An Open Source iOS Backup Examination Tool

Last year, a team from the University of New Haven’s Cyber Forensics Research & Education Group / Lab introduced at the Association of Digital Forensics, Security and Law conference an open source iOS backup forensics examination tool.

From the abstract, authors Ibrahim Baggili, Shadi Al Awawdeh, Jason Moore write:

“This tool helps both researchers and practitioners alike in both understanding the backup structures of iOS devices and forensically examining iOS backups. The tool is currently capable of parsing device information, call history, voice messages, GPS locations, conversations, notes, images, address books, calendar entries, SMS messages, Aux locations, facebook data and e-mails. The tool consists of both a manual interface (where the user is able to manually examine the backup structures) and an automated examination interface (where the tool pulls out evidence from known files). Additionally, LiFE is designed so that the evidence located in files would retain its integrity. It is important to note that most of the evidence examined by LiFE is parsed from SQLite databases that are backed up by iTunes. LiFE also offers an extensibility option to the user, where an examiner can add new evidence SQLite files to the application that can be automatically parsed, and these known files are then automatically populated in the automated GUI’s toolbar with an icon added to the investigator’s liking.”

You can download the tool here.

Source: ADFSL

< Prev   Next >

Item of Interest

The language barrier between English-speaking investigators and Spanish-speaking witnesses is a growing problem. (Updated 28 February 2011)