NOTES.md

Ideas

• FileFormat Adaptors:
  • According to FileID/Extension adaptors could be provided which makes inspecting these files easier/trivial
  • binary plists could be decoded as XML/whatever
  • encrypted files could be decrypted on the fly
  • …

Formats

New Format

• iTunes Backup
  • good overview
• How to decrypt an encrypted iPhone backup
  • Excellent HOWTO / explanation
  • Python code can be copied (almost verbatim!)
• Backup database hashes: which filenames do they use
  • excellent reference, can use these to create artificial "interesting files" folders
    • via defaults like so?:

      "Groups" = {
        "Interesting Files" = (
          "3d0d7e5fb2ce288813306e4d4636395e047a3d28", …
        );
      };
      

• Objective-C literals
• https://blog.erratasec.com/2020/01/how-to-decrypt-whatsapp-end-to-end.html
  • not sure that's required here, we do have access to the most recent unencrypted files in this backup?

SQLite3

• FMDB - SQLite3 in ObjC
  • Include in build via Carthage
• SQLite Database Browser
• DB Open Flags
  • #define SQLITE_OPEN_READONLY 0x00000001 /* Ok for sqlite3_open_v2() */

MbdbMbdxFormat

• MbdbMbdxFormat
  • Important : all numbers are big endian.

MBDB
header
  uint8[6]    'mbdb\5\0'

record (variable size)
  string     Domain
  string     Path
  string     LinkTarget          absolute path
  string     DataHash            SHA.1 (some files only)
  string     unknown             always N/A
  uint16     Mode                same as mbdx.Mode
  uint32     unknown             always 0
  uint32     unknown             
  uint32     UserId
  uint32     GroupId             mostly 501 for apps
  uint32     Time1               relative to unix epoch (e.g time_t)
  uint32     Time2               Time1 or Time2 is the former ModificationTime
  uint32     Time3
  uint64     FileLength          always 0 for link or directory
  uint8      Flag                0 if special (link, directory), otherwise unknown
  uint8      PropertyCount       number of properties following
Property is a couple of strings:

  string      name
  string      value               can be a string or a binary content

A string is composed of a uint16 that contains the length in bytes or 0xFFFF (for null or N/A) then the characters, in UTF-8 with canonical decomposition (Unicode normalization form D).


Mode:
                 Axxx  symbolic link
                 4xxx  directory
                 8xxx  regular file