Difference between revisions of "IOS"

From Forensics Wiki
(Extraction)
(File System)
Line 9: Line 9:
  
 
== File System ==
 
== File System ==
iOS runs a cut down version of OSX and as a result the file system looks very much the same.
+
iOS runs a cut down version of OSX and as a result the file system looks very much the same (HFS+)
  
 
A majority of the useful information is stored in /private/var2/mobile/
 
A majority of the useful information is stored in /private/var2/mobile/
There is other useful information stored in the keychains and db folders.
+
However there is other useful information stored in the keychains and db folders.
  
 +
iOS uses sqlite and plist files to store information.
  
 
'''/private/var2/mobile'''
 
'''/private/var2/mobile'''
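Review bot: in the File System paragraph, the revised first sentence appends "(HFS+)" after "very much the same" and drops the closing period, so the parenthetical no longer attaches to "the file system". Suggest "the file system (HFS+) looks very much the same." The new "However there is other useful information" sentence also needs a comma after "However".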
Line 27: Line 28:
 
- Mail - mail is encrypted and therefore requires the keychain to be decrypted before it can be accessed
 
- Mail - mail is encrypted and therefore requires the keychain to be decrypted before it can be accessed
 
- SMS - sms.db, which may include deleted SMS messages
 
- SMS - sms.db, which may include deleted SMS messages
- Notes
+
- Notes - notes.sqlite, which may include deleted notes
 
- Voicemail
 
- Voicemail
 
- Spotlight - Spotlight database may contain text messages that have since been deleted.
 
- Spotlight - Spotlight database may contain text messages that have since been deleted.

Revision as of 18:44, 9 September 2011


iOS

iOS (pronounced i-O.S) is the name of the operating system for Apple's mobile devices (iPhone/iPad/iPod Touch).

The current version of iOS is 4.3.5; however, iOS 5 is expected to be released some time in September/October 2011.



File System

iOS runs a cut-down version of OS X and, as a result, the file system (HFS+) looks very much the same.

A majority of the useful information is stored in /private/var2/mobile/. However, there is other useful information stored in the keychains and db folders.

iOS uses SQLite and plist files to store information.

/private/var2/mobile

This contains three folders: Applications, Library and Media

Applications contains a series of folders, which contain the data for all of the apps stored on the phone. The name of each app is stored in its iTunesMetadata.plist.

Library contains the most useful information:

- Address Book
- Calendar
- Safari - favorites, open tabs, web history
- Mail - mail is encrypted and therefore requires the keychain to be decrypted before it can be accessed
- SMS - sms.db, which may include deleted SMS messages
- Notes - notes.sqlite, which may include deleted notes
- Voicemail
- Spotlight - Spotlight database may contain text messages that have since been deleted.

Media contains all photos loaded onto the device, books, purchases, podcasts, recordings and pictures/videos taken.
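The Applications lookup described above, as an added example that is not part of the original wiki page: this Python code walks an extracted copy of the Applications folder and resolves each app folder to a name by reading its iTunesMetadata.plist, flagging folders where the file is missing or damaged. The key names `itemName` and `softwareVersionBundleId` are assumptions about the plist layout, and the folder names and values in the sample tree are constructed.

```python
import plistlib
import tempfile
from pathlib import Path
from xml.parsers.expat import ExpatError


def read_app_metadata(app_dir):
    """Return {'name', 'bundle_id'} from iTunesMetadata.plist, or None if unusable."""
    meta = Path(app_dir) / "iTunesMetadata.plist"
    if not meta.is_file():
        return None
    try:
        with meta.open("rb") as fh:
            data = plistlib.load(fh)  # auto-detects XML and binary plists
    except (plistlib.InvalidFileException, ExpatError, ValueError, OSError):
        return None  # damaged or truncated file: flag for manual review
    if not isinstance(data, dict):
        return None
    # Key names are assumptions about the plist layout, not taken from the page.
    return {"name": data.get("itemName"),
            "bundle_id": data.get("softwareVersionBundleId")}


def map_app_folders(applications_dir):
    """Map each folder under Applications to its metadata (None = unresolved)."""
    return {d.name: read_app_metadata(d)
            for d in sorted(Path(applications_dir).iterdir()) if d.is_dir()}


def build_sample_tree(root):
    """Constructed sample data standing in for an extracted Applications folder."""
    samples = {
        "AAAA-0001": (plistlib.FMT_BINARY, {"itemName": "Example Chat",
                                            "softwareVersionBundleId": "com.example.chat"}),
        "AAAA-0002": (plistlib.FMT_XML, {"itemName": "Example Notes",
                                         "softwareVersionBundleId": "com.example.notes"}),
    }
    for folder, (fmt, payload) in samples.items():
        (root / folder).mkdir(parents=True)
        with (root / folder / "iTunesMetadata.plist").open("wb") as fh:
            plistlib.dump(payload, fh, fmt=fmt)
    (root / "AAAA-0003").mkdir()                      # no metadata file at all
    (root / "AAAA-0004").mkdir()
    (root / "AAAA-0004" / "iTunesMetadata.plist").write_bytes(b"not a plist")


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(Path(tmp))
        for folder, meta in map_app_folders(tmp).items():
            print(folder, meta or "UNRESOLVED")
```

Run it against a working copy of the extraction, never the original evidence; unresolved folders still hold app data and should be examined by hand.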


Extraction

There are several tools available to extract information out of iOS operating systems:

  • Cellebrite UFED and Physical Analyzer
  • Aceso
  • Oxygen Forensic Suite [[1]]
  • XRY
  • Lantern [[2]]
  • Blacklight [[3]]

Links

Database Parsing Tools - [[4]]