Acquiring iOS 10 Devices with BlackLight

This post is no longer applicable due to new software releases. Please see the new post regarding iOS here.

 

As you may be aware, Apple has announced that iOS 10 will be arriving later this year, but the public beta was released earlier this month (July). Several enthusiasts have already downloaded and installed the iOS 10 beta.

With this version, Apple has changed the format in which iOS creates backups. The change inherently presents an obstacle for most forensic software tools, including BlackLight and Mobilyze. In this blog entry we are going to demonstrate a workaround for obtaining data from iOS 10 devices.

Performing an iTunes Backup

The first step is to perform a backup of the iOS device using iTunes. The computer performing the backup should be running the latest version of iTunes (12.4.1.6). Otherwise iTunes may not recognize the device.

Attach the iOS device to the computer running iTunes and select Trust on the device.


A further notification regarding trust establishment may appear on the computer running iTunes.


Once trust has been established, the iOS device appears in iTunes. At this point the examiner should see an icon representing the device in the upper left corner of iTunes.


Select the device icon, and under Backups select Back Up Now.

Once the backup has been completed, eject the iOS 10 device and close iTunes.

Navigating to the MobileSync/Backup Folder

The iTunes backup we just created can be found in the MobileSync/Backup folder, and is saved with the UDID (Unique Device Identifier) for the iOS 10 device.

On a Mac navigate to:
/Users/<username>/Library/Application Support/MobileSync/Backup

On Windows navigate to:
\Users\<username>\AppData\Roaming\Apple Computer\MobileSync\Backup

Locate and copy the backup folder that was just created for the iOS device using iTunes. Save the folder to a location that is easy to access.


Examining the Backup

Examiners familiar with iOS backups will notice that the structure has changed with iOS 10. Rather than a listing of files, there are now several folders that have two-digit alphanumeric names.


At the end of this folder structure there are four files that we must remove from the backup.


To some these files are a familiar part of iOS backups. They are:
- Info.plist
- Manifest.plist
- Manifest.db
- Status.plist

Copy these four files to another folder for safe keeping. Then, after making sure the four files have been removed from the backup folder, add the backup folder into BlackLight. To do so, use the [Add Folder...] menu option.


BlackLight will parse some files contained in the backup. In particular, pictures and videos will be parsed. Files that are contained within a database or .plist file will not be parsed.


Parsing Files Contained in a Database or .Plist

The name of each file contained within the backup is actually a SHA1 hash of the file's path on the device. It can be calculated by using the Terminal application and running the following command:

printf 'HomeDomain-Library/SMS/sms.db' | openssl sha1

Running the above command will provide the name of the SMS.db file that is contained in the iOS backup. In our example it's 3d07d7e5fb2ce288813306e4d46395e047a3d28.


Now let's return to our iTunes backup folder. Each subfolder is named for the first two digits of the SHA1 file name. So, for the SMS.db file in our example the parent folder is 3d.

Locate the SHA1 file name that was just revealed using the Terminal command: 3d07d7e5fb2ce288813306e4d46395e047a3d28. Export this file to a new folder, and name that folder SMS. Once the file is saved in the SMS folder, rename the file from 3d07d7e5fb2ce288813306e4d46395e047a3d28 to sms.db.

Add the new SMS folder containing the sms.db file to BlackLight.

BlackLight parses the SMS database and displays the contents correctly in the 'Messages' subview.
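The locate, export and rename steps above can be scripted. This is an added example, not BlackBag code: the function names and the constructed backup folder are assumptions, and it also compares a SHA-256 of the exported copy against the file in the backup so the examiner can record that the copy is identical.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path


def backup_file_id(domain: str, relative_path: str) -> str:
    """SHA1 of '<domain>-<relative path>', the name the file has in the backup."""
    return hashlib.sha1(f"{domain}-{relative_path}".encode("utf-8")).hexdigest()


def sha256_of(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def export_from_backup(backup_dir, domain, relative_path, dest_dir):
    """Copy one file out of the backup under its friendly name; return (path, sha256)."""
    file_id = backup_file_id(domain, relative_path)
    source = Path(backup_dir) / file_id[:2] / file_id  # subfolder = first two characters
    if not source.is_file():
        raise FileNotFoundError(f"{domain}-{relative_path} -> {source} not in backup")
    dest_dir = Path(dest_dir)
    dest_dir.mkdir(parents=True, exist_ok=True)
    exported = dest_dir / Path(relative_path).name
    shutil.copy2(source, exported)  # copy, never move: the backup stays untouched
    digest = sha256_of(source)
    if sha256_of(exported) != digest:
        raise IOError("exported copy does not match the backup file")
    return exported, digest


def demo():
    """Build a constructed backup holding one fake sms.db and export it."""
    with tempfile.TemporaryDirectory() as tmp:
        backup = Path(tmp) / "constructed-udid"
        file_id = backup_file_id("HomeDomain", "Library/SMS/sms.db")
        (backup / file_id[:2]).mkdir(parents=True)
        (backup / file_id[:2] / file_id).write_bytes(b"constructed sms.db contents")
        exported, digest = export_from_backup(
            backup, "HomeDomain", "Library/SMS/sms.db", Path(tmp) / "SMS")
        return file_id, exported.name, exported.read_bytes(), digest
```

Point `export_from_backup` at the copied backup folder and an output folder named SMS, then add that folder to BlackLight as described above.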


Examining the Manifest Database

One of the files we copied and removed from the backup folder was Manifest.db. This file contains a listing of all the files on the iOS device, including the SHA1 name, friendly name, relevant paths and an embedded .plist file with other information such as created dates and times.

Copy the Manifest.db file and place it in a folder, then add that folder to the BlackLight case.


Once Manifest.db has been added to the BlackLight case, the examiner can locate items that are relevant to the case by using the built-in find command. To do so, select the [Edit] menu and choose [Find], or type Command-F (Mac) or Control-F (Windows).
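The same lookup can be done outside BlackLight by querying Manifest.db directly. This is an added example, not BlackBag code: it assumes the commonly documented layout of a Files table with fileID, domain, relativePath, flags and file columns (confirm the schema of your own copy first), and the rows it runs on are constructed. It searches by keyword, then checks that each listed file name is the SHA1 of its domain and path and that the file is actually present in the backup folder.

```python
import hashlib
import sqlite3
import tempfile
from pathlib import Path


def file_id(domain, relative_path):
    return hashlib.sha1(f"{domain}-{relative_path}".encode()).hexdigest()


def audit_manifest(manifest_db, backup_dir, keyword=""):
    """Return (matches, missing, mismatched) for rows whose path contains keyword."""
    uri = Path(manifest_db).resolve().as_uri() + "?mode=ro"  # read-only: never write to evidence
    con = sqlite3.connect(uri, uri=True)
    try:
        rows = con.execute(
            "SELECT fileID, domain, relativePath, flags FROM Files "
            "WHERE relativePath LIKE ? ORDER BY domain, relativePath",
            (f"%{keyword}%",)).fetchall()
    finally:
        con.close()
    matches, missing, mismatched = [], [], []
    for fid, domain, rel, flags in rows:
        matches.append((fid, f"{domain}-{rel}"))
        if fid != file_id(domain, rel):
            mismatched.append(fid)
        # assumption: flags value 1 marks a regular file (directories have no payload)
        if flags == 1 and not (Path(backup_dir) / fid[:2] / fid).is_file():
            missing.append(fid)
    return matches, missing, mismatched


def demo():
    """Constructed backup: two manifest rows, only one file present on disk."""
    with tempfile.TemporaryDirectory() as tmp:
        backup, db = Path(tmp) / "backup", Path(tmp) / "Manifest.db"
        sms = file_id("HomeDomain", "Library/SMS/sms.db")
        gone = file_id("HomeDomain", "Library/SMS/Drafts/constructed.plist")
        (backup / sms[:2]).mkdir(parents=True)
        (backup / sms[:2] / sms).write_bytes(b"constructed")
        con = sqlite3.connect(db)
        con.execute("CREATE TABLE Files (fileID TEXT PRIMARY KEY, domain TEXT, "
                    "relativePath TEXT, flags INTEGER, file BLOB)")
        con.executemany("INSERT INTO Files VALUES (?, ?, ?, ?, NULL)", [
            (sms, "HomeDomain", "Library/SMS/sms.db", 1),
            (gone, "HomeDomain", "Library/SMS/Drafts/constructed.plist", 1)])
        con.commit()
        con.close()
        return sms, gone, audit_manifest(db, backup, "SMS")
```

A non-empty `missing` list means the manifest names files that are not in the backup folder, which is worth noting before relying on the export.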

At BlackBag Technologies, we're endeavoring to update our software to work with iOS 10 as soon as possible. However, it most likely will not occur until after iOS 10's “Golden Master” release, since the above process is subject to change by Apple at any time.

As for now, though, this workaround should help. If you have further questions, reach out to us for assistance.

Carpe Datum!