HOWTO create a logical iOS device backup using libimobiledevice on Santoku Linux
This HOWTO will guide you through the process of creating a logical backup of an iOS device using libimobiledevice and Santoku.
Contents
- What you will need
- Running libimobiledevice
- Backing up an iOS 4+ device
- Extracting backup files
- Revision History
- Appendix: Listing of backup files from test iOS device
What you will need:
- Santoku – Alpha 0.2 (or later)
- idevicebackup2
- An iOS device running iOS 4+
Running libimobiledevice
First, navigate to Santoku –> Device Forensics –> lib-iMobile
This should open a terminal window and list the commands available in the libimobiledevice tool.
At this point, you can connect your iOS device to Santoku. If you are using a VM, make sure the USB device is “attached” to the VM and not the host.
You can easily check the connectivity between your iPhone and Santoku by running this command in a terminal window:
idevice_id -l
This should return the UDID of your phone. If you get an error message, this is likely because your phone is not connected properly to Santoku, and you should resolve that issue before continuing.
If your device is password protected, you will see a message like this:
Since you cannot back up a locked iOS device using libimobiledevice, you will need to unlock your phone before running the command.
Also, please change the auto-lock setting to “Never” so that the connection does not drop if the device goes to sleep during the backup process. You can always change this setting back to a shorter time after the backup is completed.
This setting can be found under: Settings –> General –> Auto-Lock
Backing up an iOS 4+ device
You are now ready to start the backup of your device. In the terminal window, run the following commands:
mkdir ~/Documents/iPhoneBackups
idevicebackup2 backup ~/Documents/iPhoneBackups/
Note: If your iOS device is running iOS 3 or earlier, see the idevicebackup command
The backup process will start and can take a while, depending on the amount of data currently stored on your device:
[email protected]:/usr/local/bin$ idevicebackup2 backup -d ~/Documents/iPhoneBackups/
Backup directory is "/home/santoku/Documents/iPhoneBackups/"
Started "com.apple.mobilebackup2" service on port 49226.
Negotiated Protocol Version 2.1
Starting backup...
Requesting backup from device...
Full backup mode.
[= ] 0% Finished
[= ] 0% Finished
Receiving files
[= ] 0% (110.2 kB/83.1 MB)
[= ] 0% (110.3 kB/83.1 MB)
[= ] 0% (157.5 kB/83.1 MB)
[= ] 0% (164.7 kB/83.1 MB)
[= ] 0% (171.9 kB/83.1 MB)
[= ] 1% (434.1 kB/83.1 MB)
[= ] 1% (445.6 kB/83.1 MB)
[= ] 1% (445.6 kB/83.1 MB)
[= ] 1% (446.0 kB/83.1 MB)
[= ] 1% (545.6 kB/83.1 MB)
[= ] 1% (602.9 kB/83.1 MB)
[= ] 1% (619.5 kB/83.1 MB)
[= ] 1% (881.7 kB/83.1 MB)
[==================================================] 100% (83.1 MB/83.1 MB)
The backup will be located in a folder named after the UDID of your device, and is stored in the destination folder you specified in the command above.
Extracting backup files
Now, “unback” (extract) the backup to make it easily browsable:
idevicebackup2 unback ~/Documents/iPhoneBackups/
By default, this creates a readable extraction of every backup stored in the directory. To extract only a specific backup, pass the -u flag followed by the UDID of the device (which is also the folder name of the backup) when running the idevicebackup2 unback command:
idevicebackup2 -u <UDID> unback ~/Documents/iPhoneBackups/
Be careful to point idevicebackup2 at the main directory that holds the UDID directories (e.g. ~/Documents/iPhoneBackups/) and not at the UDID directories themselves (e.g. ~/Documents/iPhoneBackups/<UDID>/), or you will run into errors when extracting the backup(s).
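A pre-flight check for the directory caveat above, as an added example that is not part of the original HOWTO or of libimobiledevice. The function name classify_backup_dir is hypothetical, and it assumes that each UDID folder written by idevicebackup2 contains a Manifest.plist.

```bash
#!/bin/sh
# Added example: check a path before handing it to "idevicebackup2 unback".
# Assumption: every <UDID>/ backup folder contains a Manifest.plist.

# Prints one of: missing | udid-dir | backup-root:<n> | no-backups
# Returns 0 only when the path is a backup root holding at least one backup.
classify_backup_dir() {
    local dir sub count
    dir="${1%/}"
    count=0
    if [ ! -d "$dir" ]; then
        echo "missing"
        return 2
    fi
    # Manifest.plist directly inside: this is a UDID folder, one level too deep.
    if [ -f "$dir/Manifest.plist" ]; then
        echo "udid-dir"
        return 1
    fi
    # Count subfolders that look like backups; _unback_ has no manifest of its own.
    for sub in "$dir"/*/; do
        if [ -f "${sub}Manifest.plist" ]; then
            count=$((count + 1))
        fi
    done
    if [ "$count" -eq 0 ]; then
        echo "no-backups"
        return 1
    fi
    echo "backup-root:$count"
}

# Usage: sh check_backup_dir.sh ~/Documents/iPhoneBackups/
if [ "$#" -gt 0 ]; then
    classify_backup_dir "$1"
fi
```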
If you take a look at the new directory where you saved your backups, you should now see a new directory named: “_unback_”.
Navigate to this directory, where you will find folder(s) named, once again, after the UDID of the devices successfully backed up. Navigate to the one that interests you and you will be able to explore the full backup of your iOS device.
You might note in the above screenshot that the iOS device is actually mounted and browsable through Santoku Linux. We will have another HOWTO explaining how this works and how to use this data.
Investigating the backup itself for a security or forensic analysis is out of the scope of this tutorial (but is covered in viaForensics’ iPhone and iOS Forensics book). It is worth mentioning, however, that SMS, call logs, media, the list of installed apps, various preferences and many other artifacts can easily be recovered from an iOS backup.
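To locate and fingerprint the artifacts mentioned above before examining them, the following added example (not from the original HOWTO) walks one extracted backup and prints a SHA-256 digest for each. The relative paths are taken from the appendix listing of this page; the function names and the label column are assumptions made for illustration.

```bash
#!/bin/sh
# Added example: inventory well-known artifacts in one _unback_/<UDID> tree.
# Relative paths come from the appendix listing on this page; labels are made up here.

ARTIFACTS='sms|var/mobile/Library/SMS/sms.db
calls|var/wireless/Library/CallHistory/call_history.db
contacts|var/mobile/Library/AddressBook/AddressBook.sqlitedb
notes|var/mobile/Library/Notes/notes.sqlite
safari-history|var/mobile/Library/Safari/History.plist
voicemail|var/mobile/Library/Voicemail/voicemail.db
location-cache|var/root/Library/Caches/locationd/consolidated.db'

# Prints "label<TAB>sha256-or-MISSING<TAB>relative path" for each known artifact.
# Record the digests before opening any file so later changes can be detected.
inventory_unback() {
    local root label rel digest
    root="${1%/}"
    printf '%s\n' "$ARTIFACTS" | while IFS='|' read -r label rel; do
        if [ -f "$root/$rel" ]; then
            digest=$(sha256sum "$root/$rel" | cut -d' ' -f1)
        else
            digest="MISSING"
        fi
        printf '%s\t%s\t%s\n' "$label" "$digest" "$rel"
    done
}

# Prints the bundle ID of every app that left data in the backup, one per line.
list_apps() {
    local apps d
    apps="${1%/}/var/mobile/Applications"
    for d in "$apps"/*/; do
        if [ -d "$d" ]; then
            basename "$d"
        fi
    done
}

# Usage: sh inventory.sh ~/Documents/iPhoneBackups/_unback_/<UDID>
if [ "$#" -gt 0 ]; then
    inventory_unback "$1"
    list_apps "$1"
fi
```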
Appendix: Listing of backup files from test iOS device
[email protected]:~/Documents/iPhoneBackups/_unback_$ tree
.
└── 12fds56[UDID Hidden]asdfa3242
    └── var
        ├── Keychains
        │   ├── keychain-backup.plist
        │   ├── ocspcache.sqlite3
        │   └── TrustStore.sqlite3
        ├── Managed Preferences
        │   └── mobile
        ├── mobile
        │   ├── Applications
        │   │   ├── com.popcap.ios.BejBlitz
        │   │   │   ├── Documents
        │   │   │   │   ├── cdata_sd.dat
        │   │   │   │   ├── MetricsCache
        │   │   │   │   └── userdata
        │   │   │   │       └── CDsd__DEFAULTUSER_.dat
        │   │   │   └── Library
        │   │   │       └── Preferences
        │   │   │           ├── com.popcap.bejblitz.plist
        │   │   │           └── com.popcap.ios.BejBlitz.plist
        │   ├── Library
        │   │   ├── AddressBook
        │   │   │   ├── AddressBookImages.sqlitedb
        │   │   │   └── AddressBook.sqlitedb
        │   │   ├── BulletinBoard
        │   │   │   ├── ClearedSections.plist
        │   │   │   └── SectionInfo.plist
        │   │   ├── Caches
        │   │   │   ├── com.apple.WebAppCache
        │   │   │   │   └── ApplicationCache.db
        │   │   │   └── Safari
        │   │   │       └── Thumbnails
        │   │   │           ├── 02D563CB-B0A8-4F5A-9ACE-359A180ABD86.png
        │   │   │           ├── 49BEF678-2AE9-4C24-BFC8-043CBBF97F68.png
        │   │   │           ├── BAE3B0AB-ED82-491E-B4C8-6FA9BBE31D83.png
        │   │   │           └── DE2DEE51-8F97-4B82-938A-621E74DDFB01.png
        │   │   ├── Calendar
        │   │   │   ├── Calendar.sqlitedb
        │   │   │   └── Extras.db
        │   │   ├── com.apple.itunesstored
        │   │   │   ├── itunesstored2.sqlitedb
        │   │   │   └── itunesstored_private.sqlitedb
        │   │   ├── ConfigurationProfiles
        │   │   │   ├── 2afbd467cd30a3c4889fe51b356827322523ffd9a+1553823060.stub
        │   │   │   ├── 439ef0b556f6862c89ecd06d600eae9f6e54a96ca+456128964.stub
        │   │   │   ├── 5b0877b4d973081a636224e0e547619f1447afbaa+1654179775.stub
        │   │   │   ├── c660f7c9ed697ff8cef008169ddd7855359ea82ca+3377108180.stub
        │   │   │   ├── com_apple_attwifi+3369864630.stub
        │   │   │   ├── KeyMapTable
        │   │   │   ├── MCDataMigration.plist
        │   │   │   ├── PayloadDependency.plist
        │   │   │   ├── PayloadManifest.plist
        │   │   │   ├── ProfileTruth.plist
        │   │   │   ├── PublicInfo
        │   │   │   │   ├── EffectiveUserSettings.plist
        │   │   │   │   ├── MCMeta.plist
        │   │   │   │   └── Truth.plist
        │   │   │   └── UserSettings.plist
        │   │   ├── Cookies
        │   │   │   ├── com.apple.itunesstored.2.sqlitedb
        │   │   │   └── Cookies.binarycookies
        │   │   ├── Keyboard
        │   │   │   ├── dynamic-text.dat
        │   │   │   ├── UserDictionary.sqlite
        │   │   │   └── UserDictionaryWordKeyPairs.plist
        │   │   ├── Mail
        │   │   │   └── AutoFetchEnabled
        │   │   ├── Maps
        │   │   │   ├── Bookmarks.plist
        │   │   │   ├── Directions.plist
        │   │   │   └── History.plist
        │   │   ├── MobileInstallation
        │   │   ├── MusicLibrary
        │   │   ├── Notes
        │   │   │   ├── notes.idx
        │   │   │   └── notes.sqlite
        │   │   ├── Preferences
        │   │   │   ├── com.apple.Accessibility.plist
        │   │   │   ├── com.apple.accountsettings.plist
        │   │   │   ├── com.apple.AdLib.plist
        │   │   │   ├── com.apple.AdSheetPhone.plist
        │   │   │   ├── com.apple.aggregated.plist
        │   │   │   ├── com.apple.appleaccount.plist
        │   │   │   ├── com.apple.AppStore.plist
        │   │   │   ├── com.apple.AppSupport.plist
        │   │   │   ├── com.apple.apsd.launchd
        │   │   │   ├── com.apple.apsd.plist
        │   │   │   ├── com.apple.assistant.token.plist
        │   │   │   ├── com.apple.camera.plist
        │   │   │   ├── com.apple.celestial.plist
        │   │   │   ├── com.apple.certui.plist
        │   │   │   ├── com.apple.conference.plist
        │   │   │   ├── com.apple.dataaccess.dataaccessd.plist
        │   │   │   ├── com.apple.facetime.plist
        │   │   │   ├── com.apple.gamed.plist
        │   │   │   ├── com.apple.GEO.plist
        │   │   │   ├── com.apple.GMM.plist
        │   │   │   ├── com.apple.imagent.plist
        │   │   │   ├── com.apple.imdsmsrecordstore.plist
        │   │   │   ├── com.apple.imessage.plist
        │   │   │   ├── com.apple.imservice.FaceTime.plist
        │   │   │   ├── com.apple.imservice.Madrid.plist
        │   │   │   ├── com.apple.itunesstored.plist
        │   │   │   ├── com.apple.keyboard.plist
        │   │   │   ├── com.apple.LaunchServices.plist
        │   │   │   ├── com.apple.locationd.plist
        │   │   │   ├── com.apple.managedconfiguration.janitor.plist
        │   │   │   ├── com.apple.Maps.plist
        │   │   │   ├── com.apple.mms_override.plist
        │   │   │   ├── com.apple.mobilecal.plist
        │   │   │   ├── com.apple.MobileInternetSharing.plist
        │   │   │   ├── com.apple.mobileipod.plist
        │   │   │   ├── com.apple.mobilemail.plist
        │   │   │   ├── com.apple.mobilenotes.plist
        │   │   │   ├── com.apple.mobilephone.plist
        │   │   │   ├── com.apple.mobilesafari.plist
        │   │   │   ├── com.apple.mobileslideshow.plist
        │   │   │   ├── com.apple.MobileSMS.plist
        │   │   │   ├── com.apple.mobilestoresettings.plist
        │   │   │   ├── com.apple.mobile.SyncMigrator.plist
        │   │   │   ├── com.apple.PeoplePicker.plist
        │   │   │   ├── com.apple.preferences.datetime.plist
        │   │   │   ├── com.apple.preferences.network.plist
        │   │   │   ├── com.apple.Preferences.plist
        │   │   │   ├── com.apple.purplebuddy.plist
        │   │   │   ├── com.apple.springboard.plist
        │   │   │   ├── com.apple.stocks.plist
        │   │   │   ├── com.apple.ubd.plist
        │   │   │   ├── com.apple.voiceservices.plist
        │   │   │   ├── com.apple.weather.plist
        │   │   │   ├── com.apple.webapp.plist
        │   │   │   ├── com.apple.WebFoundation.plist
        │   │   │   ├── com.apple.youtube.dp.plist
        │   │   │   ├── com.apple.youtubeframework.plist
        │   │   │   └── com.apple.youtube.plist
        │   │   ├── Safari
        │   │   │   ├── Bookmarks.db
        │   │   │   ├── History.plist
        │   │   │   └── SuspendState.plist
        │   │   ├── SMS
        │   │   │   ├── Drafts
        │   │   │   └── sms.db
        │   │   ├── SpringBoard
        │   │   │   ├── applicationstate.plist
        │   │   │   ├── DownloadingIconImageCache
        │   │   │   ├── IconState.plist
        │   │   │   ├── LockBackground.cpbitmap
        │   │   │   ├── LockBackgroundThumbnail.jpg
        │   │   │   └── PushStore
        │   │   │       ├── com.popcap.ios.BejBlitz.pushstore
        │   │   ├── Voicemail
        │   │   │   └── voicemail.db
        │   │   ├── WebClips
        │   │   │   └── BCBC3F654C994183AC0F7263C760677E.webclip
        │   │   │       ├── icon.png
        │   │   │       └── Info.plist
        │   │   └── WebKit
        │   │       └── Databases
        │   │           ├── Databases.db
        │   │           └── https_m.mg.mail.yahoo.com_0
        │   │               └── 0000000000000001.db
        │   └── Media
        │       ├── DCIM
        │       │   └── 100APPLE
        │       │       ├── IMG_0002.JPG
        │       │       ├── IMG_0003.PNG
        │       │       ├── IMG_0100.PNG
        │       │       └── IMG_0101.PNG
        │       ├── iTunes_Control
        │       │   └── Device
        │       ├── PhotoData
        │       │   ├── AlbumsMetadata
        │       │   ├── MISC
        │       │   │   ├── DCIM_APPLE.plist
        │       │   │   └── PreviewWellImage.tiff
        │       │   ├── Photos.sqlite
        │       │   ├── Photos.sqlite.aside
        │       │   ├── Thumbnails
        │       │   │   ├── 120x120.ithmb
        │       │   │   ├── 158x158.ithmb
        │       │   │   └── thumbnailConfiguration
        │       │   └── Videos
        │       └── Recordings
        │           ├── AssetManifest.plist
        │           ├── Recordings.db
        │           ├── SyncAnchor.plist
        │           └── SyncedAssets.plist
        ├── MobileDevice
        │   └── ProvisioningProfiles
        │       ├── 3447BA08-5307-299F-E854-6D79FBCEB8EC
        ├── preferences
        │   └── SystemConfiguration
        │       ├── com.apple.AutoWake.plist
        │       ├── com.apple.mobilegestalt.plist
        │       ├── com.apple.network.identification.plist
        │       ├── com.apple.PowerManagement.plist
        │       ├── com.apple.radios.plist
        │       ├── com.apple.wifi.plist
        │       └── preferences.plist
        ├── root
        │   └── Library
        │       ├── Caches
        │       │   ├── Backup
        │       │   └── locationd
        │       │       ├── clients.plist
        │       │       ├── consolidated.db
        │       │       └── gyroCal.db
        │       └── Preferences
        │           ├── com.apple.coreservices.appleidauthenticationinfo.plist
        │           └── com.apple.preferences.network.plist
        └── wireless
            └── Library
                ├── CallHistory
                │   └── call_history.db
                └── Preferences
                    ├── com.apple.CommCenter.counts.plist
                    ├── com.apple.commcenter.plist
                    └── csidata