Editor's note: In the area of ​​mobile electronic data forensics, the forensics of iPhones has always been the focus of industry attention. Since the release of the iOS 9 system, the iPhone of the new version system has been difficult to directly extract and parse or copy the original data through jailbreak, which has brought difficulties to the electronic data collection of mobile phones. In this issue, researchers from Sichuan Provincial Key Laboratory of Data Recovery will introduce how to use the official iTunes backup method to obtain backup data of iPhones and extract them. First, background introduction In the global smartphone market, the iPhone has long been at the top of the market. According to the latest report released by TrendForce, the global market research organization, iPhones in the second and third quarters of 2016 were the top two in the market with a market share of over 10c/o. Market share of the top six mobile phone brands in the second and third quarters of 2016 With the high market share and influence of iPhones, electronic data extraction on iPhones has always been the focus of industry attention. However, since the release of the iOS9 system, the new version of the system iPhone has been difficult to extract or parse the original data directly by jailbreak, which makes the electronic data extraction of the iPhone mobile phone a major industry problem. In response to this problem, researchers from key laboratories in Sichuan Province Data Recovery Research found that they can use the official iTunes backup method to obtain backup data for iPhone phones, and then use third-party tools to decrypt the backup data and perform comprehensive analysis and display. Below, the iPhone 5C (iOS 10.0.2) will be used as an example to explain this process in detail. Second, use iTunes to backup iPhone data 1. Connect to an iPhone and authorize it, as shown in Figure 1; figure 1 2. Click to continue, as shown in Figure 2; figure 2 3. Click "Back up now" to backup, but do not check "Backup encryption" when backing up, as shown in Figure 3; image 3 Third, find iTunes backup data 1. Click the folder "View" option, uncheck "Hide Protected Operating System Files (Recommended)" and select "Show hidden files, folders and drives", as shown in Figure 4; Figure 4 2. The default path for iTunes backup is on the Mac system: Resource Library/Application Support/MobileSync/Backup; On XP systems: C:\Documents and Settings\username\Application Data\Apple Computer\MobileSync\Backup; 7 and above system is: C: \ Users \ username \ AppData \ Roaming \ Apple Computer \ MobileSync \ Backup, as shown in Figure 5; Figure 5 Fourth, decrypt iTunes backup data After the iTunes backup data is complete, you can choose third-party software to decrypt it. Here, we use the MTF mobile phone visualization source forensics system to decrypt it. 1. Open the MTF mobile phone visual whereabouts forensics system, call up the function bar, select "Toolbox", as shown in Figure 6; Figure 6 2. Click "Decrypt IOS backup folder", as shown in Figure 7; Figure 7 3. The default decryption save location in the C drive, click to select the original iTunes backup folder, folder decryption, as shown in Figure 8; Figure 8 Fifth, compress parsing folders and extracting data 1. Open the resolution folder, as shown in Figure 9; Figure 9 2. Select "C: \ XLYMTFData \ 20161122112711" all the contents, click the right mouse button to select "Add to the compressed file", select the compression format select "ZIP", parse the folder, as shown in Figure 10; Figure 10 Six, analytical display iOS data 1. Open the MTF, call up the function bar and select "data import", as shown in Figure 11; Figure 11 2. Click on "Browse" to bring up the function bar and select "Data Import" and select "iOS Package" as shown in Figure 12; Figure 12 3. Select "All file" in the file properties and select the previously compressed zip file, as shown in Figure 13; Figure 13 4. After the data is successfully loaded, left mouse click on the phone model, as shown in Figure 14; Figure 14 5. After the data analysis is completed, the behavior information and location information scanned in the iPhone 5C mobile phone can be displayed, as shown in FIG. 15; Figure 15 6. In the analysis result, the confidence of the application list in the iPhone 5C mobile phone can be displayed, as shown in Figure 16; Figure 16 Through the above steps, it has successfully realized the use of iTunes to backup iPhone data, and then used the MTF mobile phone visual forensic system to analyze the entire process of data, and successfully extracted the data in the iPhone 5C mobile phone. This method can also be applied to other types of iOS device data extraction. Concluding Remarks: In this issue, the key personnel of the Sichuan Provincial Key Laboratory of Data Recovery introduced the entire process of using iTunes to back up iPhone data and use the efficiency source MTF mobile visual forensic forensics system to analyze it. Currently, in the latest version of the MTF mobile phone visual forensics system, it is already possible to use the USB extraction method to back up iPhone data. And analysis, greatly improving work efficiency.
