Book Image

iOS Forensics Cookbook

By : Bhanu Birani, Mayank Birani
Book Image

iOS Forensics Cookbook

By: Bhanu Birani, Mayank Birani

Overview of this book

Mobile device forensics is a branch of digital forensics that involves the recovery of evidence or data in a digital format from a device without affecting its integrity. With the growing popularity of iOS-based Apple devices, iOS forensics has developed immense importance. To cater to the need, this book deals with tasks such as the encryption and decryption of files, various ways to integrate techniques withsocial media, and ways to grab the user events and actions on the iOS app. Using practical examples, we’ll start with the analysis keychain and raw disk decryption, social media integration, and getting accustomed to analytics tools. You’ll also learn how to distribute the iOS apps without releasing them to Apple’s App Store. Moving on, the book covers test flights and hockey app integration, the crash reporting system, recovery tools, and their features. By the end of the book, using the aforementioned techniques, you will be able to successfully analyze iOS-based devices forensically.
Table of Contents (13 chapters)

Encrypting and decrypting tools


Another backup format came into the picture using the Manifest file with the extension .abdb. To retrieve these backups, find the file in the backup folder.

The Manifests uses a proper binary format. Nowadays, in open source, plenty of scripts are available to parse the data.

How to do it...

  1. A sample for the Python script to read the Manifest is as follows:

    #!/usr/bin/env python
    import sys
    import shutil
    import os
    import errno
    
    def mkdir_p(path):
    try:
    os.makedirs(path)
    except OSError as exc: # Python >2.5
    if exc.errno == errno.EEXIST:
    pass
    else: raise
    
    def getint(data, offset, intsize):
    """Retrieve an int (big-endian) and new offset from the current offset"""
    value = 0
    while intsize > 0:
    value = (value<<8) + ord(data[offset])
    offset = offset + 1
    intsize = intsize - 1
    return value, offset
    
    def getstring(data, offset):
    """Retrieve a string and new offset from the current offset into the data"""
    if data[offset] == chr(0xFF) and data[offset+1] == chr(0xFF...