seeded with some basic usage patterns when the operating system is installed [http://channel9.msdn.com/showpost.aspx?postid=242429].

----

{{expand}}

iOS (pronounced i-O.S.) is the name of the operating system for Apple's mobile devices (iPhone/iPad/iPod Touch).

At the time of writing, the current version of iOS was 5.0, released on October 12, 2011.

== File System ==
iOS is a reduced variant of [[Mac OS X|OS X]] and uses [[HFS|HFSX]] (the case-sensitive variant of HFS+) as its file system.

A majority of the useful information is stored under /private/var/mobile/, but other useful information is stored in the keychains and db folders.

iOS uses SQLite databases and property list (plist) files to store information.

'''/private/var/mobile'''

This directory contains three folders: Applications, Library and Media.

Applications contains a series of folders, each of which holds the data for one of the apps installed on the phone. The name of each app is stored in its iTunesMetadata.plist.
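As an added example (not code from the ForensicsWiki page or from Apple), the script below walks an Applications directory and reads each app's iTunesMetadata.plist with Python's plistlib, which accepts both XML and binary plists. The directory tree and plist contents are constructed in a temporary directory so the script runs offline; the keys itemName, softwareVersionBundleId and bundleVersion are assumed from typical App Store metadata and are not stated on this page.

```python
"""List installed apps from Applications/<folder>/iTunesMetadata.plist.

Added example, not from ForensicsWiki. The tree built by build_sample_tree()
is constructed sample data so the script runs offline.
"""
import os
import plistlib
import tempfile
import uuid

# Assumed plist keys (typical App Store metadata; the page only says the
# app name lives in iTunesMetadata.plist).
NAME_KEY = "itemName"
BUNDLE_KEY = "softwareVersionBundleId"
VERSION_KEY = "bundleVersion"

# Constructed sample: two apps with metadata and one folder without it.
SAMPLE_APPS = [
    {NAME_KEY: "Example Messenger", BUNDLE_KEY: "com.example.messenger", VERSION_KEY: "2.1"},
    {NAME_KEY: "Example Notes", BUNDLE_KEY: "com.example.notes", VERSION_KEY: "1.0"},
    None,  # folder with no iTunesMetadata.plist (e.g. an app not from the App Store)
]


def build_sample_tree(root):
    """Create <root>/Applications/<UUID>/iTunesMetadata.plist for each sample app."""
    apps_dir = os.path.join(root, "Applications")
    for meta in SAMPLE_APPS:
        app_dir = os.path.join(apps_dir, str(uuid.uuid4()).upper())
        os.makedirs(app_dir)
        if meta is not None:
            with open(os.path.join(app_dir, "iTunesMetadata.plist"), "wb") as f:
                # iOS writes binary plists; plistlib.load() detects the format on read.
                plistlib.dump(meta, f, fmt=plistlib.FMT_BINARY)
    return apps_dir


def list_apps(apps_dir):
    """Return [(folder, name, bundle_id, version)]; folders without metadata get None fields.

    Named apps come first, sorted by name, so unidentified folders stand out at the end.
    """
    rows = []
    for entry in sorted(os.scandir(apps_dir), key=lambda e: e.name):
        if not entry.is_dir():
            continue
        meta_path = os.path.join(entry.path, "iTunesMetadata.plist")
        if not os.path.isfile(meta_path):
            rows.append((entry.name, None, None, None))
            continue
        with open(meta_path, "rb") as f:
            meta = plistlib.load(f)  # handles XML and binary (bplist00) plists
        rows.append((entry.name, meta.get(NAME_KEY), meta.get(BUNDLE_KEY), meta.get(VERSION_KEY)))
    return sorted(rows, key=lambda r: (r[1] is None, r[1] or ""))


def demo():
    """Build the sample tree in a temporary directory and list it."""
    with tempfile.TemporaryDirectory() as root:
        return list_apps(build_sample_tree(root))


if __name__ == "__main__":
    for folder, name, bundle_id, version in demo():
        print(f"{folder}  {name or '<no iTunesMetadata.plist>'}  {bundle_id or ''}  {version or ''}")
```

On a real extraction, point list_apps() at the mounted Applications directory; a folder that has no iTunesMetadata.plist is worth a closer look, since App Store installs normally carry one.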
 
Library contains the most useful information:
* Address Book
* Calendar
* Safari - favorites, open tabs, web history
* Mail - mail is encrypted and therefore requires the keychain to be decrypted before it can be accessed
* SMS - sms.db, which may include deleted SMS messages
* Notes - notes.sqlite, which may include deleted notes
* Voicemail
* Spotlight - the Spotlight database may contain text messages that have since been deleted

Media contains all photos loaded onto the device, Books, Purchases, Podcasts, Recordings, and the pictures and videos taken with the device.

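The reason sms.db and notes.sqlite "may include deleted" records is a property of SQLite rather than of iOS: unless secure_delete is on, a DELETE only unlinks the record's cell from the page, leaving its bytes in the page's freeblock chain or unallocated area until they are overwritten. The following added example (not the wiki's, Apple's or any vendor's code) builds a cut-down sms.db, deletes one message, and recovers its text by parsing the table b-tree leaf pages directly. The schema is a constructed subset of the iOS 5-era message table and all messages are constructed sample data; the carver itself is generic and applies equally to notes.sqlite or any other SQLite file.

```python
"""Recover deleted rows from an sms.db-style SQLite file by carving the
unallocated space and freeblocks of each table b-tree leaf page.

Added example, not ForensicsWiki's own code. SCHEMA and SAMPLE_MESSAGES are
a constructed subset of the iOS 5-era 'message' table so the script runs offline.
"""
import os
import sqlite3
import tempfile

SCHEMA = """
CREATE TABLE message (
    ROWID   INTEGER PRIMARY KEY,
    address TEXT,
    date    INTEGER,
    text    TEXT,
    flags   INTEGER
);
"""

# Constructed sample messages: (address, date as Unix seconds, text, flags).
SAMPLE_MESSAGES = [
    ("+15551234567", 1318400000, "Meet at the usual place at 9", 2),
    ("+15559876543", 1318400300, "Invoice paid, thanks", 3),
    ("+15551234567", 1318400600, "Running late, start without me", 2),
]
DELETED_TEXT = "Invoice paid, thanks"


def build_sample_db(path):
    """Create the table, insert three messages, then delete the middle one."""
    conn = sqlite3.connect(path)
    # Without secure_delete a DELETE unlinks the cell but does not wipe its bytes.
    conn.execute("PRAGMA secure_delete = OFF")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO message(address, date, text, flags) VALUES (?, ?, ?, ?)",
                     SAMPLE_MESSAGES)
    conn.commit()
    conn.execute("DELETE FROM message WHERE text = ?", (DELETED_TEXT,))
    conn.commit()
    conn.close()


def live_messages(path):
    """What an ordinary query shows: only rows still linked into the b-tree."""
    conn = sqlite3.connect(path)
    try:
        return conn.execute("SELECT address, date, text FROM message ORDER BY date").fetchall()
    finally:
        conn.close()


def slack_regions(raw):
    """Yield (page_no, kind, bytes) for the unallocated area and every freeblock
    of each table b-tree leaf page (SQLite file format, page header layout)."""
    page_size = int.from_bytes(raw[16:18], "big")
    if page_size == 1:                      # the header encodes 65536 as 1
        page_size = 65536
    for pno in range(1, len(raw) // page_size + 1):
        page = raw[(pno - 1) * page_size:pno * page_size]
        hdr = 100 if pno == 1 else 0        # page 1 begins with the 100-byte file header
        if page[hdr] != 0x0D:               # 0x0D = table b-tree leaf page
            continue
        ncells = int.from_bytes(page[hdr + 3:hdr + 5], "big")
        content_start = int.from_bytes(page[hdr + 5:hdr + 7], "big") or 65536
        ptr_end = hdr + 8 + 2 * ncells      # 8-byte leaf header + cell pointer array
        yield pno, "unallocated", page[ptr_end:content_start]
        off, seen = int.from_bytes(page[hdr + 1:hdr + 3], "big"), set()
        while off and off not in seen and off + 4 <= page_size:   # guard against a corrupt chain
            seen.add(off)
            nxt = int.from_bytes(page[off:off + 2], "big")        # next freeblock, 0 = last
            size = int.from_bytes(page[off + 2:off + 4], "big")   # size incl. 4-byte header
            yield pno, "freeblock", page[off + 4:off + size]
            off = nxt


def printable_runs(data, min_len=4):
    """Split bytes into runs of printable ASCII at least min_len long."""
    runs, cur = [], bytearray()
    for b in data:
        if 0x20 <= b < 0x7F:
            cur.append(b)
        else:
            if len(cur) >= min_len:
                runs.append(cur.decode("ascii"))
            cur = bytearray()
    if len(cur) >= min_len:
        runs.append(cur.decode("ascii"))
    return runs


def carve_deleted_strings(path):
    """Return (page_no, kind, string) for slack-space strings no live row contains."""
    live = {v for row in live_messages(path) for v in row if isinstance(v, str)}
    with open(path, "rb") as f:
        raw = f.read()
    return [(pno, kind, s) for pno, kind, data in slack_regions(raw)
            for s in printable_runs(data) if s not in live]


def demo():
    """Build the sample database in a temp directory; return (live rows, carved strings)."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "sms.db")
        build_sample_db(path)
        return live_messages(path), carve_deleted_strings(path)


if __name__ == "__main__":
    live, carved = demo()
    print("live rows:", live)
    print("carved from slack:", carved)
```

Carved runs carry the neighbouring record bytes (serial-type header, the phone number, the encoded date), so match them by substring rather than equality. The deleted message surfaces as a freeblock on the table's root page; a row freed at the very start of the cell content area is absorbed into the unallocated region instead, which is why the carver reads both. Pages moved to the database freelist and the rollback journal or WAL file are further places the same text can survive.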
== Extraction ==
There are several tools available to extract information from iOS devices (listed alphabetically):
* Aceso by Radio Tactics [http://www.radio-tactics.com/products/law/aceso-kiosk]
* Blacklight by Black Bag Technology [https://www.blackbagtech.com/]
* Lantern by Katana Forensics [http://katanaforensics.com/]
* [[Nuix Desktop]] and [[Proof Finder]] by [[Nuix]]
* Oxygen Forensic Suite by Oxygen Software [http://www.oxygen-forensic.com/en/]
* UFED and Physical Analyzer by Cellebrite [http://www.cellebrite.com/]
* XRY by Micro Systemation [http://www.msab.com/]

== External Links ==
* [http://channel9.msdn.com/showpost.aspx?postid=242429 Channel 9 Interview with Michael Fortin of Microsoft on SuperFetch]
* [http://www.informationweek.com/news/showArticle.jhtml?articleID=196902178 Microsoft Predicts The Future With Vista's SuperFetch] from Information Week
* [http://linuxsleuthing.blogspot.com/2011/05/iphone-forensics-tools.html Database Parsing Tools]
* [http://esec-lab.sogeti.com/post/Low-level-iOS-forensics Low-level iOS forensics]

[[Category:Operating systems]]

Revision as of 23:37, 21 September 2012
