iPhone Forensics Tools

The primary purpose of these scripts is to facilitate the extraction of digital evidence from files found on iPhone file systems. Because there are numerous ways to obtain files from iPhones (backups, forensic hardware/software, direct USB access to the “sandbox” location), no attempt is made to automate the discovery of the target files themselves. Instead, the tools present simplified methods for extracting data from the target files, including the address book, call history, SMS, and consolidated databases, as well as obtaining GPS and Apple Store user information from photos, videos, and music files.

I’ll list them in name order and briefly describe them:

  1. iphone_ab
    iphone_ab is a tool to parse the iPhone address book, which is stored in a SQLite file called AddressBook.db.  The tool links two tables to produce a simple output containing first and last name, phone number/email address, record creation date and record modification date.  There is much more data that can be mined from the database, but this is the basic data that interests most investigators.
  2. iphone_ch
    iphone_ch is a tool to parse the iPhone call history, which is stored in a SQLite file called call_history.db.  The tool reads the ‘call’ table and reports the date, call type, phone number, and call duration of each record.  Unix epoch time is converted to local time and call flags are interpreted (Incoming, Outgoing, etc.).
  3. iphone_cs
    iphone_cs is a tool to parse the iPhone consolidated.db, which is a SQLite file that stores GPS data used by apps.  Experimentation shows that one table in particular, the CellLocationLocal table, records the location of the iPhone handset when it runs apps that use location data.  Don’t think location data is restricted to mapping apps: I have seen dictionary apps that ask to use your location.  Now, why is that?  In a word: advertising.  iphone_cs will parse the CellLocation, CellLocationLocal, and WifiLocation tables for GPS data and allow the data to be formatted for mapping tools like gpsbabel or websites like GPSVisualizer.com.
  4. iphone_images
    iphone_images is a tool that will search a path for images and videos (identified by mime type) and provide the EXIF data by use of the excellent exiftool.  Alternatively, files containing GPS data can be parsed to export data suitable for mapping.  Finally, videos purchased through the Apple Store can be sifted for the Apple Store user name and real name of the purchaser.
  5. iphone_music
    iphone_music is a tool that will search a path for audio files, particularly those in the ‘iTunes Control/’ folder (though not restricted to these files).  iTunes uses random filenames for music it transfers to an iPhone or iPod.  The tool, at its most basic level, reveals the song name, album, and artist to help owners identify their device by its content (think recovered stolen device).  The tool can also produce rich metadata, again thanks to exiftool, as well as single out those songs purchased through the Apple Store and report Apple Store credentials, as iphone_images does.
  6. iphone_sms
    iphone_sms is a tool to parse the iPhone SMS database, located in a file called sms.db.  The tool reads the message table and reports the date, message type (sent, received, etc.), phone number, and text message in each record.  Unix epoch time is converted to local time and message flags are interpreted (Sent SMS/MMS, Received MMS, etc.).
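
The approach described for iphone_ch, as an added Python sketch that is not part of the original bash tools: it opens a call_history.db read-only, converts the Unix epoch dates, and interprets the call flags. The column names (address, date, duration, flags) and the flag values 4 and 5 are assumptions based on the commonly documented schema of that era, and the sample database is constructed.

```python
import sqlite3
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# Assumed flag meanings; any other value is reported raw rather than guessed.
CALL_FLAGS = {4: "Incoming", 5: "Outgoing"}

def parse_call_history(db_path, tz=None):
    """Return (date, call type, number, duration in seconds) per 'call' row."""
    # tz=None renders dates in the examiner's local zone; pass timezone.utc
    # for reports that must not depend on the workstation's settings.
    # mode=ro opens the evidence copy read-only, so SQLite cannot alter it.
    uri = Path(db_path).resolve().as_uri() + "?mode=ro"
    con = sqlite3.connect(uri, uri=True)
    try:
        rows = con.execute(
            "SELECT date, flags, address, duration FROM call ORDER BY date"
        ).fetchall()
    finally:
        con.close()
    report = []
    for epoch, flags, number, duration in rows:
        when = datetime.fromtimestamp(epoch, tz=timezone.utc).astimezone(tz)
        call_type = CALL_FLAGS.get(flags, "Unknown (flags=%s)" % flags)
        stamp = when.strftime("%Y-%m-%d %H:%M:%S %z")
        report.append((stamp, call_type, number, duration))
    return report

def build_sample_db(path):
    """Write a constructed call_history.db (assumed schema, made-up numbers)."""
    con = sqlite3.connect(path)
    con.execute("CREATE TABLE call (ROWID INTEGER PRIMARY KEY AUTOINCREMENT, "
                "address TEXT, date INTEGER, duration INTEGER, flags INTEGER)")
    con.executemany(
        "INSERT INTO call (address, date, duration, flags) VALUES (?, ?, ?, ?)",
        [("5550100", 1311638400, 62, 5),
         ("5550101", 1311642000, 0, 4),
         ("5550102", 1311645600, 15, 8)])
    con.commit()
    con.close()

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        sample = str(Path(tmp) / "call_history.db")
        build_sample_db(sample)
        for row in parse_call_history(sample, tz=timezone.utc):
            print("|".join(str(field) for field in row))
```

Reporting unrecognised flag values numerically keeps the output faithful to the evidence when a database uses values this sketch does not map.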

All of the tools, written for BASH, attempt to follow the Unix principle of making one tool do one thing and do it well.  They each have a variety of options that can be read by invoking help, e.g., ‘iphone_sms -h’.  The database tools do not find the target database for you, since your iPhone data may come from a variety of sources (iPhone images, backups, etc.).  Output for all tools is to stdout (the screen) but may be redirected to a file.  For example, to redirect the mapping data from iPhone images and videos, the command ‘iphone_images -m /private/var/mobile/Media > images_gps.txt’ could be used.

Download here: iphone_tools_20110726.tar.gz

 


5 Comments

  1. I believe this really is one of the most vital information for me personally. And I am glad reading your article. But should remark on few general things, The web page style is ideal, the articles really is excellent : D. Good job, cheers

  2. Real informative and superb structure of subject material , now that’s user friendly (:.

  3. A very informative post and lots of really honest and forthright comments made! This definitely got me thinking a whole lot about this concern so cheers a whole lot for dropping!

  4. Amazing article thank you!

  5. Howdy very nice site!! Guy .. Excellent .. Wonderful .. I will bookmark your site and take the feeds additionally…I’m glad to seek out a lot of helpful info right here in the post, we’d like work out more strategies in this regard, thank you for sharing.

