Difference between pages "IOS" and "Converting Binary Plists"

From ForensicsWiki
(Extraction)
 
 
Line 1: Line 1:
{{expand}}
+
Binary plists are the files that Apple products use to store information. The easiest way to view them is to convert them to xml.
  
iOS (pronounced i-O.S.) is the name of the operating system for Apple's mobile devices (iPhone/iPad/iPod Touch).
+
The program plutil is native to OSX (as of 10.2), however it is also included when iTunes is installed on a Windows PC.
  
The current version of iOS is 5.0, released on October 12, 2011.
+
plutil on a Windows PC is stored in:
  
 +
''Program Files (x86)\Common Files\Apple\Apple Application Support''
  
----
+
Which can be added to the PATH in Environmental variables so plutil can be run from anywhere
  
== File System ==
+
To convert Binary plists to XML run the command:
iOS runs a reduced variant of [[Mac OS X|OSX]] and [[HFS|HFSX]] as a file system.
+
'''plutil -convert xml1 file.plist'''
  
A majority of the useful information is stored in /private/var2/mobile/
 
However there is other useful information stored in the keychains and db folders.
 
  
iOS uses sqlite and plist files to store information.
 
  
'''/private/var2/mobile'''
 
  
This contains three folders: Applications, Library and Media
 
  
Applications contains a series of folders, which contain the data for all of the apps stored on the phone. The name of each app is stored in its iTunesMetadata.plist.
+
== Links ==
 
+
plutil man page - [[http://developer.apple.com/library/mac/#documentation/Darwin/Reference/ManPages/man1/plutil.1.html]]
Library contains the most useful information:
+
- Address Book
+
- Calendar
+
- Safari - favorites, open tabs, web history
+
- Mail - mail is encrypted and therefore requires the keychain to be decrypted before it can be accessed
+
- SMS - sms.db, which may include deleted SMS messages
+
- Notes - notes.sqlite, which may include deleted notes
+
- Voicemail
+
- Spotlight - Spotlight database may contain text messages that have since been deleted.
+
 
+
Media contains all Photos loaded onto the device, Books, Purchases, Podcasts, Recordings and Pictures/Videos taken
+
 
+
== Extraction ==
+
There are several tools available to extract information out of iOS operating systems (listed alphabetically):
+
* Aceso by Radio Tactics [[http://www.radio-tactics.com/products/law/aceso-kiosk]]
+
* Blacklight by Black Bag Technology [[https://www.blackbagtech.com/]]
+
* Lantern by Katana Forensics [[http://katanaforensics.com/]]
+
* [[Nuix Desktop]] and [[Proof Finder]] by [[Nuix]].
+
* Oxygen Forensic Suite by Oxygen Software [[http://www.oxygen-forensic.com/en/]]
+
* UFED and Physical Analyzer by Cellebrite [[http://www.cellebrite.com/]]
+
* XRY by Micro Systemation [[http://www.msab.com/]]
+
 
+
== External Links ==
+
* [http://linuxsleuthing.blogspot.com/2011/05/iphone-forensics-tools.html Database Parsing Tools]
+
* [http://esec-lab.sogeti.com/post/Low-level-iOS-forensics Low-level iOS forensics]
+
 
+
[[Category:Operating systems]]
+
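Review bot: On the added line "plutil -convert xml1 file.plist", the command rewrites file.plist in place, which matters when the file is evidence. Suggest showing the -o form (for example "plutil -convert xml1 -o file.xml file.plist") or stating that the conversion should be run on a working copy. Separately, the man page link wraps a bare URL in double brackets, which is internal-link syntax. It renders as "[[1]]" in the revision below, so use single brackets with a label.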

Revision as of 20:22, 9 September 2011

Binary plists are the files that Apple products use to store information. The easiest way to view them is to convert them to XML.

The program plutil is native to OS X (as of 10.2); it is also included when iTunes is installed on a Windows PC.

On a Windows PC, plutil is stored in:

Program Files (x86)\Common Files\Apple\Apple Application Support

This folder can be added to the PATH environment variable so that plutil can be run from anywhere.

To convert binary plists to XML, run the command:

plutil -convert xml1 file.plist
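The same conversion without plutil, as an added example that is not part of the original wiki page: Python's standard plistlib reads the binary format and writes the XML to a separate file, and the source is hashed before and after to confirm it was not modified. The function names, output file name and sample record are assumptions constructed for the example.

```python
import hashlib
import plistlib
import tempfile
from pathlib import Path

BPLIST_MAGIC = b"bplist00"  # first 8 bytes of a binary plist


def sha256(path):
    return hashlib.sha256(path.read_bytes()).hexdigest()


def convert_to_xml(src, out_dir):
    """Write an XML copy of a binary plist into out_dir; never modify src."""
    raw = src.read_bytes()
    if not raw.startswith(BPLIST_MAGIC):
        raise ValueError(f"{src} is not a binary plist")
    before = hashlib.sha256(raw).hexdigest()
    data = plistlib.loads(raw, fmt=plistlib.FMT_BINARY)
    dst = out_dir / (src.stem + ".xml.plist")
    with dst.open("xb") as fh:  # 'x' refuses to overwrite earlier output
        plistlib.dump(data, fh, fmt=plistlib.FMT_XML)
    if sha256(src) != before:
        raise RuntimeError(f"{src} changed during conversion")
    return dst


def demo():
    """Convert a constructed sample; returns (hash before, hash after, XML)."""
    with tempfile.TemporaryDirectory() as tmp:
        work = Path(tmp)
        out = work / "converted"
        out.mkdir()
        src = work / "file.plist"
        # Constructed sample record, not taken from a real device.
        sample = {"name": "Example App", "version": "1.0"}
        src.write_bytes(plistlib.dumps(sample, fmt=plistlib.FMT_BINARY))
        before = sha256(src)
        dst = convert_to_xml(src, out)
        return before, sha256(src), dst.read_bytes()


if __name__ == "__main__":
    before, after, xml = demo()
    print("source unchanged:", before == after)
    print(xml.decode())
```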



Links

plutil man page - http://developer.apple.com/library/mac/#documentation/Darwin/Reference/ManPages/man1/plutil.1.html