SQLite Databases and Plist Files

  • What about partitions?

Partitions are the divisions of a device's storage on which different kinds of data are kept. On a desktop or laptop the user normally decides how the disk is partitioned and how much space each partition gets. On a mobile device there is far less freedom: the manufacturer decides the layout, so on iOS devices it is Apple that determines how the partitions are created.

In fact, there are two partitions on an iOS device: the firmware partition and the data partition. The first holds the software that runs the device; the second holds the files and data created and used by the device's user.

Let's look more closely at the firmware partition. It is mounted read-only and is only written to while an update is being installed. During an upgrade, iTunes overwrites the whole partition with a brand-new one.

The size of the firmware partition is in most cases between 0.9 and 2.7 GB; the exact size depends on the size of the NAND storage. Although no user data is stored on this partition, it holds critical files such as system files, upgrade files, and the built-in applications.

The data partition is the one that serves the device's user: all user data is kept there. For an investigation it is therefore the critical partition from which evidence is collected. Both the user's own data and the applications installed through iTunes are found on this partition.

  • What about SQLite Databases?

First of all, note that SQLite is an open-source format that is widely used on mobile devices. It is a relational database, implemented as a C library that is efficient and small.

SQLite adheres to the SQL-92 standard, though not all of its features are implemented. Despite its small size, an SQLite database supports plenty of functionality.

SQLite databases are widely used in the iOS development community: a great many iOS applications rely on them to organise their data, including Calendar, Text Messages, Notes, Photos, and Address Book. All of the data belonging to these apps is stored in SQLite databases. The three primary databases are the Call History, Address Book, and SMS databases.

Let's look at this from another essential perspective: that of an examiner who needs to check evidence on an iOS device. A stable database viewer is then required so that the investigation serves the goals of the forensic procedure. From experts' experience, I can suggest using Sourceforge.net.

Sourceforge.net hosts an SQLite browser that can be relied on for viewing an SQLite database and collecting evidence; every SQLite data store can be displayed with it. Another good option is RazorSQL, though it is commercial software costing under $100. If you happen to be a Firefox user, there is also a free SQLite Manager plugin available without any purchase.

In addition to what was previously discussed, there is a browser available at the following link: http://sqlitebrowser.org/

That link provides a downloadable browser that can be installed on the examiner's machine. It offers a clear and accessible way of reading and exploring an SQLite database during an investigation.
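As an added example (not code from the original post or from any of the tools named above), here is how an examiner can enumerate and dump the tables of an SQLite evidence file from Python without the viewer altering it. The database, table and column names are constructed for illustration and are not the real iOS schema; it also decodes the Apple epoch (seconds since 2001-01-01 UTC) that iOS databases commonly use for dates, which the post does not cover.

```python
import os
import sqlite3
import tempfile
from datetime import datetime, timedelta, timezone

# Constructed sample rows (illustrative, not the real iOS call_history schema):
# number, duration in seconds, date as seconds since 2001-01-01 UTC (Apple's epoch).
SAMPLE_ROWS = [
    ("+15550100", 125, 0.0),
    ("+15550199", 0, 631152000.0),  # 2021-01-01 00:00:00 UTC
]

def build_sample_db():
    """Write the constructed evidence file to a temp directory so the example runs offline."""
    path = os.path.join(tempfile.mkdtemp(), "call_history.db")
    con = sqlite3.connect(path)
    con.execute("CREATE TABLE call (number TEXT, duration INTEGER, date REAL)")
    con.executemany("INSERT INTO call VALUES (?, ?, ?)", SAMPLE_ROWS)
    con.commit()
    con.close()
    return path

def open_readonly(path):
    # mode=ro rejects writes; immutable=1 also stops SQLite taking locks or creating
    # -journal/-wal side files, so examining the copy leaves it byte-identical.
    return sqlite3.connect(f"file:{path}?mode=ro&immutable=1", uri=True)

def list_tables(path):
    """Enumerate table names from the schema catalogue (sqlite_master)."""
    con = open_readonly(path)
    sql = "SELECT name FROM sqlite_master WHERE type='table' ORDER BY name"
    names = [row[0] for row in con.execute(sql)]
    con.close()
    return names

def apple_time(seconds):
    """Decode an Apple-epoch timestamp (seconds since 2001-01-01 UTC) to a datetime."""
    return datetime(2001, 1, 1, tzinfo=timezone.utc) + timedelta(seconds=seconds)

def dump_table(path, table):
    """Return every row of a table as a dict, decoding a 'date' column if present."""
    if table not in list_tables(path):  # accept only names present in the schema
        raise ValueError(f"no such table: {table}")
    con = open_readonly(path)
    con.row_factory = sqlite3.Row
    rows = [dict(r) for r in con.execute(f'SELECT * FROM "{table}"')]
    con.close()
    return [{k: apple_time(v).isoformat() if k == "date" else v for k, v in r.items()}
            for r in rows]
```

Point `build_sample_db` at a real working copy of an evidence database and the same `list_tables`/`dump_table` calls apply unchanged.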

  • What about Plists?

Both iOS and Macintosh devices use what is called a Property List (plist). It is a data file, sometimes referred to as a property file, which these operating systems rely on for storing data.

In the early days of the iPhone and Mac OS, another format named NeXTSTEP was used, alongside binary formats. Later, a new XML format came into use. The formats found nowadays are either the XML format or the binary format.

What type of data can be found inside a plist file? Strings, dates, Boolean values, numbers, and binary values can all be stored in plist files. Examples of data saved in plist format are browsing history, favorites, and configuration data. All data of these kinds depends on plist files in the first place.

How can plist files be opened? There is a chance that the file opens successfully in a standard text editor; otherwise it requires a particular viewer. One such tool is plutil, a command-line utility.

Its purpose is to convert plist files, which are mostly binary, into a format that humans can read. The operating systems on which the tool is available are Linux, Microsoft Windows, and Mac OS. After conversion, an XML property list is produced, with the contents wrapped in plist tags.
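As an added example (not code from the original post and not plutil itself), the following Python reproduces what the post describes: tell a binary plist from an XML one, convert the binary form to XML the way `plutil -convert xml1` does, and flatten the values into key paths for an examiner's report. The sample preferences dictionary is constructed for illustration and mirrors no real iOS file.

```python
import plistlib
from datetime import datetime

# Constructed sample: a preferences-style dictionary holding each value type the
# post lists (string, date, Boolean, number, binary), serialised as a binary plist.
SAMPLE = {
    "HomePage": "https://example.invalid/",
    "LastVisited": datetime(2021, 1, 1, 12, 0, 0),
    "JavaScriptEnabled": True,
    "HistoryItemLimit": 1000,
    "SessionToken": b"\x00\x01\x02",
    "RecentSearches": ["cats", "dogs"],
}
SAMPLE_BINARY = plistlib.dumps(SAMPLE, fmt=plistlib.FMT_BINARY)

def detect_format(data):
    """Binary plists begin with the magic 'bplist'; XML ones begin with an XML declaration."""
    if data.startswith(b"bplist"):
        return "binary"
    if data.lstrip().startswith(b"<?xml") or b"<plist" in data[:512]:
        return "xml"
    raise ValueError("not a property list")

def to_xml(data):
    """Same effect as `plutil -convert xml1`: parse either format, re-emit as XML."""
    return plistlib.dumps(plistlib.loads(data), fmt=plistlib.FMT_XML, sort_keys=True)

def flatten(obj, prefix=""):
    """Flatten nested dicts/arrays into 'a.b[0]'-style key paths for reporting."""
    if isinstance(obj, dict):
        out = {}
        for k, v in obj.items():
            out.update(flatten(v, f"{prefix}.{k}" if prefix else k))
        return out
    if isinstance(obj, list):
        out = {}
        for i, v in enumerate(obj):
            out.update(flatten(v, f"{prefix}[{i}]"))
        return out
    return {prefix: obj}

def examine(data):
    """Report the format, XML rendering and flattened key paths of one plist file's bytes."""
    fmt = detect_format(data)
    obj = plistlib.loads(data)  # plistlib auto-detects binary versus XML
    return {"format": fmt, "xml": to_xml(data).decode(), "values": flatten(obj)}
```

Read a file with `open(path, "rb").read()` and pass the bytes to `examine` to get the same report for a real plist.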

This post was written by hsamanoudy
