Articles
Now Reading
Logical acquisition of iOS devices with libmobiledevice
0

Logical acquisition of iOS devices with libmobiledevice

Nowadays logical acquisition is the most common type of data extraction from iOS devices during digital forensic investigations. There are a great number of commercial forensic tools capable of doing it. But we would like to show you how to use open source tool for such extraction. There is a cross-platform protocol library called libmobiledevice which can help a digital forensic examiner to communicate with an iOS device and extract data from it via the backup procedure. What is more, the library can unpack the backup to allow the examiner to browse its contents with his or her favorite file manager.

Let’s see how to use libmobiledevice for iOS forensics.

Of course, the first step is downloading the tool. If you use Mac or Linux workstation you can use GitHub. If you prefer Windows – here are the pre-compiled binaries.

Also, you can use Santoku Linux with libmobiledevice pre-installed.

For this example we’ll use the Windows version.

So, unpack the downloaded archive, open cmd.exe and change directory (use cd) to the one you got after unpacking, in our case it’s imobiledevice-1.2.0-r3.

Let’s start from idevice_id.exe and get the Unique Device Identifier (UDID) of the iOS device (don’t forget to plug it to your forensic workstation):

idevice_id.exe -l

We use -l flag to get all the iOS devices connected to our workstation, but in our case it’s just one device,  so the output is: a1151e2a3e3a3919d115da3a61fbb8c995a18963.

Now we can use the device UDID and ideviceinfo.exe to extract a lot of important information about the device:

ideviceinfo.exe -u a1151e2a3e3a3919d115da3a61fbb8c995a18963

Here are the most important parts of the output from the digital forensic point of view:

BluetoothAddress: 8c:00:6d:88:66:93

DeviceName: Oleg’s iPhone

EthernetAddress: 8c:00:6d:88:66:95
FirmwareVersion: iBoot-1940.10.58

InternationalMobileEquipmentIdentity: 013664008370650
InternationalMobileSubscriberIdentity: 250994202332589
MLBSerialNumber: DQ534252G73F294A
ModelNumber: MD128

PhoneNumber: +7 (9**) ***-**-**
ProductType: iPhone3,2
ProductVersion: 7.1.2

SerialNumber: DX3LLQWWDP0N

TimeZone: Europe/Moscow

WiFiAddress: 8c:00:6d:88:66:94

We got a lot of valuable information about the iOS-device, and it’s high time to perform the acquisition. From ideviceinfo.exe output we know that our iPhone is running iOS 7.1.2, so to acquire it we should use idevicebackup2.exe (idevicebackup.exe is used for devices running up to and including iOS 3):

idevicebackup2.exe backup C:\Users\Olly\Desktop\iPhone_logical

After the backup operation is completed we get a directory named after te device UDID, in our case a1151e2a3e3a3919d115da3a61fbb8c995a18963, with the backup files:

backup_weare4n6

These files can be examined with your favorite digital forensic suite – we usually use Belkasoft Evidence Center for it.

If you prefer manual examinations, idevicebackup2.exe can help you to unpack the extracted backup:

idevicebackup2.exe unback C:\Users\Olly\Desktop\iPhone_logical

Now we have another directory – _unback_ – with directory structure browsable with any file manager:

unpacked_backup_weare4n6

As you can see, libmobiledevice library is quite powerful tool for iOS forensics, especially if you prefer using Linux forensic workstation. Its ability to unpack iOS devices backups is also a very important feature for the examiners who prefer performing brief manual analysis of extracted data.

 

About the authors:

Igor Mikhaylov

Interests: Computer, Cell Phone & Chip-Off Forensics

Oleg Skulkin

Interests: iOS forensics, Android forensics, Mac OS X forensics, Windows forensics, Linux forensics