The iPhone Wiki is no longer updated. Visit this article on The Apple Wiki for current information. |
Difference between revisions of "ITunes Backup"
(initial version) |
m (→Info.plist: typo) |
||
Line 63: | Line 63: | ||
****kAMSDataClassName (string): com.apple.Notes |
****kAMSDataClassName (string): com.apple.Notes |
||
****kAMSDataClassReset (bool): false |
****kAMSDataClassReset (bool): false |
||
− | **New |
+ | **New Record Calendar Name (string): Home |
**iTunes User ID (string): (8-byte hex code) |
**iTunes User ID (string): (8-byte hex code) |
||
*Target Identifier (string): 20-byte hex code |
*Target Identifier (string): 20-byte hex code |
Revision as of 23:50, 4 March 2012
The following description is to describe the backup system of iTunes, which is often used for forensic analysis of iDevices. This description is for the format used in the latest iTunes 10.5.3 - older versions are slightly different (see old article). The description is only for non-encrypted backups.
On the iDevice there is a file /System/Library/Backup/Domains.plist
which determines what files to backup. There is a differentiation between "domains" and relative files.
In the backup location (see below) there are all backups that iTunes has made so far. Every backup folder has a name made of 20 bytes in hex numbers (lower case) for a full backup. A differential backup has the same folder name, but appened with a dash and the ISO date of the backup (8 digit yyyymmdd) and a dash and the time in 24-hour format with seconds.
In each backup, there are four files with infos, which are described later:
- Info.plist
- Manifest.mdbd
- Manifest.plist
- Status.plist
There are also the files themselves, but with a new file name.
The file names are made by a SHA-1 hash of their name, together with their path and domain. Between the domain and the path there is a dash. Example:
SHA1('HomeDomain-Library/SMS/sms.db') = 3d0d7e5fb2ce288813306e4d4636395e047a3d28
It is not clear what would happen in case of hash collisions. Probably Apple assumes it won't happen.
Contents
iTunes backup location
- Windows XP:
%HOMEPATH%\Application Data\Apple Computer\MobileSync\Backup\
- Windows Vista / Windows 7:
%HOMEPATH%\AppData\Roaming\Apple Computer\MobileSync\Backup\
- OS X:
~/Library/Application Support/MobileSync/Backup/
Info.plist
This is a plaintext plist that contains the following dict:
- Build Version (string): 9A406 (iOS build version of the device that was backed up)
- Device Name (string): (name of the device that was backed up)
- Display Name (string): (name of the device that was backed up)
- GUID (string): unknown 16-byte GUID without any dashes
- ICCID (string)
- IMEI (string)
- Last Backup Date (date): format "yyyy-mm-ddThh:mm:ssZ"
- Phone Number (string)
- Product Type (string): iPhone4,1
- Product Version (string): 5.0.1
- Serial Number (string)
- Sync Settings (dict):
- Calendar Day Limit (integer): 30
- Calendars Collections: (array of dict, 1 element):
- AMSCollectionDisplayName (string): Calendar
- AMSCollectionFiltered (bool): false
- AMSCollectionName (string): Calendar
- AMSCollectionReadOnly (bool): false
- Data Class Info: (array of dict, 5 elements)
- [0] dict:
- kAMSDataClassEnabled (bool): false
- kAMSDataClassName (string): com.apple.Bookmarks
- kAMSDataClassReset (bool): false
- [1] dict:
- kAMSDataClassEnabled (bool): false
- kAMSDataClassName (string): com.apple.Calendars
- kAMSDataClassReset (bool): false
- [2] dict:
- kAMSDataClassEnabled (bool): false
- kAMSDataClassName (string): com.apple.Accounts
- kAMSDataClassReset (bool): false
- [3] dict:
- kAMSDataClassEnabled (bool): false
- kAMSDataClassName (string): com.apple.MailAccounts
- kAMSDataClassReset (bool): false
- [4] dict:
- kAMSDataClassEnabled (bool): true
- kAMSDataClassName (string): com.apple.Notes
- kAMSDataClassReset (bool): false
- [0] dict:
- New Record Calendar Name (string): Home
- iTunes User ID (string): (8-byte hex code)
- Target Identifier (string): 20-byte hex code
- Terget Type (string): Device
- Unique Identifier (string): same 20-byte hex code
- iBooks Data 2 (data): (base-64 encoded blob, see below)
- iTunes Files (dict):
- IC-Info.siv (data): (base-64 encoded blob, see below)
- PhotosFolderAlbums (data): (base-64 encoded blob, see below)
- PhotosFolderName (data): (base-64 encoded blob, see below)
- PhotosFolderPrefs (data): (base-64 encoded blob, see below)
- ShowMarketing (data): (empty)
- iTunesPrefs (data): (base-64 encoded blob, see below)
- iTunesPrefs.plist (data): (base-64 encoded blob, see below)
- iTunes Settings (dict):
- LibraryApplications (array of string): The array of string contains the identification string of each application, for example
com.apple.store.caseprogram
- LibraryApplications (array of string): The array of string contains the identification string of each application, for example
- iTunes Version (string): 10.5.3
iBooks Data 2
This blobk is actually another plist (dict):
- 1.2 (dict):
- BKBookmark (array of dict):
- [x] dict:
- bookDatabaseKey (string)
- date (integer)
- deletedFlag (bool)
- highlightColor (integer)
- lastModification (integer)
- locationBPlist (data): (base-64 encoded blob, see below)
- ordinal (integer)
- serverSyncUniqueId (string): Reading Location
- type (integer): 1
- [x] dict:
- BKBookmark (array of dict):
- CollectionsData-1.2 (dict):
- BKCollection (array of 2 dict):
- [0] dict:
- databaseKeys (array): (empty)
- lastModification_Since1970 (integer)
- ServerSyncUniqueId (string): Pdfs_Collenction_ID
- sortKey (integer): -2
- title (string): PDFs
- [1] dict:
- databaseKeys (array): (empty)
- lastModification_Since1970 (integer)
- ServerSyncUniqueId (string): Pdfs_Collenction_ID
- sortKey (integer): -1
- title (string): Books
- [0] dict:
- rolling_version (integer): 17
- BKCollection (array of 2 dict):
Location BPList
This is actually a binary plist with the following content (dict): (example):
- class (string): BKEpubLocation
- endOffset (real): 0,0
- endPath (array of dict):
- [0] dict
- id (string): seeAlsoSection
- index (integer): 32
- tagName (string): div
- [1] dcit
- index (integer): 3
- tagName (string): p
- [0] dict
- startOffset (real): 0.0
- startPath (array of dict):
- [0] dict:
- id (string): seeAlsoSection
- index (integer): 32
- tagName (string): div
- [1] dict:
- index (integer): 3
- tagName (string): p
- [0] dict:
- super (dict):
- class (string): BKLocation
- ordinal (integer): 3
IC-Info.siv
binary file, content unknown
PhotosFolderAlbums
frpd binary file. Starts with 0x66 0x72 0x70 0x64 ('frpd'). Then only very few bytes and the content is mostly zero. Then at 0x68 and 0x26C, 0x470, 0x674, etc. there are folder names (in unicode, starting with the name length).
PhotosFolderName
A 0x200 byte long file, starting with the text "Pictures" (in unicode) and the name length before it. Rest filled with zeroes.
iTunesPrefs
This is another frpd file. It contains names of computers found on the network, like iPodPrefs below.
iTunesPrefs.plist
plist with this content (dict):
- ApplicationIDs (array of string): list of applications (like
com.apple.iBooks
- AudiobookPlaylistIDs (array): (empty)
- AudioTrackIDs (array): (empty)
- BookTrackIDs (array of integer): (signed long integer values)
- LibraryBookTrackIDs (array of integer): (signed long integer values)
- MoviePlaylistIDs (array): (empty)
- MovieTrackIDs (array): (empty)
- MusicAlbumIDs (array): (empty)
- MusicArtistIDs (array): (empty)
- MusicGenreNames (array): (empty)
- MusicPlaylistIDs (array of integer): (signed long integer values)
- MusicTrackIDs (array): (empty)
- PodcastChannelIDs (array): (empty)
- PodcastPlaylistIDs (array): (empty)
- PodcastTrackIDs (array of integer): (signed long integer values)
- RingtoneTrackIDs (array): (empty)
- TVShowAlbumIDs (array): (empty)
- TVShowNames (array): (empty)
- TVShowPlaylistIDs (array): (empty)
- TVShowTrackIDs (array): (empty)
- iPodPrefs (data): (base-64 encoded blob, see below)
- iTunesUChannelIDs (array): (empty)
- iTunesUPlaylistIDs (array): (empty)
- iTunesUTrackIDs (array): (empty)
iPodPrefs
frpd file, content unknown, but it contains server names on the network it was sync'd to, like iTunesPrefs above.
Manifest.mbdb
Binary file containing many text strings. Probably a database of file names in the backup. Format (from here):
Header
6 bytes: 'mbdb\5\0'
Record (variable size)
string Domain string Path string LinkTarget absolute path string DataHash SHA-1, some files only string unknown always N/A uint16 Mode file mode: Axxx symbolic link 4xxx directory 8xxx regular file meaning of xxx is unknown, corresponds to the Mode field in the old backup data uint32 unknown always 0 uint32 unknown uint32 UserId uint32 GroupId mostly 501 for apps uint32 Time1 relative to Unix epoch (time_t) uint32 Time2 Time1 or Time2 is the former ModificationTime uint32 Time3 uint64 FileLength always 0 for link or directory uint8 Flag 0 if special (link, directory), otherwise unknown uint8 PropertyCount number of properties following
Property is a couple of strings:
string name string value can be a string or aa binary content
All values are big endian, strings are composed of a uint16 that contains the length or 0xffff for NULL, then the characters in UTF-8 with canonical decomposition (Unicode normalization form D).
Manifest.plist
Binary plist with the following content (dict):
- Applications (dict):
- com.apple.iBooks (dict)
- CFBundleIdentifier (string): com.apple.iBooks
- CFBundleVersion (string): 804
- Path (string): /private/var/mobile/Applications/[GUID]/iBooks.app
- etc. for other apps
- com.apple.iBooks (dict)
- BackupKeyBag (data): (base-64 encoded blob, see below)
- Date (date): yyyy-mm-ddThh:mm:ssZ
- IsEncrypted (bool): false
- Lockdown (dict):
- BuildVersion (string): 9A406
- DeviceName (string)
- ProductType (string): iPhone4,1
- ProductVersion (string): 5.0.1
- SerialNumber (string)
- UniqueDeviceID (string): 20-byte hex
- com.apple.Accessibility (dict):
- InvertDisplayEnabledByiTunes (bool): false
- MonoAudioEnabledByiTunes (bool): false
- VoiceOverTouchEnabledByiTunes (bool): false
- ZoomTouchEnabledByiTunes (bool): false
- com.apple.MobileDeviceCrashCopy (dict):
- ShouldPrompt (bool): false
- ShouldSubmit (bool): false
- com.apple.TerminalFlashr (dict): (empty)
- com.apple.iTunes.backup (dict):
- LastBackupComputerName (string)
- LastBackupComputerType (string): PC
- com.apple.itunesstored (dict):
- AccountAvailableServiceTypes (integer): 0
- AccountKind (integer): 0
- AccountServiceTypes (integer): 0
- AccountSocialEnabled (bool): false
- AccountStoreFront (string): (unknown text string)
- AccountURLBagType (string): production
- AppleID (string)
- CreditDisplayString (string): (empty string)
- DSPersonID (integer)
- TempStorefront (string): (unknown text string)
- com.apple.mobile.data_sync (dict):
- Bookmarks (dict):
- AccountNames (array of string, 1 element): iCloud
- Sources (array of string, 1 element): iCloud
- Calendars (dict):
- AccountNames (array of string, 1 element): iCloud
- Sources (array of string, 1 element): iCloud
- Contacts (dict):
- AccountNames (array of string, 1 element): iCloud
- Sources (array of string, 1 element): iCloud
- Bookmarks (dict):
- com.apple.mobile.iTunes.accessories (dict): (empty)
- com.apple.mobile.wireless_lockdown (dict): (empty)
- SystemDomainsVersion (string): 12.0
- Version (string): 9.0
- WasPasscodeSet (bool): false
BackupKeyBag
Binary file in the following format:
- 4-byte block identifier
- 4-byte block length (most significant byte first), length 4 means total block length of 0xC bytes.
- data
First block is "VERS" with a version number of 3. There are a lot of block types: VERS, TYPE, UUID, HMCK, WRAP, SALT, ITER, UUID, CLAS, WRAP, KTYP, WPKY, etc.
Status.plist
Binary plist with the following content (dict):
- BackupState (string): new
- Date (date): "yyyy-mm-ddThh:mm:ssZ"
- IsFullBackup (bool): false
- SnapshotState (string): finished
- UUID (string)
- Version (string): 2.4
Files
Here is a list of commonly used files:
domain | path and file name | SHA-1 backup file name |
---|---|---|
HomeDomain | Library/SMS/sms.db | 3d0d7e5fb2ce288813306e4d4636395e047a3d28 |
HomeDomain | Library/AddressBook/AddressBook.sqlitedb | 31bb7ba8914766d4ba40d6dfb6113c8b614be442 |
HomeDomain | Library/Notes/notes.sqlite | ca3bc056d4da0bbf88b5fb3be254f3b7147e639c |
WirelessDomain | Library/CallHistory/call_history.db | 2b2b0084a1bc3a5ac8c27afdf14afb42c61a19ca |