±Your Account
Membership:
New Today: 0
New Yesterday: 4
Overall: 24209
Visitors: 40±Latest Webinar
±Latest Articles
· Android Forensics
· Geo-tagging & Photo Tracking On iOS
· KS – an open source bash script for indexing data
· Mobile Device Geotags & Armed Forces
· Categorization of embedded system forensic collection methodologies
· Interpretation of NTFS Timestamps
· What are ‘gdocs’? Google Drive Data – part 2
· What are ‘gdocs’? Google Drive Data
· Bad Sector Recovery
· Forensic Artifact: Malware Analysis in Windows 8
· Geo-tagging & Photo Tracking On iOS
· KS – an open source bash script for indexing data
· Mobile Device Geotags & Armed Forces
· Categorization of embedded system forensic collection methodologies
· Interpretation of NTFS Timestamps
· What are ‘gdocs’? Google Drive Data – part 2
· What are ‘gdocs’? Google Drive Data
· Bad Sector Recovery
· Forensic Artifact: Malware Analysis in Windows 8
±Follow Us
±Latest Jobs
Back to top
Skip to content
Skip to menu
Back to top
Back to main
Skip to menu
iPod Photo Cache
iPod Photo Cache
Posted: Mon Jan 21, 2013 7:08 pm
Has anyone had any luck linking the iPod Photo Cache folder to an iPod/iPhone?
I've got a number of iPod Photo Cache folders, each containing the "Photo Database" file (no extension) and a Thumbs folder filled with ithmb files. I can parse the ithmb files and that gives me the location of the original files and possibly even some metadata around it (still figuring that out), but the one thing that will help tie this all together is determining whose ipod these files were on.
Thanks!
I've got a number of iPod Photo Cache folders, each containing the "Photo Database" file (no extension) and a Thumbs folder filled with ithmb files. I can parse the ithmb files and that gives me the location of the original files and possibly even some metadata around it (still figuring that out), but the one thing that will help tie this all together is determining whose ipod these files were on.
Thanks!
-
randomaccess - Senior Member
Re: iPod Photo Cache
Posted: Tue Jan 29, 2013 5:15 pm
just reposting this in case anyone that might know the answer didnt see it.
im hopefully going to be speaking to apple this week, so if i do figure something out ill post it up afterwards
im hopefully going to be speaking to apple this week, so if i do figure something out ill post it up afterwards
-
randomaccess - Senior Member
Re: iPod Photo Cache
Posted: Mon Feb 11, 2013 10:07 pm
Im talking to myself but with the help of the developer of ithmbconverter I can link the ipod photo cache folder to an iOS device (kind of)
The data is not stored in the ipod photo cache folder at all. If you look in the info.plist file that is created during a backup then there are three keys that link to the root folder synced, the subfolders within said folder and the address of the root folder.
This is written in base64, so will need to be decoded. I havent been able to completely reverse the translated data. It appears that the data is seperated by 0x00, and there is a single byte just before each of the subfolder names. Sometimes the names of the subfolders gets a little bit muddled (ie will have half the name of one and half the name of another).
If a user then decides they dont want to sync to this folder any more the info.plist does not remove this data until you change the folder that you sync to.
Either way, from this I can say that at some point someone synced this folder with the device related to this backup. The photo database/ithmb files do not store a unique identifier for the device that i can find (which makes sense, if you want to sync multiple ios devices to the same folder all it cares about is the ithmb files. Ive heard you may be able to reverse engineer which ios devices were used by determining the size of the ithmbs generated).
If anyone can think of something im missing or flaws in my logic let me know
The data is not stored in the ipod photo cache folder at all. If you look in the info.plist file that is created during a backup then there are three keys that link to the root folder synced, the subfolders within said folder and the address of the root folder.
This is written in base64, so will need to be decoded. I havent been able to completely reverse the translated data. It appears that the data is seperated by 0x00, and there is a single byte just before each of the subfolder names. Sometimes the names of the subfolders gets a little bit muddled (ie will have half the name of one and half the name of another).
If a user then decides they dont want to sync to this folder any more the info.plist does not remove this data until you change the folder that you sync to.
Either way, from this I can say that at some point someone synced this folder with the device related to this backup. The photo database/ithmb files do not store a unique identifier for the device that i can find (which makes sense, if you want to sync multiple ios devices to the same folder all it cares about is the ithmb files. Ive heard you may be able to reverse engineer which ios devices were used by determining the size of the ithmbs generated).
If anyone can think of something im missing or flaws in my logic let me know
-
randomaccess - Senior Member
Re: iPod Photo Cache
Posted: Tue Feb 12, 2013 8:16 am
So, you're analyzing a dump or backup of an iPod/iPhone? If so, how did you get it?
-
keydet89 - Senior Member
Re: iPod Photo Cache
Posted: Tue Feb 12, 2013 3:46 pm
backup
The POI had a backup of his phone on his PC. On idevices itunes gives you the option of backing up to the computer or icloud. This computer was seized prior to icloud.
Luckily there wasnt a backup password.
If im lucky i may be able to get the poi's old phone (chances are he's upgraded by now), and confirm its contents.
The POI had a backup of his phone on his PC. On idevices itunes gives you the option of backing up to the computer or icloud. This computer was seized prior to icloud.
Luckily there wasnt a backup password.
If im lucky i may be able to get the poi's old phone (chances are he's upgraded by now), and confirm its contents.
-
randomaccess - Senior Member