Comments (9)
Hi. I've edited out your personal information. In future you can email me sensitive information rather than posting it in public. I've downloaded the backup so please change your password.
Also snapshot meta-data can leak additional information which is not present in the backups. In this case it references an IT company that I assume you're affiliated with.
I've had a brief look at the backup. Let me know if I've skipped/ misunderstood anything.
- There is no file corruption that I can discern. The files were retrieved in AES CBC mode.
- The sms.db opens without issue. The first message begins with "Discover Twitter!"
- The CallHistoryDB folder files open without issue. CallHistory.storedata and CallHistoryTemp.storedata are SQLite files. Many calls reference country code PK.
- The CallHistoryTransactions folder has a single transaction.log. It's my first time seeing its file structure. It's a chunked sequence of NSKeyedArchives:
CHUNK LENGTH: 429
NSDICTIONARY
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>$top</key>
<dict>
<key>root</key>
<string>01</string>
</dict>
<key>$objects</key>
<array>
<string>$null</string>
<dict>
<key>record</key>
<string>02</string>
<key>type</key>
<integer>0</integer>
<key>$class</key>
<string>03</string>
</dict>
<data>
BASE 64 DATA REMOVED
</data>
<dict>
<key>$classes</key>
<array>
<string>Transaction</string>
<string>NSObject</string>
</array>
<key>$classname</key>
<string>Transaction</string>
</dict>
</array>
<key>$version</key>
<integer>100000</integer>
<key>$archiver</key>
<string>NSKeyedArchiver</string>
</dict>
</plist>
- The data field is another Base64 encoded NSKeyedArchive:
{
"$top" =
{
"root" = "01";
};
"$objects" =
("$null",
{
"isoCountryCode" = "REMOVED";
"read" = YES;
"duration" = 0.0;
"devicePhoneId" = "00";
"callerId" = "03";
"bytesOfDataUsed" = "00";
"uniqueId" = "02";
"handleType" = 2;
"unreadCount" = 0;
"callStatus" = 16;
"callerIdLocation" = "00";
"callCategory" = 1;
"callType" = 1;
"callerIdAvailability" = 0;
"serviceRadar" = "07";
"mobileNetworkCode" = "00";
"$class" = "08";
"mobileCountryCode" = "00";
"date" = "04";
},
"REMOVED", "NUMBER REMOVED",
{
"$class" = "05";
"NS.time" = DATE REMOVED;
},
{
"$classes" =
("NSDate", "NSObject");
"$classname" = "NSDate";
},
"pk", "com.apple.Telephony",
{
"$classes" =
("CHRecentCall", "CHSynchronizable", "NSObject");
"$classname" = "CHRecentCall";
}
);
"$version" = 100000;
"$archiver" = "NSKeyedArchiver";
}
Again I've only looked at the data briefly, but in summary there is no obvious file corruption/ encryption in the data I examined. This is a digital forensics issue. It should be possible to write a script/ tool to recover call history data based on the above information. Unfortunately it's not something I'll likely have time to do.
from inflatabledonkey.
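The two-layer structure described in the comment above can be decoded with Python's standard `plistlib`; the following is an added example, not part of the original thread and not inflatabledonkey code. It assumes one chunk has already been cut out of transaction.log (the thread does not show how chunk lengths are framed), and the sample archive, identifier, phone number and timestamp are constructed.

```python
import datetime
import plistlib
from plistlib import UID
APPLE_EPOCH = datetime.datetime(2001, 1, 1, tzinfo=datetime.timezone.utc)

def unarchive(blob):
    """Resolve one NSKeyedArchive (XML or binary plist) into plain Python values."""
    archive = plistlib.loads(blob)
    if archive.get("$archiver") != "NSKeyedArchiver":
        raise ValueError("not an NSKeyedArchive")
    objects = archive["$objects"]
    def resolve(value, seen=()):
        if isinstance(value, dict) and set(value) == {"CF$UID"}:
            value = UID(value["CF$UID"])          # XML plists spell a UID as a dict
        if isinstance(value, UID):                # reference into $objects
            if value.data in seen:
                raise ValueError("reference cycle in $objects")
            target = objects[value.data]
            return None if target == "$null" else resolve(target, seen + (value.data,))
        if isinstance(value, list):
            return [resolve(v, seen) for v in value]
        if isinstance(value, dict) and "$class" in value:
            name = resolve(value["$class"], seen)["$classname"]
            if name == "NSDate":                  # NS.time: seconds since 2001-01-01 UTC
                return APPLE_EPOCH + datetime.timedelta(seconds=value["NS.time"])
            fields = {k: resolve(v, seen) for k, v in value.items() if k != "$class"}
            return {"$classname": name, **fields}
        return value
    return resolve(archive["$top"]["root"])

def decode_transaction(chunk):
    """Decode the outer Transaction, then the archive nested in its record field."""
    outer = unarchive(chunk)
    return outer["type"], unarchive(outer["record"])

def _archive(objects):
    return plistlib.dumps({"$archiver": "NSKeyedArchiver", "$version": 100000,
                           "$top": {"root": UID(1)}, "$objects": objects},
                          fmt=plistlib.FMT_BINARY)

def build_sample_chunk():
    """Constructed sample that mirrors the object layout in the comment above."""
    call = _archive(["$null", {"uniqueId": UID(2), "callerId": UID(3), "date": UID(4),
                               "isoCountryCode": UID(6), "devicePhoneId": UID(0),
                               "duration": 0.0, "callStatus": 16, "$class": UID(7)},
                     "SAMPLE-ID", "+15555550100", {"NS.time": 5e8, "$class": UID(5)},
                     {"$classname": "NSDate"}, "pk", {"$classname": "CHRecentCall"}])
    return _archive(["$null", {"record": UID(2), "type": 0, "$class": UID(3)},
                     call, {"$classname": "Transaction"}])
```

`decode_transaction(build_sample_chunk())` returns the transaction type and a dict of CHRecentCall fields with every reference followed and the date converted to UTC.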
Thank you so much for the great help. I tried a different sqlite utility and was able to open the database. It seems there was some issue with the utility that I was using before.
from inflatabledonkey.
Hi. I don't own any iOS devices at present so it's difficult for me to help. I have no access to iOS 10 backups. You can try downloading with both decryption modes in turn to see if that helps: --mode XTS / --mode CBC.
Are things like photos in the media domain also corrupted? If not the chances are it's a digital forensics issue and not a corrupted file issue.
from inflatabledonkey.
I tried both the modes without any luck for SMS and callhistory dbs. Every time, the download completes without any problem. There are other dbs that have the same issue.
Yes, I can see photos in camera roll domain, wallpapers etc and some of the other sqlite dbs open properly. Can it be the case that the above mentioned dbs have some kind of password/key protection and require a passphrase to view them? If yes, can I find the keys/passwords somewhere in the downloaded backup?
from inflatabledonkey.
If you can use this Apple ID/pwd, removed and try to download the backup, maybe you can get a clue of the problem. There is only one backup in it which is for iOS 10.1.1
db is HomeDomain/Library/SMS/sms.db.
Thank you
Edited by Horrorho: removed details.
from inflatabledonkey.
Excellent, I'm glad you have it working now.
from inflatabledonkey.
Hey, what sqlite db utility did you end up using to view the SMS?
from inflatabledonkey.
@FelixLarrivee On Linux/ Ubuntu sqliteman works well. I'm using the official repo version '1.2.2'. It's available on OSX but I've not played with it.
from inflatabledonkey.
Closing ticket as resolved and no further input.
from inflatabledonkey.