Monday, May 12, 2014

Daily Blog #323: Sunday Funday 5/11/14 Winner!

Hello Reader,
      It's interesting to me what generates responses and what does not. I'll be honest I thought this weeks question was a bit easy since Hal really went into detail on it, but even with that I got very few responses. These aren't trick questions :) Give them a shot as my year of blogging is almost up and I don't know what I'll do after. With that said, returning Champion Darren Windham has stolen the win this week!

The Challenge:
1.Explain, with examples if possible, what you can recover from an encrypted iTunes backup on an OSX system from a iOS device. 
2. What could be done with the recoverable information

The Winning Answer:
 Darren Windham


1.        Even with an encrypted iTunes backup there are still plists (info, manifest, and status) related to the backups that are still readable that contain relevant data to an investigation.  Some artifacts that can be recovered include
·         Listing of applications installed
·         Hardware information (Device type, IOS Version, Serial Number, IEMI, Device name, Date of backup, phone number, iTunes version,  other preferences (embedded/nested plist)
·         Manifest.mbdb includes a list of the filenames, timestamps, MAC info, and SHA1
2.        This information can be used to show relevant data related to the case contained within the backup and may be able to assist in working with the owner to cooperate and provide the password depending on the case if it’s criminal, legal, or an internal HR type of investigation.  Some specific situations would be if you can show a chat or file sharing application was installed on the device it may contain relevant data to the case. 
While none of this may be considered a “smoking gun” for your investigation but it could aid in providing additional facts that may support additional investigation or provide additional findings relevant to the case.