iLeapp module not finding any artifacts

I did an unencrypted backup of an iphone using iTunes and then used native iLeapp and was able to find artifacts in it such as wifi networks used, bluetooth used and safari bookmarks.

When I used that same backup file in Autopsy 4.19.3 with iLeapp module itself, the module output indicates that nothing was found when searching the for the artifact files. I combined that with the ‘recent activity’ module to hopefully at least see the bookmarks but no joy.

I think I’m either doing the ingest wrong or the module is broken?

When I started my autopsy case I pointed directly to the folder on disk where the backup from iTunes is (C:\Users\my-username\AppData\Roaming\Apple Computer\MobileSync\Backup\foldername).

Can anybody shed light on this? Am I doing something wrong? From the docs it appears that autopsy is supposed to process the backup into tsv files and then using a config file to map that to autopsy artifacts, but it really appears that the module isn’t finding anything.

Thanks.

Ileapp in Autopsy will not process iTunes backups at this time. That is why you are not seeing anything get processed. When you use iLeapp GUI it auto detects if you are using a type of fs or iTunes, since Autopsy uses the command line program of iLeapp and picks the type based on the data source type you are using. Code can be added to allow it to do the iTunes backup and I plan to do so when time permits.

Hi Mark, thanks for the information. What type of capture will the command line version allow for? Would I need to do an image with something like Axiom first? Just not sure what my options are in regards to this.

Thanks.