I’ve realized just how important it is to blog vs just do a webcast when I was completing my course updates. I would stumble upon a webcast, but didn’t have time to watch it, so I looked in another direction. This made me realize that I should write down everything I put into a webcast. Will a webcast hold up in course? Do you have time to watch all of them? Seriously, I am curious about the impact so please let me know. In 2019 – I am going to write down what I talk about in webcasts. If I have the time, I may try to blog about my speaking events as well (think Keynotes and SANS Some blogs may be short and sweet, but this way when someone says, “how can I do X” I will point them to my blog.

To kick this one off, I am going to simply discuss a file that stores information on how an iOS device was set up. This is a file that I am asked about a few times a week. In many cases, it matters if the user synced from iCloud, started from scratch or restored from iTunes. So here goes!

First, you should be obtaining an encrypted backup at a minimum. If you have the ability to get a full file system dump, even better. Without encryption, I cannot guarantee that all of the files I plan to discuss in upcoming blogs will exist. Make sure your analytical tool of choice will decrypt the data. If you are trying to do this for free follow the steps below.

Creating and parsing an encrypted iOS backup for FREE:

1. Launch iTunes on your forensic workstation.
2. Make sure you Trust the computer on the iPhone.
3. Create an encrypted backup with a password you will remember (yep, people forget all of the time!).
4. If you aren’t using a commercial tool or one that supports decrypting the backup, you may have to get crafty.
5. I stumbled upon AnyTrans during my updates and it’s pretty sweet. To use this, you must know the password or crack it (refer to other blog posts in my archives.)
6. Launch AnyTrans and it will show you if you have locked backups.
7. Select the locked backup (you know it’s locked because the option is to “unlock” it).
8. Enter the password and the backup will be unlocked! The top portion shown below is how the backup directory will look. The original backup remains and the unlocked version is called BackupUnlock. If you peek inside that directory, you will find the backup with the date it was unlocked.
9. From here, you can load the unlocked backup into iBackupBot or your tool(s) of choice (iExplorer, etc.). Note: Some commercial tools HATE this format and will not support it.

Now let’s get to that file you care about. Once your backup or image is loaded into your tool, you need to locate the following file: /Library/Preferences/. This plist stores the SetupState of the device which will tell you how the device was set up by the user.

If the user selected to restore a backup from iCloud, the will show:

If the user set up the iPhone using iTunes, the will show:

It is worth noting that I am testing on an iOS 12.1.x device and I restored from iTunes in 2 ways to obtain these results. First, I wiped and set up via iTunes and then I also forced a restore of a backup via iTunes. I wanted to be sure the SetupState didn’t change.

If you find that the user restored from iCloud, consider pulling cloud data if you are legally capable of extracting that form of evidence.
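If your tool does not parse the plist for you, the SetupState lookup described in this post can be done by hand once the backup or image has been exported to a normal directory tree. The following is an added example, not code from the original post: it scans a Library/Preferences directory for any plist carrying a top-level SetupState key. The sample file names and the value EXAMPLE_STATE are constructed placeholders, and the exported directory layout is an assumption.

```python
import plistlib
import tempfile
from pathlib import Path
from xml.parsers.expat import ExpatError


def find_setup_state(prefs_dir):
    """Return {plist file name: SetupState value} for every plist in
    prefs_dir that has a top-level SetupState key."""
    hits = {}
    for path in sorted(Path(prefs_dir).glob("*.plist")):
        try:
            with path.open("rb") as fh:
                data = plistlib.load(fh)  # handles XML and binary plists
        except (plistlib.InvalidFileException, ExpatError, ValueError, OSError):
            continue  # truncated or damaged plist: skip it, keep scanning
        if isinstance(data, dict) and "SetupState" in data:
            hits[path.name] = data["SetupState"]
    return hits


def build_sample_prefs(root):
    """Constructed stand-in for an exported Library/Preferences directory.
    File names and values are placeholders, not real iOS artifacts."""
    prefs = Path(root) / "Library" / "Preferences"
    prefs.mkdir(parents=True)
    with (prefs / "example.setup.plist").open("wb") as fh:
        plistlib.dump({"SetupState": "EXAMPLE_STATE"}, fh,
                      fmt=plistlib.FMT_BINARY)
    with (prefs / "example.other.plist").open("wb") as fh:
        plistlib.dump({"Unrelated": 1}, fh, fmt=plistlib.FMT_XML)
    # Damaged binary plist: header only, no object table or trailer.
    (prefs / "example.corrupt.plist").write_bytes(b"bplist00\xff\xff")
    return prefs


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        results = find_setup_state(build_sample_prefs(tmp))
        for name, state in results.items():
            print(f"{name}: SetupState = {state}")
```

Point find_setup_state at the Library/Preferences directory of your own export and record the value exactly as stored alongside the file name.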