±Partners and Sponsors

±Your Account


Nickname
Password


Forgotten password/username?


Membership:
New Today: 0
New Yesterday: 9
Overall: 26251
Visitors: 91

±Forensics Europe Expo


±Follow Forensic Focus

Join our LinkedIn group

Subscribe to news

Subscribe to forums

Subscribe to blog

Subscribe to tweets

iPod Photo Cache

Discussion of forensic issues related to all types of mobile phones and underlying technologies (GSM, GPRS, UMTS/3G, HSDPA, LTE, Bluetooth etc.)
Subforums: Mobile Telephone Case Law
Reply to topicReply to topic Printer Friendly Page
Forum FAQSearchView unanswered posts
 
  

iPod Photo Cache

Post Posted: Mon Jan 21, 2013 7:08 pm

Has anyone had any luck linking the iPod Photo Cache folder to an iPod/iPhone?

I've got a number of iPod Photo Cache folders, each containing the "Photo Database" file (no extension) and a Thumbs folder filled with ithmb files. I can parse the ithmb files and that gives me the location of the original files and possibly even some metadata around it (still figuring that out), but the one thing that will help tie this all together is determining whose ipod these files were on.

Thanks!  

randomaccess
Senior Member
 
 
  

Re: iPod Photo Cache

Post Posted: Tue Jan 29, 2013 5:15 pm

just reposting this in case anyone that might know the answer didnt see it.

im hopefully going to be speaking to apple this week, so if i do figure something out ill post it up afterwards  

randomaccess
Senior Member
 
 
  

Re: iPod Photo Cache

Post Posted: Mon Feb 11, 2013 10:07 pm

Im talking to myself but with the help of the developer of ithmbconverter I can link the ipod photo cache folder to an iOS device (kind of)

The data is not stored in the ipod photo cache folder at all. If you look in the info.plist file that is created during a backup then there are three keys that link to the root folder synced, the subfolders within said folder and the address of the root folder.

This is written in base64, so will need to be decoded. I havent been able to completely reverse the translated data. It appears that the data is seperated by 0x00, and there is a single byte just before each of the subfolder names. Sometimes the names of the subfolders gets a little bit muddled (ie will have half the name of one and half the name of another).

If a user then decides they dont want to sync to this folder any more the info.plist does not remove this data until you change the folder that you sync to.

Either way, from this I can say that at some point someone synced this folder with the device related to this backup. The photo database/ithmb files do not store a unique identifier for the device that i can find (which makes sense, if you want to sync multiple ios devices to the same folder all it cares about is the ithmb files. Ive heard you may be able to reverse engineer which ios devices were used by determining the size of the ithmbs generated).

If anyone can think of something im missing or flaws in my logic let me know  

randomaccess
Senior Member
 
 
  

Re: iPod Photo Cache

Post Posted: Tue Feb 12, 2013 8:16 am

So, you're analyzing a dump or backup of an iPod/iPhone? If so, how did you get it?  

keydet89
Senior Member
 
 
  

Re: iPod Photo Cache

Post Posted: Tue Feb 12, 2013 3:46 pm

backup

The POI had a backup of his phone on his PC. On idevices itunes gives you the option of backing up to the computer or icloud. This computer was seized prior to icloud.
Luckily there wasnt a backup password.

If im lucky i may be able to get the poi's old phone (chances are he's upgraded by now), and confirm its contents.  

randomaccess
Senior Member
 
 
Reply to topicReply to topic

Share this forum topic to encourage more replies



Page 1 of 1