fatcousin
// evidence type

mobile backup (ios / android)

itunes/finder backup folder · adb backup · vendor export. manifest integrity, app timelines, messages, location — consent-based triage without a write-blocker rig.

tools
15
priority
H
processing
local · in browser

start here · primary tools

ordered. work top-down. the first tool is the suggested entry point for this evidence type.

  1. ios backup browserdrop an iTunes backup Manifest.db · list backed-up apps · files · domains · relative paths · export CSV · runs locally
  2. ios backup analyzerdrop an ios backup manifest · browse file structure · extract app data · databases · runs locally
  3. ios backup manifest and status parserdrop manifest status or info plist · backupkeybag tlv · encryption assessment · installed apps · runs locally
  4. ios backup manifest integrity verifierdrop manifest.db and backup blobs · sha1 integrity vs manifest · missing modified unexpected files · runs locally
  5. ios backup diff and version comparatordrop two manifest.db files · added deleted modified renamed paths · forensic significance tags · runs locally
  6. android backup analyzerdrop an android backup ab file · browse app data · extract databases · files · shared preferences · runs locally
  7. iOS backup source device identifierdrop info plist · extract udid imei serial · model lookup · multi-backup mismatch flags · runs locally
  8. mobile location history extractordrop ios locations sqlite · google location json · csv gps · haversine stops · movement timeline · runs locally

also useful · secondary tools

supporting and follow-up tools. surface as the investigation widens.

  1. ios spotlight search artifact extractordrop ios spotlight sqlite or interactionc database · extract spotlight search queries · reconstruct what the user searched for on device · surface app launches via spotlight and searched contact names · runs locally
  2. ios screen time forensic analyzerdrop screen time sqlite from ios backup · app usage · website visits · pickup frequency · digital activity · alibi assessment · runs locally
  3. ios app install and uninstall timeline reconstructordrop manifest db applicationstate plists installd log · install uninstall upgrade timeline · mass uninstall alerts · runs locally
  4. android logcat analyzerdrop android logcat output · parse log levels · crash detection · anr · security exceptions · network activity · timeline · runs locally
  5. ios call history parserdrop ios callhistory storedata sqlite · parse all call records · reconstruct call timeline · identify frequent contacts unknown numbers and voip calls · surface deleted call gap analysis · runs locally
  6. ios sms database parserdrop iOS backup SMS.db · threaded conversation view · timestamps · attachments · participants · export CSV · runs locally
  7. case report generatorfill in case number · examiner · dates · findings · drop evidence files for auto hash · generates structured forensic report PDF · runs locally
ready