Scenario: Have logical acquisition of 3G-S iPhone, using Lantern (the output is live native files, not stored in a container/case file). We do not have any associated computer.
Question: Is it possible to tell, from the iPhone data (thinking, maybe plist files?) that the device has been synchronized with a system?
Thanks,
LM
If I am not mistaken (don't have my notes in front of me)….
status.plist - status of last sync
manifest.plist - list of files backed up
info.plist - info on the phone.
Hope that helps.
Best
-=ART=-
The files listed by 4n6art are usually found as part of a backup set found on a system rather than on the phone itself.
I have observed subtle differences in the iTunesMetaData.plist files related to applications installed on the phone. The format of these seems to differ if an app has been downloaded using iTunes and subsequently uploaded to the device rather than those that have been downloaded directly to the device from the App Store.
I need to do a little more digging in this area, but it is possibly a good starting point.
@4n6art Thanks for the prompt response. Of those files, only the info.plist exists in our dataset, with 4 separate instances. Viewing the text, nothing appears to relate to synchronization.
Two are dictionary, one is webclip, and one is photo-related.
Sounds like we may really want that status.plist. If the phone wasn't ever synched, would the status.plist not exist on it?
@JDCoulthard Interesting. Sorry, I didn't see your response when I replied before (think I was trying to draft it when you posted). We'll take a look at those files as well.
Try taking a look at 'pair_records' which can be found at location /private/var/root/library/Lockdown/pair_records
From my notes this file is suggested to hold information regarding pairing the device with a desktop computer.
Incidentally, the certificates that you find in there should match those held by the desktop computer (should you have it).
Of course this may all depend on whether you got a 'full read' and can access all files.
I have not actually looked at this file myself so let us know how you get on.
Regards
Coligulus,
There is /private/var/ but from there it goes only to /mobile/Applications/…
So, I don't know at this point if that means the other path/data did not exist on the phone, or if the acquisition did not get it.
This is just a little of the information I found about /private/var/root/Library/Lockdown/pair_records/
Examples of Unique Identifiers returned for the
/private/var/root/Library/Lockdown/pair_records/6FB8FC9B-4A9F-4116-9DA6-FF3359189B58.plist
/private/var/root/Library/Lockdown/pair_records/8967FF50-AD44-431A-801C-9B4754A84B04.plist
Apparently the identifier is supposed to be unique.
Below is a command which apparently requests the .plist but does not write to the plist.
0x82aa00 (82 aa 00) (/var/root/Library/Lockdown/pair_records/)
So the question is … if the device were never synched, would the …/pair_records/ directory still exist?
I'm sorry, LittleMac, I should have quantified my previous statement.
The path of 'private/var/root/library/lockdown' should definitely exist.
Is the device you are using jailbroken or not? It is possible that the location is not accessible through a logical acquisition if the device is not jailbroken already. I am not familiar with the tool you are using but a number of other tools are unable to provide a comprehensive extraction of the file system on iPhones due to the 'jailed' environment which exists.
I have not tested this on a device which has not been synced and as such couldn't comment whether the file exists without a sync ever taking place, apologies.
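Added example, not part of any post in this thread: a Python sketch that surveys an extracted file tree for the pair_records location discussed above, and keeps "Lockdown directory not in the acquisition" separate from "directory present but no records". It assumes nothing about key names inside the plists; the function names, status strings and the sample record are constructed for illustration.

```python
import hashlib
import plistlib
from pathlib import Path

# Location named in the thread, lower-cased; matched case-insensitively below.
LOCKDOWN_PARTS = ("private", "var", "root", "library", "lockdown")

def find_dir(start, parts):
    """Walk parts under start, ignoring case (posts spell 'Library' both ways)."""
    current = Path(start)
    for part in parts:
        if not current.is_dir():
            return None
        hits = [c for c in current.iterdir() if c.is_dir() and c.name.lower() == part]
        if not hits:
            return None
        current = hits[0]
    return current

def survey_pair_records(root):
    """Return (status, records) for an extracted iPhone file tree."""
    lockdown = find_dir(root, LOCKDOWN_PARTS)
    if lockdown is None:
        return "lockdown_not_acquired", []  # no conclusion about syncing possible
    pair_dir = find_dir(lockdown, ("pair_records",))
    records = []
    for path in sorted(pair_dir.glob("*.plist")) if pair_dir else []:
        try:
            data = plistlib.loads(path.read_bytes())  # XML or binary plist
        except Exception:
            data = None  # unreadable record is still reported by name
        top = data if isinstance(data, dict) else {}
        records.append({
            "identifier": path.stem,
            "parsed": data is not None,
            "keys": sorted(top),
            # Hash binary values so they can be compared with the desktop's copies.
            "blob_sha256": {k: hashlib.sha256(v).hexdigest()
                            for k, v in top.items() if isinstance(v, bytes)},
        })
    return ("pair_records_present" if records else "no_pair_records"), records

def build_sample_tree(base):
    """Constructed sample input: one record with a made-up key and value."""
    d = Path(base, "private", "var", "root", "Library", "Lockdown", "pair_records")
    d.mkdir(parents=True)
    sample = plistlib.dumps({"SampleBlob": b"constructed-bytes"})
    (d / "00000000-0000-0000-0000-000000000000.plist").write_bytes(sample)
    return base
```

A result of `lockdown_not_acquired` corresponds to the situation described in the thread, where the tree stops at /private/var/mobile/Applications and nothing can be inferred either way.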