MobileSyncBrowser v3 is an application available for Mac OS X and Windows that allows anyone to look at the iPhone/iPod Touch data left on a computer after a "sync". Vaughn wrote this software with the entire iPhone/iPod Touch community in mind, but digital analysts have uses for this type of software as well. Let's take a look at what Vaughn has produced and how it can be put to use in the digital forensic processes.
First, MobileSyncBrowser is available from Vaughn's website, www.mobilesyncbrowser.com. He is gracious enough to offer a trial version of this software so you can take a look and see if this will produce what you need before buying the product. Again, the product is available for both Windows and the Mac!
Next, iPhone data left on a Mac or PC can be read by either version, and in fact, is the same data. As you begin to examine iPhone/iPod Touch backup data, you will notice that the file and folder structure is the same on both platforms. When using this application to examine a suspect's iPhone or iPod Touch sync data, you will likely need to copy the data into a clean user account.
Note: At this point, we are going to be using the Mac version of MobileSyncBrowser as well as Mac OS X procedures. You can easily adapt these to your Windows based examination steps.
Data for iPhone and iPod Touch Backups is found in the User's Library in the following path: ~/Library/Application Support/MobileSync/Backup
User's MobileSync Backup folder in the Application Support folder
In order to look at suspect data, we need to place the "Backup" folder here. The cleanest procedure to accomplish this is to create a new user account and then copy the suspect user's "Backup" folder into this location. MobileSyncBrowser will immediately pick up on the data when it is launched as if it had always been there.
Let's now look at the interface of MobileSyncBrowser and what you can expect to gather by running this application.
MobileSyncBrowser v3 Initial Screen
Within this application, you can now browse the backup data shown. Unfortunately, there is no email to be browsed and you will need to gather that by other means. Let's take a look at a sample view of a single SMS being viewed:
MobileSyncBrowser v3 SMS Message Display
Notice in this display how it appears in the same manner as the suspect would see the SMS message on his iPhone! What is even more powerful for us is the ability to export this single message or all messages to HTML for reporting purposes. Once HTML has been created, you can also use the OS X built-in function of Print-To-PDF and create great reports for distribution.
Notable features for digital examiners:
- recognizes multiple devices being synced thru one account. In other words, if the suspect has 2 iPhones and 1 iPod Touch being synced to the same account, MobileSyncBrowser v3 will display each of the 3 devices to you for browsing.
- SMS Messages displayed in their native iPhone format as the suspect would have seen them and also gives the date/time for each message
- from the "Photos & Other Files" selection, you can extract the lockdown file, Keychain, documents, files from Apps installed, all Safari Browser data including History
- export to HTML for reporting or extract the native file for easy opening with Address Book, iCal, etc. for reporting.
This review is just a start of the features you will find in this powerful application for viewing iPhone/iPod Touch sync data. I would encourage you to look at this application as an additional tool in your digital arsenal.