For those of you who don’t have time to read for585.com/ios13, here is a mini summary for you.
First – If the backup is NOT encrypted you will not get:
Apple has upped their game on protection it seems, so you need to encrypt to extract. I used iTunes in my full blog and just testing PA 7.24 Method 1 with encryption and Method 2 is in progress. Worked like a charm and I got what I expected. You lock it up, or you don’t get much. Bottom line. Jessica Hyde wrote a post on protecting yourself from an accidental sync if using iTunes to create a backup: https://www.magnetforensics.com/blog/three-newer-things-that-may-surprise-you-about-ios-forensics/amp/ If you are using PA, you are protected from this.
While you are going to be forced to read the long blog for the juicy details, here are the file paths you need to be aware of for iOS 13:
- Contacts /var/mobile/Library/AddressBook/AddressBookImages.sqlitedb
- Calls /var/mobile/Library/CallHistoryDB/CallHistory.storedata
- SMS /var/mobile/Library/SMS/sms.db
- Maps /var/mobile/Applications/com.apple.Maps/Library/Maps/GeoHistory.mapsdata
- Safari /var/mobile/Library/Safari/History.db
- Photos Database /var/mobile/Media/PhotoData/Photos.sqlite
The biggest change other than encryption seems to be the use of protobufs, which Sarah Edwards is working on a blog to discuss, settings and how that may determine what is saved to device vs. cloud, Safari artifact storage, and encryption. Please read the full blog for all of the good details and stay tuned for my iOS series, webinars, etc.
Stay tuned for the release of PA 7.24 next week and also for #TipTues on Twitter where I will provide something useful, I hope. 😉