Proj X6: Analyzing an iTunes Backup with Magnet Forensics' Internet Evidence Finder (15 pts.)

What You Need

Purpose

Analyze a backup file to find evidence, including Internet use.

Getting a Trial Version of Internet Evidence Finder

If you are one of my CNIT 121 students, and it's in Nov or Dec, 2016, you can get a trial version of IEF with a temporary key from this page:

https://games.samsclass.info/secret/download-vms.htm

If not, do the steps below to get your own trial version and key.

In a browser, go to

http://www.magnetforensics.com/mfsoftware/internet-evidence-finder/

At the bottom, click the "REQUEST A FREE TRIAL" button.

You will have to fill out a form and wait a day or so to get an email with a link allowing you to download a free trial version of IEF.

When you get it, it's a Windows excutable named "IEFv660.0678setup.exe".

Run this file on your Windows computer and install the softare with the default settings.

Using Internet Evidence Finder

After it installs, Internet Evidence Finder launches, as shown below. Click MOBILE.

A box pops up saying "Your license was not detected".

Click OK.

From the menu bad, click Licensing, "Load License Key".

Copy and paste in the license key from the email Magnet Forensics sent you.

Click OK.

Click MOBILE.

Click IOS.

Click "FILE DUMP".

Navigate to:

C:\Users\Student\AppData\Roaming\Apple Computer\MobileSync\Backup

Check the folder with the long hexadecimal name, as shown below. Click OK.

At the bottom right of the IEF window, click NEXT, as shown below. When I did it, I had to maximize the IEF window to make the NEXT button visible.

The next screen shows all the types of artifacts IEF can find, as shown below. Scroll down to see them all--it sure knows a lot of websites.

At the bottom right, click NEXT.

On the next page, in the "Destination Path" line, click Browse and select your Desktop.

Enter a 'Case Nuber" of x6 and an "Examiner's Name" of "YOUR NAME", as shown below.

At the bottom right, click "FIND EVIDENCE".

A "Search Status" box appears, as shown below:

If a "Dynamic App Finder" box appears, click "Add checked artifacts and finish".

Click OK.

If the "Search Status" box is still open, close it.

The next screen has gathered the evidence into a very convenient form.

In the left pane, click "Google Searches". The right pane shows what was searched for, but not dates or times when I did it, as shown below:

In the left pane, click "iOS iMessage/SMS/MMS". The right pane shows SMS messages, as shown below:

In the left pane, click Pictures. The right pane shows thumbnail images, as shown below:

To make the pictures larger, at the top center, to the left of "Skin Tone", slide the slider to the right. as shown below:

Similarly, examine the other categories of items, such as "Calendar Events" and "iOS Contacts".

Finally, scroll down in the left pane and click "Safari History".

You should be able to find the sites you browsed to on the iPad, including "kittenwars", as shown below:

Capturing a Screen Image

Make sure at least one URL is visible, as shown above. It doesn't have to be kittenwar.

Press the PrntScrn key to capture the whole desktop. Open Paint and paste in the image.

Save the image as "Proj X6 from YOUR NAME".

YOU MUST SEND IN A WHOLE-DESKTOP IMAGE FOR FULL CREDIT

Turning in Your Project

Send the image to cnit.121@gmail.com with a subject of "Proj X6 from YOUR NAME".

Source

Investigating iOS Phone Images, File Dumps & Backups


Last revised: 11-29-16