Using Autopsy for iTunes/iOS backup parsing. Is there anything on the horizon for the parsing of an iOS tar file?
Do you mean to parse the backup file and map the hash-named files to real paths? Or do you mean to parse more iOS files (such as plists, app databases, etc.)?
We have an outdated iOS module that has never been released. We don’t have code for the backup file parsing.
I was looking to parse out an iOS backup made by iTunes and see the files and folders in Autopsy.
Hi Doug,
Are you looking for something like the following?
iTunes Backup directory on a Windows machine
iTunes backup added into Autopsy as a datasource, from an image, so you can look at the directory structure and see the actual files named properly and in their proper directory that can then be searched, extracted, etc… like a normal image in Autopsy.
Kind regards.
Mark
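What mapping the hash-named files back to real paths involves, as an added example that is not part of the original thread and not the plugin's code. It assumes an unencrypted backup in the iOS 10+ layout (a `Manifest.db` SQLite file whose `Files` table holds `fileID`, `domain`, `relativePath`, `flags`, with each file stored under a folder named after the first two hex characters of its `fileID`); the function names and the sample backup are constructed for illustration.

```python
import hashlib
import os
import shutil
import sqlite3
import tempfile

def build_sample_backup(root):
    """Constructed sample backup: one normal entry, one path-traversal entry."""
    con = sqlite3.connect(os.path.join(root, "Manifest.db"))
    con.execute("CREATE TABLE Files (fileID TEXT, domain TEXT, "
                "relativePath TEXT, flags INTEGER, file BLOB)")
    for domain, rel in [("HomeDomain", "Library/SMS/sms.db"),
                        ("HomeDomain", "../../escape.txt")]:
        fid = hashlib.sha1(f"{domain}-{rel}".encode()).hexdigest()
        os.makedirs(os.path.join(root, fid[:2]), exist_ok=True)
        with open(os.path.join(root, fid[:2], fid), "wb") as fh:
            fh.write(b"constructed sample data")
        con.execute("INSERT INTO Files VALUES (?, ?, ?, 1, NULL)", (fid, domain, rel))
    con.commit()
    con.close()

def restore_backup_tree(backup_dir, out_dir):
    """Copy hash-named files to out_dir/<domain>/<relativePath>; return (restored, skipped)."""
    out_root = os.path.realpath(out_dir)
    con = sqlite3.connect(os.path.join(backup_dir, "Manifest.db"))
    rows = con.execute("SELECT fileID, domain, relativePath FROM Files "
                       "WHERE flags = 1").fetchall()  # flags 1 = regular file
    con.close()
    restored, skipped = [], []
    for file_id, domain, rel in rows:
        # fileID is the SHA-1 of "<domain>-<relativePath>"; reject rows that disagree.
        expected = hashlib.sha1(f"{domain}-{rel}".encode()).hexdigest()
        dst = os.path.realpath(os.path.join(out_root, domain, rel))
        inside = os.path.commonpath([out_root, dst]) == out_root
        src = os.path.join(backup_dir, expected[:2], expected)
        # Manifest paths are evidence-controlled input: never write outside out_dir.
        if file_id != expected or not inside or not os.path.isfile(src):
            skipped.append((file_id, domain, rel))
            continue
        os.makedirs(os.path.dirname(dst), exist_ok=True)
        shutil.copy2(src, dst)
        restored.append(os.path.relpath(dst, out_root).replace(os.sep, "/"))
    return sorted(restored), skipped

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as b, tempfile.TemporaryDirectory() as o:
        build_sample_backup(b)
        print(restore_backup_tree(b, o))
```

The restored folder can then be added to Autopsy as a logical file source; skipped rows are worth recording in the case notes rather than discarding.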
Mark,
I got your plugin and thanks for creating it. I have a full file system extraction from an iPhone that was provided to me in a zip format. I would like to mount the zip files and have Autopsy read the filesystem. With the new Autopsy 4.14 they have APFS support so it should be able to see newer iPhone extractions. My problem now is that Autopsy will not ingest a zip file. I mounted the zip files in FTK Imager and pointed Autopsy at the drive letter without success. I then created an e01 of the mounted zipped files without success…
So the question now is how do I get Autopsy to see a zip file from an APFS file system so I can process it in Autopsy?
Dear Doug,
Can you please try the following:
- Create a copy of the ZIP file.
- Extract the content of this copy of the ZIP file to a folder.
- Add this folder as a Logical Source in Autopsy.
- Run a few modules like Hash, File Type Identification, Exif, Keyword Search, Ext Mismatch, Embedded File Extractor, etc.
This should parse your extracted folder like the above screens from [Mark_McKinnon]'s reply.
Alternatively, you can use the free iTunes Backup Viewer from http://www.imactools.com/iphonebackupviewer/
You will only get success if your iTunes backup is not encrypted.
Hope this helps; do let us know if this works.
Regards
I have to extract the zip file into a folder, then Autopsy parsed out the folder. I thought I could use a .zip file as my source and Autopsy would open the zip and process the files within.
Hi
Autopsy supports parsing zip files directly, but for that you need to run the Embedded File Extractor module during ingestion.
But I don’t know whether it would parse the database, plist and other app files to extract contacts, calls, SMS, and other structured data generally stored in SQLite DBs.
I tried it by changing a UFED ufdr file extension to zip; it parsed it fully, and then I ran the Android module, which gave contacts, calls and SMS but did not parse WhatsApp and other DBs, although they were available in the ufdr files as it was from a physical extraction.
Hope this helps.
Regards
I wanted to use a zip file as my evidence file but Autopsy only takes Data Source of e01, dd, raw, bin, vhd and vmdk.
Unzip and use the folder option.
Hi,
You can parse ZIP files in Autopsy; you just need to add them as a logical file set. See here.
Below is the screenshot which shows the parsed UFED UFDR file, which is basically a zip archive.
Just don’t forget to run the Embedded File Extractor module during ingestion.
Hope this helps,
Regards
Darn, it didn’t work for me. I took a sample UFDR, renamed it to a ZIP, and added it as a Logical File, and then ran the Embedded File module during ingestion. Unfortunately, nothing showed up in the Results tree, especially for Call Log and Messages.
Is there any other way to import and parse an iTunes backup file?
Thanks.
How can I do forensics with an Android phone? Can someone explain it briefly?
How to add an Android phone in Autopsy?
How to install Python plugins?
How to download Python plugins?
Can someone tell me briefly?
in the case i also briefly to the otherone