The Association of Digital Forensics, Security and Law (ADFSL)


Apple’s™ iPhone™ is one of the widest selling mobile on the market, thanks to its simple and user-friendly interface and ever growing pool of available high quality applications for both personal and business use. The increasing use of the iPhone leads forensics practitioners towards the need for tools to access and analyze the information stored in the device. This research aims at describing the process to forensically analyze a logical backup of an iPhone made by the Apple iTunes™ utility, understanding the backup’s structure, and creating a simple tool to automate the process of decoding and analyzing the data. In our research of the iPhone backup we identified data of forensic value such as e-mail messages, text and multimedia messages, calendar events, browsing history, GPRS locations, contacts, call history and voicemail recordings can be retrieved using this method of iPhone acquisition.


[1] Mona Bader and Ibrahim Baggili. iPhone 3GS Forensics: Logical analysis using Apple iTunes Backup Utility. Small Scale Digital Device Forensics Journal, 4(1), September 2010.

[2] Understanding file permissions on Unix: a brief tutorial. URL http://www.dartmouth.edu/ rc/help/faq/permissions.html. Retrieved February, 2011.

[3] MBDB and MBDX Format. URL http://code.google.com/p/iphonebackupbrowser/wiki/Mbdb MbdxFormat. Retrieved February, 2011.

[4] SQLite Wikipedia article. URL http://en.wikipedia.org/wiki/SQLite. Retrieved February, 2011.

[5] Plist Wikipedia article. URL http://en.wikipedia.org/wiki/Property\s\do5(l)ist. Retrieved February, 2011.

[6] Mac OS X Reference Library: Keychain Services Concepts, a. URL http://developer.apple.com/library/mac/#documentation/ Security /Conceptual/keychainServConcepts/02concepts/concepts.h tml. Retrieved February, 2011.

[7] Peeking Inside Keychain Secrets, b. URL http://blog.crackpassword.com/2010/08/peeking-insidekeychain-secrets/. Blog post retrieved February, 2011.

[8] Cracking Blackberry Backup Passwords. URL http://blog.crackpassword.com/2010/09/.

[9] Exchangeable image file format for digital still cameras: Exif version 2.2. Technical report, Japan Electronics and Information Technology Industries Association - Technical Standardization Committee on AV & IT Storage Systems and Equipment, April 2002. Retrieved March, 2011, from http://exif.org/Exif2- 2.PDF.

[10] Cfdate reference on mac os x developer library. URL http://developer.apple.com/library/mac/documentation/C oreFoundation/Reference/CFDateRef/Reference/reference. html. Retrieved on March, 2011.




To view the content in your browser, please download Adobe Reader or, alternately,
you may Download the file to your hard drive.

NOTE: The latest versions of Adobe Reader do not support viewing PDF files within Firefox on Mac OS and if you are using a modern (Intel) Mac, there is no official plugin for viewing PDF files within the browser window.