| 1 | +# iOS Backup Forensics (Messaging‑centric triage) |
| 2 | + |
| 3 | +{{#include ../../banners/hacktricks-training.md}} |
| 4 | + |
| 5 | +This page describes practical steps to reconstruct and analyze iOS backups for signs of 0‑click exploit delivery via messaging app attachments. It focuses on turning Apple’s hashed backup layout into human‑readable paths, then enumerating and scanning attachments across common apps. |
| 6 | + |
| 7 | +Goals: |
| 8 | +- Rebuild readable paths from Manifest.db |
| 9 | +- Enumerate messaging databases (iMessage, WhatsApp, Signal, Telegram, Viber) |
| 10 | +- Resolve attachment paths, extract embedded objects (PDF/Images/Fonts), and feed them to structural detectors |
| 11 | + |
| 12 | + |
| 13 | +## Reconstructing an iOS backup |
| 14 | + |
| 15 | +Backups stored under MobileSync use hashed filenames that are not human‑readable. The Manifest.db SQLite database maps each stored object to its logical path. |
| 16 | + |
| 17 | +High‑level procedure: |
| 18 | +1) Open Manifest.db and read the file records (domain, relativePath, flags, fileID/hash) |
| 19 | +2) Recreate the original folder hierarchy based on domain + relativePath |
| 20 | +3) Copy or hardlink each stored object to its reconstructed path |
| 21 | + |
| 22 | +Example workflow with a tool that implements this end‑to‑end (ElegantBouncer): |
| 23 | + |
| 24 | +```bash |
| 25 | +# Rebuild the backup into a readable folder tree |
| 26 | +$ elegant-bouncer --ios-extract /path/to/backup --output /tmp/reconstructed |
| 27 | +[+] Reading Manifest.db ... |
| 28 | +✓ iOS backup extraction completed successfully! |
| 29 | +``` |
| 30 | + |
| 31 | +Notes: |
| 32 | +- Handle encrypted backups by supplying the backup password to your extractor |
| 33 | +- Preserve original timestamps/ACLs when possible for evidentiary value |
| 34 | + |
| 35 | + |
| 36 | +## Messaging app attachment enumeration |
| 37 | + |
| 38 | +After reconstruction, enumerate attachments for popular apps. The exact schema varies by app/version, but the approach is similar: query the messaging database, join messages to attachments, and resolve paths on disk. |
| 39 | + |
| 40 | +### iMessage (sms.db) |
| 41 | +Key tables: message, attachment, message_attachment_join (MAJ), chat, chat_message_join (CMJ) |
| 42 | + |
| 43 | +Example queries: |
| 44 | + |
| 45 | +```sql |
| 46 | +-- List attachments with basic message linkage |
| 47 | +SELECT |
| 48 | + m.ROWID AS message_rowid, |
| 49 | + a.ROWID AS attachment_rowid, |
| 50 | + a.filename AS attachment_path, |
| 51 | + m.handle_id, |
| 52 | + m.date, |
| 53 | + m.is_from_me |
| 54 | +FROM message m |
| 55 | +JOIN message_attachment_join maj ON maj.message_id = m.ROWID |
| 56 | +JOIN attachment a ON a.ROWID = maj.attachment_id |
| 57 | +ORDER BY m.date DESC; |
| 58 | + |
| 59 | +-- Include chat names via chat_message_join |
| 60 | +SELECT |
| 61 | + c.display_name, |
| 62 | + a.filename AS attachment_path, |
| 63 | + m.date |
| 64 | +FROM chat c |
| 65 | +JOIN chat_message_join cmj ON cmj.chat_id = c.ROWID |
| 66 | +JOIN message m ON m.ROWID = cmj.message_id |
| 67 | +JOIN message_attachment_join maj ON maj.message_id = m.ROWID |
| 68 | +JOIN attachment a ON a.ROWID = maj.attachment_id |
| 69 | +ORDER BY m.date DESC; |
| 70 | +``` |
| 71 | + |
| 72 | +Attachment paths may be absolute or relative to the reconstructed tree under Library/SMS/Attachments/. |
| 73 | + |
| 74 | +### WhatsApp (ChatStorage.sqlite) |
| 75 | +Common linkage: message table ↔ media/attachment table (naming varies by version). Query media rows to obtain on‑disk paths. |
| 76 | + |
| 77 | +Example (generic): |
| 78 | + |
| 79 | +```sql |
| 80 | +SELECT |
| 81 | + m.Z_PK AS message_pk, |
| 82 | + mi.ZMEDIALOCALPATH AS media_path, |
| 83 | + m.ZMESSAGEDATE AS message_date |
| 84 | +FROM ZWAMESSAGE m |
| 85 | +LEFT JOIN ZWAMEDIAITEM mi ON mi.ZMESSAGE = m.Z_PK |
| 86 | +WHERE mi.ZMEDIALOCALPATH IS NOT NULL |
| 87 | +ORDER BY m.ZMESSAGEDATE DESC; |
| 88 | +``` |
| 89 | + |
| 90 | +Adjust table/column names to your app version (ZWAMESSAGE/ZWAMEDIAITEM are common in iOS builds). |
| 91 | + |
| 92 | +### Signal / Telegram / Viber |
| 93 | +- Signal: the message DB is encrypted; however, attachments cached on disk (and thumbnails) are usually scan‑able |
| 94 | +- Telegram: inspect cache directories (photo/video/document caches) and map to chats when possible |
| 95 | +- Viber: Viber.sqlite contains message/attachment tables with on‑disk references |
| 96 | + |
| 97 | +Tip: even when metadata is encrypted, scanning the media/cache directories still surfaces malicious objects. |
| 98 | + |
| 99 | + |
| 100 | +## Scanning attachments for structural exploits |
| 101 | + |
| 102 | +Once you have attachment paths, feed them into structural detectors that validate file‑format invariants instead of signatures. Example with ElegantBouncer: |
| 103 | + |
| 104 | +```bash |
| 105 | +# Recursively scan only messaging attachments under the reconstructed tree |
| 106 | +$ elegant-bouncer --scan --messaging /tmp/reconstructed |
| 107 | +[+] Found N messaging app attachments to scan |
| 108 | +✗ THREAT in WhatsApp chat 'John Doe': suspicious_document.pdf → FORCEDENTRY (JBIG2) |
| 109 | +✗ THREAT in iMessage: photo.webp → BLASTPASS (VP8L) |
| 110 | +``` |
| 111 | + |
| 112 | +Detections covered by structural rules include: |
| 113 | +- PDF/JBIG2 FORCEDENTRY (CVE‑2021‑30860): impossible JBIG2 dictionary states |
| 114 | +- WebP/VP8L BLASTPASS (CVE‑2023‑4863): oversized Huffman table constructions |
| 115 | +- TrueType TRIANGULATION (CVE‑2023‑41990): undocumented bytecode opcodes |
| 116 | +- DNG/TIFF CVE‑2025‑43300: metadata vs. stream component mismatches |
| 117 | + |
| 118 | + |
| 119 | +## Validation, caveats, and false positives |
| 120 | + |
| 121 | +- Time conversions: iMessage stores dates in Apple epochs/units on some versions; convert appropriately during reporting |
| 122 | +- Schema drift: app SQLite schemas change over time; confirm table/column names per device build |
| 123 | +- Recursive extraction: PDFs may embed JBIG2 streams and fonts; extract and scan inner objects |
| 124 | +- False positives: structural heuristics are conservative but can flag rare malformed yet benign media |
| 125 | + |
| 126 | + |
| 127 | +## References |
| 128 | + |
| 129 | +- [ELEGANTBOUNCER: When You Can't Get the Samples but Still Need to Catch the Threat](https://www.msuiche.com/posts/elegantbouncer-when-you-cant-get-the-samples-but-still-need-to-catch-the-threat/) |
| 130 | +- [ElegantBouncer project (GitHub)](https://github.com/msuiche/elegant-bouncer) |
| 131 | + |
| 132 | +{{#include ../../banners/hacktricks-training.md}} |
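Review bot: both iMessage queries under "Example queries" select the raw `m.date`, which on iOS 11 and later is nanoseconds since 2001-01-01 (Apple/Cocoa epoch) and on older builds is seconds since 2001, so the output is unusable in a report as written, and the later "convert appropriately during reporting" caveat never says how. Suggest adding a converted column next to the raw one, e.g. `datetime(m.date/1000000000 + 978307200, 'unixepoch') AS message_time_utc` (drop the division for pre-iOS 11 databases), and correcting the note below the block: `attachment.filename` is normally of the form `~/Library/SMS/Attachments/xx/yy/<GUID>/<name>`, where `~` must be mapped onto the MediaDomain root of the reconstructed tree, rather than being "absolute or relative". In "Reconstructing an iOS backup", step 1 "Open Manifest.db" does not work on encrypted backups, because since iOS 10.2 Manifest.db itself is AES-encrypted with a key wrapped by the keybag in Manifest.plist; the "supply the backup password" remark is therefore a prerequisite of step 1, and the `elegant-bouncer --ios-extract` example should say whether and how the tool takes that password instead of leaving it implied. Step 3 should also restrict itself to rows with `flags = 1` (regular file), since `flags = 2` (directory) and `flags = 4` (symlink) records have no stored object under the hashed `fileID` path, and the timestamps/ownership the notes ask to preserve are not carried by the hashed files at all but by the NSKeyedArchiver (MBFile) plist in each row's `file` column, which the extractor has to parse and reapply. Finally, the WhatsApp query's `LEFT JOIN ZWAMEDIAITEM ... WHERE mi.ZMEDIALOCALPATH IS NOT NULL` is an inner join in disguise and should just be `JOIN`; it would also help to state that `ZMEDIALOCALPATH` is relative to the app group container, which in a backup lives under the `AppDomainGroup-group.net.whatsapp.WhatsApp.shared` domain, and that `ZMESSAGEDATE` is a Core Data timestamp (seconds since 2001) needing the same `+ 978307200` shift.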