Difference between revisions of "ITunes Backup"

From The iPhone Wiki
Jump to: navigation, search
m (iBooks Data 2: typo)
m (Location BPList: correct typo (dcit-->dict))
 
(10 intermediate revisions by 7 users not shown)
Line 1: Line 1:
 
{{lowercase}}
 
{{lowercase}}
The following description is to describe the '''backup system of [[iTunes]]''', which is often used for forensic analysis of iDevices. This description is for the format used in the latest iTunes 10.5.3 - older versions are slightly different (see [[Understanding iPhone Backup Files|old article]]). The description is only for non-encrypted backups.
+
The following description is to describe the '''backup system of [[iTunes]]''', which is often used for forensic analysis of iDevices. This description is for the format used in iTunes 10.5.3 an newer - older versions are slightly different (see [[Understanding iPhone Backup Files]]). The description is for non-encrypted backups only.
   
On the iDevice there is a file <code>/System/Library/Backup/Domains.plist</code> which determines what files to backup. There is a differentiation between "domains" and relative files.
+
On the iDevice the file <code>/System/Library/Backup/Domains.plist</code> determines what files to backup. There is a differentiation between "domains" and relative files.
   
In the backup location (see below) there are all backups that iTunes has made so far. Every backup folder has a name made of 20 bytes in hex numbers (lower case) for a full backup. A differential backup has the same folder name, but appened with a dash and the ISO date of the backup (8 digit yyyymmdd) and a dash and the time in 24-hour format with seconds.
+
In the backup location (see below) there are all backups that iTunes has made so far. Every backup folder name corresponds to the [[UDID]] of the device for a full backup. A differential backup has the same folder name, but appened with a dash and the ISO date of the backup (8 digit yyyymmdd) and a dash and the time in 24-hour format with seconds.
   
 
In each backup, there are four files with infos, which are described later:
 
In each backup, there are four files with infos, which are described later:
Line 16: Line 16:
 
SHA1('HomeDomain-Library/SMS/sms.db') = 3d0d7e5fb2ce288813306e4d4636395e047a3d28
 
SHA1('HomeDomain-Library/SMS/sms.db') = 3d0d7e5fb2ce288813306e4d4636395e047a3d28
 
It is not clear what would happen in case of hash collisions. Probably Apple assumes it won't happen.
 
It is not clear what would happen in case of hash collisions. Probably Apple assumes it won't happen.
  +
  +
The data itself is encrypted with AES-256 CBC.
   
 
===iTunes backup location===
 
===iTunes backup location===
*Windows XP: <code>%HOMEPATH%\Application Data\Apple Computer\MobileSync\Backup\</code>
+
*Windows XP: <code>%HOMEPATH%\Application Data\Apple Computer\MobileSync\Backup\{UDID}</code>
*Windows Vista / Windows 7: <code>%HOMEPATH%\AppData\Roaming\Apple Computer\MobileSync\Backup\</code>
+
*Windows Vista/7/8: <code>%HOMEPATH%\AppData\Roaming\Apple Computer\MobileSync\Backup\{UDID}</code> or <code>%APPDATA%\Apple Computer\MobileSync\Backup\{UDID}</code>
*OS X: <code>~/Library/Application Support/MobileSync/Backup/</code>
+
*OS X: <code>~/Library/Application Support/MobileSync/Backup/{UDID}</code>
   
 
=== Info.plist ===
 
=== Info.plist ===
Line 85: Line 87:
 
*1.2 (dict):
 
*1.2 (dict):
 
**BKBookmark (array of dict):
 
**BKBookmark (array of dict):
***[x] dict:
+
***[0] dict:
 
****bookDatabaseKey (string)
 
****bookDatabaseKey (string)
 
****date (integer)
 
****date (integer)
Line 120: Line 122:
 
***index (integer): 32
 
***index (integer): 32
 
***tagName (string): div
 
***tagName (string): div
**[1] dcit
+
**[1] dict
 
***index (integer): 3
 
***index (integer): 3
 
***tagName (string): p
 
***tagName (string): p
Line 183: Line 185:
 
6 bytes: 'mbdb\5\0'
 
6 bytes: 'mbdb\5\0'
 
==== Record (variable size) ====
 
==== Record (variable size) ====
string Domain
+
string Domain Backup domain (one of
  +
"AppDomain-com.some.user.installed.app",
string Path
 
  +
"CameraRollDomain",
  +
"DatabaseDomain"
  +
"HomeDomain",
  +
"KeychainDomain",
  +
"ManagedPreferencesDomain",
  +
"MediaDomain",
  +
"MobileDeviceDomain",
  +
"RootDomain",
  +
"SystemPreferencesDomain",
  +
"WirelessDomain",
  +
... others?
  +
string Path
 
string LinkTarget absolute path
 
string LinkTarget absolute path
string DataHash SHA-1, some files only
+
string DataHash SHA-1 of file contents, actual file objects only
string unknown always N/A
+
string encryptionKey Encryption key for encrypted backups
uint16 Mode file mode: Axxx symbolic link
+
uint16 Mode Unix file permissions. See /usr/include/stat.h and stat(2)
4xxx directory
+
file mode: 0xAxxx symbolic link (aka S_IFLNK or 00120000)
8xxx regular file
+
0x4xxx directory (aka S_IFDIR or 0040000)
meaning of xxx is unknown, corresponds to the Mode field in the old backup data
+
0x8xxx regular file (aka S_IFREG or 0100000)
  +
Mask out ~ 0xf000 (aka S_IFMT) for file permissions
uint32 unknown always 0
 
  +
uint32 ctime time of last change of status
uint32 Time3
 
uint32 unknown
+
uint32 inode inode number
uint32 UserId
+
uint32 uid owner
uint32 GroupId mostly 501 for apps
+
uint32 gid group
uint32 Time1 relative to Unix epoch (time_t)
+
uint32 mtime time of last modification
uint32 Time2 Time1 or Time2 is the former ModificationTime
+
uint32 atime time of last access
uint64 FileLength always 0 for link or directory
+
uint64 length file size (always 0 for link or directory)
uint8 Flag 0 if special (link, directory), otherwise unknown
+
uint8 protectionclass unknown
 
uint8 PropertyCount number of properties following
 
uint8 PropertyCount number of properties following
 
Property is a couple of strings:
 
Property is a couple of strings:
Line 206: Line 220:
 
string value can be a string or aa binary content
 
string value can be a string or aa binary content
 
All values are big endian, strings are composed of a uint16 that contains the length or 0xffff for NULL, then the characters in UTF-8 with canonical decomposition (Unicode normalization form D).
 
All values are big endian, strings are composed of a uint16 that contains the length or 0xffff for NULL, then the characters in UTF-8 with canonical decomposition (Unicode normalization form D).
  +
  +
To determine the actual filename corresponding to a record (this will be the actual file in the mobile backup directory), calculate a sha-1 checksum of the Domain and Path seperated by '-' as follows:
  +
SHA1(<Domain>-<Path>)
  +
  +
It is possible to modify files in a mobile backup by understanding this structure as well. If you change the file contents, update the DataHash and length
   
 
=== Manifest.plist ===
 
=== Manifest.plist ===
Line 289: Line 308:
 
|-
 
|-
 
|HomeDomain
 
|HomeDomain
|Library/SMS/sms.db
+
|[[Messages#Serialization|Library/SMS/sms.db]]
 
|3d0d7e5fb2ce288813306e4d4636395e047a3d28
 
|3d0d7e5fb2ce288813306e4d4636395e047a3d28
 
|-
 
|-
Line 297: Line 316:
 
|-
 
|-
 
|HomeDomain
 
|HomeDomain
|Library/Notes/notes.sqlite
+
|[[Notes|Library/Notes/notes.sqlite]]
 
|ca3bc056d4da0bbf88b5fb3be254f3b7147e639c
 
|ca3bc056d4da0bbf88b5fb3be254f3b7147e639c
 
|-
 
|-
 
|WirelessDomain
 
|WirelessDomain
|Library/CallHistory/call_history.db
+
|[[Call History Database|Library/CallHistory/call_history.db]]
 
|2b2b0084a1bc3a5ac8c27afdf14afb42c61a19ca
 
|2b2b0084a1bc3a5ac8c27afdf14afb42c61a19ca
 
|}
 
|}
Line 307: Line 326:
 
== References ==
 
== References ==
 
*[[:/System/Library/Backup]]
 
*[[:/System/Library/Backup]]
*[[Backup the iPhone Flash for restore without iTunes]]
 
 
*[[Understanding iPhone Backup Files]]
 
*[[Understanding iPhone Backup Files]]
 
*[http://www.ssddfj.org/papers/SSDDFJ_V4_1_Bader_Bagilli.pdf iPhone 3GS Forensics]
 
*[http://www.ssddfj.org/papers/SSDDFJ_V4_1_Bader_Bagilli.pdf iPhone 3GS Forensics]
Line 313: Line 331:
 
*[http://stackoverflow.com/questions/6569004/how-to-parse-the-manifest-mbdb-file-in-an-ios-5-0-beta-2-without-manifest-mbdx SHA-1 hash generation]
 
*[http://stackoverflow.com/questions/6569004/how-to-parse-the-manifest-mbdb-file-in-an-ios-5-0-beta-2-without-manifest-mbdx SHA-1 hash generation]
 
*[http://code.google.com/p/iphonebackupbrowser/wiki/MbdbMbdxFormat description of mbdx and mbdb files]
 
*[http://code.google.com/p/iphonebackupbrowser/wiki/MbdbMbdxFormat description of mbdx and mbdb files]
  +
  +
[[Category:File Formats]]

Latest revision as of 06:40, 26 September 2016

The following description is to describe the backup system of iTunes, which is often used for forensic analysis of iDevices. This description is for the format used in iTunes 10.5.3 an newer - older versions are slightly different (see Understanding iPhone Backup Files). The description is for non-encrypted backups only.

On the iDevice the file /System/Library/Backup/Domains.plist determines what files to backup. There is a differentiation between "domains" and relative files.

In the backup location (see below) there are all backups that iTunes has made so far. Every backup folder name corresponds to the UDID of the device for a full backup. A differential backup has the same folder name, but appened with a dash and the ISO date of the backup (8 digit yyyymmdd) and a dash and the time in 24-hour format with seconds.

In each backup, there are four files with infos, which are described later:

  • Info.plist
  • Manifest.mdbd
  • Manifest.plist
  • Status.plist

There are also the files themselves, but with a new file name.

The file names are made by a SHA-1 hash of their name, together with their path and domain. Between the domain and the path there is a dash. Example:

SHA1('HomeDomain-Library/SMS/sms.db') = 3d0d7e5fb2ce288813306e4d4636395e047a3d28

It is not clear what would happen in case of hash collisions. Probably Apple assumes it won't happen.

The data itself is encrypted with AES-256 CBC.

iTunes backup location

  • Windows XP: %HOMEPATH%\Application Data\Apple Computer\MobileSync\Backup\{UDID}
  • Windows Vista/7/8: %HOMEPATH%\AppData\Roaming\Apple Computer\MobileSync\Backup\{UDID} or %APPDATA%\Apple Computer\MobileSync\Backup\{UDID}
  • OS X: ~/Library/Application Support/MobileSync/Backup/{UDID}

Info.plist

This is a plaintext plist that contains the following dict:

  • Build Version (string): 9A406 (iOS build version of the device that was backed up)
  • Device Name (string): (name of the device that was backed up)
  • Display Name (string): (name of the device that was backed up)
  • GUID (string): unknown 16-byte GUID without any dashes
  • ICCID (string)
  • IMEI (string)
  • Last Backup Date (date): format "yyyy-mm-ddThh:mm:ssZ"
  • Phone Number (string)
  • Product Type (string): iPhone4,1
  • Product Version (string): 5.0.1
  • Serial Number (string)
  • Sync Settings (dict):
    • Calendar Day Limit (integer): 30
    • Calendars Collections: (array of dict, 1 element):
      • AMSCollectionDisplayName (string): Calendar
      • AMSCollectionFiltered (bool): false
      • AMSCollectionName (string): Calendar
      • AMSCollectionReadOnly (bool): false
    • Data Class Info: (array of dict, 5 elements)
      • [0] dict:
        • kAMSDataClassEnabled (bool): false
        • kAMSDataClassName (string): com.apple.Bookmarks
        • kAMSDataClassReset (bool): false
      • [1] dict:
        • kAMSDataClassEnabled (bool): false
        • kAMSDataClassName (string): com.apple.Calendars
        • kAMSDataClassReset (bool): false
      • [2] dict:
        • kAMSDataClassEnabled (bool): false
        • kAMSDataClassName (string): com.apple.Accounts
        • kAMSDataClassReset (bool): false
      • [3] dict:
        • kAMSDataClassEnabled (bool): false
        • kAMSDataClassName (string): com.apple.MailAccounts
        • kAMSDataClassReset (bool): false
      • [4] dict:
        • kAMSDataClassEnabled (bool): true
        • kAMSDataClassName (string): com.apple.Notes
        • kAMSDataClassReset (bool): false
    • New Record Calendar Name (string): Home
    • iTunes User ID (string): (8-byte hex code)
  • Target Identifier (string): 20-byte hex code
  • Terget Type (string): Device
  • Unique Identifier (string): same 20-byte hex code
  • iBooks Data 2 (data): (base-64 encoded blob, see below)
  • iTunes Files (dict):
    • IC-Info.siv (data): (base-64 encoded blob, see below)
    • PhotosFolderAlbums (data): (base-64 encoded blob, see below)
    • PhotosFolderName (data): (base-64 encoded blob, see below)
    • PhotosFolderPrefs (data): (base-64 encoded blob, see below)
    • ShowMarketing (data): (empty)
    • iTunesPrefs (data): (base-64 encoded blob, see below)
    • iTunesPrefs.plist (data): (base-64 encoded blob, see below)
  • iTunes Settings (dict):
    • LibraryApplications (array of string): The array of string contains the identification string of each application, for example com.apple.store.caseprogram
  • iTunes Version (string): 10.5.3

iBooks Data 2

This blob is actually another plist (dict):

  • 1.2 (dict):
    • BKBookmark (array of dict):
      • [0] dict:
        • bookDatabaseKey (string)
        • date (integer)
        • deletedFlag (bool)
        • highlightColor (integer)
        • lastModification (integer)
        • locationBPlist (data): (base-64 encoded blob, see below)
        • ordinal (integer)
        • serverSyncUniqueId (string): Reading Location
        • type (integer): 1
  • CollectionsData-1.2 (dict):
    • BKCollection (array of 2 dict):
      • [0] dict:
        • databaseKeys (array): (empty)
        • lastModification_Since1970 (integer)
        • ServerSyncUniqueId (string): Pdfs_Collenction_ID
        • sortKey (integer): -2
        • title (string): PDFs
      • [1] dict:
        • databaseKeys (array): (empty)
        • lastModification_Since1970 (integer)
        • ServerSyncUniqueId (string): Pdfs_Collenction_ID
        • sortKey (integer): -1
        • title (string): Books
    • rolling_version (integer): 17
Location BPList

This is actually a binary plist with the following content (dict): (example):

  • class (string): BKEpubLocation
  • endOffset (real): 0,0
  • endPath (array of dict):
    • [0] dict
      • id (string): seeAlsoSection
      • index (integer): 32
      • tagName (string): div
    • [1] dict
      • index (integer): 3
      • tagName (string): p
  • startOffset (real): 0.0
  • startPath (array of dict):
    • [0] dict:
      • id (string): seeAlsoSection
      • index (integer): 32
      • tagName (string): div
    • [1] dict:
      • index (integer): 3
      • tagName (string): p
  • super (dict):
    • class (string): BKLocation
    • ordinal (integer): 3

IC-Info.siv

binary file, content unknown

PhotosFolderAlbums

frpd binary file. Starts with 0x66 0x72 0x70 0x64 ('frpd'). Then only very few bytes and the content is mostly zero. Then at 0x68 and 0x26C, 0x470, 0x674, etc. there are folder names (in unicode, starting with the name length).

PhotosFolderName

A 0x200 byte long file, starting with the text "Pictures" (in unicode) and the name length before it. Rest filled with zeroes.

iTunesPrefs

This is another frpd file. It contains names of computers found on the network, like iPodPrefs below.

iTunesPrefs.plist

plist with this content (dict):

  • ApplicationIDs (array of string): list of applications (like com.apple.iBooks
  • AudiobookPlaylistIDs (array): (empty)
  • AudioTrackIDs (array): (empty)
  • BookTrackIDs (array of integer): (signed long integer values)
  • LibraryBookTrackIDs (array of integer): (signed long integer values)
  • MoviePlaylistIDs (array): (empty)
  • MovieTrackIDs (array): (empty)
  • MusicAlbumIDs (array): (empty)
  • MusicArtistIDs (array): (empty)
  • MusicGenreNames (array): (empty)
  • MusicPlaylistIDs (array of integer): (signed long integer values)
  • MusicTrackIDs (array): (empty)
  • PodcastChannelIDs (array): (empty)
  • PodcastPlaylistIDs (array): (empty)
  • PodcastTrackIDs (array of integer): (signed long integer values)
  • RingtoneTrackIDs (array): (empty)
  • TVShowAlbumIDs (array): (empty)
  • TVShowNames (array): (empty)
  • TVShowPlaylistIDs (array): (empty)
  • TVShowTrackIDs (array): (empty)
  • iPodPrefs (data): (base-64 encoded blob, see below)
  • iTunesUChannelIDs (array): (empty)
  • iTunesUPlaylistIDs (array): (empty)
  • iTunesUTrackIDs (array): (empty)
iPodPrefs

frpd file, content unknown, but it contains server names on the network it was sync'd to, like iTunesPrefs above.

Manifest.mbdb

Binary file containing many text strings. Probably a database of file names in the backup. Format (from here):

Header

6 bytes: 'mbdb\5\0'

Record (variable size)

string Domain        Backup domain (one of
                       "AppDomain-com.some.user.installed.app",
                       "CameraRollDomain",
                       "DatabaseDomain"
                       "HomeDomain",
                       "KeychainDomain",
                       "ManagedPreferencesDomain",
                       "MediaDomain",
                       "MobileDeviceDomain",
                       "RootDomain",
                       "SystemPreferencesDomain",
                       "WirelessDomain",
                       ... others?
string Path              
string LinkTarget    absolute path
string DataHash      SHA-1 of file contents, actual file objects only
string encryptionKey      Encryption key for encrypted backups
uint16 Mode           Unix file permissions. See /usr/include/stat.h  and stat(2)
                               file mode: 0xAxxx symbolic link (aka S_IFLNK or 00120000)
                                0x4xxx directory (aka S_IFDIR or 0040000)
                                0x8xxx regular file (aka S_IFREG or 0100000)
                               Mask out ~ 0xf000 (aka S_IFMT) for file permissions
uint32 inode         inode number
uint32 uid             owner    
uint32 gid             group
uint32 mtime        time of last modification
uint32 atime         time of last access
uint32 ctime         time of last change of status
uint64 length        file size (always 0 for link or directory)
uint8  protectionclass         unknown
uint8  PropertyCount number of properties following

Property is a couple of strings:

string name
string value         can be a string or aa binary content

All values are big endian, strings are composed of a uint16 that contains the length or 0xffff for NULL, then the characters in UTF-8 with canonical decomposition (Unicode normalization form D).

To determine the actual filename corresponding to a record (this will be the actual file in the mobile backup directory), calculate a sha-1 checksum of the Domain and Path seperated by '-' as follows:

       SHA1(<Domain>-<Path>)

It is possible to modify files in a mobile backup by understanding this structure as well. If you change the file contents, update the DataHash and length

Manifest.plist

Binary plist with the following content (dict):

  • Applications (dict):
    • com.apple.iBooks (dict)
      • CFBundleIdentifier (string): com.apple.iBooks
      • CFBundleVersion (string): 804
      • Path (string): /private/var/mobile/Applications/[GUID]/iBooks.app
    • etc. for other apps
  • BackupKeyBag (data): (base-64 encoded blob, see below)
  • Date (date): yyyy-mm-ddThh:mm:ssZ
  • IsEncrypted (bool): false
  • Lockdown (dict):
    • BuildVersion (string): 9A406
    • DeviceName (string)
    • ProductType (string): iPhone4,1
    • ProductVersion (string): 5.0.1
    • SerialNumber (string)
    • UniqueDeviceID (string): 20-byte hex
    • com.apple.Accessibility (dict):
      • InvertDisplayEnabledByiTunes (bool): false
      • MonoAudioEnabledByiTunes (bool): false
      • VoiceOverTouchEnabledByiTunes (bool): false
      • ZoomTouchEnabledByiTunes (bool): false
    • com.apple.MobileDeviceCrashCopy (dict):
      • ShouldPrompt (bool): false
      • ShouldSubmit (bool): false
    • com.apple.TerminalFlashr (dict): (empty)
    • com.apple.iTunes.backup (dict):
      • LastBackupComputerName (string)
      • LastBackupComputerType (string): PC
    • com.apple.itunesstored (dict):
      • AccountAvailableServiceTypes (integer): 0
      • AccountKind (integer): 0
      • AccountServiceTypes (integer): 0
      • AccountSocialEnabled (bool): false
      • AccountStoreFront (string): (unknown text string)
      • AccountURLBagType (string): production
      • AppleID (string)
      • CreditDisplayString (string): (empty string)
      • DSPersonID (integer)
      • TempStorefront (string): (unknown text string)
    • com.apple.mobile.data_sync (dict):
      • Bookmarks (dict):
        • AccountNames (array of string, 1 element): iCloud
        • Sources (array of string, 1 element): iCloud
      • Calendars (dict):
        • AccountNames (array of string, 1 element): iCloud
        • Sources (array of string, 1 element): iCloud
      • Contacts (dict):
        • AccountNames (array of string, 1 element): iCloud
        • Sources (array of string, 1 element): iCloud
    • com.apple.mobile.iTunes.accessories (dict): (empty)
    • com.apple.mobile.wireless_lockdown (dict): (empty)
  • SystemDomainsVersion (string): 12.0
  • Version (string): 9.0
  • WasPasscodeSet (bool): false

BackupKeyBag

Binary file in the following format:

  • 4-byte block identifier
  • 4-byte block length (most significant byte first), length 4 means total block length of 0xC bytes.
  • data

First block is "VERS" with a version number of 3. There are a lot of block types: VERS, TYPE, UUID, HMCK, WRAP, SALT, ITER, UUID, CLAS, WRAP, KTYP, WPKY, etc.

Status.plist

Binary plist with the following content (dict):

  • BackupState (string): new
  • Date (date): "yyyy-mm-ddThh:mm:ssZ"
  • IsFullBackup (bool): false
  • SnapshotState (string): finished
  • UUID (string)
  • Version (string): 2.4

Files

Here is a list of commonly used files:

domain path and file name SHA-1 backup file name
HomeDomain Library/SMS/sms.db 3d0d7e5fb2ce288813306e4d4636395e047a3d28
HomeDomain Library/AddressBook/AddressBook.sqlitedb 31bb7ba8914766d4ba40d6dfb6113c8b614be442
HomeDomain Library/Notes/notes.sqlite ca3bc056d4da0bbf88b5fb3be254f3b7147e639c
WirelessDomain Library/CallHistory/call_history.db 2b2b0084a1bc3a5ac8c27afdf14afb42c61a19ca

References