Loading…

Welcome to Farley Forensics

Start exploring

Release: iTunes_Backup_Analyzer (With KAPE Module!)

iTunes_Backup_Analyzer is a Python 3 script that parses iTunes backups, and since iTunes backups have the same format across Mac OS and Windows machines, the script works on both. This script is based off of the plugin I wrote for Yogesh Khatri’s Mac_Apt, with additional features that’ll eventually be implemented into Mac_Apt as well. This script is also fully compatible with Eric Zimmerman’s KAPE triage tool with the .mkape file I include in my Github. All artifacts listed below can be parsed from encrypted backups as well. Outputs all data to an SQLite Database.

Download Python Script, Standalone Executable, and KAPE Module here

 

Artifacts Parsed

  • Device Names
  • Device Serial Numbers
  • Product Names
  • Product Models
  • Phone Numbers
  • iOS Version
  • First Backup Timestamp
  • Last Backup Timestamp
  • If Passcode was Set
  • If the Backup is Encrypted
  • Device GUID, ICCID, IMEI,  & MEID
  • iTunes Version
  • All applications installed on device (Including sideloaded apps)
    • Device Installed on
    • Device Serial Number Installed on
    • App Name
    • AppleID used to Download
    • User’s Full Name associated with AppleID
    • Purchase Date
    • App Version
    • Auto-Downloaded & Redownloaded
    • Publisher
    • Full App Name

Sample Output

Leave a Reply

Bitnami