PList and .db Files

(@jhowe)
Posts: 5
Active Member
Topic starter
 

I recently had a locked iPhone 5 that I sent off to Apple with a search warrant for assistance in retrieving the files from the phone. After a few months, they sent the device back and a thumb drive with the recovered files, all of which is in .db and PList files. I do not have a lot of experience with these files. I was able to pull up the .db files with MPE, but I have yet to find any software that can convert these into any type of acceptable reporting format.

Does anyone know of anything that can import these into a semi-usable reporting format for court? I have heard OFS2013 has a viewer and offers some reporting features, but I do not have access to that software. Anything FREE or affordable that I could sell to the PD would be great!

Thanks in advance for any help you can provide!

 
Posted : 07/01/2014 10:30 am
(@dcs1094)
Posts: 146
Estimable Member
 

> I recently had a locked iPhone 5 that I sent off to Apple with a search warrant for assistance in retrieving the files from the phone. After a few months, they sent the device back and a thumb drive with the recovered files, all of which is in .db and PList files. I do not have a lot of experience with these files. I was able to pull up the .db files with MPE, but I have yet to find any software that can convert these into any type of acceptable reporting format.
>
> Does anyone know of anything that can import these into a semi-usable reporting format for court? I have heard OFS2013 has a viewer and offers some reporting features, but I do not have access to that software. Anything FREE or affordable that I could sell to the PD would be great!
>
> Thanks in advance for any help you can provide!

You can open up/analyse/export (csv format) SQLite database files with
http://www.sqliteexpert.com/

There is a free Expert Personal version, or alternatively you can have the Professional version (which there is a 30 day trial of) or you can purchase the professional version for cheap $

OR try out http://sourceforge.net/projects/sqlitebrowser/

Also, with a quick search on this forum, this looks interesting
http://www.forensicfocus.com/Forums/viewtopic/t=11253/highlight=sqlite/

For further info on PList and SQLite check out
http://www.appleexaminer.com/MacsAndOS/Analysis/PLIST/PLIST.html

Hope this helps 8)

 
Posted : 07/01/2014 2:40 pm
(@jhowe)
Posts: 5
Active Member
Topic starter
 

Thanks a lot. That's some good info and a good place to start

 
Posted : 07/01/2014 2:48 pm
(@ebwahlberg)
Posts: 34
Eminent Member
 

Katana forensics makes a product called Lantern that parses the files returned from Apple very well and produces a nice report.

Eric

 
Posted : 07/01/2014 7:43 pm
MagnetForensics
(@magnetforensics)
Posts: 40
Eminent Member
 

I would echo DCS1094's comments, those are very good SQLite browsers and you should be able to highlight and drag and drop a bunch of the databases into SQLite Expert to view multiple DB's quickly.

Our software, IEF, can also parse individual DB files from iOS/Android devices by using the "File Dump" option, and may save you some time. If you have IEF and need instructions or don't have IEF and would like a trial, please feel free to reach out to me directly at jad(at)magnetforensics(dot)com.

Good luck!
Jad

 
Posted : 07/01/2014 11:29 pm
nlpd120
(@nlpd120)
Posts: 96
Trusted Member
 

To view the Property List Files on a Windows machine you may want to look at Plist Editor for Windows

http://www.icopybot.com/download.htm

There is a freeware and a pro version.

Regards,

Chris Currier

 
Posted : 10/01/2014 5:23 am
(@bitstorm)
Posts: 53
Trusted Member
 

Why not use Cellebrite UFED to analyze the phones? Just played around with my personal iP5 and if you get the passcode problem sorted out Cellebrite UFED Analyzer is a very nice tool to have an overview/detailed data in a sorted way. You also have access to the file system itself to do some further stuff.

 
Posted : 10/01/2014 5:42 pm
TomP
(@tomp)
Posts: 36
Eminent Member
 

The .db files are SQLite databases and can be viewed with any SQLite viewer. I use SQLite Expert Professional. While commercial tools offer support for some applications, I would suggest you look in the databases in case there is any additional information present.

The plist files can be viewed with Plist Editor for Windows as mentioned by Chris.

Incidentally, you may be able to recover deleted data from the .db files should you be interested.

Something along the lines of CCL's Epilog can do this for you. Both iOS and Android devices use SQLite databases for storing data so this tool can be used with more than just iOS.

A lot of tables interlink with one another so be wary if you can't see all of the information that you would normally associate with a piece of data. The SMS.db is a good example of this with its messages and handles.

 
Posted : 14/01/2014 7:46 pm
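
Added example (not written by any poster in this thread): a Python standard-library sketch of the workflow discussed above, opening a .db file read-only, exporting every table to CSV, reading a plist, and joining messages to handles so interlinked tables are not read in isolation. The `message`/`handle` columns are a simplified, assumed schema, and `build_sample` creates constructed sample files, not data from a real device.

```python
import csv, hashlib, pathlib, plistlib, sqlite3

def sha256_of(path):  # hash the working copy so the report can state what was examined
    return hashlib.sha256(pathlib.Path(path).read_bytes()).hexdigest()

def open_read_only(path):  # mode=ro makes SQLite refuse any write to the file
    return sqlite3.connect(pathlib.Path(path).resolve().as_uri() + "?mode=ro", uri=True)

def read_plist(path):  # plistlib reads both XML and binary property lists
    with open(path, "rb") as f:
        return plistlib.load(f)

def export_tables(db_path, out_dir):
    """Write each table to <out_dir>/<table>.csv and return {table: row count}."""
    con, counts = open_read_only(db_path), {}
    tables = [r[0] for r in con.execute("SELECT name FROM sqlite_master WHERE type='table'")]
    for name in tables:
        cur = con.execute('SELECT * FROM "%s"' % name.replace('"', '""'))
        rows = cur.fetchall()
        out = pathlib.Path(out_dir) / (name + ".csv")
        with open(out, "w", newline="", encoding="utf-8") as f:
            writer = csv.writer(f)
            writer.writerow([col[0] for col in cur.description])  # header row
            writer.writerows(rows)
        counts[name] = len(rows)
    con.close()
    return counts

def messages_with_handles(db_path):
    """LEFT JOIN on the assumed schema keeps messages whose handle row is missing."""
    con = open_read_only(db_path)
    rows = con.execute(
        "SELECT m.ROWID, h.id, m.is_from_me, m.text FROM message m "
        "LEFT JOIN handle h ON h.ROWID = m.handle_id ORDER BY m.ROWID").fetchall()
    con.close()
    return rows

def build_sample(folder):
    """Constructed sample files for the demo; not data from any real device."""
    db, pl = pathlib.Path(folder) / "sms.db", pathlib.Path(folder) / "sample.plist"
    con = sqlite3.connect(db)
    con.executescript(
        "CREATE TABLE handle(ROWID INTEGER PRIMARY KEY, id TEXT);"
        "CREATE TABLE message(ROWID INTEGER PRIMARY KEY, handle_id INTEGER, is_from_me INTEGER, text TEXT);"
        "INSERT INTO handle VALUES (1, '+15550100');"
        "INSERT INTO message VALUES (1,1,0,'inbound'),(2,1,1,'reply'),(3,9,0,'orphan');")
    con.close()
    pl.write_bytes(plistlib.dumps({"DeviceName": "Example"}, fmt=plistlib.FMT_BINARY))
    return str(db), str(pl)
```

Run it against a working copy rather than the original media, and record the hash from `sha256_of` before and after the export alongside the CSV output.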
(@tpd2021)
Posts: 1
New Member
 

I recently sent a warrant off to Apple (still waiting for them to tell me to send the phone) and talking to the tech department, they can't "unlock" the phone. All they are able to do is copy the data off of the phone onto an external drive. Then you do your exam on the external drive. I find it hard to believe that they designed these devices but can't unlock them.

I was wondering if you could examine the thumb drive with the Cellebrite as if it were a phone?

jhowe, if you don't mind, what was the turnaround on your warrant to results with Apple? Just wondering what to expect.

 
Posted : 01/02/2014 9:35 pm
(@dcs1094)
Posts: 146
Estimable Member
 

> Our software, IEF, can also parse individual DB files from iOS/Android devices by using the "File Dump" option, and may save you some time. If you have IEF and need instructions or don't have IEF and would like a trial, please feel free to reach out to me directly at jad(at)magnetforensics(dot)com.
>
> Good luck!
> Jad

Guys, just thought I'd vouch for Jad's comments on their IEF Advanced software. I was intrigued with his post and since then I have been testing out IEF on some physical images and file system dumps that were taken from iPhones. Myself and a colleague have been quite impressed with the results so far, when compared to other software tools used on a daily basis such as Cellebrite's PA, XRY etc! It's now another tool at our disposal for analysing data from smartphones and is not just used for recovering computer artifacts! :)

 
Posted : 02/02/2014 1:31 am