Mobile Forensics

Extract Data for Further Analysis


Last updated 3 years ago

iOS Built-in Backup

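  • Windows: https://support.apple.com/guide/itunes/itns3280/windows

  • macOS: https://support.apple.com/guide/iphone/iph3ecf67d29/ios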

libimobiledevice

libimobiledevice is a cross-platform software library that allows you to interact with iOS devices. It can be used to perform a backup of the iPhone data, which may provide useful data for a forensic analysis.

Unlike the other solutions presented in this guide, this backup extracts all the user data from the different applications and thus contains a lot of the user's private information (photos, messages, etc.). Be mindful of what you do with it, and make sure the device owner consents to this extraction and to what is done with the data.

Install

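libimobiledevice has packages for OpenSUSE, Fedora, Debian and Ubuntu Linux distributions. On Debian and Ubuntu, the command-line tools used below ship in the libimobiledevice-utils package, so run apt install libimobiledevice-utils (or the equivalent with your distribution's package manager).

On macOS, the easiest way is to install the HomeBrew package manager, and then use it to install libimobiledevice with brew install ideviceinstaller

There is currently no easy way to install libimobiledevice on Windows; you will have to manually compile it on your system.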

Extract the Backup

Once libimobiledevice is installed, connect your iPhone to your computer and accept the notification asking whether your phone should trust the connected computer.

You can then check that the device is correctly connected to the computer with idevice_id -l:

> idevice_id -l
6ff8a10037495eaf054018ed79fbf0e7e3c5bc2f

You can then back up the system with the command idevicebackup2 backup -d FOLDER, where FOLDER is the directory that will receive the backup (the -d option enables debug output).
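The two commands above can be wrapped so that the backup only starts when exactly one device is attached, the output folder is created with owner-only permissions, and every backup file is hashed for later integrity checks. This is an added example, not part of the original guide or of libimobiledevice; the function names, the umask and the .sha256 manifest file are assumptions of this sketch.

```shell
#!/usr/bin/env bash
# Added example (not from the guide): guarded acquisition wrapper.

# Read `idevice_id -l` output on stdin and print the UDID only when exactly
# one device is listed, so the backup cannot come from the wrong phone.
single_udid() {
    awk '$1 ~ /^[0-9A-Fa-f-]+$/ { n++; id = $1 }
         END { if (n != 1) exit 1; print id }'
}

# Hash every file of the backup into a sibling "<dir>.sha256" manifest and
# print the manifest path; the same tool's -c option can re-check it later.
write_manifest() {
    local dir="${1%/}" tool=sha256sum
    command -v "$tool" >/dev/null || tool="shasum -a 256"   # macOS fallback
    ( cd "$dir" && find . -type f -exec $tool {} + ) > "$dir.sha256" || return 1
    printf '%s\n' "$dir.sha256"
}

# Back up the single attached device into DEST (hypothetical helper).
acquire() {
    local dest="$1" udid
    udid=$(idevice_id -l | single_udid) || {
        echo "expected exactly one trusted device" >&2; return 1; }
    ( umask 077            # backup holds photos and messages: owner-only access
      mkdir -p "$dest" && idevicebackup2 -u "$udid" backup "$dest" ) || return 1
    write_manifest "$dest"
}

# Run only when a destination folder is given on the command line.
if [ "$#" -eq 1 ]; then acquire "$1"; fi
```

Store the manifest with the case notes rather than only next to the backup, so that a later change to the backup files can be detected.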

Extract Data to a Readable Format

The data extracted by libimobiledevice is not in a readable format. To convert it into files as they are on the phone, you have to use another tool such as ideviceunback.

First you need to download and build it:

$ git clone https://github.com/inflex/ideviceunback.git
$ cd ideviceunback
$ make

You can now extract the files from the backup:

./ideviceunback -v -i path/to/backup -o output/path

https://support.apple.com/guide/itunes/itns3280/windows
https://support.apple.com/guide/iphone/iph3ecf67d29/ios