Workflow for ingesting iOS messages from iTunes backup so that individual messages appear on timeline

Ordinarily, my digital forensic activities occur in circumstances where there is no chance whatsoever of my work product seeing the light of day. Instead, I am confirming (and anticipating) other people’s work. However, that may be about to change with a specific matter, so I want to have my ducks in a row as much as possible.

I have never had much luck ingesting data from iOS iTunes backups using Autopsy. In fact, it seems my success rate has regressed as of late, but that may be the product of the particular iOS versions I have been working with. I am comfortable with the general aspects of iOS mobilesync backups, and I have my favorite (mostly Python) utilities for accessing iOS backups, with which I have a very good success rate, but what I don’t have experience with is generating data outputs outside of Autopsy for the purpose of ingesting them into an Autopsy case.

Any pointers that you can provide on the topic of ingesting text messages from iOS backups are greatly appreciated, especially if they pertain to parsing texts from backups into a format compatible with Autopsy. I don’t have the datasets in front of me, but I believe they include backups of iOS 9.3 and 10.2.

You can just ingest them and look around, but that will probably not yield much unless you know what everything is named. At this point Autopsy does not support running iLEAPP with an iTunes backup; I hope to add this soon. The only possible option is to try to use the third-party module that parses iTunes backups: Autopsy-Plugins/iTunes_Backup at master · markmckinnon/Autopsy-Plugins (github.com). This also may not work if the backup is not in the directory “Apple Computer/MobileSync/Backup”. If you try using that plugin and it does not work, then DM me and I can try to help with the plugin.

Thanks for the response, Mark. You confirmed what I suspected, and I ended up using iLEAPP and a couple of additional Python packages to analyze the iOS backups, which is my normal approach.

I’m keeping my fingers crossed that my work on this project will not be subject to third-party scrutiny, which affords me the luxury of adopting an analytical approach that is a bit more fast and loose compared to many of you (I am a consultant who advises clients with respect to sensitive, non-criminal investigations).

Is there a widely accepted best practice for incorporating results from external, non-Autopsy sources, such as iLEAPP, or is the best approach to just point Autopsy to the folder containing the output for ingestion?
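
Added example, not part of the original thread and not code from Autopsy, iLEAPP or the plugin mentioned above: one way to pull individual messages with UTC timestamps out of an unencrypted iTunes backup, covering both the flat layout of older backups and the two-character subfolder layout of iOS 10 and later. The function names, output fields and sample database are constructed for illustration, and the output is generic rows, not a format that Autopsy defines.

```python
import hashlib, sqlite3
from datetime import datetime, timedelta, timezone
from pathlib import Path

APPLE_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)

def backup_file_id(domain, relative_path):
    """A backed-up file is stored under SHA-1('<domain>-<relativePath>')."""
    return hashlib.sha1(f"{domain}-{relative_path}".encode()).hexdigest()

def locate_sms_db(backup_dir):
    fid = backup_file_id("HomeDomain", "Library/SMS/sms.db")
    # iOS 10+ places files in a two-hex-character subfolder; older backups are flat.
    for candidate in (Path(backup_dir, fid[:2], fid), Path(backup_dir, fid)):
        if candidate.is_file():
            return candidate
    raise FileNotFoundError(f"sms.db ({fid}) not found under {backup_dir}")

def apple_time(raw):
    """message.date counts from 2001-01-01 UTC: seconds, or nanoseconds on iOS 11+."""
    seconds = raw / 1e9 if raw > 10**11 else raw
    return (APPLE_EPOCH + timedelta(seconds=seconds)).isoformat()

def read_messages(sms_db):
    # Read-only URI open so the query cannot alter the file; still use a working copy.
    con = sqlite3.connect(Path(sms_db).resolve().as_uri() + "?mode=ro", uri=True)
    try:
        rows = con.execute(
            "SELECT m.date, m.is_from_me, h.id, m.text FROM message m "
            "LEFT JOIN handle h ON h.ROWID = m.handle_id ORDER BY m.date").fetchall()
    finally:
        con.close()
    return [{"utc": apple_time(d), "direction": "sent" if me else "received",
             "party": party, "text": text} for d, me, party, text in rows]

def build_constructed_backup(root, sharded):
    """Constructed sample data: a minimal sms.db placed where a backup would hold it."""
    fid = backup_file_id("HomeDomain", "Library/SMS/sms.db")
    target = Path(root, fid[:2], fid) if sharded else Path(root, fid)
    target.parent.mkdir(parents=True, exist_ok=True)
    con = sqlite3.connect(target)
    con.executescript("""
        CREATE TABLE handle (ROWID INTEGER PRIMARY KEY, id TEXT);
        CREATE TABLE message (ROWID INTEGER PRIMARY KEY, text TEXT, handle_id INTEGER, date INTEGER, is_from_me INTEGER);
        INSERT INTO handle VALUES (1, '+15555550100');
        INSERT INTO message VALUES (1, 'constructed inbound', 1, 500000000, 0);
        INSERT INTO message VALUES (2, 'constructed outbound', 1, 500000060, 1);
    """)
    con.commit()
    con.close()
```

Point `locate_sms_db` at a working copy of the backup folder and pass the result to `read_messages`; `build_constructed_backup` only creates the sample data.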