Safari Cookies on Apple iPad 2

dpenrod
(@dpenrod)
Active Member
Joined: 19 years ago
Posts: 16
Topic starter  

I have a case in which the client wishes to recover date and time stamps from Safari's Internet cookies. We can see the cookies but not the date and time stamps, which are critical - of course. Unfortunately, the user had deleted Internet history so all that is left are the cookies. When I imaged the iPad in MPE+, no cookies were recorded - although they are clearly there.

Is there any way to download the cookies along with their date and time stamps?


   
(@mobileforensicswales)
Reputable Member
Joined: 17 years ago
Posts: 274
 

You will need to jailbreak the device and download its files using the AFC protocol. What are your clients looking for… Have you considered all the tasty internet artifacts in the Cache.db?

http://forensicsfromthesausagefactory.blogspot.co.uk/2010/06/safari-browser-cache-examination-of.html


   
(@alexc)
Reputable Member
Joined: 16 years ago
Posts: 301
 

Hi, if you have the ".binarycookies" files then you should be able to parse the files using Dunk:

http://www.cclgroupltd.com/Buy-Software/dunk-web-cookie-analysis-tool.html

And if you can get hold of the Cache.db, I second mobileforensicswales' enthusiasm; that file is a goldmine.


   
dpenrod
(@dpenrod)
Active Member
Joined: 19 years ago
Posts: 16
Topic starter  

Thank you for your help. I purchased Dunk! from CCL Forensics and it works great. I have one question:

Are the timestamps local time (Denver, Colorado) or are they UTC, which is 7 hours ahead of Denver time?


   
(@randomaccess)
Reputable Member
Joined: 14 years ago
Posts: 385
 

You will need to Jailbreak the device and download its files using the AFC protocol. What are your clients looking for… Have you considered all the tasty internet artifacts in the Cache.db

Have you found a way to jailbreak the device?
I thought that the iPad 1 was the only one that could be jailbroken.


   
(@randomaccess)
Reputable Member
Joined: 14 years ago
Posts: 385
 

Thank you for your help. I purchased Dunk! from CCL Forensics and it works great. I have one question

Are the timestamps local time (Denver, Colorado) or are they UTC, which is 7 hours ahead of Denver time?

Firstly, do you have another iPad to test it on?
And secondly, whatever your findings, can you please post them up here?

or iphonewiki
or forensicwiki

Thanks
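
The timezone question raised above comes down to how the file stores its dates. As an added example (not code from this thread or from Dunk!), the parser below assumes the community-documented `.binarycookies` layout, in which expiry and creation are little-endian doubles counting seconds from 2001-01-01 00:00:00 UTC; the sample file, `build_sample` and all function names are constructed for illustration.

```python
import struct
from datetime import datetime, timedelta, timezone
from zoneinfo import ZoneInfo

MAC_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)  # Cocoa absolute-time epoch

def mac_to_utc(seconds):
    """Seconds since 2001-01-01 00:00:00 UTC -> timezone-aware UTC datetime."""
    return MAC_EPOCH + timedelta(seconds=seconds)

def cstr(buf, off):
    """Read the NUL-terminated string that starts at byte offset off."""
    return buf[off:buf.index(b"\x00", off)].decode("utf-8", "replace")

def parse_cookie(rec):
    # Assumed record layout: size, unk, flags, unk, four string offsets (LE u32),
    # 8-byte end marker, then expiry and creation as LE doubles at offset 40.
    _, _, flags, _, d, n, p, v = struct.unpack_from("<8I", rec, 0)
    expires, created = struct.unpack_from("<2d", rec, 40)
    return {"domain": cstr(rec, d), "name": cstr(rec, n), "path": cstr(rec, p),
            "value": cstr(rec, v), "flags": flags,
            "created": mac_to_utc(created), "expires": mac_to_utc(expires)}

def parse_binarycookies(data):
    if data[:4] != b"cook":
        raise ValueError("not a .binarycookies file")
    (npages,) = struct.unpack_from(">I", data, 4)         # file header is big-endian
    sizes = struct.unpack_from(">%dI" % npages, data, 8)
    pos, cookies = 8 + 4 * npages, []
    for size in sizes:
        page, pos = data[pos:pos + size], pos + size
        (count,) = struct.unpack_from("<I", page, 4)      # follows 00 00 01 00 page tag
        for off in struct.unpack_from("<%dI" % count, page, 8):
            (rec_len,) = struct.unpack_from("<I", page, off)
            cookies.append(parse_cookie(page[off:off + rec_len]))
    return cookies

def build_sample():
    """Constructed one-cookie file for the demo (not data from any case)."""
    strings = b"example.test\x00sid\x00/\x00abc123\x00"
    offs = (56, 69, 73, 75)                       # domain, name, path, value
    created, expires = 348345000.0, 379967400.0   # 2012-01-15 / 2013-01-15 18:30 UTC
    body = struct.pack("<7I", 0, 0, 0, *offs) + b"\x00" * 8
    body += struct.pack("<2d", expires, created) + strings
    rec = struct.pack("<I", 4 + len(body)) + body
    page = b"\x00\x00\x01\x00" + struct.pack("<2I", 1, 16) + b"\x00" * 4 + rec
    return b"cook" + struct.pack(">2I", 1, len(page)) + page

if __name__ == "__main__":
    for c in parse_binarycookies(build_sample()):
        local = c["created"].astimezone(ZoneInfo("America/Denver"))
        print(c["domain"], c["name"], c["created"].isoformat(), local.isoformat())
```

Converting with a named zone such as `America/Denver` rather than a fixed offset keeps daylight-saving periods correct when the values are reported in local time.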


   