Proj 14: Analyzing an iPad image with iPBA2 (15 pts.)

What You Need

Purpose

To analyze an iTunes backup file.

Get a Windows Machine

Use a Windows machine.

If you are using the Windows Server 2008 machine from the "S13" DVD handed out in class, log in as Administrator with a password of P@ssw0rd

Turning Off Internet Explorer Enhanced Security Configuration

This is an annoyance that only happens on Server versions of Windows. It's intended to deter people from surfing the Internet on a server.

In the lower right of Server Manager, in the "Security Information" section, click the "Configure IE ESC" link, as shown below.

Click both Off buttons, as shown below. Then click OK.

Downloading iPBA2

In a Web browser, go to

http://www.ipbackupanalyzer.com/downloads

In the "Windows EXE build" section, click the "View releases in this category" button.

On the next page, find the latest version. When I did it, that was 042013(Beta), as shown below.

Click the "View files" button.

The next page shows the file size and hash values, as shown below.

Click the "Download now" button.

Verifying the Hash

If it's not already installed, download Hashcalc here and install it.

http://www.slavasoft.com/hashcalc/

Use Hashcalc to check the SHA-1 hash value of the downloaded iPBA file.

Unfortunately, the hash did not match when I did it, as shown below. The file size is also wrong.

I suspect that the download was updated and the hash values are not accurate. Let's proceed anyway.

Extracting iPBA

Right-click the "iPBA2 exe build 042013.zip" file and click "Extract All...", Extract.

An "iPBA2 exe build 042013" window opens. Double-click the main folder.

Double-click the iPBA2 icon.

iPBA2 opens, as shown below.

Getting the Evidence File

Download the file below:

iPad-backup.zip

Use Hashcalc to verify the SHA-1 hash of the file. It should match the value shown below.

Right-click the iPad-backup.zip file and click "Extract All...", Extract.

Analyzing the File

In iPBA2, click File, "Open archive".

Browse to your desktop, double-click the iPad-backup folder, and click the folder inside with the long hexadecimal name.

Click the "Select Folder" button.

A "Repair database files" box pops up, warning that iPBA2 is about to alter the evidence file. That's OK because we are using a copy, not the original file, so click Yes.
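The steps above verify a SHA-1 value with Hashcalc and then let iPBA2 alter a working copy of the evidence. As an added example (not part of the original project or of iPBA2), this Python script records the size and SHA-1 of every file in the extracted backup folder before it is opened, and on a later run reports which files were added, removed or modified. The script name and the manifest file name are assumptions.

```python
import hashlib
import json
import os
import sys


def sha1_file(path, chunk_size=1 << 20):
    """Stream a file through SHA-1 so large evidence files are not read into memory at once."""
    digest = hashlib.sha1()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root):
    """Map each file path (relative to root, '/'-separated) to its (size, SHA-1) pair."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = (os.path.getsize(full), sha1_file(full))
    return manifest


def diff_manifests(before, after):
    """Return sorted lists of the files added, removed and modified between two manifests."""
    common = set(before) & set(after)
    return {
        "added": sorted(set(after) - set(before)),
        "removed": sorted(set(before) - set(after)),
        "modified": sorted(p for p in common if before[p] != after[p]),
    }


if __name__ == "__main__":
    # Usage (assumed names): python manifest.py <backup folder> <manifest.json>
    # Keep manifest.json outside the backup folder. The first run writes it; later runs compare.
    root, saved = sys.argv[1], sys.argv[2]
    current = build_manifest(root)
    if os.path.exists(saved):
        with open(saved) as fh:
            before = {k: tuple(v) for k, v in json.load(fh).items()}
        print(json.dumps(diff_manifests(before, current), indent=2))
    else:
        with open(saved, "w") as fh:
            json.dump(current, fh, indent=2)
        print("wrote %d entries to %s" % (len(current), saved))
```

Run it once on the extracted iPad-backup folder before clicking "Open archive", and again after iPBA2 has repaired the database files, to document exactly what the tool changed in the working copy.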

Viewing Photos

The lower left pane of iPBA2 shows the files it extracted from the iTunes backup.

Expand the "CameraRollDomain" and hunt through the folders until you find the photo of a computer showing my Web page.

Right-click IMG_003.JPG and click "Open with image Viewer".

The image appears in the center pane, as shown below.

Capturing a Screen Image

Make sure the green web page titled "Sam Bowne" is visible, as shown above.

Press the PrntScrn key to capture the whole desktop. Open Paint and paste in the image.

Save the image as "Proj 14a from YOUR NAME".

YOU MUST SEND IN A WHOLE-DESKTOP IMAGE FOR FULL CREDIT

Viewing EXIF Data

In the center of the iPBA2 window, in the "Image Viewer" window, click the "EXIF data" button.

Notice that the date and time the photo was taken appears as "DateTimeOriginal", as shown below.

Some cameras also record the GPS location in the EXIF data, but the iPad I used didn't do that.

Viewing Web History

Navigate to the Safari History, as shown below, and expand the items to show the visited URLs.

Capturing a Screen Image

Make sure these URLs are visible:

Press the PrntScrn key to capture the whole desktop. Open Paint and paste in the image.

Save the image as "Proj 14b from YOUR NAME".

YOU MUST SEND IN A WHOLE-DESKTOP IMAGE FOR FULL CREDIT

In iPBA2, from the menu bar, click Plugins, "Known WiFi Networks".

The "Dr Evil" network appears, as shown below.

Turning in Your Project

Send the images to cnit.121@gmail.com with a subject of "Proj 14 from YOUR NAME".


Last revised: 3-25-14 10 am